Symantec Endpoint Security Complete (SESC) displays an EDR event in which powershell.exe invokes sc.exe with a specific command line. The local administration team determines that the event is benign. Is it possible to tune this event out without allow-listing a specific file?
While the on-premises EDR appliance has a feature to tune out EDR events based on a command line, SESC does not have this feature.
Instead, you would need to add an executable to the Allow list within SESC.
Please consult the local management team and local IT security team to examine the risks versus benefits of adding high-risk executables such as powershell.exe to the Allow list.