ILoveESET

Members
  • Content Count: 21
  • Joined
  • Last visited

Profile Information

  • Location
    Malaysia

  1. Thank you, Michal, for the precise clarification. I understand the logic better now.
  2. I don't think so, are you sure? If I crafted a detection, say ("Filecoder.Wannacryptod.C"), and configured hash blocking of a known executable matching this detection, it will not be blocked? It is one thing to be excluded, but another to be blocked from execution, isn't it?
  3. Only detection exclusions were created. I was able to block other executables, like TeamViewer QuickSupport and Remote Desktop, just interestingly not this ransomware. Do detection exclusions supersede hash blocking?
  4. Attaching screenshots for clarity (see orange rectangles). As you can see, the executable was blocked, but the execution still occurred. Why? The hash matches exactly.
  5. Hello. As the title of this thread says, what configurations may result in a bypass of the hash blocking set in EEI? I was able to successfully execute ransomware without triggering the antivirus by configuring detection name exclusions. I could see the alarms coming into EEI. I then configured blocking of that ransomware's hash and tried to execute it on another machine. The execution was not blocked. And the best part is that the "Blocked Hashes" entries under "Admin" still show that it was blocked, based on the timestamp displayed in the "Blocked on" column. This is confusing, because an administrator will think it is blocked, but on the user side it was not. Could there be functions in ESMC/EEI that supersede hash blocking? How can I verify whether the hash blocking was indeed sent to the endpoints?