There may be cases where a specific Anti-Exploit protection affects the stability of a machine or an application.
Depending on the situation, you may want to exclude either the affected process from Anti-Exploit protection, or disable the specific protection itself. Excluding the process is the narrower change, since disabling a protection removes it for every process covered by the policy. This article describes how to disable a specific Anti-Exploit protection.
Currently there are five Anti-Exploit protections available. The following table lists them by protection rule name, which is the name that also appears in the Forensics report.

| Protection Rule Name |
| Import-Export Address Table Parsing |
| Return Oriented Programming |
| VB Script God Mode |
| RDP Vulnerability (CVE-2019-0708) |
| RCE Vulnerability (CVE-2019-1181) |
Disabling a protection
Disabling an Anti-Exploit protection is done through a change to the "Monitoring and Exclusions" action in the "SandBlast Agent Anti-Ransomware, Behavioral Guard and Forensics" policy.
Once the action is open, add a new exclusion by clicking "Add location..." and choosing "Certificate" as the exclusion type.
You can then disable a specific protection by typing:
rulename::xxxx
where xxxx is the protection rule name exactly as it appears in the Forensics report (see the table above); the name is case- and whitespace-sensitive, so copy it verbatim.
So, for example, to disable the Return Oriented Programming (ROP) protection, type:
rulename::Return Oriented Programming
Click "OK", save the changes and install the policy.
The specific Anti-Exploit protection is then disabled on every machine that receives this policy. Apply the exclusion only to the rule that covers the affected machines, and remove it once the stability issue is resolved, because the protection no longer covers any process while the exclusion is in place.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.