I'm currently running CSA 5.2 r238 with all systems in Test Mode. I keep seeing events for certain modules loading after startup, such as pdcrypt2.sys in a Citrix environment. I know these events are normal and don't care to have those events logged any more.
The events are being generated by Rule 50, a Kernel Protection rule with a monitor action in System Hardening Module [V5.2 r238]. I've copied this rule to a custom rule module and set it to priority allow and did not check the Log option.
I created a file set for pdcrypt2.sys as follows:
Directories Matching: **\Program Files\Citrix\system32\drivers but not <none>
Files matching: pdcrypt2.sys but not <none>
I'm still seeing events generated by Rule 50. I know my rule is enforced by looking at an affected host, and my rule appears to process before Rule 50. Why am I still seeing events generated by Rule 50?