Anti-Exploit: disabling a specific protection
Solution

There may be cases where a specific Anti-Exploit protection is affecting the stability of a machine or application.

Depending on the situation, you may want to exclude either the process being protected, or the protection from being enabled. This article describes how to disable a specific Anti-Exploit Protection.

Currently there are 5 different Anti-Exploit protections available. The following table lists each protection together with its protection rule name.

Protection                             Protection Rule Name
Import-Export Address Table Parsing    Gen.Exploiter.IET
Return Oriented Programming            Gen.Exploiter.ROP
VB Script God Mode                     Gen.Exploiter.VBS
Stack Pivoting                         Gen.Exploiter.SP
RDP Vulnerability (CVE-2019-0708)      Gen.Exploiter.CVE_2019_0708
RCE Vulnerability (CVE-2019-1181)      Gen.Exploiter.CVE_2019_1181/2

Disabling a protection

Disabling an Anti-Exploit protection is done through a change to the "Monitoring and Exclusions" action in "SandBlast Agent Anti-Ransomware, Behavioral Guard and Forensics" policy.

Once opened, add a new exclusion by clicking "Add location..." and choose "Certificate" as the exclusion type.

Once done, you can disable a specific protection by typing:

rulename::xxxx, where xxxx is the protection rule name as it appears in the Forensics report.

So, for example, to disable the protection for ROP you need to type the following:

rulename::Gen.Exploiter.ROP

Click "OK", save changes and install the policy.

The specific Anti-Exploit protection will be disabled.

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
