Working on a fix for this one - I think it will be out in 13.03 which should come out soon enough (13.02 was out yesterday and doesn't have this fix).
Filter Sysmon EventCode7 (ImageLoad) not working ?
Hi !
I am trying to use a "sub group" exclude filter for ImageLoad, but it seems like that does not work?
A single exclude line like:
<Image condition="is">C:\Program Files\McAfee\Agent\x86\McScript_InUse.exe</Image> - works fine
But if I add:
<Rule groupRelation="and">
<Image condition="is">C:\Windows\System32\wbem\WmiPrvSE.exe</Image>
<ImageLoaded condition="begin with">C:\Windows\System32\</ImageLoaded>
</Rule>
It seems to be ignored.
Rule groups like those work fine for all the other events.
Is it not supported in ImageLoad, or am I doing something wrong here?
Running Sysmon v.13.01
3 answers
Dave McCormack 11 Reputation points
2021-02-18T00:22:53.39+00:00 Are you specifying your schemaVersion at the top? It defaults to assuming an older schema where what you're doing may not be supported. At the top of my config for Sysmon 13.01 I have:
<Sysmon schemaversion="4.50">
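To make the two replies concrete, here is a complete Sysmon configuration assembled around the snippets from the question: the schemaversion header Dave asks about, the single-field exclude that works, and the compound and-relation Rule that the poster reports as ignored. This is an added example, not the poster's actual config; the RuleGroup name, the onmatch="exclude" setting and the file name in the usage note below are assumptions.

```xml
<!-- Added example: full Sysmon config built around the snippets in the question.
     Not the poster's real config; RuleGroup name and onmatch="exclude" are assumed. -->
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <!-- Event ID 7 (ImageLoad): log every image load except those matched below -->
    <RuleGroup name="" groupRelation="or">
      <ImageLoad onmatch="exclude">
        <!-- Single-field exclude from the question (reported to work on 13.01) -->
        <Image condition="is">C:\Program Files\McAfee\Agent\x86\McScript_InUse.exe</Image>
        <!-- Compound exclude from the question: both conditions must match for the
             event to be dropped. Reported as ignored on 13.01; the reply at the top
             of the thread says a fix is planned for a later release. -->
        <Rule groupRelation="and">
          <Image condition="is">C:\Windows\System32\wbem\WmiPrvSE.exe</Image>
          <ImageLoaded condition="begin with">C:\Windows\System32\</ImageLoaded>
        </Rule>
      </ImageLoad>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Load it with `sysmon64.exe -c sysmon-config.xml` (or `-i sysmon-config.xml` on a fresh install) and then run `sysmon64.exe -c` with no file argument, which prints the configuration Sysmon actually parsed; if the nested Rule does not appear there, the schema version or the XML is the problem rather than the filter engine. If it does appear but WmiPrvSE loads from System32 still show up as Event ID 7 in Microsoft-Windows-Sysmon/Operational, you are seeing the behaviour the question describes.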
Niklas Sjögren 41 Reputation points
2021-02-19T07:13:01.53+00:00 Hi!
Yes, I have the same schemaversion at the top of my config: <Sysmon schemaversion="4.50">