false positives are expected from legitimate applications generating events that are similar to those generated by malicious activity. for example, event id 1122 is generated when a process attempts to load a dll that is blocked by an asr rule. this can be triggered by legitimate applications that attempt to load dlls that are not blocked by asr rules. this is block only. | |