About Jamil-soc
Posts: 16
Rank: Newbie
Gender: Male
Location: Netherlands
-
Without detection details of the vulnerability exploitation attempt and the currently created IDS exclusions it is difficult to pinpoint the problem. A properly configured IDS exclusion should solve the problem. Please note that a detection by the ESET Endpoint cannot be excluded in an Inspect exclusion. This should be done in the Endpoint manually or via policy via ESET Protect.
-
Detect user install new application
Jamil-soc replied to CKs's topic in ESET Inspect On-prem (Detection and Response)
This is indeed also useful, but only assuming that the application is installed on the system. Note that most remote access tools also have a portable version that does not require installation. This report template won't work for those processes.
-
Detect user install new application
Jamil-soc replied to CKs's topic in ESET Inspect On-prem (Detection and Response)
Here you go, a rule to detect UltraViewer:

<definition>
  <process>
    <operator type="or">
      <operator type="and">
        <condition component="FileItem" property="Extension" condition="is" value="exe" />
        <condition component="Module" property="SignerName" condition="contains" value="DUC FABULOUS CO.,LTD" />
      </operator>
      <operator type="and">
        <condition component="FileItem" property="Extension" condition="is" value="exe" />
        <operator type="or">
          <condition component="Module" property="InternalName" condition="starts" value="UltraViewer" />
          <condition component="Module" property="OriginalFileName" condition="starts" value="UltraViewer" />
          <condition component="Module" property="CompanyName" condition="starts" value="DucFabulous" />
          <condition component="Module" property="ProductName" condition="starts" value="UltraViewer" />
        </operator>
      </operator>
    </operator>
  </process>
</definition>
-
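The rule above matches on module metadata rather than on an installer, which is what covers the portable builds mentioned earlier in the thread. The following is an added example, not ESET's code: a small evaluator that walks the same operator/condition XML and checks constructed process-metadata events against it, so you can see which combinations of signer name, InternalName, CompanyName and extension would fire before deploying the rule. The comparison semantics (case-insensitive `is`/`contains`/`starts`) are an assumption about Inspect's engine.

```python
import xml.etree.ElementTree as ET

# The UltraViewer rule from the post above, embedded verbatim as sample input.
RULE_XML = """<definition><process><operator type="or">
  <operator type="and">
    <condition component="FileItem" property="Extension" condition="is" value="exe" />
    <condition component="Module" property="SignerName" condition="contains" value="DUC FABULOUS CO.,LTD" />
  </operator>
  <operator type="and">
    <condition component="FileItem" property="Extension" condition="is" value="exe" />
    <operator type="or">
      <condition component="Module" property="InternalName" condition="starts" value="UltraViewer" />
      <condition component="Module" property="OriginalFileName" condition="starts" value="UltraViewer" />
      <condition component="Module" property="CompanyName" condition="starts" value="DucFabulous" />
      <condition component="Module" property="ProductName" condition="starts" value="UltraViewer" />
    </operator>
  </operator>
</operator></process></definition>"""

# Assumed comparison semantics (case-insensitive string matching); Inspect's real
# engine may differ, so treat this as a pre-deployment sanity check, not ground truth.
def _compare(op, actual, expected):
    a, e = actual.lower(), expected.lower()
    return {"is": a == e, "contains": e in a, "starts": a.startswith(e)}[op]

def evaluate(node, event):
    """Walk the <operator>/<condition> tree; event maps (component, property) -> value."""
    if node.tag == "condition":
        actual = event.get((node.get("component"), node.get("property")), "")
        return _compare(node.get("condition"), actual, node.get("value"))
    if node.tag == "operator":
        results = [evaluate(child, event) for child in node]
        return any(results) if node.get("type").lower() == "or" else all(results)
    return all(evaluate(child, event) for child in node)  # <definition>/<process> wrappers

def rule_matches(rule_xml, event):
    return evaluate(ET.fromstring(rule_xml), event)

# Constructed process-metadata events (not real telemetry).
PORTABLE_UNSIGNED = {("FileItem", "Extension"): "exe", ("Module", "SignerName"): "",
                     ("Module", "InternalName"): "UltraViewer_Desktop"}
RENAMED_SIGNED = {("FileItem", "Extension"): "exe", ("Module", "InternalName"): "svchost",
                  ("Module", "SignerName"): "Duc Fabulous Co.,Ltd"}
BENIGN_EXE = {("FileItem", "Extension"): "exe", ("Module", "InternalName"): "notepad",
              ("Module", "CompanyName"): "Microsoft Corporation"}
ULTRAVIEWER_DLL = {("FileItem", "Extension"): "dll", ("Module", "ProductName"): "UltraViewer"}

if __name__ == "__main__":
    for name, ev in [("portable", PORTABLE_UNSIGNED), ("renamed", RENAMED_SIGNED),
                     ("benign", BENIGN_EXE), ("dll", ULTRAVIEWER_DLL)]:
        print(name, rule_matches(RULE_XML, ev))
```

Note that the DLL case does not match because both branches require Extension "exe"; drop that condition if you also want loaded modules covered.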
Hash file => SHA-256
Jamil-soc replied to OdoArdTus's topic in ESET Inspect On-prem (Detection and Response)
I think OdoArdTus is referring to SHA-256 calculation for files such as .docx, .xlsx, .jpeg, etc., and not executables and DLLs. Please correct me if I'm wrong. -
Hash file => SHA-256
Jamil-soc replied to OdoArdTus's topic in ESET Inspect On-prem (Detection and Response)
An alternative would be to log in via Terminal and execute the PowerShell command "Get-FileHash". PS: add "|Format-List" to format the output as a list: -
Have you already checked the EEI server logs? Any additional details in these logs? C:\ProgramData\ESET\EnterpriseInspector\server\logs Do you also have enough disk space on the C drive? In some cases MySQL will write temp data to that disk during purging (this can be changed in my.ini). If this is not the case, consider setting the server Trace log verbosity to "Debug" under EEI server settings in the dashboard so you have more information in the server logs when the next purge fails.
-
Detect user install new application
Jamil-soc replied to CKs's topic in ESET Inspect On-prem (Detection and Response)
If you have the application details such as signature, executable name, etc., you can create a rule based on this information. Do you have a specific application in mind you want to detect with a rule? -
Create exclusion for code injection rule
Jamil-soc replied to Jeffry's topic in ESET Inspect On-prem (Detection and Response)
No problem! I'm glad I could help 😃 -
Create exclusion for code injection rule
Jamil-soc replied to Jeffry's topic in ESET Inspect On-prem (Detection and Response)
Hi Jeffry, Thank you for your message. The best way to exclude this detection would be to create an advanced exclusion. Below is an example of an advanced exclusion to exclude code injection triggered by a legitimate process:

<definition>
  <operations>
    <operation type="CodeInjection">
      <operator type="and">
        <condition component="CodeInjectionInfo" property="CodeInjectionType" condition="is" value="ApcQueue" />
        <condition component="FileItem" property="FileName" condition="is" value="ppwatchersvc64.exe" />
        <condition component="FileItem" property="Path" condition="is" value="%PROGRAMFILES%\path\app\" />
      </operator>
    </operation>
  </operations>
</definition>

Change the FileName and Path accordingly. As mentioned above, this is an example; you can add or remove some conditions if needed. Then select the rules being triggered and this should exclude the detections. I also noted that your location is the Netherlands. If you are looking for Dutch support or have any further questions please don't hesitate to contact us via https://techcenter.eset.nl/nl/new-ticket Best regards,