
.Tommy.

Exclusions not Working !


....... I'm on the latest ESET NOD32 ANTIVIRUS which is a new installation and I imported my saved settings into the application.

Now my exclusions are not respected anymore; I deleted them and re-added them without any change.

Here is an example of an exclusion which I had working for many years without any issues:

G:\Software\*.*

If I now execute a program or a certain BAT file which is in one of the sub folders I get a threat warning (false positive by the way).

Hopefully someone here can help me sort this out and get the exclusions working as they used to .......


Please provide me with logs gathered with ESET Log Collector as per the instructions at https://support.eset.com/kb3466. Before you start to collect logs, also select "quarantined files" in the list.

2 hours ago, .Tommy. said:

If I now execute a program or a certain BAT file which is in one of the sub folders I get a threat warning (false positive by the way).

Post a screen shot of the alert you are receiving.


....... I used the Eset Log Collector in default mode (log collector mode: filtered binary) and got an error.

Operation logs are attached to this message as well as the eav_logs.zip which was created with warnings (log collector mode: original binary from disk).

Here is the requested screenshot:

[Screenshot of the alert]

Operation Log (Filtered Binary).txt

Operation Log (Original Binary From Disk).txt

eav_logs.zip


Interesting.

What Eset is "objecting" to is an unknown process, Clear Event Viewer Logs.exe, running a .bat file that it appears you use to clear your event logs? It also appears that Eset considers this a PUA process. Finally, it appears that Eset's PUA detection process is perhaps overriding any realtime file exclusions, which is a desirable protection feature.

What you have to do is click on the alert's Advanced options and:

Quote

To allow the application to run on your computer in the future without interruption, click Advanced Options and select the check box next to Exclude from detection.

https://support.eset.com/kb2629/?locale=en_EN&segment=business


The BAT file is not excluded. You have created exclusions for: G:\Software\*.*, C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\amtlib.dll and G:\Software\Microsoft\Windows\Windows 10\Batch Files & Registry Tweaks\Clear Event Viewer Logs\Clear Event Viewer Logs.exe.

However, the batch file was detected in C:\Users\Tommy\AppData\Local\Temp\932F.tmp\9330.tmp\9331.bat and this folder was not excluded (don't exclude it since temp folders are a typical location of where malware resides).

It is in fact a potentially unsafe application because what the batch file does is that it clears system logs via wevtutil.exe. This is often done by attackers to clear traces after compromising a remote system, typically servers after conducting an RDP bruteforce attack.

Detection of potentially unsafe applications is disabled by default. They cover legitimate applications and tools that can be misused in the wrong hands. If you don't want this detection to be triggered at all, exclude the signature from detection, e.g. as follows:

[Screenshot of the signature exclusion setting]

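To make the diagnosis above concrete, here is an added Python check (not ESET's code) that tests which of the thread's exclusions cover a given path and flags exclusions that would fall inside a temp folder. The wildcard semantics ('*' spanning sub-folders), case-insensitive matching and the temp-folder list are assumptions modelled on this thread.

```python
import ntpath
import re

# Exclusions quoted in the thread (list constructed for this example).
EXCLUSIONS = [
    r"G:\Software\*.*",
    r"C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\amtlib.dll",
    r"G:\Software\Microsoft\Windows\Windows 10\Batch Files & Registry Tweaks"
    r"\Clear Event Viewer Logs\Clear Event Viewer Logs.exe",
]
# Assumption: temp folders should not be excluded wholesale, because
# malware is routinely staged there (the advice given in the thread).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def _normalize(path):
    # Windows paths are case-insensitive; unify separators and case.
    return ntpath.normcase(path.replace("/", "\\"))


def exclusion_to_regex(pattern):
    # Assumption: '*' may span sub-folders, which is how G:\Software\*.*
    # behaved for the poster; '?' matches exactly one character.
    out = []
    for part in re.split(r"([*?])", _normalize(pattern)):
        if part == "*":
            out.append(".*")
        elif part == "?":
            out.append(".")
        else:
            out.append(re.escape(part))
    return re.compile("^" + "".join(out) + "$")


def matching_exclusion(path, exclusions):
    # Return the exclusion covering `path`, or None if it is still scanned.
    norm = _normalize(path)
    for excl in exclusions:
        if exclusion_to_regex(excl).match(norm):
            return excl
    return None


def is_temp_location(path):
    # True when the path sits in a user or system temp folder.
    return any(marker in _normalize(path) for marker in TEMP_MARKERS)


if __name__ == "__main__":
    detected = r"C:\Users\Tommy\AppData\Local\Temp\932F.tmp\9330.tmp\9331.bat"
    print(matching_exclusion(detected, EXCLUSIONS), is_temp_location(detected))
```

Run against the detected Temp path, `matching_exclusion` returns None while `is_temp_location` returns True, which is exactly the situation Marcos describes.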
4 minutes ago, Marcos said:

It is in fact a potentially unsafe application because what the batch file does is that it clears system logs via wevtutil.exe. This is often done by attackers to clear traces after compromising a remote system, typically servers after conducting an RDP bruteforce attack.

:)


....... sorry, my mistake.

I didn't look properly to notice that the threat warning came from \AppData\Local\Temp\

After importing my old settings file again it seems that the exclusion for this folder is working again like before - I don't know what I did wrong the 1st time.

Before, when I tried to execute the BAT file from my software folder I got a threat warning, not anymore - Eset is accepting my exclusion again.

I'm sorry for the confusion I caused and thanks a lot to all you guys taking the time to look into this .......


@Marcos, I have a question about this .bat file detection.

If the same .bat script was run via cmd.exe from a PowerShell script, would Eset alert upon its attempted execution?

3 hours ago, .Tommy. said:

....... I didn't try it.

If you want to check it out, here is the batch command attached as a txt file .......

Clear_Event_Viewer_Logs.txt

Interesting.

Renamed your .bat script and tried to save it in %LocalAppData%\Temp using Notepad. Eset flagged Notepad as PUA, BAT/CleanLog.A potentially unsafe application, which obviously it is not, and deleted the .bat file.

This indicates Eset's realtime scanner is detecting the code within the .bat script via a code signature. So in your instance, Eset wasn't blocking Clear Event Viewer.exe per se. Rather it was blocking the opening of Clear Event Viewer.bat by cmd.exe which I assumed Clear Event Viewer.exe spawned as a child process.

9 hours ago, itman said:

Eset flagged Notepad as PUA, BAT/CleanLog.A potentially unsafe application, which obviously it is not and deleted the .bat file.

I don't think that we flagged Notepad as PUA. Otherwise it would have been Notepad which would have been deleted and not the .bat file.


....... I tried to run the script in PowerShell, but couldn't get it to work.

Then I tried it in CMD and it executed just fine, no threat warning at all .......


If you run the batch file via the command line console, it must be detected on access. Of course, if you don't run the batch file directly but only use some of the commands inside, that won't be detected, since we cannot detect legitimate system tools.

9 hours ago, Marcos said:

I don't think that we flagged Notepad as PUA. Otherwise it would have been Notepad which would have been deleted and not the .bat file.

Below is a screenshot of the log entry. The problem as I see it is that the alert I received is identical in format to that posted previously in this thread. When one sees a PUA alert, they immediately associate that with a PUA process. Further, the Eset PUA alert shows notepad.exe as the actor process. My recommendation is that the alert be changed to a file detection one with wording stating the file contains PUA content.

[Screenshot: Eset_PUA_Notepad.png]

4 hours ago, Marcos said:

Of course if you don't run the batch file directly but only use some of the commands inside, that won't be detected since we cannot detect legitimate system tools.

In other words, if it's run via a shell. Or, in-line via use of the ECHO command.
