Posts: 16
Jamil-soc received kudos from MichalJ in Detect user install new application
Here you go, a rule to detect UltraViewer:
<definition>
  <process>
    <operator type="or">
      <operator type="and">
        <condition component="FileItem" property="Extension" condition="is" value="exe" />
        <condition component="Module" property="SignerName" condition="contains" value="DUC FABULOUS CO.,LTD" />
      </operator>
      <operator type="and">
        <condition component="FileItem" property="Extension" condition="is" value="exe" />
        <operator type="or">
          <condition component="Module" property="InternalName" condition="starts" value="UltraViewer" />
          <condition component="Module" property="OriginalFileName" condition="starts" value="UltraViewer" />
          <condition component="Module" property="CompanyName" condition="starts" value="DucFabulous" />
          <condition component="Module" property="ProductName" condition="starts" value="UltraViewer" />
        </operator>
      </operator>
    </operator>
  </process>
</definition>
-
Jamil-soc received kudos from Jeffry in Create exclusion for code injection rule
Hi Jeffry,
Thank you for your message. The best way to exclude this detection would be to create an advanced exclusion.
Below is an example of an advanced exclusion to exclude code injection triggered by a legitimate process:
<definition>
  <operations>
    <operation type="CodeInjection">
      <operator type="and">
        <condition component="CodeInjectionInfo" property="CodeInjectionType" condition="is" value="ApcQueue" />
        <condition component="FileItem" property="FileName" condition="is" value="ppwatchersvc64.exe" />
        <condition component="FileItem" property="Path" condition="is" value="%PROGRAMFILES%\path\app\" />
      </operator>
    </operation>
  </operations>
</definition>
Change the FileName and Path accordingly. As mentioned above, this is an example; you can add or remove some conditions if needed. Then select the rules being triggered and this should exclude the detections.
I also noted that your location is the Netherlands. If you are looking for Dutch support or have any further questions, please don't hesitate to contact us via https://techcenter.eset.nl/nl/new-ticket
Best regards,
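The two posts above (the UltraViewer detection rule and the code-injection exclusion) share the same `<definition>` grammar: nested `<operator type="and|or">` elements over `<condition component/property/condition/value>` leaves. The script below is an added example, not ESET's engine or anything from the forum posts: a small evaluator that parses that grammar with the standard library and replays both definitions over constructed events, so you can check before deploying that a renamed, unsigned UltraViewer binary still trips the second branch of the rule and that the exclusion only suppresses the `ApcQueue` case it names. Case-insensitive string matching and the `component -> {property: value}` event layout are assumptions of this script.

```python
"""Toy evaluator for the ESET Inspect-style rule XML in the posts above.
Added example, not ESET's engine.  Assumed: string comparisons are
case-insensitive; an event is a dict of component -> {property: value},
plus an "operation" key for operation-level rules and exclusions."""
import xml.etree.ElementTree as ET

ULTRAVIEWER_RULE = """<definition>
  <process>
    <operator type="or">
      <operator type="AND">
        <condition component="FileItem" property="Extension" condition="is" value="exe" />
        <condition component="Module" property="SignerName" condition="contains" value="DUC FABULOUS CO.,LTD" />
      </operator>
      <operator type="and">
        <condition component="FileItem" property="Extension" condition="is" value="exe" />
        <operator type="or">
          <condition component="Module" property="InternalName" condition="starts" value="UltraViewer" />
          <condition component="Module" property="OriginalFileName" condition="starts" value="UltraViewer" />
          <condition component="Module" property="CompanyName" condition="starts" value="DucFabulous" />
          <condition component="Module" property="ProductName" condition="starts" value="UltraViewer" />
        </operator>
      </operator>
    </operator>
  </process>
</definition>"""

CODE_INJECTION_EXCLUSION = """<definition>
  <operations>
    <operation type="CodeInjection">
      <operator type="and">
        <condition component="CodeInjectionInfo" property="CodeInjectionType" condition="is" value="ApcQueue" />
        <condition component="FileItem" property="FileName" condition="is" value="ppwatchersvc64.exe" />
        <condition component="FileItem" property="Path" condition="is" value="%PROGRAMFILES%\\path\\app\\" />
      </operator>
    </operation>
  </operations>
</definition>"""


def _condition_matches(cond: ET.Element, event: dict) -> bool:
    """Compare one <condition> with the event's component.property value."""
    actual = event.get(cond.get("component"), {}).get(cond.get("property"))
    if actual is None:                      # attribute absent from the event: no match
        return False
    op = cond.get("condition", "").lower()
    actual, expected = actual.lower(), cond.get("value", "").lower()  # assumed case-insensitive
    if op == "is":
        return actual == expected
    if op == "contains":
        return expected in actual
    if op == "starts":
        return actual.startswith(expected)
    raise ValueError(f"unsupported condition type {op!r}")


def _node_matches(node: ET.Element, event: dict) -> bool:
    """Recursively evaluate an <operator> (and/or) or a leaf <condition>."""
    if node.tag == "condition":
        return _condition_matches(node, event)
    if node.tag != "operator":
        raise ValueError(f"unexpected element <{node.tag}>")
    results = [_node_matches(child, event) for child in node]
    kind = node.get("type", "and").lower()  # the posted rule mixes "AND" and "and"
    if kind == "and":
        return all(results)
    if kind == "or":
        return any(results)
    raise ValueError(f"unsupported operator type {kind!r}")


def rule_matches(rule_xml: str, event: dict) -> bool:
    """True when the rule or exclusion definition fires on the event."""
    root = ET.fromstring(rule_xml)
    process = root.find("process")
    if process is not None:                 # <definition><process>: process-level rule
        return all(_node_matches(child, event) for child in process)
    for operation in root.iterfind("operations/operation"):
        if operation.get("type") == event.get("operation"):   # e.g. CodeInjection
            return all(_node_matches(child, event) for child in operation)
    return False


# Constructed sample events (not real telemetry).
SIGNED_ULTRAVIEWER = {"FileItem": {"Extension": "exe", "FileName": "UltraViewer_Desktop.exe"},
                      "Module": {"SignerName": "DUC FABULOUS CO.,LTD", "ProductName": "UltraViewer"}}
# Renamed and signature stripped: the PE version info still gives it away (second branch).
RENAMED_UNSIGNED_ULTRAVIEWER = {"FileItem": {"Extension": "exe", "FileName": "svchost.exe"},
                                "Module": {"SignerName": "", "OriginalFileName": "UltraViewer_Desktop.exe"}}
NOTEPAD = {"FileItem": {"Extension": "exe", "FileName": "notepad.exe"},
           "Module": {"SignerName": "Microsoft Windows", "ProductName": "Microsoft Windows Operating System"}}
EXCLUDED_INJECTION = {"operation": "CodeInjection",
                      "CodeInjectionInfo": {"CodeInjectionType": "ApcQueue"},
                      "FileItem": {"FileName": "ppwatchersvc64.exe", "Path": "%PROGRAMFILES%\\path\\app\\"}}
# Same binary, different injection technique: the exclusion must NOT suppress this one.
OTHER_INJECTION_SAME_FILE = {"operation": "CodeInjection",
                             "CodeInjectionInfo": {"CodeInjectionType": "CreateRemoteThread"},
                             "FileItem": {"FileName": "ppwatchersvc64.exe", "Path": "%PROGRAMFILES%\\path\\app\\"}}
```

The exclusion is an `and` over three conditions, so it is as narrow as the posted example intends: drop the `CodeInjectionType` condition only if you are prepared to exclude every injection technique from that binary, and keep the `Path` condition so a copy of the same file name dropped elsewhere is not silently excluded too.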
-
Jamil-soc received kudos from MichalJ in Create exclusion for code injection rule