I just deployed MBAR across my domain after running it independently on a few machines. The independent machines ran just fine, no issues for a week or so, and I decided to deploy it through my RMM tool silently to all end user workstations. The deploy with the silent switches worked flawlessly. However I got a call this morning that one of my staff members had a detection this morning. Boy, I was feeling like the luckiest guy in the world with the timely install and detection catch, but I came to find out that it was detecting my Kixtart logon script executing from our AD sever (which in turn prevents the user from logging in since the script hangs and terminating the script logs the user off). I tried to go into exclusions and add the actual file in question but no dice... it would still detect it on logon. Oddly enough, it's only for this one user so far (out of 100 or so).
Any ideas? I have two AD servers so I added the detection path to both servers to the exclusion list. I have since turned off protection for this one user.