@User85564626 Since I'm unsure what event ID or signature ID you're concerned about, I'm going to throw out several different suggestions below based on what I can assume you're concerned about.
There is a known issue affecting Exploit Prevention rule 6015 with event ID 18055 where even with the rule disabled it triggers. This issue is corrected in ENS 10.5.3 HF3 and later. You can find more info in KB90074 and KB82450.
If you simply do not want any reporting sent to your ePO for the signature ID, then you can go into the Exploit Prevention policy and next to the particular signature, uncheck the box for report.
If you don't want the event ID at all, you can go into your ePO Server Settings >> Event Filtering, and disable the event ID.
Finally, if you would prefer to retain all reporting and just exclude the "false positive" you see triggering on the event ID, you can implement either a global exclusion for the process in the exclusions section, or you can also make the exclusion specific to a particular signature ID. For detailed information about how exclusions for Exploit Prevention work, please see the ENS Threat Prevention Product Guide.
Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
If desired, you can uncheck the REPORT ALL option on the ENS signature. ENS will block it, but not report the event to ePO. It would be a better idea though to find out what those events are and determine if an exclusion rule would be appropriate, instead of disabling reporting on the signature.
Alternatively, you can create an ePO table query to find those events you don't want, then use an ePO Server Purge Events task against that query and set that task to run on a recurring schedule to remove them from the ePO database (e.g., find all these Signature X events and run a Purge Events task daily against them).