mwhalenhtc

Exclusion not working

Hello,

Full disclosure: We have ConnectWise and buy our licenses through them. However, ConnectWise takes... what? ... a week to get back to people for technical support issues. I am posting here in the hopes that it won't be slower. ;-)

Just recently, ESET agents started flagging Win64/PSWTool.ProductKey.A as an Unsafe Application. This tool is one that our remote management system uses and I'm aware of what it does. I've also put in the 32-bit variety as an exclusion and that's been there for some time. I've not had any trouble with it.

However, I can't seem to exclude the one for some reason. What's more, I already have excluded the directory that the executable lives in so I am unsure why two exceptions are failing.

I have a base agent policy. In there, I've defined Exclusions with the drop down for the Exclusions section listed as "Replace."

The 32-bit variety exclusion is defined like so:
Exclude for this computer has a three check.
Exclude all threats does not have a check.
Threat name is defined as: @NAME=Win32/PSWTool.ProductKey.D@TYPE=ApplicUnsaf

The 64-bit variety is defined like so:
Exclude for this computer has a three check.
Exclude all threats does not have a check.
Threat name is defined as: @NAME=Win64/PSWTool.ProductKey.A@TYPE=ApplicUnsaf

I have checked agents and see that the exclusion definitions have made it to the agents themselves but they're still flagging @NAME=Win64/PSWTool.ProductKey.A@TYPE=ApplicUnsaf.

I've attached screenshots in the hopes that will help.

64bit Exclusion.png

Exclusions as defined in policy editor.png

Replace Flag in Policy.png

Exclusions on Agent.png

32bit Exclusion.png

Please post the appropriate detection record from the Detected threats log (the whole line) so that we know what was detected and in what folder.

There is currently a bug in the program when a specific path to a file or folder is entered in the exclusion list and a threat name is specified as well; however, enabling "Exclude for this computer" appears to be a workaround (i.e. the path reads * ).

Hi Marcos,

Thanks so much for your response.

I seem to have a lot of users who click buttons. :-)

I can't find that particular line since the detection threats log is currently clear. The item I can find is below.

C:\Windows\LTSVC\scripts\ProduKey.exe - a variant of Win64/PSWTool.ProductKey.A potentially unsafe application - action selection postponed until scan completion

Does that help? Or do you need something else? I ran the log collector on the Detected Threats with a 30-day window. Would that contain information you'd need?

Most agents are running 6.6.2052.0.

Hi mwhalenhtc,

I'm experiencing the exact same issue. We use Connectwise/Labtech as well and this is only happening for four of our clients. All four clients were recently upgraded from v 5 or so to 6.6. I've ensured the global policy that we use that also whitelists all the necessary LT related folders/executables are showing on the workstations. The odd thing is it's not happening for every workstation for those companies, it's almost sporadic. It started mid last week for us. I've opened a ticket with ESET as well and I've been told to run the log collector as well, but it's been tricky as I have to schedule with the client first.

Do you have any updates?

Capture.PNG

Edited by nasaeed

Thanks, nasaeed. Good to know I am not the only one at any rate! :-)

ConnectWise support told me that the ProduKey scanning method for keys is deprecated and had me install their update for product key scanning via the LabTech Solution Center. It can't hurt to do that. You have to run the solution center on the Labtech server directly. (We are hosting LT "on-prem." The method may be different for hosted LT.)

I haven't been crushed with client calls (yet) and I have at least one workstation in which I can run a log collector without much fuss.

The number of instances triggering has decreased drastically for me without any actions being taken.

From ESET I've only heard the following:

"We recommend adding an exclusion for the specific file path that the threat detection is occurring at and include the threat name in the following format.

@NAME=Win32/PSWTool.ProductKey.D@TYPE=ApplicUnsaf 

If this is unable to help with the issues that you are encountering please contact us at the information listed below."

I'm not entirely sure how to accomplish this. We already have the exclusion set up so I'm unsure how to set it up with said format.

Well, that's how I have it setup and it's not working.

Fortunately, I've got a ticket open with ESET and I have a call scheduled with them tomorrow. I'll update here when I have an answer. :-)

That's great. I have a ticket open with them too and this was the answer I got from an escalated tech. 

If you get more help, I'm dying to know what's going on.

Also, derp. This issue has been going on so long I forgot you had shown examples of how your exclusions were set up. 

I'm hopeful to have a better answer soon.

ESET has given me one of the best experiences I've ever had with tech support. Unfortunately, I only have experience with one person who was on the ConnectWise/ESET migration team. I hung on to that ticket for dear life because the tech was so good. I don't know what I'm going to get this time.

I'll be keeping my fingers crossed. My experiences have all been rather... mixed.

That's disappointing, but knowing that and having a live phone call means I'll lean hard to get this resolved. I am especially intrigued by Marcos's note:

On 2/13/2018 at 5:52 AM, Marcos said:

Please post the appropriate detection record from the Detected threats log (the whole line) so that we know what was detected and in what folder.

There is currently a bug in the program when a specific path to a file or folder is entered in the exclusion list and a threat name is specified as well; however, enabling "Exclude for this computer" appears to be a workaround (i.e. the path reads * ).

Update on my end, a few more have randomly trickled in today. But nowhere near the influx of before. It's so odd that it's inconsistent and random.

I have been speaking with my favorite tech at ESET.

He says to update the endpoints to 6.6.2072.4. I am doing that now. Is that what you're running?

The problem with exclusions when the full path to a file as well as the detection name is specified will be addressed in the upcoming service release of Endpoint 6.6.

1 minute ago, Marcos said:

The problem with exclusions when the full path to a file as well as the detection name is specified will be addressed in the upcoming service release of Endpoint 6.6.

Marcos,

That is _not_ what I've heard from another agent at ESET. He tells me that 6.6.2072.4 will fix the problem. Are you saying that's not accurate?

6.6.2072.4 is only a repacked installer with new modules, meaning it does not have any capacity to fix any issues. Maybe he was mistaken in taking 6.6.2072.4 as the "next service release".

All the workstations experiencing the issue are on a plethora... including the newest 6.6 version. Additionally, we have thousands of workstations and we would have to schedule each upgrade with each client. This isn't a feasible solution to the issue.
