Image exclusion is not working for FileCreate

[PetrPoleshko]

Hello, I installed Sysmon with your configuration file .

I receive event 11 with message like below:

File created:
UtcTime: 2017-03-03 07:45:12.846
ProcessGuid: {c1ec32d1-1f03-58b9-0000-00107b02ac0a}
ProcessId: 27480
Image: C:\Program Files\System Center Operations Manager\Agent\MonitoringHost.exe
TargetFilename: C:\Program Files\System Center Operations Manager\Agent\Health Service State\Monitoring Host Temporary Files 14022\11725\DiscoverSQL2008DB.vbs
CreationUtcTime: 2017-03-03 07:45:12.846

I went ahead and modified lines related to FileCreate as below and I still receive eventids by MonitoringHost.exe

<FileCreateTime onmatch="include">
    <Image condition="begin with">C:\Users</Image> <!--Look for timestomping in user area-->
</FileCreateTime>
<FileCreateTime onmatch="exclude">
    <Image condition="image">OneDrive.exe</Image> <!--OneDrive constantly changes file times-->
    <Image condition="contains">setup</Image> <!--Ignore setups-->
    **<!--SECTION: MyOwnSection-->**
    <Image condition="image">C:\Program Files\System Center Operations Manager\Agent\MonitoringHost.exe</Image>
    <Image condition="end with">C:\Program Files\System Center Operations Manager\Agent\MonitoringHost.exe</Image>
</FileCreateTime>

The question is: What's the correct form of excluding Images from FileCreate events?

[lundyfpv]

I had issues with Registry Exclusions not working. Had to uninstall sysmon and reinstall with the updated config.

[PetrPoleshko]

Skizztle, If you only knew how many times i did complete uninstall of Sysmon and install it back again with Tay's config... :( FileCreateTime is not the only one which doesn't accept filter rules... RawDiskRead - doesn't filter events by ProcessGUID too...

[SwiftOnSecurity]

Please try Sysmon 6.03 which should fix this issue