
MEMORY EXPLOIT PROTECTION EXCLUSION

 

  1. Click Add Memory Exploit Protection Exclusion


  2. In the pop-up window, enter the process name and press Enter. Only one entry can be added at a time. Click SAVE.


  3. Based on the provided exclusion, MEP behavior can be defined as:

    1. If process names with extensions are provided (example: chrome.exe), MEP libraries are not injected into the specified processes.

    2. If processes are specified using full paths or regular expressions, MEP libraries are still injected into the specified processes, but the incidents they generate are not reported in CMS.

  4. The rules for the RegEx patterns are provided below:

     

    Goal                                      | RegEx Expression | RegEx Example            | Represented Files/Directories                            | Operating System
    ------------------------------------------+------------------+--------------------------+----------------------------------------------------------+-----------------
    Match the beginning of a line             | ^                | ^C:\\test\\path          | C:\test\path                                             | Windows
    Match the beginning of a line             | ^                | ^/opt/virsec             | /opt/virsec/test                                         | Linux
    Match the end of a line                   | $                | tmp\\path$               | C:\\tmp\\path                                            | Windows
    Match the end of a line                   | $                | test/path$               | /tmp/test/path                                           | Linux
    Make an expression case insensitive       | (?i)             | (?i)c:\\tmp\\test.exe    | C:\\Tmp\\Test.exe, c:\\tmp\\TEST.exe                     | Windows
    Make an expression case insensitive       | (?i)             | (?i)test_app             | /tmp/Test_App/, /tmp/test_APP                            | Linux
    Require at least 1 whitespace             | [ ]+             | EncodedCommand[ ]+       | powershell.exe -EncodedCommand abf2321e                  | Windows
    Require at least 1 whitespace             | [ ]+             | -c[ ]+test_cmd           | bash -c test_cmd                                         | Linux
    Ignore arbitrary number of chars          | .*               | .*nativeImages.*.dll     | C:\\nativeImages\\test.dll, C:\\nativeImages\\test_123.dll | Windows
    Ignore arbitrary number of chars          | .*               | /tmp/.*.so               | /tmp/test.so, /tmp/test123.so                            | Linux
    Restrict a particular char to a known set | []               | [Cc]:\\test              | c:\\test\\app.exe, C:\\test\\app.exe                     | Windows
    Restrict a particular char to a known set | []               | /opt/[vV]irsec           | /opt/virsec, /opt/Virsec                                 | Linux

    Table - RegEx Rules

     

  5. The table below shows further RegEx examples:

     

    RegEx Examples                     | Represented Files/Directories                                                                 | Operating System
    -----------------------------------+-----------------------------------------------------------------------------------------------+-----------------
    .:\\*test.*\\*tmp\\*.*             | C:\test-1\tmp\tmp-lib.dll, C:\test-2\tmp\tmp-lib-2.dll, D:\test-test\tmp\tmp-lib-3.dll        | Windows
    C:\\ProgramData\\Amazon\\SSM\\*.*  | C:\ProgramData\Amazon\SSM\example.exe                                                         | Windows
    C:\\dir1\\tmp\\tmp-lib.dll         | Specific file: C:\dir1\tmp\tmp-lib.dll                                                        | Windows
    C:\\dir1\\dir2\\*.exe              | All the files with extension .exe in the directory: C:\dir1\dir2                              | Windows
    C:\\dir1\\dir2\\*                  | All the files in the directory: C:\dir1\dir2                                                  | Windows
    /opt/test/tmp.*/.*                 | /opt/test/tmp-1/example, /opt/test/tmp-abc/example-2                                          | Linux
    /var/packages/.*cache.*/.*         | /var/packages/pkg-cache/program-1, /var/packages/publisher-cache/program-2                    | Linux
    /opt/test/tmp-1/example.sh         | Specific file: /opt/test/tmp-1/example.sh                                                     | Linux
    /home/user/*.log                   | All the files with extension .log in the directory: /home/user                                | Linux
    /home/user/log/*                   | All the files in the directory: /home/user/log                                                | Linux

    Table - RegEx Examples
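An exclusion that is broader than intended silently removes MEP coverage (or suppresses incidents) for processes it was never meant to cover, so a pattern is worth checking against real paths before it is saved. The script below is an added example, not Virsec code, and covers steps 3 and 4 above: it classifies an entry as a plain process name versus a path/regex using a heuristic of my own (the product's actual rule is not documented here), and it audits a regex against paths it should and should not cover. It assumes the agent evaluates path/regex exclusions as an unanchored regular-expression search (Python re.search semantics); all sample paths are constructed.

```python
import re

# ASSUMPTION: path/regex exclusions are evaluated as an unanchored regex search
# over the full process path or command line (re.search semantics).


def matches(pattern: str, candidate: str) -> bool:
    """True if the exclusion pattern would cover the candidate path/command line."""
    return re.search(pattern, candidate) is not None


def exclusion_kind(entry: str) -> str:
    """Classify an entry per step 3 of the procedure.

    Heuristic (assumption, not product logic): an entry with no path separator
    and no regex metacharacter is treated as a plain process name such as
    chrome.exe; anything else is a full path or regular expression.
    """
    if re.search(r"[\\/]", entry) or re.search(r"[\^$*+?\[\]()|]", entry):
        return "path-or-regex"   # MEP libraries injected, incidents not reported
    return "process-name"        # MEP libraries not injected into the process


def audit(pattern: str, intended, unintended):
    """Return (missed, leaked).

    missed: intended targets the pattern fails to cover.
    leaked: targets outside the intended scope that the pattern covers anyway.
    Either list being non-empty means the pattern should be fixed before saving.
    """
    missed = [p for p in intended if not matches(pattern, p)]
    leaked = [p for p in unintended if matches(pattern, p)]
    return missed, leaked


# Constructed samples: patterns from the rules table, plus a "must not cover"
# path for each that illustrates the common over-match pitfalls.
SAMPLES = [
    # pattern,                  should cover,                                 must not cover
    (r"^C:\\test\\path",        [r"C:\test\path"],                            [r"D:\copy\C:\test\path"]),
    (r"test/path$",             ["/tmp/test/path"],                           ["/tmp/test/path/extra"]),
    (r"-c[ ]+test_cmd",         ["bash -c test_cmd", "bash -c   test_cmd"],   ["bash -ctest_cmd"]),
    (r"[Cc]:\\test",            [r"c:\test\app.exe", r"C:\test\app.exe"],     [r"E:\test\app.exe"]),
    # Unescaped "." and no end anchor: these two leak beyond the intended files.
    (r"(?i)c:\\tmp\\test.exe",  [r"C:\Tmp\Test.exe", r"c:\tmp\TEST.exe"],     [r"C:\tmp\test-exe"]),
    (r"/tmp/.*.so",             ["/tmp/test.so", "/tmp/test123.so"],          ["/tmp/notes.sox"]),
    # Hardened form of the previous row: escaped dot and "$" anchor.
    (r"/tmp/.*\.so$",           ["/tmp/test.so", "/tmp/test123.so"],          ["/tmp/notes.sox"]),
]


def run_samples():
    """Audit every sample; returns {pattern: (missed, leaked)}."""
    return {pattern: audit(pattern, good, bad) for pattern, good, bad in SAMPLES}


if __name__ == "__main__":
    for pattern, (missed, leaked) in run_samples().items():
        status = "OK" if not missed and not leaked else "FIX"
        print(f"{status:3} {pattern!r:28} kind={exclusion_kind(pattern)} "
              f"missed={missed} leaked={leaked}")
```

Running it prints FIX for the two rows with an unescaped dot or a missing end anchor and OK for the hardened pattern, which is the check to do on any exclusion before clicking SAVE: a regex that covers one extra path is an exclusion that covers one extra process.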