So Many False Positives
I've found myself white-listing many directories instead of MD5 hashes because hashes change with updates, and TDR is absolutely wild with false positives. So far, TDR has highlighted Meraki updates, Office (updates and executables), Windows Defender updates, Windows Updates, GoToMeeting updates, Webroot updates, and more, all as suspicious. I spend hours cleaning this up.
What is the best practice here? I know they score low (suspicious), but one in a hundred may be worth sandboxing. With many program directories now white-listed, I would think it would be pretty easy to stash a payload there. Also, since white-listing is locked to a hard path or MD5, how do you overcome updates that run in a user's temp directory using rotating filenames (i.e. WRupdate_x10038)? I would love to white-list using a wildcard against an executable, but sadly can't.
Just getting started with TDR, so forgive the drawn-out bleh'ness of the thread... it's been frustrating.