Hi there, I'm trying to understand how the <action> </action> feature works. According to the official rule manual implementation you can use several actions that will be triggered along with your rule:

"actions—allow to block an executable immediately after rule triggering. Action names are:
· TriggerDetection—if no actions specified in the actions tag field, this action is executed by default, and the detection is triggered in EEI. If other actions are specified, and the user still wants to trigger detection, this action has to be added
· MarkAsScript—marks an executable as script
· HideCommandLine—removes command line string from a process
· BlockProcessExecutable—blocks a process hash (ban hash via the rule)
· CleanAndBlockProcessExecutable—cleans and blocks a process hash
· BlockParentProcessExecutable—blocks a parent process hash
· CleanAndBlockParentProcessExecutable—cleans and blocks a parent process hash
· DropEvent—drops an event which triggered the rule"

This was extracted from the PDF ESET ENTERPRISE INSPECTOR RULES guide that comes with the INSPECTOR. However, browsing for more information on the web I found this statement:

"A rule is defined using XML-based language. Rules are matched on the server asynchronously, so there is some time interval when recent events are sent from client to server and then processed by rules. Therefore, a rule cannot block execution of a process or operation (rules are intended for ex-post detection of any suspicious/malicious activity, not for their prevention). A matched rule can only notify security engineers by raising the detection."

This was taken from https://help.eset.com/eei/1.4/en-US/rule_edit.html?rules.html

So I'm kinda confused.
I have tried to implement actions of my rules using these patterns:

<action name="BlockProcessExecutable" />

AND

<actions>
  <action name="TriggerDetection" />
  <action name="DropEvent" />
  <action name="BlockProcessExecutable" />
</actions>

No matter where I place these lines my rules generate detections but the actions are not working. Is this feature already implemented or am I misunderstanding its usage?

Thanks in advance,
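As an added example (not from the post or from ESET), here is a small Python check that reads the <actions> block of a rule, flags <action> elements placed outside an <actions> container, validates the names against the list quoted from the rules guide, and reports whether a detection will still be raised (only implicit when no actions are listed, or explicit via TriggerDetection) and which hash-blocking actions were requested. The enclosing <rule> element in the constructed sample is an assumption; the page only shows the <actions> fragment, and no rule definition is included.

```python
"""Check the <actions> block of an ESET Enterprise Inspector rule (added example)."""
import xml.etree.ElementTree as ET

# Action names copied from the list quoted in the post; descriptions paraphrased.
KNOWN_ACTIONS = {
    "TriggerDetection": "raise a detection in EEI (default when no actions are given)",
    "MarkAsScript": "mark the executable as a script",
    "HideCommandLine": "remove the command line string from the process",
    "BlockProcessExecutable": "block the process hash",
    "CleanAndBlockProcessExecutable": "clean and block the process hash",
    "BlockParentProcessExecutable": "block the parent process hash",
    "CleanAndBlockParentProcessExecutable": "clean and block the parent process hash",
    "DropEvent": "drop the event that triggered the rule",
}
# Per the help page, these act on a hash after the fact; they do not stop the running process.
HASH_BLOCKING = {name for name in KNOWN_ACTIONS if "Block" in name}


def check_actions(rule_xml: str) -> dict:
    """Summarise the actions a rule requests and what the operator should expect."""
    root = ET.fromstring(rule_xml)
    container = root if root.tag == "actions" else root.find(".//actions")
    inside = list(container) if container is not None else []
    # <action> elements outside <actions> (the first pattern tried in the post).
    stray = [a.get("name") for a in root.iter("action") if a not in inside]
    names = [a.get("name") for a in inside if a.tag == "action"]
    return {
        "actions": names,
        "stray_actions": stray,
        "unknown_actions": [n for n in names if n not in KNOWN_ACTIONS],
        # Listing any action without TriggerDetection suppresses the detection.
        "detection_raised": not names or "TriggerDetection" in names,
        "hash_block_requested": sorted(set(names) & HASH_BLOCKING),
    }


# Constructed sample; the <rule> wrapper is assumed and the rule definition is omitted.
SAMPLE_RULE = """<rule>
  <actions>
    <action name="TriggerDetection" />
    <action name="DropEvent" />
    <action name="BlockProcessExecutable" />
  </actions>
</rule>"""

if __name__ == "__main__":
    for key, value in check_actions(SAMPLE_RULE).items():
        print(f"{key}: {value}")
```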