Hi
SEPM 12.1 RU1 (log) found a trojan worm zijqqnt.exe which was placed in quarantine but 15 minutes later it was changed to allowed application. The user is not having admin rights and could not have created an exception rule to allow the application. We accidentally noticed this trojan worm when we were looking at the user-allowed application view in the Exception policy.
For some reason there was an exception rule created on the client computer which could not be done by the user. With my admin account I was able to delete the rule and also the quarantined file from the client computer.
I have created a rule in the exception policy (applied to all computers) to remove the application (see attached image) but when I delete this rule the application will automatically re-appear in the User-allowed Applications list.
Is there anybody who have seen/had this issue before?
How can we remove zijqqnt.exe from the user-allowed application view of the exceptions policy?
thanks
Rogier