This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(115.19999999999999, 8%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENS%3C/text%3E%3C/svg%3E)
Hi !
I am trying to use a "sub group" exclude filter for ImageLoad but it seems like that does not work !?
A singel exclude line like:
<Image condition="is">C:\Program Files\McAfee\Agent\x86\McScript_InUse.exe</Image> - Works fine
But if I add:
<Rule groupRelation="and">
<Image condition="is">C:\Windows\System32\wbem\WmiPrvSE.exe</Image>
<ImageLoaded condition="begin with">C:\Windows\System32\</ImageLoaded>
</Rule>
It seems to be ignored
Rule groups like thos works fine for all the other events.
Is it not supported in ImageLoad !? or am I doing something wrong here..?
Running Sysmon v.13.01
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 35%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
The undesired behavior seems to occur when when using more than one condition in "and" based rule that is part of an "exclude" based rule group. The same problem does not occur in include based rule groups.
Here is a onedrive link to resources which simplify problem reproduction.
Nice to hear that you could reproduce the symptom..
I'm guessing this is a bug then?!
seems like a bug to me. i reported my analysis of scope of your findings to developers via the syssite email alias. will report back if there are signs of effort on resolution.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 30%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENA%3C/text%3E%3C/svg%3E)
Any updates on this one?
Working on a fix for this one - I think it will be out in 13.03 which should come out soon enough (13.02 was out yesterday and doesn't have this fix).
Thank you for the feedback, looking forward for the release of next version :-)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 79%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDM%3C/text%3E%3C/svg%3E)
Are you specifying your schemaVersion at the top? It defaults to assuming an older schema where what you're doing may not be supported. At the top of my config for Sysmon 13.01 I have:
<Sysmon schemaversion="4.50">
Hi!
Yes, I have the same schemaversion at the top of my config..
<Sysmon schemaversion="4.50">
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 1%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECB%3C/text%3E%3C/svg%3E)
Hi all,
we use sysmon version 13.04 but se have same behavior.
Group rule in and condition with:
ImageLoaded and Image don't work like aspected.
We tested also last sysmon version 15 but without success (and in exclude mode with ImageLoad event ID 7 doesn't work).
Can someone to help me? Can exist any workaround to bypass this problem?
Thanks in advance.