Jamil-soc

Posts posted by Jamil-soc

  1. Without the detection details of the vulnerability exploitation attempt and the IDS exclusions currently created, it is difficult to pinpoint the problem. A properly configured IDS exclusion should solve the problem.

    Please note that a detection by the ESET Endpoint cannot be excluded in an Inspect exclusion. This should be done in the Endpoint manually or via policy in ESET Protect.

  2. On 2/16/2022 at 10:05 PM, schuetzdentalCB said:

    Maybe helpful:

    I'm doing this over the ESET Protect console with a report template which can be shown on the Dashboard:

    > Reports > And then add:

    Table Columns
    Installed software . Application name
    Installed software . Time of occurrence
    Installed software . Application vendor
    Computer . Computer name
    Computer . Computer description
    ...

    And Sort by
    Installed software . Time of occurrence  OR >  just sort by application name

    - So I can see all software which got installed on clients.

    This is indeed also useful, but only assuming that the application is installed on the system. Note that most remote access tools also have a portable version that does not require installation. This report template won't work for those processes :)

  3. On 1/21/2022 at 6:05 AM, Ted Join said:

    @Jamil-soc I have the same question: how can we detect if a user installs the application named "UltraViewer_setup_6.5_vi.exe"?

    Here you go, a rule to detect UltraViewer:

    <definition>
        <process>
            <operator type="or">
                <!-- Branch 1: any executable signed by the UltraViewer vendor -->
                <operator type="and">
                    <condition component="FileItem" property="Extension" condition="is" value="exe" />
                    <condition component="Module" property="SignerName" condition="contains" value="DUC FABULOUS CO.,LTD" />
                </operator>
                <!-- Branch 2: unsigned or renamed copies, matched on the PE version info -->
                <operator type="and">
                    <condition component="FileItem" property="Extension" condition="is" value="exe" />
                    <operator type="or">
                        <condition component="Module" property="InternalName" condition="starts" value="UltraViewer" />
                        <condition component="Module" property="OriginalFileName" condition="starts" value="UltraViewer" />
                        <condition component="Module" property="CompanyName" condition="starts" value="DucFabulous" />
                        <condition component="Module" property="ProductName" condition="starts" value="UltraViewer" />
                    </operator>
                </operator>
            </operator>
        </process>
    </definition>

  4. 9 hours ago, Adam Luzsicza said:

    Hello OdoArdTus,


    In the latest version 1.6 of ESET Enterprise Inspector it is possible to view not only the default SHA1 hash values of executables but also their SHA256 values in the executable details view.

    Additionally, if you also require MD5 hash values to be calculated for executables, this can be configured via the EI Agent policy from ESET PROTECT (see screenshot below).

    If you are using an older version of EEI, it is possible to enable SHA256 calculation via policy just like for MD5.

    If you wish to block executables via EEI it is currently only possible to do so based on SHA1 values. SHA256 is planned for the future but I do not have a precise date for you yet.

    Adam, EEI Product Manager 

    I think OdoArdTus is referring to SHA256 calculation for files, as in .docx, .xlsx, .jpeg, etc., and not executables and DLLs. Please correct me if I'm wrong :)

  5. Have you already checked the EEI server logs? Any additional details in these logs?

    C:\ProgramData\ESET\EnterpriseInspector\server\logs

    Do you also have enough disk space on the C drive? In some cases MySQL will write temp data to that disk during purging (this can be changed in my.ini). If this is not the case, consider setting the server Trace log verbosity to "Debug" under the EEI server settings in the dashboard, so you have more information in the server logs when the next purge fails.

  6. Hi Jeffry,


    Thank you for your message. The best way to exclude this detection would be to create an advanced exclusion.

    Below is an example of an advanced exclusion that excludes code injection triggered by a legitimate process:

    <definition>
        <operations>
            <operation type="CodeInjection">
                <!-- All three conditions must hold for the detection to be excluded -->
                <operator type="and">
                    <condition component="CodeInjectionInfo" property="CodeInjectionType" condition="is" value="ApcQueue" />
                    <condition component="FileItem" property="FileName" condition="is" value="ppwatchersvc64.exe" />
                    <condition component="FileItem" property="Path" condition="is" value="%PROGRAMFILES%\path\app\" />
                </operator>
            </operation>
        </operations>
    </definition>

    Change the FileName and Path accordingly. As mentioned above, this is an example; you can add or remove conditions if needed. Then select the rules being triggered and this should exclude the detections.

    I also noted that your location is the Netherlands. If you are looking for Dutch support or have any further questions, please don't hesitate to contact us via https://techcenter.eset.nl/nl/new-ticket

    Best regards,

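The UltraViewer detection rule in post 3 and the code-injection exclusion in post 6 share one definition grammar: nested and/or operators over component/property conditions. The script below is an added example, not ESET's code or Jamil-soc's, that parses both fragments and evaluates them against constructed sample events, so you can see which branch of the UltraViewer rule fires for a signed install versus a renamed portable copy, and why the exclusion only suppresses the exact ApcQueue case. The matching semantics (case-insensitive "is"/"contains"/"starts", an operation block applying only to events of its type) and every sample event are assumptions made for illustration.

```python
"""Evaluate ESET Inspect-style rule definitions against sample process events.
Added example, not ESET's or the poster's code. The matching semantics (case-
insensitive "is"/"contains"/"starts", "and"/"or" operators, an <operation type="X">
block applying only to events of type X) and every sample event are assumptions."""
import xml.etree.ElementTree as ET

# Detection rule from post 3 (operator types normalised to lowercase).
ULTRAVIEWER_RULE = """
<definition>
  <process>
    <operator type="or">
      <operator type="and">
        <condition component="FileItem" property="Extension" condition="is" value="exe" />
        <condition component="Module" property="SignerName" condition="contains" value="DUC FABULOUS CO.,LTD" />
      </operator>
      <operator type="and">
        <condition component="FileItem" property="Extension" condition="is" value="exe" />
        <operator type="or">
          <condition component="Module" property="InternalName" condition="starts" value="UltraViewer" />
          <condition component="Module" property="OriginalFileName" condition="starts" value="UltraViewer" />
          <condition component="Module" property="CompanyName" condition="starts" value="DucFabulous" />
          <condition component="Module" property="ProductName" condition="starts" value="UltraViewer" />
        </operator>
      </operator>
    </operator>
  </process>
</definition>
"""

# Advanced exclusion from post 6 (backslashes doubled for the Python literal).
CODE_INJECTION_EXCLUSION = """
<definition>
  <operations>
    <operation type="CodeInjection">
      <operator type="and">
        <condition component="CodeInjectionInfo" property="CodeInjectionType" condition="is" value="ApcQueue" />
        <condition component="FileItem" property="FileName" condition="is" value="ppwatchersvc64.exe" />
        <condition component="FileItem" property="Path" condition="is" value="%PROGRAMFILES%\\path\\app\\" />
      </operator>
    </operation>
  </operations>
</definition>
"""

# Constructed sample events (not real telemetry). Keys are "Component.Property"
# as referenced by <condition>; "Operation" is the event type.
SIGNED_ULTRAVIEWER = {
    "FileItem.Extension": "exe", "FileItem.FileName": "UltraViewer_Desktop.exe",
    "Module.SignerName": "DUC FABULOUS CO.,LTD", "Module.InternalName": "UltraViewer",
    "Module.OriginalFileName": "UltraViewer_Desktop.exe",
    "Module.CompanyName": "DucFabulous Co.,Ltd", "Module.ProductName": "UltraViewer",
}
# Renamed, unsigned (portable) copy: the signer branch fails, version info still hits.
RENAMED_PORTABLE_ULTRAVIEWER = {
    "FileItem.Extension": "exe", "FileItem.FileName": "update.exe",
    "Module.InternalName": "UltraViewer", "Module.OriginalFileName": "UltraViewer_Desktop.exe",
}
NOTEPAD = {
    "FileItem.Extension": "exe", "FileItem.FileName": "notepad.exe",
    "Module.SignerName": "Microsoft Windows", "Module.InternalName": "Notepad",
    "Module.OriginalFileName": "NOTEPAD.EXE", "Module.CompanyName": "Microsoft Corporation",
    "Module.ProductName": "Microsoft Windows Operating System",
}
LEGIT_APC_INJECTION = {
    "Operation": "CodeInjection", "CodeInjectionInfo.CodeInjectionType": "ApcQueue",
    "FileItem.FileName": "ppwatchersvc64.exe", "FileItem.Path": "%PROGRAMFILES%\\path\\app\\",
}
# Same binary and path, different (constructed) injection type: not excluded.
OTHER_INJECTION = {**LEGIT_APC_INJECTION, "CodeInjectionInfo.CodeInjectionType": "OtherTechnique"}

# Condition tests, applied to lowercased (actual, expected) strings.
_TESTS = {"is": str.__eq__, "contains": lambda a, e: e in a, "starts": str.startswith}


def _condition_holds(cond, event):
    """Test one <condition>; a property absent from the event never matches."""
    actual = event.get(f"{cond.get('component')}.{cond.get('property')}")
    if actual is None:
        return False
    test = _TESTS[cond.get("condition", "").lower()]  # KeyError on unsupported types
    return test(actual.lower(), cond.get("value", "").lower())


def _node_holds(node, event):
    """Recursively evaluate one element of the definition tree."""
    if node.tag == "condition":
        return _condition_holds(node, event)
    if node.tag == "operator":
        combine = {"and": all, "or": any}[node.get("type", "").lower()]
        return combine(_node_holds(child, event) for child in node)
    if node.tag == "operation" and event.get("Operation") != node.get("type"):
        return False
    # <definition>, <process>, <operations>, <operation>: all children must hold.
    return all(_node_holds(child, event) for child in node)


def rule_matches(rule_xml, event):
    """True when the rule or exclusion definition matches the event."""
    return _node_holds(ET.fromstring(rule_xml.strip()), event)
```

Running `rule_matches(ULTRAVIEWER_RULE, RENAMED_PORTABLE_ULTRAVIEWER)` returns True even though the file was renamed and the signer is missing, which is what the second branch of the rule is for; `rule_matches(CODE_INJECTION_EXCLUSION, OTHER_INJECTION)` returns False because the exclusion is pinned to the ApcQueue type, so changing the FileName and Path as the post says is enough to adapt it without widening it to every injection from that binary.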