CSA triggers with one of the pre-configured rules when WgaTray.exe tries to scan a host. WGA is Microsoft's Windows Genuine Advantage, which we got with Windows Update some time ago. I could create an exception for that, but what if I'd like the CSA to block it permanently? How can I get rid of the event messages?
I have cloned the rule and changed it so that it targets WgaTray.exe only. The problem is, even though I unticked the log option, a Terminate Process will create a dump, and this results in another entry in the event log.
I then tried to change the action into a simple Deny, but then the original rule triggers first. Any idea what I could do?
You are correct that some process terminations will result in dumps and log entries (especially something like WGAtray.exe).
You could exclude wgatray.exe from the terminate process rule and then the deny and not log rule should work as you expect.
What specific rule (type, name and rule module) is generating this alert?
I don't see any alerts on my MC regarding WGAtray but I may not have the same policies applied.