
j91321

ESET Staff
  • Posts: 11
  • Days Won: 1

Kudos

  1. Upvote
    j91321 received kudos from JamesR in Low reputation LiveGrid file - rule.   
    The easiest way to safely test an executable being low popularity is to just take some known executable, e.g. notepad.exe, and append a random byte at the end of the file with a hex editor. It should still remain a valid PE and usually have 0 popularity and low reputation.
  2. Upvote
    j91321 received kudos from JokerTux1337 in Low reputation LiveGrid file - rule.   
  3. Upvote
    j91321 received kudos from Ufoto in Advanced exclusion - please help   
    I think you are a bit confused by the Event being ProcessCreated %WINDIR\ltsvc\ltsvc.exe%. If I understand it right, the B1004 is connected to the bcdedit.exe process. The process tree should look something like this:

        wininit.exe
        |-------> services.exe
                  |-------> %WINDIR%\ltsvc\ltsvc.exe
                            |-------> %SYSTEM%\bcdedit.exe
                                      +-------> Setting a dangerous boot configuration [B1004]

    What your exclusion is trying to do is exclude the behavior when bcdedit.exe would spawn ltsvc.exe, but it's the other way around: ltsvc.exe spawns bcdedit.exe. You need to use parentprocess like this:

        <definition>
          <parentprocess>
            <operator type="AND">
              <condition component="Module" condition="is" property="OriginalFileName" value="LTSVC.exe"/>
              <condition component="Module" condition="is" property="SignerName" value="Connectwise, LLC"/>
              <condition component="FileItem" condition="starts" property="FullPath" value="%WINDIR%\ltsvc\"/>
            </operator>
          </parentprocess>
        </definition>
  4. Upvote
    j91321 received kudos from Peter Randziak in ESET INSPECT Best practice guide?   
    I'd recommend enabling rules with the tag Essential. Next, it's worth reviewing rules that have automatic actions assigned. You can filter these by using the "Rule Actions" filter in the Rules list. You can also use other tags to better filter the categories you're interested in and enable rules based on that.
  5. Upvote
    j91321 received kudos from Ufoto in ESET INSPECT Best practice guide?   