We recommend that you disable the obsolete Exploit Prevention signatures listed in the table below to reduce false positives, unless you're using them for monitoring purposes in your environment.

The following table describes the products on which the signatures are supported and the default reaction type.

	Product / Environment
	Host Intrusion Prevention Exploit Prevention		Endpoint Security Threat Prevention Exploit Prevention
Signature ID	Is Supported?	Default Reaction Type	Is Supported?	Default Reaction Type
1148	Yes	Disabled	No	Not Applicable
6015	Yes	Disabled	Yes	Disabled

The following table provides details about why we recommend that you disable these signatures.

Signature ID	Signature Name	Recommendation
1148	CMD Tool Access by a Network Aware Application	Disable this signature.   This signature is obsolete because the existing antivirus scanners block any malware activity it can identify.
6015	Suspicious Function Invocation - Target Address Mismatch	Disable this signature.   We’ve noticed a recent increase in applications and software that move to Just-In-Time compilation, wherein Signature 6015 can generate false positives. Signature 6015 is a special variant of the Endpoint Security Exploit Prevention signature. It adds a redundant layer of protection against Buffer Overflow and memory corruption exploits because of other strong and generic Exploit Prevention signatures available. The following generic Buffer Overflow signatures can catch any such exploit behavior earlier in the exploit lifecycle: 428 - Generic Buffer Overflow 6012 - Suspicious Function Invocation - Return to API 6013 - Suspicious Function Invocation - CALL Not Found 6014 - Suspicious Function Invocation - Return Address Not Readable If these signatures are enabled, signature 6015 can be disabled without compromising security.

To disable an Exploit Prevention signature:

• Using the ePolicy Orchestrator (ePO) console:
  1. Open Policy Catalog, select Endpoint Security Threat Prevention, and locate the policy you want to change under Exploit Prevention.
  2. Edit the policy. All signatures are listed under Signatures.
  3. Locate the signature, and make the changes needed.
  4. Click Save.
      
• Using the Endpoint Security console:
  1. Click Threat Prevention, click Show Advanced, and navigate to Exploit Prevention.
  2. Locate the signature, and make the changes needed.
  3. Click Apply.