dmaasland

Members, 5 posts

Posts posted by dmaasland

  1. No, you can use your own CA for everything if you want, though it can be a bit challenging to find out how ;). If you're not really familiar with the wonderful world of PKI I'd recommend taking a look at easy-rsa:

    https://easy-rsa.readthedocs.io/en/latest/

    Two gotchas you might want to consider:

    1. Import the CA certificate into ESET PROTECT ( / ESET Security Management Center)

    2. When generating certificates, make sure agent certificates have the word "agent" in the CN, and server certificates have the word "server" in the CN.

    Also, check out this help page: https://help.eset.com/protect_admin/latest/en-US/custom_certificates.html
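The post above lists the two requirements but not the commands. The following is an added example, not code from the post or from ESET: a minimal private CA driven through the openssl CLI from Python, issuing one "server" and one "agent" peer certificate whose Common Names carry those words, bundling each with its key as PKCS#12, and checking that each peer certificate chains to the CA. Assumptions (not from the page): openssl 1.1.1 or newer is on PATH; the CA `.crt` plus the `.pfx` bundles are what you import following the linked ESET help page (check that page for the exact dialogs); the organisation name, the CA name and the `changeit` bundle password are placeholders.

```python
"""Added example, not the forum post's or ESET's code: a minimal private CA
built by driving the openssl CLI from Python, issuing one "server" and one
"agent" peer certificate whose Common Names carry those words as the post
requires, and bundling each with its key as PKCS#12.  Assumptions: openssl
1.1.1 or newer is on PATH, and the CA .crt plus the .pfx bundles are what you
import following the linked ESET help page (check there for the exact steps)."""
import subprocess
import tempfile
from pathlib import Path


def openssl(*args: object) -> str:
    """Run one openssl subcommand, fail loudly on a non-zero exit, return stdout."""
    return subprocess.run(["openssl", *map(str, args)], check=True,
                          capture_output=True, text=True).stdout


def make_ca(d: Path, cn: str = "Example Corp ESET CA") -> None:
    """Self-signed CA: a CSR signed with its own key plus CA extensions."""
    d.mkdir(parents=True, exist_ok=True)
    openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-sha256",
            "-keyout", d / "ca.key", "-out", d / "ca.csr", "-subj", f"/CN={cn}")
    (d / "ca.ext").write_text("basicConstraints=critical,CA:TRUE\n"
                              "keyUsage=critical,keyCertSign,cRLSign\n")
    openssl("x509", "-req", "-in", d / "ca.csr", "-signkey", d / "ca.key", "-days", "3650",
            "-sha256", "-extfile", d / "ca.ext", "-out", d / "ca.crt")


def issue_peer(d: Path, role: str, eku: str, password: str = "changeit") -> None:
    """role is 'server' or 'agent' and goes into the CN on purpose; eku is
    serverAuth or clientAuth.  The bundle password is a placeholder."""
    key, csr, crt, ext = (d / f"{role}.{s}" for s in ("key", "csr", "crt", "ext"))
    openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-sha256",
            "-keyout", key, "-out", csr, "-subj", f"/CN={role}/O=Example Corp")
    ext.write_text("basicConstraints=CA:FALSE\n"
                   "keyUsage=critical,digitalSignature,keyEncipherment\n"
                   f"extendedKeyUsage={eku}\n")
    openssl("x509", "-req", "-in", csr, "-CA", d / "ca.crt", "-CAkey", d / "ca.key",
            "-CAcreateserial", "-days", "825", "-sha256", "-extfile", ext, "-out", crt)
    openssl("pkcs12", "-export", "-inkey", key, "-in", crt, "-certfile", d / "ca.crt",
            "-passout", f"pass:{password}", "-out", d / f"{role}.pfx")


def common_name(cert: Path) -> str:
    """CN of the subject; openssl prints e.g. 'subject=CN=server,O=Example Corp'."""
    subject = openssl("x509", "-in", cert, "-noout", "-subject", "-nameopt", "RFC2253")
    parts = subject.split("=", 1)[1].strip().split(",")
    return next((p[3:] for p in parts if p.startswith("CN=")), "")


def chains_to(ca: Path, cert: Path) -> bool:
    """True when cert validates against ca."""
    return subprocess.run(["openssl", "verify", "-CAfile", str(ca), str(cert)],
                          capture_output=True).returncode == 0


def build(d: Path) -> dict:
    """Create the CA and both peer certs; report each peer's CN and chain check."""
    make_ca(d)
    issue_peer(d, "server", "serverAuth")
    issue_peer(d, "agent", "clientAuth")
    return {r: (common_name(d / f"{r}.crt"), chains_to(d / "ca.crt", d / f"{r}.crt"))
            for r in ("server", "agent")}


def demo() -> dict:
    """Build everything in a scratch directory and return the checks."""
    with tempfile.TemporaryDirectory() as tmp:
        return build(Path(tmp))


if __name__ == "__main__":
    print(build(Path("eset-pki")))
```

Running it as a script leaves `ca.crt`, `server.pfx` and `agent.pfx` (plus keys and CSRs) under `eset-pki/`; `common_name` and `chains_to` are the two checks worth repeating on any certificate you produce another way before importing it.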

  2. Try something like this:

    <?xml version="1.0" encoding="utf-8"?>
    <rule>
        <definition>
            <operations>
                <operation type="WriteFile">
                    <operator type="or">
                        <condition component="FileItem" property="Path" condition="starts" value="%APPDATA%\microsoft\windows\themes\cachedfiles\" />
                        <condition component="FileItem" property="FullPath" condition="is" value="%APPDATA%\microsoft\windows\themes\transcodedwallpaper" />
                    </operator>
                </operation>
                <operation type="RegSetValue">
                    <condition component="RegistryItem" property="Key" condition="starts" value="HKCU\software\microsoft\windows\currentversion\explorer\wallpapers\backgroundhistorypath" />
                </operation>
                <operation type="RegDeleteValue">
                    <condition component="RegistryItem" property="Key" condition="starts" value="HKCU\software\microsoft\windows\currentversion\explorer\wallpapers\backgroundhistorypath" />
                </operation>
            </operations>
        </definition>
        <description>
            <name>Wallpaper was altered</name>
            <explanation>
                The wallpaper was altered
            </explanation>
            <category>
                Default
            </category>
        </description>
    </rule>

  3. On 2/8/2021 at 10:16 PM, Lockbits said:

    2) The possibility to add granular exclusions for some rules like "MS Office application has saved executable [D0806]". We get about 5 daily alerts of this type and all are benign. Apparently Office creates a lot of temporary files with a .com extension like this:

    [image]

    Currently I can create an exclusion for this rule, but I prefer not to do this, because if real malware creates a .com or .exe I'll miss that alert. Maybe an option to exclude per folder? Then I could exclude the path that always starts with the same pattern. Of course, if I do this for this folder I could miss real malware being written to that path, but the chance is much lower than with an exclusion for the entire rule, or modifying the rule to not include the .com extension.

    Thanks.


    Sorry for the late reply, but you can actually already do this. If you create an "Advanced" exclusion you can use all conditions that are available to the rule engine. So something like:

     

    <definition>
        <!-- the exclusion applies only to these Office processes -->
        <process>
            <operator type="OR">
                <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="OUTLOOK"/>
                <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="EXCEL"/>
                <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="WINWORD"/>
                <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="POWERPNT"/>
            </operator>
        </process>
        <!-- and only to .com/.exe writes under the Office internet cache folder -->
        <operations>
            <operation type="WriteFile">
                <operator type="AND">
                    <condition component="FileItem" property="Path" condition="starts" value="%LOCALAPPDATA%\microsoft\windows\inetcache\content.mso" />
                    <operator type="OR">
                        <condition component="FileItem" property="Extension" condition="is" value="com" />
                        <condition component="FileItem" property="Extension" condition="is" value="exe" />
                    </operator>
                </operator>
            </operation>
        </operations>
    </definition>

    I've not tested it but something like that should probably work. Alternatively you can use the "ModuleDrop" operation instead of "WriteFile" if you're only interested in executables. Makes the rule a bit faster.

  4. You can add an action to a rule. If you want to edit a built-in rule, duplicate it first. Then, add the desired action to it:


    Quote

    actions

    allow to block an executable immediately after rule triggering. Action names are:
    · TriggerDetection—if no actions specified in the actions tag field, this action is executed by default, and the detection is triggered in EEI. If other actions are specified, and the user still wants to trigger detection, this action has to be added
    · MarkAsScript—marks an executable as script
    · MarkAsCompromised—the process triggering the rule, will be marked as compromised. This status is visible in the process details view in web console.
    · HideCommandLine—removes command line string from a process
    · BlockProcessExecutable—blocks a process hash (ban hash via the rule, only if not trusted or LiveGrid® info is missing)
    · CleanAndBlockProcessExecutable—cleans and blocks a process hash (only if not trusted or LiveGrid® info is missing)
    · BlockParentProcessExecutable—blocks a parent process hash (only if not trusted or LiveGrid® info is missing)
    · CleanAndBlockParentProcessExecutable—cleans and blocks a parent process hash (only if not trusted or LiveGrid® info is missing)
    · IsolateFromNetwork—isolates the computer from network
    · DropEvent—drops an event which triggered the rule
    Actions can be put into single action element:
    <action name="BlockProcessExecutable"/>
    or be stacked in actions element (this approach shows a hint, what can be put in a place of the name):
    <actions>
        <action name="BlockProcessExecutable"/>
    </actions>
    Multiple actions can be invoked from a single rule


    The action you're looking for would be "BlockProcessExecutable" or "CleanAndBlockProcessExecutable". Check out page 6 in the EEI rule guide: https://help.eset.com/tools/eei/eei_rules_guide_1.6.pdf


    Don't forget to also specify "TriggerDetection". This is the default action if no action is specified, but it gets overwritten as soon as you specify your custom action. If you don't add that action as well, the rule will only block the executable and not create a detection.
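The wallpaper rule, the advanced exclusion and the actions element in the three posts above all share one rule syntax, and the only way to know what a rule will match is to try it. The following is an added example, not ESET's code and not from any of the posts: a small evaluator that replays constructed events (a wallpaper change by explorer.exe, WINWORD and cmd.exe writing a `.com` into Content.MSO, WINWORD writing an `.exe` to the Desktop) through the two posted XML definitions, and reports which actions a rule carries, defaulting to `TriggerDetection` when none is listed. The matching semantics are assumptions about the engine rather than documented behaviour: direct children of `<operation>` and `<process>` are AND-ed unless wrapped in an `<operator>`, comparisons are case-insensitive, `%VAR%` tokens are expanded from a fixed `ENV` map, and `<actions>` is assumed to sit directly under `<rule>`. The user profile paths, process paths and file names are constructed.

```python
"""Added example, not ESET's code: replays constructed events through EEI rule
XML like the rule, the advanced exclusion and the actions element in the posts
above.  Matching semantics are assumptions about the engine: children of
<operation>/<process> are AND-ed unless wrapped in an <operator>, comparisons
are case-insensitive, %VAR% is expanded from ENV, and a rule with no <action>
element gets TriggerDetection only."""
import ntpath, re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

ENV = {"APPDATA": r"C:\Users\alice\AppData\Roaming", "LOCALAPPDATA": r"C:\Users\alice\AppData\Local"}  # constructed

# Definition of the wallpaper rule posted above (description omitted).
WALLPAPER = r"""<rule><definition><operations>
  <operation type="WriteFile"><operator type="or">
    <condition component="FileItem" property="Path" condition="starts" value="%APPDATA%\microsoft\windows\themes\cachedfiles\"/>
    <condition component="FileItem" property="FullPath" condition="is" value="%APPDATA%\microsoft\windows\themes\transcodedwallpaper"/>
  </operator></operation>
  <operation type="RegSetValue">
    <condition component="RegistryItem" property="Key" condition="starts" value="HKCU\software\microsoft\windows\currentversion\explorer\wallpapers\backgroundhistorypath"/>
  </operation>
</operations></definition></rule>"""
# Same rule with a block action and no TriggerDetection (the trap the last post warns about; <actions> placement assumed).
BLOCK_ONLY = WALLPAPER.replace("</rule>", '<actions><action name="BlockProcessExecutable"/></actions></rule>')
# The advanced exclusion posted above, abridged to two Office processes.
OFFICE_EXCLUSION = r"""<definition>
  <process><operator type="OR">
    <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="EXCEL"/>
    <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="WINWORD"/>
  </operator></process>
  <operations><operation type="WriteFile"><operator type="AND">
    <condition component="FileItem" property="Path" condition="starts" value="%LOCALAPPDATA%\microsoft\windows\inetcache\content.mso"/>
    <operator type="OR">
      <condition component="FileItem" property="Extension" condition="is" value="com"/>
      <condition component="FileItem" property="Extension" condition="is" value="exe"/>
    </operator>
  </operator></operation></operations>
</definition>"""

@dataclass
class Event:
    op: str                     # operation type: "WriteFile", "RegSetValue", ...
    process: str                # image path of the acting process
    file: Optional[str] = None  # target file for file operations
    key: Optional[str] = None   # target key for registry operations

def expand(value: str) -> str:
    return re.sub(r"%(\w+)%", lambda m: ENV.get(m.group(1).upper(), m.group(0)), value)

def file_props(path: str) -> dict:
    head, tail = ntpath.split(path)
    stem, ext = ntpath.splitext(tail)
    return {"FullPath": path, "Path": head + "\\", "FileNameWithoutExtension": stem, "Extension": ext.lstrip(".")}

def lookup(ev: Event, comp: str, prop: str, scope: str) -> Optional[str]:
    # scope "process": conditions under <process> describe the acting image, not the target file
    if comp == "FileItem":
        src = ev.process if scope == "process" else ev.file
        return None if src is None else file_props(src).get(prop)
    return ev.key if comp == "RegistryItem" and prop == "Key" else None

MATCH = {"is": str.__eq__, "starts": str.startswith, "contains": lambda a, w: w in a}

def cond_ok(c: ET.Element, ev: Event, scope: str) -> bool:
    actual = lookup(ev, c.get("component"), c.get("property"), scope)
    return actual is not None and MATCH[c.get("condition")](actual.lower(), expand(c.get("value")).lower())

def node_ok(node: ET.Element, ev: Event, scope: str, combine: str = "and") -> bool:
    results = [cond_ok(c, ev, scope) if c.tag == "condition"
               else node_ok(c, ev, scope, c.get("type", "and").lower())
               for c in node if c.tag in ("condition", "operator")]
    return all(results) if combine == "and" else any(results)

def rule_matches(rule_xml: str, ev: Event) -> bool:
    root = ET.fromstring(rule_xml)
    d = root if root.tag == "definition" else root.find("definition")
    proc = d.find("process")
    if proc is not None and not node_ok(proc, ev, "process"):
        return False
    return any(op.get("type") == ev.op and node_ok(op, ev, "target") for op in d.find("operations"))

def actions_of(rule_xml: str) -> list:
    # explicit actions replace the implicit TriggerDetection: a block-only rule blocks silently
    names = [a.get("name") for a in ET.fromstring(rule_xml).iter("action")]
    return names or ["TriggerDetection"]

def demo() -> dict:
    roaming, local = ENV["APPDATA"], ENV["LOCALAPPDATA"]
    explorer = r"C:\Windows\explorer.exe"
    word = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    mso = rf"{local}\Microsoft\Windows\INetCache\Content.MSO"
    cases = {  # constructed events
        "explorer_sets_wallpaper": (WALLPAPER, Event("WriteFile", explorer, rf"{roaming}\Microsoft\Windows\Themes\TranscodedWallpaper")),
        "explorer_history_value": (WALLPAPER, Event("RegSetValue", explorer, key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers\BackgroundHistoryPath0")),
        "word_com_in_content_mso": (OFFICE_EXCLUSION, Event("WriteFile", word, rf"{mso}\A1B2C3D4.com")),
        "cmd_com_in_content_mso": (OFFICE_EXCLUSION, Event("WriteFile", r"C:\Windows\System32\cmd.exe", rf"{mso}\A1B2C3D4.com")),
        "word_exe_on_desktop": (OFFICE_EXCLUSION, Event("WriteFile", word, r"C:\Users\alice\Desktop\update.exe")),
    }
    out = {name: rule_matches(xml, ev) for name, (xml, ev) in cases.items()}
    out["wallpaper_actions"] = actions_of(WALLPAPER)
    out["block_only_actions"] = actions_of(BLOCK_ONLY)
    return out
```

The three exclusion cases are the point of the second post: the Office temp `.com` is excluded, the same file written by cmd.exe is not (the `<process>` block fails), and an `.exe` dropped elsewhere by WINWORD is not (the `Path` condition fails). The two `actions_of` results show the trap from the last post: once `BlockProcessExecutable` is listed, `TriggerDetection` is gone unless you add it back.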
