Try removing the * after factset\ . Check if the exclusions are actually applying on the machine. Get-mpprefence run with admin privileges should get you the list.
office application creating child process exclusion ASR
hi
we activated in block mode after audit the ASR rule "Block all office application from creating child process"
But exclusions does not seems to work (for testing)
In deed we work with Factset software that add a plugin in Excel that inject data in Excel but they are all blocked
Even excel does not open when launching the Factset plugin
Factset is well know legitimate software its so strange that MS does not have a whitelist but anyway, exclusion are not working at all
thanks for, your help
2 answers
Sort by: Most helpful
-
-
Crystal-MSFT 45,656 Reputation points Microsoft Vendor
2023-02-20T01:43:46.0666667+00:00 @Guillaume AMGAR, Thanks for posting in Q&A.
Based on my research, it seems the asterisk replaces a single folder. For our situation, I think we can change the value to C:\Program Files (x86)\Factset*.exe. Here is a link with more details for your reference:
Meanwhile, I notice per-rule exclusions cannot be added to the existing policy. As it is currently implemented, in order to configure per-rule exclusions, you must create a new policy in MEM to replace the existing policy. Please create a new policy with the new setting value to see if it works:
Hope it can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.