Jamil-soc

Members
  • Posts: 16
  • Joined
Kudos

  1. Upvote
    Jamil-soc received kudos from MichalJ in Detect user install new application   
    Here you go, a rule to detect UltraViewer:
    <definition>
        <process>
            <operator type="or">
                <operator type="and">
                    <condition component="FileItem" property="Extension" condition="is" value="exe" />
                    <condition component="Module" property="SignerName" condition="contains" value="DUC FABULOUS CO.,LTD" />
                </operator>
                <operator type="and">
                    <condition component="FileItem" property="Extension" condition="is" value="exe" />
                    <operator type="or">
                        <condition component="Module" property="InternalName" condition="starts" value="UltraViewer" />
                        <condition component="Module" property="OriginalFileName" condition="starts" value="UltraViewer" />
                        <condition component="Module" property="CompanyName" condition="starts" value="DucFabulous" />
                        <condition component="Module" property="ProductName" condition="starts" value="UltraViewer" />
                    </operator>
                </operator>
            </operator>
        </process>
    </definition>
  2. Upvote
    Jamil-soc received kudos from Jeffry in Create exclusion for code injection rule   
    Hi Jeffry,
     
    Thank you for your message. The best way to exclude this detection would be to create an advanced exclusion.
    Below is an example of an advanced exclusion that excludes code injection triggered by a legitimate process:
    <definition>
                <operations>
                    <operation type="CodeInjection">
                        <operator type="and">
                            <condition component="CodeInjectionInfo" property="CodeInjectionType" condition="is" value="ApcQueue" />
                            <condition component="FileItem" property="FileName" condition="is" value="ppwatchersvc64.exe" />
                            <condition component="FileItem" property="Path" condition="is" value="%PROGRAMFILES%\path\app\" />
                        </operator>
                    </operation>
                </operations>
    </definition>
     
    Change the FileName and Path accordingly. As mentioned above, this is an example; you can add or remove some conditions if needed. Then select the rules being triggered and this should exclude the detections.
    I also noted that your location is the Netherlands. If you are looking for Dutch support or have any further questions, please don't hesitate to contact us via https://techcenter.eset.nl/nl/new-ticket
    Best regards,

  3. Upvote
    Jamil-soc received kudos from MichalJ in Create exclusion for code injection rule   
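Both posts above use the same nested <operator>/<condition> rule structure, so here is an added example (not from the forum, and not ESET's own engine) that evaluates the UltraViewer detection rule from the first post against constructed process events, showing which branch of the or/and tree fires. It assumes string comparisons are case-insensitive and that event fields can be looked up as "Component.Property"; the sample events are constructed, not real telemetry.

```python
import xml.etree.ElementTree as ET

# The detection rule from the first post (operator types normalised to lowercase).
ULTRAVIEWER_RULE = """<definition><process>
  <operator type="or">
    <operator type="and">
      <condition component="FileItem" property="Extension" condition="is" value="exe" />
      <condition component="Module" property="SignerName" condition="contains" value="DUC FABULOUS CO.,LTD" />
    </operator>
    <operator type="and">
      <condition component="FileItem" property="Extension" condition="is" value="exe" />
      <operator type="or">
        <condition component="Module" property="InternalName" condition="starts" value="UltraViewer" />
        <condition component="Module" property="OriginalFileName" condition="starts" value="UltraViewer" />
        <condition component="Module" property="CompanyName" condition="starts" value="DucFabulous" />
        <condition component="Module" property="ProductName" condition="starts" value="UltraViewer" />
      </operator>
    </operator>
  </operator>
</process></definition>"""

# Assumption: string comparisons are case-insensitive (the post does not say).
COMPARATORS = {
    "is": lambda actual, expected: actual.lower() == expected.lower(),
    "contains": lambda actual, expected: expected.lower() in actual.lower(),
    "starts": lambda actual, expected: actual.lower().startswith(expected.lower()),
}

def evaluate(node, event):
    """Recursively evaluate an <operator>/<condition> subtree against one event dict."""
    if node.tag == "condition":
        actual = event.get(f"{node.get('component')}.{node.get('property')}", "")
        return COMPARATORS[node.get("condition")](actual, node.get("value"))
    if node.tag == "operator":
        results = [evaluate(child, event) for child in node]   # child elements only
        return all(results) if node.get("type").lower() == "and" else any(results)
    raise ValueError(f"unexpected element <{node.tag}>")

def rule_matches(rule_xml, event):
    """True when the single top-level operator inside the rule's scope element matches."""
    scope = ET.fromstring(rule_xml)[0]          # the <process> scope
    return evaluate(scope[0], event)

# Constructed sample events keyed as "Component.Property" (not real telemetry).
SAMPLE_EVENTS = {
    "signed_installer": {"FileItem.Extension": "exe", "Module.SignerName": "Duc Fabulous Co.,Ltd"},
    "unsigned_renamed": {"FileItem.Extension": "exe", "Module.InternalName": "UltraViewer_Desktop"},
    "dll_same_vendor": {"FileItem.Extension": "dll", "Module.CompanyName": "DucFabulous"},
    "other_tool": {"FileItem.Extension": "exe", "Module.ProductName": "AnyDesk"},
}

def matching_events(rule_xml=ULTRAVIEWER_RULE):
    return sorted(name for name, ev in SAMPLE_EVENTS.items() if rule_matches(rule_xml, ev))
```

Note that the "dll_same_vendor" event is rejected by the Extension gate in both branches, which is the point of repeating that condition under each <operator type="and">.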
