About dmaasland
  1. Try something like this:

```xml
<?xml version="1.0" encoding="utf-8"?>
<rule>
  <definition>
    <operations>
      <operation type="WriteFile">
        <operator type="or">
          <condition component="FileItem" property="Path" condition="starts" value="%APPDATA%\microsoft\windows\themes\cachedfiles\" />
          <condition component="FileItem" property="FullPath" condition="is" value="%APPDATA%\microsoft\windows\themes\transcodedwallpaper" />
        </operator>
      </operation>
      <operation type="RegSetValue">
        <condition component="RegistryItem" property="Key" condition="starts" value="HKCU\software\microsoft\windows\currentversion\explorer\wallpapers\backgroundhistorypath" />
      </operation>
      <operation type="RegDeleteValue">
        <condition component="RegistryItem" property="Key" condition="starts" value="HKCU\software\microsoft\windows\currentversion\explorer\wallpapers\backgroundhistorypath" />
      </operation>
    </operations>
  </definition>
  <description>
    <name>Wallpaper was altered</name>
    <explanation>The wallpaper was altered</explanation>
    <category>Default</category>
  </description>
</rule>
```
  2. Sorry for the late reply, but you can actually already do this. If you create an "Advanced" exclusion you can use all conditions that are available to the rule engine. So something like:

```xml
<definition>
  <process>
    <operator type="OR">
      <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="OUTLOOK" />
      <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="EXCEL" />
      <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="WINWORD" />
      <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="POWERPNT" />
    </operator>
  </process>
  <operations>
    <operation type="WriteFile">
      <operator type="AND">
        <condition component="FileItem" property="Path" condition="starts" value="%LOCALAPPDATA%\microsoft\windows\inetcache\content.mso" />
        <operator type="OR">
          <condition component="FileItem" property="Extension" condition="is" value="com" />
          <condition component="FileItem" property="Extension" condition="is" value="exe" />
        </operator>
      </operator>
    </operation>
  </operations>
</definition>
```

I've not tested it, but something like that should probably work. Alternatively you can use the "ModuleDrop" operation instead of "WriteFile" if you're only interested in executables. Makes the rule a bit faster.
  3. You can add an action to a rule. If you want to edit a built-in rule, duplicate it first. Then, add the desired action to it: The action you're looking for would be "BlockProcessExecutable" or "CleanAndBlockProcessExecutable". Check out page 6 in the EEI rule guide: https://help.eset.com/tools/eei/eei_rules_guide_1.6.pdf Don't forget to also specify the "TriggerDetection". This is the default action if no action is specified, but gets overwritten as soon as you specify your custom action. This causes the rule to not create a detection but only block the executable if you don't add that action as well.
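As an added example (not part of the original post and not ESET's own tooling), here is a small Python linter for EEI-style rule XML that catches the pitfall described in the post above: a duplicated rule that gets a "BlockProcessExecutable" or "CleanAndBlockProcessExecutable" action but loses "TriggerDetection", so it blocks silently without creating a detection. The `<actions><action name="..."/></actions>` element layout and the sample rule are assumptions constructed for the example; check them against the EEI rules guide linked in the post before relying on them.

```python
import xml.etree.ElementTree as ET

# Actions that block the process. Per the post above, adding one of these
# replaces the default TriggerDetection, so it has to be re-added explicitly.
BLOCK_ACTIONS = {"BlockProcessExecutable", "CleanAndBlockProcessExecutable"}

# Constructed sample (not from the page): a duplicated rule with a block action
# added and TriggerDetection left out. The <actions>/<action name="..."/>
# layout is an assumption to verify against the EEI rules guide.
RULE_BLOCK_ONLY = """<?xml version="1.0" encoding="utf-8"?>
<rule>
  <definition>
    <process>
      <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="WINWORD" />
    </process>
    <operations>
      <operation type="ModuleDrop">
        <condition component="FileItem" property="Extension" condition="is" value="exe" />
      </operation>
    </operations>
  </definition>
  <description>
    <name>Word dropped an executable</name>
    <explanation>WINWORD.EXE wrote an .exe module to disk</explanation>
    <category>Default</category>
  </description>
  <actions>
    <action name="BlockProcessExecutable" />
  </actions>
</rule>
"""


def rule_actions(root):
    """Set of action names declared under <actions> (empty if none)."""
    return {a.get("name") for a in root.findall("./actions/action") if a.get("name")}


def lint_rule(xml_text):
    """Return a list of human-readable findings; an empty list means the rule passes."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    if root.tag != "rule":
        # An advanced exclusion starts at <definition>; a rule must be wrapped in <rule>.
        findings.append(f"root element is <{root.tag}>, expected <rule>")
    if root.find("./description/name") is None:
        findings.append("missing <description><name>")
    definition = root.find("definition")
    if definition is None or (definition.find("process") is None and definition.find("operations") is None):
        findings.append("<definition> has neither <process> nor <operations> conditions")
    actions = rule_actions(root)
    if actions & BLOCK_ACTIONS and "TriggerDetection" not in actions:
        findings.append("block action present but TriggerDetection missing: "
                        "rule will block without raising a detection")
    return findings


def add_trigger_detection(xml_text):
    """Return the rule XML with TriggerDetection appended to <actions> when a block action would otherwise suppress it."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    actions_el = root.find("actions")
    if actions_el is not None:
        actions = rule_actions(root)
        if actions & BLOCK_ACTIONS and "TriggerDetection" not in actions:
            ET.SubElement(actions_el, "action", name="TriggerDetection")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in lint_rule(RULE_BLOCK_ONLY):
        print("finding:", finding)
    fixed = add_trigger_detection(RULE_BLOCK_ONLY)
    print("after fix:", lint_rule(fixed) or "clean")
```

Run it over exported rule XML before importing into EEI; the root-element check also distinguishes a full rule from an advanced-exclusion fragment, which starts at `<definition>` and has no `<actions>`.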
  4. Just as a test, does it work if you remove the "signer name" condition? Could you click on "Advanced" and post the exclusion's XML?