I run PowerShell scripts from my RMM software agent to manage endpoints. Every time I run a script, I get a Scripting Abuse or Abnormal Process Execution notification. How can I whitelist the RMM agent on the endpoint to stop these false positives?
Hi, can you let me know if the command lines change?
If not, you can try the steps below.
To whitelist a file directly, complete the following:
Once you have at least 1 incident that is identical to the incident, and there is no identical incident where status is closed as confirmed, the false positive handling in WithSecure Elements Endpoint Detection and Response (EDR) will close the false-positive automatically.
Broad context detections can be closed as Auto false positive automatically when they are identical to previously closed false alarms. For WithSecure Elements Endpoint Detection and Response to close a broad context detection as Auto false positive, the following criteria must be met:
More information about automatic handling of incidents can be found here.
In the event that this has been completed multiple times and the file still gets detected, make a whitelist request for the False Positive event as follows: