Exclusion not working


Hello,

Full disclosure: We have ConnectWise and buy our licenses through them. However, ConnectWise takes... what? ... a week to get back to people for technical support issues. I am posting here in the hopes that it won't be slower. ;-)

Just recently, ESET agents started flagging Win64/PSWTool.ProductKey.A as an Unsafe Application. This tool is one that our remote management system uses and I'm aware of what it does. I've also put in the 32-bit variety as an exclusion and that's been there for some time. I've not had any trouble with it.

However, I can't seem to exclude the one for some reason. What's more, I already have excluded the directory that the executable lives in so I am unsure why two exceptions are failing.

I have a base agent policy. In there, I've defined Exclusions with the drop down for the Exclusions section listed as "Replace."

The 32-bit variety exclusion is defined like so:
Exclude for this computer has a three check.
Exclude all threats does not have a check.
Threat name is defined as: @NAME=Win32/PSWTool.ProductKey.D@TYPE=ApplicUnsaf

The 64-bit variety is defined like so:
Exclude for this computer has a three check.
Exclude all threats does not have a check.
Threat name is defined as: @NAME=Win64/PSWTool.ProductKey.A@TYPE=ApplicUnsaf

I have checked agents and see that the exclusion definitions have made it to the agents themselves but they're still flagging @NAME=Win64/PSWTool.ProductKey.A@TYPE=ApplicUnsaf.

I've attached screenshots in the hopes that will help.

Attachments: 64bit Exclusion.png, Exclusions as defined in policy editor.png, Replace Flag in Policy.png, Exclusions on Agent.png, 32bit Exclusion.png


  • Administrators

Please post the appropriate detection record from the Detected threats log (the whole line) so that we know what was detected and in what folder.

There is currently a bug in the program when a specific path to a file or folder is entered in the exclusion list and a threat name is specified as well; however, enabling "Exclude for this computer" appears to be a workaround (i.e. the path reads * ).


Hi Marcos,

Thanks so much for your response.

I seem to have a lot of users who click buttons. :-)

I can't find that particular line since the detection threats log is currently clear. The item I can find is below.

C:\Windows\LTSVC\scripts\ProduKey.exe - a variant of Win64/PSWTool.ProductKey.A potentially unsafe application - action selection postponed until scan completion

Does that help? Or do you need something else? I ran the log collector on the Detected Threats with a 30-day window. Would that contain information you'd need?

Most agents are running 6.6.2052.0.


Hi mwhalenhtc,

I'm experiencing the exact same issue. We use Connectwise/Labtech as well and this is only happening for four of our clients. All four clients were recently upgraded from v 5 or so to 6.6. I've ensured the global policy that we use that also whitelists all the necessary LT related folders/executables are showing on the workstations. The odd thing is it's not happening for every workstation for those companies, it's almost sporadic. It started mid last week for us. I've opened a ticket with ESET as well and I've been told to run the log collector as well, but it's been tricky as I have to schedule with the client first.

Do you have any updates?

Attachment: Capture.PNG


Thanks, nasaeed. Good to know I am not the only one at any rate! :-)

ConnectWise support told me that the ProduKey scanning method for keys is deprecated and had me install their update for product key scanning via the LabTech Solution Center. It can't hurt to do that. You have to run the solution center on the Labtech server directly. (We are hosting LT "on-prem." The method may be different for hosted LT.)

I haven't been crushed with client calls (yet) and I have at least one workstation in which I can run a log collector without much fuss.


The number of instances triggering has decreased drastically for me without any actions being taken.

From ESET I've only heard the following:

"We recommend adding an exclusion for the specific file path that the threat detection is occurring at and include the threat name in the following format.

@NAME=Win32/PSWTool.ProductKey.D@TYPE=ApplicUnsaf 

If this is unable to help with the issues that you are encountering please contact us at the information listed below."

I'm not entirely sure how to accomplish this. We already have the exclusion set up so I'm unsure how to set it up with said format.

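The two posts above describe the pieces an admin actually has to line up: a "Detected threats" log line (path, detection name, category, action) and an exclusion row made of a path (or `*` when "Exclude for this computer" is ticked) plus a threat name in `@NAME=...@TYPE=...` form. The script below is an added example, not ESET code or anything from the thread: it parses both, then audits a log for detections that an existing exclusion should have suppressed, which is exactly the evidence you want before opening a ticket (or to spot the path-plus-name combination Marcos says is buggy). Assumptions: the log layout is inferred from the single line quoted in this thread; path matching is done with `fnmatch` wildcards, case-insensitive, which is a model, not ESET's real matcher; every sample line except the one quoted from the thread is constructed.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Layout of a "Detected threats" log line as quoted in this thread (assumption:
# inferred from that one line):
#   <path> - [a variant of ]<DetectionName> <category> - <action taken>
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) - "
    r"(?:(?:probably )?a variant of )?"
    r"(?P<name>[A-Za-z0-9]+/[A-Za-z0-9._-]+) "
    r"(?P<category>.+?) - "
    r"(?P<action>.+)$"
)

# Threat-name syntax ESET support quoted for exclusions: @NAME=<name>@TYPE=<type>
EXCLUSION_NAME_RE = re.compile(r"^@NAME=(?P<name>[^@]+)@TYPE=(?P<type>[A-Za-z]+)$")


@dataclass
class Detection:
    path: str
    name: str
    category: str
    action: str


@dataclass
class Exclusion:
    path: str  # "*" when "Exclude for this computer" is ticked, else a file/folder pattern
    name: str  # bare detection name, e.g. Win64/PSWTool.ProductKey.A
    kind: str  # the @TYPE value, e.g. ApplicUnsaf


def parse_detection(line: str) -> Optional[Detection]:
    """Parse one log line; return None for lines that do not follow the layout."""
    m = DETECTION_RE.match(line.strip())
    if not m:
        return None
    return Detection(m["path"], m["name"], m["category"], m["action"])


def parse_exclusion(path: str, threat_field: str) -> Exclusion:
    """Build an Exclusion from the path column and the @NAME=...@TYPE=... column."""
    m = EXCLUSION_NAME_RE.match(threat_field.strip())
    if not m:
        raise ValueError(f"threat name not in @NAME=...@TYPE=... form: {threat_field!r}")
    return Exclusion(path.strip(), m["name"], m["type"])


def exclusion_covers(excl: Exclusion, det: Detection) -> bool:
    """True when both the path pattern and the detection name match.

    Windows paths are case-insensitive, so both sides are lower-cased; a "*"
    path covers every location (modelled matcher, not ESET's own).
    """
    path_ok = fnmatch.fnmatchcase(det.path.lower(), excl.path.lower())
    name_ok = det.name.lower() == excl.name.lower()
    return path_ok and name_ok


def audit(log_lines: Iterable[str], exclusions: List[Exclusion]) -> List[Tuple[Detection, Exclusion]]:
    """Return detections that an existing exclusion should have suppressed.

    Each hit is evidence that the exclusion was not honoured on that agent (for
    example by a scan that ignores exclusions) or never reached it.
    """
    hits = []
    for line in log_lines:
        det = parse_detection(line)
        if det is None:
            continue  # unrecognised layout; leave for manual review
        for excl in exclusions:
            if exclusion_covers(excl, det):
                hits.append((det, excl))
                break
    return hits


SAMPLE_LOG = [
    # Quoted from this thread:
    r"C:\Windows\LTSVC\scripts\ProduKey.exe - a variant of Win64/PSWTool.ProductKey.A potentially unsafe application - action selection postponed until scan completion",
    # Constructed for this example:
    r"C:\Users\Example\Downloads\tool.exe - a variant of Win32/PSWTool.ProductKey.D potentially unsafe application - cleaned by deleting",
    r"C:\Users\Example\Downloads\sample.bin - Win32/Example.Constructed.A trojan - cleaned by deleting",
]

SAMPLE_EXCLUSIONS = [
    # "Exclude for this computer" ticked, so the path column reads "*"
    parse_exclusion("*", "@NAME=Win64/PSWTool.ProductKey.A@TYPE=ApplicUnsaf"),
    # Full path plus detection name, the combination the thread reports as buggy
    parse_exclusion(r"C:\Windows\LTSVC\scripts\ProduKey.exe", "@NAME=Win32/PSWTool.ProductKey.D@TYPE=ApplicUnsaf"),
]


def audit_sample() -> List[Tuple[str, str, str]]:
    """Run the audit over the constructed sample; returns (path, name, exclusion path) per hit."""
    return [(d.path, d.name, e.path) for d, e in audit(SAMPLE_LOG, SAMPLE_EXCLUSIONS)]


if __name__ == "__main__":
    for path, name, excl_path in audit_sample():
        print(f"IGNORED EXCLUSION: {name} at {path} (exclusion path {excl_path!r})")
```

Run against a log export collected with a 30-day window, as the thread suggests, the hits tell you which detections fired in spite of a matching exclusion; a run that reports nothing while users still see alerts points instead at the policy not having reached the agent.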

Well, that's how I have it setup and it's not working.

Fortunately, I've got a ticket open with ESET and I have a call scheduled with them tomorrow. I'll update here when I have an answer. :-)


That's great. I have a ticket open with them too and this was the answer I got from an escalated tech. 

If you get more help, I'm dying to know what's going on.


I'm hopeful to have a better answer soon.

ESET has given me one of the best experiences I've ever had with tech support. Unfortunately, I only have experience with one person who was on the ConnectWise/ESET migration team. I hung on to that ticket for dear life because the tech was so good. I don't know what I'm going to get this time.


That's disappointing, but knowing that and having a live phone call means I'll lean hard to get this resolved. I am especially intrigued by Marcos's note:

On 2/13/2018 at 5:52 AM, Marcos said:

Please post the appropriate detection record from the Detected threats log (the whole line) so that we know what was detected and in what folder.

There is currently a bug in the program when a specific path to a file or folder is entered in the exclusion list and a threat name is specified as well; however, enabling "Exclude for this computer" appears to be a workaround (i.e. the path reads * ).


  • Administrators

The problem with exclusions when the full path to a file as well as the detection name is specified will be addressed in the upcoming service release of Endpoint 6.6.


1 minute ago, Marcos said:

The problem with exclusions when the full path to a file as well as the detection name is specified will be addressed in the upcoming service release of Endpoint 6.6.

Marcos,

That is _not_ what I've heard from another agent at ESET. He tells me that 6.6.2072.4 will fix the problem. Are you saying that's not accurate?


  • ESET Staff

6.6.2072.4 is only a repacked installer with new modules, meaning it does not have any capacity to fix any issues. Maybe he was mistaken in taking 6.6.2072.4 as the "next service release".


All the workstations experiencing the issue are on a plethora... including the newest 6.6 version. Additionally, we have thousands of workstations and we would have to schedule each upgrade with each client. This isn't a feasible solution to the issue.


On 2/22/2018 at 1:32 PM, nasaeed said:

All the workstations experiencing the issue are on a plethora... including the newest 6.6 version. Additionally, we have thousands of workstations and we would have to schedule each upgrade with each client. This isn't a feasible solution to the issue.

Yeah, I can understand that. My client base is about 300 and I don't have this issue appearing everywhere. It only seems to come up _sometimes_ after a computer restart and ESET performs its startup scan. I haven't seen it in any other instance, but I'm also only seeing it on the ProduKey item. I don't have a lot of exclusions, honestly.

I also don't know what the actual problem is. Marcos above said it's about excluding a path _and_ a threat that falls within an excluded path. I haven't tested that. My tech hasn't commented on that, but has said:

Quote

Since my last email to you, I've reached out to more colleagues to see how many they have encountered. The malware team seems to be getting a few more tickets than we do on the business/MSP side but they are no closer to nailing down the cause. 

In some cases, the issue is a one-time occurrence that causes a headache and never returns. Naturally, this makes determining the cause nearly impossible and, also, the fix. In other cases, the detections did continue but upgrading to v6.6.2072.4 fixed the issue. In one other case, yet, it is ongoing with development for the past month. 

The nature of the issue, so far as we currently understand it, is a scan is being triggered under the title of 'First Time Scan' and this scan is completely disregarding the exclusions. All other scans abide by the exclusions just fine but this one, 'First Time Scan' does not. 

(I don't know what 'First Time Scan' means. If it's a scan that occurs one-time after installation, then I am sure that I've seen this issue in at least one different scan.)

Also, my tech has said to me that there's no way to test whether upgrading a faulting client to 6.6.2072.4 fixes the problem. This seems ridiculous, but I'm afraid that's all I can report at the moment. Clearly, somehow, this problem crept into existing builds. The machines that have started complaining haven't been upgraded in at least two months. So, something has changed that wasn't introduced by a whole new build.

ConnectWise has been advising to turn off detection of all PUPs. At first, that sounded crazy to me, but the ESET tech pointed out that PUPs that graduate to DUPs (Definitely Unwanted/Unsafe Programs) are classified in ESET accordingly. ("DUP" is my word. Don't go using that with Connectwise or ESET. They'll think you're DUM.) So, while you'd miss RealPlayer and MyWebSmileyFaces, you will hear about them if they become actual threats, security or otherwise.

I don't know how your ERA is setup, but I have every client segregated into groups. I can, for instance, create a policy that modifies the base and turns off PUP detection for one client but leaves it on for another. Maybe you can do that if this issue is affecting only PUP detection.

I definitely advise talking to ConnectWise about the new solution regarding ProduKey. They had me install it a couple of weeks back. Although the tech assured me that installing the new solution would remove ProduKey from anywhere it's been deployed, that has not occurred. (I was skeptical of that claim anyway.) If ProduKey is getting detected when you've excluded it, you could create a script in Control to remove the program from each of your deployed Agents. At least, that'd cut down on some of the noise.

I'm sympathetic to your problem and wish I could relay better information.


I think that the ticket I have with ESET has run its course. What I've learned is the following:

  • They don't know the root cause of the problem.
  • It's intermittent.
  • There's no ETA on a fix.
  • They have seen some instances in which going to 6.6.2072.4 resolves the issue, but since the problem is intermittent, it's hard to know.

Thanks to everyone who responded.


  • Administrators
20 minutes ago, mwhalenhtc said:

They don't know the root cause of the problem.

Please collect logs with ELC and send me the generated archive via a personal message. If too big to attach, upload it to a safe location and provide me with a download link. I'll try to reproduce it with the very same configuration.


I'll give you what I can, but I've not been able to reproduce the problem which, as I understand it, is part of the reason why ESET hasn't been able to resolve it. I'll send what I have via PM, but it's probably not enough.


  • Administrators
50 minutes ago, mwhalenhtc said:

I'll give you what I can, but I've not been able to reproduce the problem which, as I understand it, is part of the reason why ESET hasn't been able to resolve it. I'll send what I have via PM, but it's probably not enough.

Do you mean that the issue doesn't occur any more and it was resolved somehow?
