False positives may be present based on SourceImage paths, particularly those with a legitimate reason for accessing lsass.exe or regsvr32.exe. If removing the paths is important, be aware that svchost and many native binaries inject into processes consistently. Restrict or tune as needed.