Artemis AWAD

Members
  • Posts

    3
About Artemis AWAD

  • Rank
    Newbie

Profile Information

  • Location
    France
  1. Hello everyone,

     My question should be a little trivial, but I didn't obtain the expected results when trying to use an "OR" condition between two different items (process and parent process).

     Here is the context:
     - We are dealing with a custom administration script which is detected by ESET Inspector. No issue on that point, we just want to exclude it.
     - The script could be launched from 2 different methods: powershell from a .ps1 file or cmd from a .bat file.

     And here is my attempt to build a custom exclusion rule:

         <definition>
           <operator operator="OR">
             <process>
               <operator type="AND">
                 <condition component="FileItem" property="FileName" condition="is" value="powershell.exe" />
                 <condition component="ProcessInfo" property="CommandLine" condition="contains" value="MyScript.ps1" />
               </operator>
             </process>
             <parentprocess>
               <operator type="AND">
                 <condition component="FileItem" property="FileName" condition="is" value="cmd.exe" />
                 <condition component="ProcessInfo" property="CommandLine" condition="contains" value="MyScript.bat" />
               </operator>
             </parentprocess>
           </operator>
         </definition>

     Thank you for your help!
  2. Hello JamesR,

     Thank you for your kind and complete answer. Indeed, it is very clear that we have an optimisation issue... The product was deployed and lived its own life without being managed, so we just started to configure it.

     So we started to build our safe baseline, but what would be your recommendation between Exclusions or Event Filters? For example, for SCCM, do you recommend a process exclusion on policy or an event filter based on the SCCM path?

     Thank you!
     Artemis.
  3. Hello,

     We are looking for a procedure in order to manually purge all database contents on EEI (or, if possible, keep only the latest 15 days) without impact on the PROTECT side.

     Our problem is that the EEI console is not usable due to a large number of events (flood); we have this message on each console page:

     Thank you for your help and have a nice day.
     Artemis