Hello,
Over the past couple of months I have become really annoyed with the threat prevention product because it seems to be totally unaware of the fact that Microsoft releases updates for its products.
For example today I received a bunch of false positives for this "Powershell Command Restriction - Command" when our Exchange server had the audacity to update itself.
Module Name: Threat Prevention
Analyzer Content Creation Date: 10/20/20 10:19:00 PM EDT
Analyzer Content Version: 10.6.0.10775
Analyzer Rule ID: 6086
Analyzer Rule Name: Powershell Command Restriction - Command
Source Description: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command . 'D:\Exchange\\scripts\customization\CustomPatchInstallerActions.ps1' PostPatchInstallActions
Target Hash: 7353f60b1739074eb17c5f4dddefe239
Target Signed: Yes
Target Signer: CN=MICROSOFT WINDOWS, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
Target Parent Process Signed: Yes
Target Parent Process Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, CN=MICROSOFT CORPORATION
Target Parent Process Name: QUIETEXE.EXE
Target Parent Process Hash: 5bf45e9cedd1d9ff0d40e9bb8cc80aab
Target Name: POWERSHELL.EXE
Target Path: C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0
Target File Size (Bytes): 448000
Target Modify Time: 9/14/18 11:14:14 PM EDT
Target Access Time: 9/14/18 11:14:14 PM EDT
Target Create Time: 9/14/18 11:14:14 PM EDT
API Name: AtlComPtrAssign
First Action Status: Not available
Does McAfee not get a feed from Microsoft that tells the McAfee products what changes to expect during their patching? How do I protect our organization from actual PowerShell-borne threats without getting spammed to death with false positives for routine OS updates?
Hi @enxl2 ,
Thank you for reaching out to McAfee Community for clarification.
The events which are getting generated are expected as per the EP Rule 6086 behavior, and we think it's a false positive for your environment. If you want to deal with it, please follow the solution mentioned by my colleague in this post (kindly refer to the comments marked as solution): https://community.mcafee.com/t5/Endpoint-Security-ENS/Problem-with-exclusion-for-endpoint-threat-pre...
Hope this helps!
Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
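Rather than excluding this event by file hash, which changes with every update, a tuning check can key on the code signers, the parent process and the script directory shown in the event. The following is an added example, not McAfee's code or the exclusion mechanism from the linked post: the field names, signer strings, parent process and script path come from the event in the question, while the allowed parent set, the allowed script directory and the classification labels are assumptions for illustration.

```python
import re

# Constructed sample: the Threat Prevention event from the post, trimmed to the fields used here.
SAMPLE_EVENT = r"""
Analyzer Rule ID: 6086
Analyzer Rule Name: Powershell Command Restriction - Command
Source Description: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command . 'D:\Exchange\\scripts\customization\CustomPatchInstallerActions.ps1' PostPatchInstallActions
Target Signed: Yes
Target Signer: CN=MICROSOFT WINDOWS, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
Target Parent Process Signed: Yes
Target Parent Process Signer: C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, CN=MICROSOFT CORPORATION
Target Parent Process Name: QUIETEXE.EXE
Target Name: POWERSHELL.EXE
"""

# Hypothetical tuning policy: parents and script directories expected to launch PowerShell
# during routine Exchange patching. Keyed on signer and path, not on hashes, because
# every update changes the hashes and would silently break a hash-based exclusion.
ALLOWED_PARENTS = {"QUIETEXE.EXE"}
ALLOWED_SCRIPT_DIRS = ["D:\\Exchange\\scripts\\"]
MS_SIGNER = "O=MICROSOFT CORPORATION"

def parse_event(text):
    """Turn the 'Key: Value' lines of an ENS event into a dict (first ': ' splits key from value)."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def script_path(command_line):
    """Pull the quoted .ps1 path out of Source Description and collapse doubled backslashes."""
    m = re.search(r"'([^']+\.ps1)'", command_line, re.IGNORECASE)
    return re.sub(r"\\+", r"\\", m.group(1)) if m else None

def is_microsoft_signed(fields, prefix):
    """True only when ENS reports the binary as signed and the signer is Microsoft."""
    return fields.get(prefix + " Signed") == "Yes" and MS_SIGNER in fields.get(prefix + " Signer", "").upper()

def classify(fields):
    """Return 'exclusion-candidate' when every benign indicator lines up, else 'investigate'."""
    if fields.get("Analyzer Rule ID") != "6086":
        return "investigate"
    path = script_path(fields.get("Source Description", ""))
    path_ok = path is not None and any(path.lower().startswith(d.lower()) for d in ALLOWED_SCRIPT_DIRS)
    checks = (
        is_microsoft_signed(fields, "Target"),
        is_microsoft_signed(fields, "Target Parent Process"),
        fields.get("Target Parent Process Name", "").upper() in ALLOWED_PARENTS,
        path_ok,
    )
    return "exclusion-candidate" if all(checks) else "investigate"

if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    print(script_path(ev["Source Description"]), "->", classify(ev))
```

Any deviation from the expected combination (a different parent, an unsigned binary, or a script outside the Exchange scripts directory) keeps the event in the investigate bucket instead of being suppressed.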
It's a false positive in every Windows 10 environment on the planet Earth.
That's the problem.
Update your rules.