It is recommended to exclude the agent's AMSP process and folder in Sysmon to fix the interop issue. Please add the following exclusions to the corresponding event in the Sysmon configuration:

    <!-- Event ID 1 == Process Creation - Excludes -->
        <ParentImage condition="image">coreServiceShell.exe</ParentImage>
        <Image condition="image">dsa.exe</Image>
        <Image condition="image">coreServiceShell.exe</Image>

    <!-- Event ID 2 == File Creation Time - Excludes -->
        <Image condition="image">coreServiceShell.exe</Image>
        <TargetFilename condition="contains">C:\ProgramData\Trend Micro\AMSP</TargetFilename>

    <!-- Event ID 3 == Network Connection - Excludes -->
        <Image condition="image">coreServiceShell.exe</Image>
        <Image condition="image">dsa.exe</Image>

    <!-- Event ID 10 == ProcessAccess - Excludes -->
        <SourceImage condition="image">coreServiceShell.exe</SourceImage>
        <SourceImage condition="image">dsa.exe</SourceImage>
        <SourceImage condition="is">C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe</SourceImage>

    <!-- Event ID 11 == FileCreate - Excludes -->
        <Image condition="image">coreServiceShell.exe</Image>
        <TargetFilename condition="contains">C:\ProgramData\Trend Micro\AMSP</TargetFilename>
        <Image condition="image">dsa.exe</Image>

    <!-- Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed - Excludes -->
        <Image condition="image">dsa.exe</Image>
        <Image condition="image">coreServiceShell.exe</Image>

    <!-- Event ID 17,18 == PipeEvent. Log Named pipe created & Named pipe connected - Excludes -->
        <Image condition="image">coreServiceShell.exe</Image>

    <!-- Event ID 22 == DNS Queries and their results - Excludes -->
        <Image condition="image">coreServiceShell.exe</Image>

    <!-- Event ID 23 == File Delete and overwrite events (file archived) - Excludes -->
        <Image condition="image">coreServiceShell.exe</Image>

    <!-- Event ID 25 == Process tampering events - Excludes -->
        <Image condition="image">coreServiceShell.exe</Image>

    <!-- Event ID 26 == File Delete detected (logged, not archived) - Excludes -->
        <Image condition="image">coreServiceShell.exe</Image>
        <TargetFilename condition="contains">C:\ProgramData\Trend Micro\AMSP</TargetFilename>

Reference configuration: https://github.com/deep-security/sysmon-config/blob/master/DSSysmonConfig.xml
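The rules above are bare rule lines; in a real Sysmon configuration each set has to land inside the matching event element with `onmatch="exclude"` (for example `<ProcessCreate onmatch="exclude">` for Event ID 1, `<FileDeleteDetected onmatch="exclude">` for Event ID 26) under `EventFiltering`. The following script is an added example, not Trend Micro's or Sysmon's own tooling: it merges the rules listed on this page into an existing Sysmon config, appending to an existing exclude group when one is present, creating a `RuleGroup` when none is, and skipping rules that are already there. It assumes the standard Sysmon layout (`Sysmon` > `EventFiltering` > `RuleGroup` > event element) and the event element names that correspond to the Event IDs in the comments above; the base config it operates on is constructed for the demonstration.

```python
"""Merge the AMSP Sysmon exclusions from this page into an existing Sysmon config.

Added example (not Trend Micro's or Sysmon's own code). Assumes the standard
Sysmon config layout: Sysmon > EventFiltering > RuleGroup > <Event onmatch="exclude">.
"""
import xml.etree.ElementTree as ET

# (field, condition, value) rules from the page, keyed by the Sysmon event
# element that corresponds to the Event ID in the page's comments.
AMSP_EXCLUSIONS = {
    "ProcessCreate": [  # Event ID 1
        ("ParentImage", "image", "coreServiceShell.exe"),
        ("Image", "image", "dsa.exe"),
        ("Image", "image", "coreServiceShell.exe"),
    ],
    "FileCreateTime": [  # Event ID 2
        ("Image", "image", "coreServiceShell.exe"),
        ("TargetFilename", "contains", r"C:\ProgramData\Trend Micro\AMSP"),
    ],
    "NetworkConnect": [  # Event ID 3
        ("Image", "image", "coreServiceShell.exe"),
        ("Image", "image", "dsa.exe"),
    ],
    "ProcessAccess": [  # Event ID 10
        ("SourceImage", "image", "coreServiceShell.exe"),
        ("SourceImage", "image", "dsa.exe"),
        ("SourceImage", "is", r"C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe"),
    ],
    "FileCreate": [  # Event ID 11
        ("Image", "image", "coreServiceShell.exe"),
        ("TargetFilename", "contains", r"C:\ProgramData\Trend Micro\AMSP"),
        ("Image", "image", "dsa.exe"),
    ],
    "RegistryEvent": [  # Event IDs 12, 13, 14
        ("Image", "image", "dsa.exe"),
        ("Image", "image", "coreServiceShell.exe"),
    ],
    "PipeEvent": [("Image", "image", "coreServiceShell.exe")],         # 17, 18
    "DnsQuery": [("Image", "image", "coreServiceShell.exe")],          # 22
    "FileDelete": [("Image", "image", "coreServiceShell.exe")],        # 23
    "ProcessTampering": [("Image", "image", "coreServiceShell.exe")],  # 25
    "FileDeleteDetected": [  # Event ID 26
        ("Image", "image", "coreServiceShell.exe"),
        ("TargetFilename", "contains", r"C:\ProgramData\Trend Micro\AMSP"),
    ],
}

# Constructed base config: one ProcessCreate exclude group that already holds
# one of the rules, and no group at all for the other events.
SAMPLE_CONFIG = """<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="image">dsa.exe</Image>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""


def _exclude_element(filtering, event_name):
    """Return the <event onmatch="exclude"> element, creating a RuleGroup if missing."""
    for ev in filtering.iter(event_name):
        if ev.get("onmatch") == "exclude":
            return ev
    group = ET.SubElement(filtering, "RuleGroup", name="", groupRelation="or")
    return ET.SubElement(group, event_name, onmatch="exclude")


def list_exclusions(config_xml, event_name):
    """List (field, condition, value) rules under every <event onmatch="exclude">."""
    root = ET.fromstring(config_xml)
    return [(rule.tag, rule.get("condition"), rule.text)
            for ev in root.iter(event_name) if ev.get("onmatch") == "exclude"
            for rule in ev]


def merge_exclusions(config_xml, exclusions=AMSP_EXCLUSIONS):
    """Add each rule to the matching exclude group, skipping rules already present."""
    root = ET.fromstring(config_xml)
    filtering = root.find("EventFiltering")
    if filtering is None:
        filtering = ET.SubElement(root, "EventFiltering")
    for event_name, rules in exclusions.items():
        ev = _exclude_element(filtering, event_name)
        present = {(r.tag, r.get("condition"), r.text) for r in ev}
        for field, cond, value in rules:
            if (field, cond, value) not in present:
                ET.SubElement(ev, field, condition=cond).text = value
                present.add((field, cond, value))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(merge_exclusions(SAMPLE_CONFIG))
```

Run it against your deployed config (`sysmon -c` prints the active one) and review the output before loading it. Note the difference between the two rule styles on the page: `condition="image"` matches on the file name alone, so it excludes any process called `coreServiceShell.exe` wherever it runs, while the `condition="is"` rule in the ProcessAccess block is pinned to the installed path; where the agent's install path is fixed, the path-pinned form keeps the exclusion as narrow as possible.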

It is also suggested to add the following exclusions in the Process Image File list:

  • ${windir}\sysmon64.exe
  • ${windir}\sysmon.exe