
ESET antivirus no longer recognizes exclusion list



I am currently running ESET Internet Security 11.0.159.0, and I have two file exclusions that previously prevented ESET from removing them. However, they are no longer being excluded from my computer scans. Whenever I open an application that uses the excluded file, it is quarantined. No matter how many times I right click "restore and exclude ...", it is detected and removed again. Any thoughts as to what I can do? Should I try a fresh reinstall of ESET?


On 01/28/2018 at 2:21 PM, Marcos said:

Please provide:

- a screen shot of your exclusion list
- a complete record of the detection from the Detected threats log

I can confirm this issue on version 11.0.159.0 EIS

 

if you specify both the path and threat type (like the one auto-generated by selecting exclude threat in the threat prompt), the exclusion will not work

if you only specify the path (enable "exclude all threats"), the exclusion will work

 

Edited by 0xDEADBEEF

  • Administrators
3 hours ago, 0xDEADBEEF said:

if you specify both the path and threat type (like the one auto-generated by selecting exclude threat in the threat prompt), the exclusion will not work
if you only specify the path (enable "exclude all threats"), the exclusion will work

Please provide a screen shot of the exclusion list. Is the detection name prepended with "@NAME="? You can also try excluding a potentially unwanted or unsafe application right from the yellow alert window upon detection. Also note that this only works for pot. unwanted and unsafe applications, not for malware detections.


6 hours ago, Marcos said:

Please provide a screen shot of the exclusion list. Is the detection name prepended with "@NAME="? You can also try excluding a potentially unwanted or unsafe application right from the yellow alert window upon detection. Also note that this only works for pot. unwanted and unsafe applications, not for malware detections.

Well, the entry shown in the attached screenshot is the one created by the yellow alert window. But I still get the yellow prompt after adding this exclusion.

bit2.jpg


Signed up just to confirm that I face the exact same issue as described by 0xDEADBEEF 

21 hours ago, 0xDEADBEEF said:

if you specify both the path and threat type (like the one auto-generated by selecting exclude threat in the threat prompt), the exclusion will not work

if you only specify the path (enable "exclude all threats"), the exclusion will work

 

Exactly this. This problem only showed up recently

 

Edit: I too, am running an upgraded ESET instead of one that was freshly installed.

Edited by E7ak9fIEfB
More information added.

  • Administrators
3 hours ago, 0xDEADBEEF said:

well, the entry shown in the attached screenshot is the one created by the yellow alert window. But I still get yellow prompt after adding this exclusion

bit2.jpg

Please provide a complete record from the Detected threats log. Is the file detected upon an attempt to launch it or when copying it to the same location? I was unable to reproduce it.


1 hour ago, Marcos said:

Please provide a complete record from the Detected threats log. Is the file detected upon an attempt to launch it or when copying it to the same location? I was unable to reproduce it.

OK, so I successfully reproduced it on another machine running the same EIS version on the same type of system (Windows 10 x64).

My steps:

1) disable EIS and download bitcomet installer from official website

2) enable EIS protection, copy the installer to some path (in my case, D:\c\bitcomet_setup.exe)

     This will trigger ESET yellow prompt

3) select "Exclude from Detection" and click ignore

    A rule is confirmed to be added to the exclusion list with correct path

rule.thumb.jpg.330c83bb6d584cdf5c5b28339a525aae.jpg

4) simply right click the file again, the yellow prompt shows again

Detection log: 

Quote

Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here
01/30/2018 1:37:13 PM;Real-time file system protection;file;D:\c\bitcomet_setup.exe;Win32/InstallCore.Gen.A potentially unwanted application;cleaned by deleting;Machine\User;Event occurred during an attempt to access the file by the application: C:\Windows\explorer.exe (1C975DFA73F8C9389975A2ECE34AD74B165DD1C6).;6BDFD84B166038D76E5C5ECAF0A1AB5F8D6B4EFE;01/30/2018 1:35:49 PM

The similarity between the two machines on which I reproduced the issue is that they both run ESET upgraded from a previous v11 version, instead of a fresh install. As indicated by the original author of this thread, he/she got rid of this issue after a fresh reinstall. So perhaps this is a factor you need to consider.
 

 

Edited by 0xDEADBEEF
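
An added example, not part of the original thread and not ESET code: a small audit that parses the detection log quoted in the post above and reports detections that an exclusion rule should have covered, labelled by the rule shape the thread discusses. The exclusion dict layout, the handling of the "@NAME=" prefix and the "every specified field must match" semantics are assumptions made for illustration.

```python
import csv
import io
from fnmatch import fnmatchcase

# Header and record copied from the detection log quoted in the post above.
LOG = r"""Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here
01/30/2018 1:37:13 PM;Real-time file system protection;file;D:\c\bitcomet_setup.exe;Win32/InstallCore.Gen.A potentially unwanted application;cleaned by deleting;Machine\User;Event occurred during an attempt to access the file by the application: C:\Windows\explorer.exe (1C975DFA73F8C9389975A2ECE34AD74B165DD1C6).;6BDFD84B166038D76E5C5ECAF0A1AB5F8D6B4EFE;01/30/2018 1:35:49 PM
"""

# Constructed exclusion list (hypothetical dict layout, not an ESET export format).
# threat=None stands for "exclude all threats"; path "*" stands for any path.
EXCLUSIONS = [
    {"path": r"D:\c\bitcomet_setup.exe", "threat": "@NAME=Win32/InstallCore.Gen.A"},
]

def parse_log(text):
    """Parse the semicolon-delimited export into dicts keyed by the header row."""
    reader = csv.DictReader(io.StringIO(text.strip()), delimiter=";",
                            quoting=csv.QUOTE_NONE)
    return list(reader)

def rule_shape(rule):
    """Classify a rule as the thread does: path only, threat only, or both."""
    has_path = rule["path"] != "*"
    has_threat = rule["threat"] is not None
    if has_path and has_threat:
        return "path+threat"
    return "path only" if has_path else ("threat only" if has_threat else "everything")

def rule_covers(rule, rec):
    """Assumed intended semantics: every field the rule specifies must match."""
    # Windows paths are case-insensitive, so compare lowercased.
    if not fnmatchcase(rec["Object"].lower(), rule["path"].lower()):
        return False
    if rule["threat"] is None:
        return True
    name = rule["threat"].removeprefix("@NAME=").lower()
    logged = rec["Threat"].lower()  # the log appends the category after the name
    return logged == name or logged.startswith(name + " ")

def ignored_exclusions(records, rules):
    """Return (object, rule shape) for each detection a rule should have suppressed."""
    return [(rec["Object"], rule_shape(rule))
            for rec in records for rule in rules if rule_covers(rule, rec)]

if __name__ == "__main__":
    for obj, shape in ignored_exclusions(parse_log(LOG), EXCLUSIONS):
        print(f"detected despite {shape} exclusion: {obj}")
```
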

4 hours ago, Marcos said:

Please check the attached video and find out what you did differently.

exclusion.rar

 

stepa.thumb.jpg.8dd0dde13a2c697c61b822796a834907.jpg

The only difference is I selected "Exclude from detection" while the video has "Exclude signature from detection" selected

Selecting "Exclude from detection" will add a rule specifying both the path and the threat type, while selecting "Exclude signature from detection" specifies the threat type only.

If I select "Exclude signature from detection", the exclusion works

I also tried to modify the working rule generated by selecting  "Exclude signature from detection". I tried to modify the path wildcard "*" into a specific path like "D:\*" and the exclusion no longer works.

Generally I feel like the exclusion will work if you specify either the path or the threat type, but will not work if you specify both. Let me know if you need more information.


  • Administrators

This turned out to be a known issue which was fixed in December and a fix will be included in v11.1 which is going to be released soon.


  • 1 month later...

@0xDEADBEEF  thanks a lot. I was getting sooo frustrated by the new v11 version (11.0.159.9 as of now), as since I upgraded from v10 exclusions weren't working 95% of the time. I thought they just decided to ignore user requests for exclusion if it is a coin miner... When I checked the exclusion list in settings there were multiple entries for the same file.

What fixed it was to edit the existing rule and remove the threat type, as you said. Thanks.

 

@Marcos what exactly does soon mean? We are plus one month...

 

EDIT: also, why can't some threats be excluded? Just found some Trojan threat (red window) and the exclude options are greyed out. What are you trying to do? Prevent us from using our computers the way we want?

Edited by Fil

This topic is now closed to further replies.