Jamil-soc

Can you provide a screenshot of the detection? Which version of Windows OS is the system running?

Without detection details of the vulnerability exploitation attempt and the current created IDS exclusions it is difficult to pin-point the problem. A properly configured IDS exclusion should solve the problem. Please note that detection by the ESET Endpoint cannot be excluded in a Inspect exclusion. This should be done in the Endpoint manually or via policy via ESET Protect.

This is indeed also useful, but only assuming that the application is installed on the system. Note that most remote access tools also has a potable version that does not require installation. This report template won't work for those processes

Here you go, a rule to detect UltraViewer: <definition> <process> <operator type="or"> <operator type="AND"> <condition component="FileItem" property="Extension" condition="is" value="exe" /> <condition component="Module" property="SignerName" condition="contains" value="DUC FABULOUS CO.,LTD" /> </operator> <operator type="and"> <condition component="FileItem" property="Extension" condition="is" value="exe" /> <operator type="or"> <condition component="Module" property="InternalName" condition="starts" value="UltraViewer" /> <condition component="Module" property="OriginalFileName" condition="starts" value="UltraViewer" /> <condition component="Module" property="CompanyName" condition="starts" value="DucFabulous" /> <condition component="Module" property="ProductName" condition="starts" value="UltraViewer" /> </operator> </operator> </operator> </process> </definition>

I Think the OdoArdTus is referring to sha256 calculation for files, as in .docx, .xlsx, jpeg, etc. and not executables and DLL's, Please correct me if I'm wrong

An alternative would be to log in via Terminal and execute Powershell command "Get-FileHash". PS: add "|Format-List" to format the output as a list:

Have you already checked the EEI server logs? Any additional details in these logs? C:\ProgramData\ESET\EnterpriseInspector\server\logs Do you also have enough disk space on de C drive? in some cases mysql will write temp data to that disk during purging (this can be changed in my.ini). If this is not the case, consider setting server Trace log verbosity to "Debug" under EEI server settings in the dashboard so you have more information in the server logs when the next purge fails.

If you have the application details such as Signature, executable name etc. you can create a rule base on this information. Do you have a specific application in mind you want to detect with a rule?

Was the Detection engine version 23635 (20210716) at the time of detection? you can check this under detection details in ESET Protect.

Which specific version of 7zip is it? The versions from the official website does not seem to have this issue. Update: could you provide the hashes of the objects being detected?

No problem! I'm glad I could help 😃

Hi Jeffry, Thank you for your message. The best way to exclude this detection would be to create an advanced exclusion. Below an example of an advanced exclusion to exclude code injection triggered by a legitimate process: <definition> <operations> <operation type="CodeInjection"> <operator type="and"> <condition component="CodeInjectionInfo" property="CodeInjectionType" condition="is" value="ApcQueue" /> <condition component="FileItem" property="FileName" condition="is" value="ppwatchersvc64.exe" /> <condition component="FileItem" property="Path" condition="is" value="%PROGRAMFILES%\path\app\" /> </operator> </operation> </operations> </definition> Change the FileName and Path accordingly. As mentioned above, this is an example, you can add or remove some conditions if needed. Then Select the rules being triggered and this should exclude the detections. I also noted that you location is the Netherlands. If you are looking for Dutch support or have any further questions please don't hesitate to contact us via https://techcenter.eset.nl/nl/new-ticket Best regards,

Hi, What you are describing sounds like a DB performance issue. What are the server specs?