
ILoveESET

Members
  • Posts

    22
About ILoveESET

  • Rank
    Newbie

Profile Information

  • Location
    Malaysia


  1. Hello, can I know the logic behind EEI's capability in identifying the source of origin for executables? I tried downloading this executable antivirus.exe from websites, but I do not see it reflected here.
  2. Thank you Michal for the precise clarification. I understand the logic better now.
  3. I don't think so, are you sure? If I crafted a detection, say ("Filecoder.Wannacryptod.C"), and configured hash blocking of a known executable matching this detection, it will not be blocked? It is one thing to be excluded, but another to be blocked from execution, ain't it?
  4. Only detection exclusions were created. I was able to block other executables, like TeamViewer QuickSupport and Remote Desktop, just interestingly not this ransomware. Do detection exclusions supersede hash blocking?
  5. Attaching screenshots for clarity (see orange rectangles). As you can see, the executable was blocked but it still occurred. Why? The hash matches exactly.
  6. Hello, as the title of this thread sounds, what configurations may result in a bypass of the blocking of hashes set in EEI? I was able to successfully execute a ransomware without a trigger from the antivirus through configuration of detection name exclusions. I could see the alarms coming into the EEI. I then configured blocking of that ransomware hash, and tried to execute it on another machine. The execution was not blocked. And the best part is that the "Blocked Hashes" entries under "Admin" still show that it was blocked, based on the timestamp displayed in the "Blocked on" column. This is confusing because an administrator will think it is blocked, but at the user side it was not. Could there be functions in ESMC/EEI that supersede the blocking of hashes? How can I verify if the blocking of hashes was indeed sent to the endpoints?
  7. Hello, I was trying to create a rule which detects registry changes made by PowerShell that was generated from Excel. Below is my rule set. It passed the syntax check. The activity was reproduced by creating the registry key HKCU:\Software\myEEIEx on endpoints with the EEI agent installed. Detecting the registry key change worked, but when adding the logic of detecting process changes, it doesn't seem to trigger...

     <definition>
       <Process>
         <operator type="OR">
           <Condition component="FileItem" condition="is" property="FileNameWithoutExtension" value="powershell" />
           <Condition component="FileItem" condition="is" property="FileNameWithoutExtension" value="cscript" />
           <Condition component="FileItem" condition="is" property="FileNameWithoutExtension" value="wscript" />
           <Condition component="FileItem" condition="is" property="FileNameWithoutExtension" value="cmd" />
         </operator>
       </Process>
       <operations>
         <operation type="RegSetValue">
           <operator type="OR">
             <condition component="RegistryItem" condition="starts" property="Key" value="HKCU:\Software\myEEIEx" />
           </operator>
         </operation>
       </operations>
     </definition>
  8. Hello my fellow comrades in ESET, may I know which component of LiveGrid is used in EEI to obtain reputation and popularity ratings for executables found in the EEI console? For the reputation ratings, I deduce it should rightfully rely on the LiveGrid Reputation system, which sends hashes of the executables for matching against a database of hashes. But popularity ratings? Does it rely on the LiveGrid Feedback system, where the actual executables are uploaded for further analysis? Does EEI ever send the actual executables to LiveGrid, or just the hashes only?
  9. Thank you Marcos, but in this case, why does the 2-computer bubble show the value 512 for unresolved alarms, and 1 for resolved alarms? Does this mean we just ignore the value behind the ","? Or is there a meaning to those values?
  10. Thank you Marcos, your explanation is very clear! How about the other graph about resolved and unresolved alarms?
  11. Hello friends, I was fiddling around with EEI, and I came across 2 graphs which I can't really comprehend, and seek a better explanation here: Reference to the above image, what is network popularity? Documentation from https://help.eset.com/eei/1.3/en-US/dashboard_executables.html?zoom_highlightsub=network+popularity states it as "The number of computers which have the module in the enterprise". What exactly does that mean? How do I install network popularity modules at the endpoints? Reference to the above image, how can I actually understand the bubbles? https://help.eset.com/eei/1.3/en-US/dashboard_executables.html?dashboard_computers.html The explanation doesn't help in understanding at all, or is it just me?