There may be cases where a specific Anti-Exploit protection affects the stability of a machine or an application.
Depending on the situation, you may want to exclude either the process being protected or the protection itself. This article describes how to disable a specific Anti-Exploit protection.
Currently there are 5 different Anti-Exploit protections available. The protections and their protection rule names are listed below.
| Protection | Protection Rule Name |
| --- | --- |
| Import-Export Address Table Parsing | Gen.Exploiter.IET |
| Return Oriented Programming | Gen.Exploiter.ROP |
| VB Script God Mode | Gen.Exploiter.VBS |
| Stack Pivoting | Gen.Exploiter.SP |
| RDP Vulnerability (CVE-2019-0708) | Gen.Exploiter.CVE_2019_0708 |
| RCE Vulnerability (CVE-2019-1181) | Gen.Exploiter.CVE_2019_1181/2 |
Disabling a protection
Disabling an Anti-Exploit protection is done by changing the "Monitoring and Exclusions" action in the "SandBlast Agent Anti-Ransomware, Behavioral Guard and Forensics" policy.

Once opened, add a new exclusion by clicking "Add location..." and choose "Certificate" as the exclusion type.

You can then disable a specific protection by typing:
rulename::xxxx
where xxxx is the protection rule name as it appears in the Forensics report.
For example, to disable the ROP protection, type the following:
rulename::Gen.Exploiter.ROP
Click "OK", save the changes and install the policy.
The specific Anti-Exploit protection will be disabled.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

This solution is about products that are no longer supported and it will not be updated.