App Control Console : Enabling Mimikatz Protection Rapid Config generates false positives
search cancel

App Control Console : Enabling Mimikatz Protection Rapid Config generates false positives

book

Article ID: 288437

calendar_today

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Enabling Mimikatz Protection Rapid Config generates false positives

Environment

  • App Control Console : All versions

Cause

By default Mimikatz Rapid Config, will only exclude default windows processes

Resolution

Any legitimate processes deemed as good/false positive can be excluded as follows :
  1. Login to the App Control console.
  2. Navigate to Rules > Software Rules > Rapid Configs
  3. Edit "Mimikatz Protection" Rapid Config
  4. Add the processes to be excluded to 'Exception Processes Allowed To Read Lsass.Exe Memory'
  5. Save
Powered by Wolken Software