dmaasland

No, you can use your own CA for everything if you want. Though it can be a bit challenging to find out how ;). If you're not really familiar with the wonderful world of PKI i'd recommend taking a look at easy-rsa: https://easy-rsa.readthedocs.io/en/latest/ Two gotcha's you might want to consider: 1. Import the CA certificate into ESET PROTECT ( / ESET Security Management Center) 2. When generating certificates, make sure agent certificates have the word "agent" in the CN, and server certificates have the word "server" in the CN. Also, check out this help page: https://help.eset.com/protect_admin/latest/en-US/custom_certificates.html

Try something like this: <?xml version="1.0" encoding="utf-8"?> <rule> <definition> <operations> <operation type="WriteFile"> <operator type="or"> <condition component="FileItem" property="Path" condition="starts" value="%APPDATA%\microsoft\windows\themes\cachedfiles\" /> <condition component="FileItem" property="FullPath" condition="is" value="%APPDATA%\microsoft\windows\themes\transcodedwallpaper" /> </operator> </operation> <operation type="RegSetValue"> <condition component="RegistryItem" property="Key" condition="starts" value="HKCU\software\microsoft\windows\currentversion\explorer\wallpapers\backgroundhistorypath" /> </operation> <operation type="RegDeleteValue"> <condition component="RegistryItem" property="Key" condition="starts" value="HKCU\software\microsoft\windows\currentversion\explorer\wallpapers\backgroundhistorypath" /> </operation> </operations> </definition> <description> <name>Wallpaper was altered</name> <explanation> The wallpaper was altered </explanation> <category> Default </category> </description> </rule>

Sorry for the late reply, but, you can actually already do this. If you create an "Advanced" exclusion you can use all conditions that are available to the rule engine. So something like: <definition> <process> <operator type="OR"> <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="OUTLOOK"/> <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="EXCEL"/> <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="WINWORD"/> <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="POWERPNT"/> </operator> </process> <operations> <operation type="WriteFile"> <operator type="AND"> <condition component="FileItem" property="Path" condition="starts" value="%LOCALAPPDATA%\microsoft\windows\inetcache\content.mso" /> <operator type="OR"> <condition component="FileItem" property="Extension" condition="is" value="com" /> <condition component="FileItem" property="Extension" condition="is" value="exe" /> </operator> </operator> </operation> </operations> </definition> I've not tested it but something like that should probably work. Alternatively you can use the "ModuleDrop" operation instead of "WriteFile" if you're only interested in executables. Makes the rule a bit faster.

You can add an action to a rule. If you want to edit a built-in rule, duplicate it first. Then, add the desired action to it: The action you're looking for would be "BlockProcessExecutable" or "CleanAndBlockProcessExecutable". Check out page 6 in the EEI rule guide: https://help.eset.com/tools/eei/eei_rules_guide_1.6.pdf Don't forget to also specify the "TriggerDetection". This is the default action if no action is specified, but gets overwritten as soon as you specify your custom action. This causes the rule to not create a detection but only block the executable if you don't add that action as well.

Just as a test, does it work if you remove the "signer name" condition? Could you click on "Advanced" and post the exclusion's XML?