Attack surface reduction – check trigger if possible
Hello,
I configured ASR rules and am now reviewing exceptions.
Is it possible to find out what triggers “sc.exe” or “conhost.exe” without checking Event Viewer on the specific machine? Or can we just exclude the paths that we actually see as exceptions and that’s it?
That way we could define the exception more precisely instead of putting “sc.exe” or “conhost.exe” as an exception.
Here are 2 paths blocked by the same rule:
C:\Windows\System32\conhost.exe
Block process creations originating from PSExec and WMI commands
C:\Windows\System32\sc.exe
Block process creations originating from PSExec and WMI commands
Thank you!