About ILoveESET
Posts: 22
Rank: Newbie
Location: Malaysia
Hello, as the title of this thread says, what configurations may result in a bypass of the blocking of hashes set in EEI? I was able to successfully execute a ransomware without a trigger from the antivirus through configuration of detection name exclusions. I could see the alarms coming into the EEI. I then configured blocking of that ransomware hash, and tried to execute it on another machine. The execution was not blocked. And the best part is that the "Blocked Hashes" entries under "Admin" still show that it was blocked, based on the timestamp displayed in the "Blocked on" column. This is confusing because the administrator will think it is blocked, but on the user side it was not. Could there be functions in ESMC/EEI that supersede blocking of hashes? How can I verify whether the blocking of hashes was indeed sent to the endpoints?
-
Hello, I was trying to create a rule which detects registry changes made by PowerShell that was spawned from Excel. Below is my rule set. It passed the syntax check. The activity was reproduced by creating the registry key HKCU:\Software\myEEIEx on endpoints with the EEI agent installed. Detecting the registry key change worked, but when adding the logic for detecting process changes, it doesn't seem to trigger...

<definition>
  <Process>
    <operator type="OR">
      <Condition component="FileItem" condition="is" property="FileNameWithoutExtension" value="powershell" />
      <Condition component="FileItem" condition="is" property="FileNameWithoutExtension" value="cscript" />
      <Condition component="FileItem" condition="is" property="FileNameWithoutExtension" value="wscript" />
      <Condition component="FileItem" condition="is" property="FileNameWithoutExtension" value="cmd" />
    </operator>
  </Process>
  <operations>
    <operation type="RegSetValue">
      <operator type="OR">
        <condition component="RegistryItem" condition="starts" property="Key" value="HKCU:\Software\myEEIEx" />
      </operator>
    </operation>
  </operations>
</definition>
-
Understanding EEI Dashboard
ILoveESET replied to ILoveESET's topic in ESET Inspect On-prem (Detection and Response)
Any update on this please?
-
Relationship between EEI and LiveGrid
ILoveESET replied to ILoveESET's topic in ESET Inspect On-prem (Detection and Response)
Thank you Michal, you are awesome as always!
-
ILoveESET reacted to a post in a topic: Relationship between EEI and LiveGrid
-
Hello my fellow comrades in ESET, may I know which component of LiveGrid is used in EEI to obtain reputation and popularity ratings for executables found in the EEI console? For the reputation ratings, I deduce it should rightfully rely on the LiveGrid Reputation system, which sends hashes of the executables for matching against a database of hashes. But popularity ratings? Do they rely on the LiveGrid Feedback system, where the actual executables are uploaded for further analysis? Does EEI ever send the actual executables to LiveGrid, or just the hashes only?
-
Understanding EEI Dashboard
ILoveESET replied to ILoveESET's topic in ESET Inspect On-prem (Detection and Response)
Thank you Marcos, but in this case, why does the 2 computer bubble show the value 512 for unresolved alarms, and 1 for resolved alarms? Does this mean we just ignore the value behind the ","? Or is there a meaning to those values?
-
Understanding EEI Dashboard
ILoveESET replied to ILoveESET's topic in ESET Inspect On-prem (Detection and Response)
Thank you Marcos, your explanation is very clear! How about the other graph about resolved and unresolved alarms?
-
ILoveESET reacted to a post in a topic: Understanding EEI Dashboard
-
Hello friends, I was fiddling around with EEI, and I came across 2 graphs which I can't really comprehend, and seek a better explanation here: With reference to the above image, what is network popularity? The documentation at https://help.eset.com/eei/1.3/en-US/dashboard_executables.html?zoom_highlightsub=network+popularity states it as "The number of computers which have the module in the enterprise". What exactly does that mean? How do I install network popularity modules at the endpoints? With reference to the above image, how can I actually understand the bubbles? The explanation at https://help.eset.com/eei/1.3/en-US/dashboard_executables.html?dashboard_computers.html doesn't help in understanding at all, or is it just me?