
File in the whitelist but still being deleted by Endpoint Antivirus



We are using Clover to ease the life of everyone until Microsoft finally releases a tabbed version of Explorer with all the goodies of Clover, like bookmarks.

But we have a problem. It keeps being deleted when someone tries to download it or copy the install file from our server.

We have some rules in place within ERA:

  • to allow setup_clover*.exe (usually the install files are named setup_clover@<version>.exe)
  • to exclude this folder from the scan: C:\Program Files (x86)\Clover\*.*

But we also have another rule which might get in conflict with the previous one:

  • Enable detection of potentially unwanted applications
  • Enable detection of potentially unsafe applications

My first thought would be that "Files and folders to be excluded from scanning" would override the potentially unwanted/unsafe applications, otherwise we would be stuck with what ESET considers to be "safe". Even our in-house application could give us a false positive, and we would make these unwanted/unsafe switches useless since we would have to turn them off.

How can I really get ESET to whitelist some application?

Thanks for your help


  • Administrators

Please post the appropriate records from the Detected threats log as well as a screen shot of your exclusion setup.


Here are the screenshots.

Note that the V: drive on the 3rd screenshot is a local hard drive (the destination where I want to copy the file).

Note: I confirm that the remote computers (mine and a few others) already received the updated policies and they see the same exclusions list in their ESET.

[Screenshots: ExclusionPolicies_2.PNG, ExclusionPolicies_1.PNG, DetectedThreats.png]


  • Administrators

Please remove all exclusions since they are entered incorrectly. A full path must be used, and exclusions like *.log will not work but may rather cause issues. The ERA CE validator will need to be adjusted to prevent such exclusions from being entered.

If you want to exclude the mentioned PUA from detection completely, use an exclusion like this:

[Screenshot: image.png]


Thanks for pointing out to me that it needs a full path for exclusions. Not only does ERA allow entering something like "*.log"; ESET Endpoint Antivirus will allow this action too. If I remove the lock in ERA so I can set the Files & Folders Exclusion on a single PC, it won't give me any warning and accepts *.log.

But allowing Win32/Softcnapp.l at large is not really an option. Softcnapp.l is a plague showing ads. Maybe it's a false positive, because I've never seen any ads from Clover. I've scanned the file with VirusTotal. Except 1 trustable firewall (Fortinet), all the reports come from "obscure antivirus" that I've never heard about. All the big players in the AV industry show it as clean.

I've tried what you suggested anyway, but it kept deleting the file. The setup looks OK to me.

[Screenshot: Capture.PNG]

I've tried a few other things:

  • Since you said that I need to provide a full path, I decided to include the source of the file, like \\ourserver\programs\clover\setup_clover@3.4.3.exe, but it deleted the file when I tried to copy it locally.
  • I've tried to add this exclusion: v:\temp\setup_clover@3.4.3.exe, and it worked. But that means that I have to know exactly where the user expects to copy the file on his computer, which doesn't make sense at all.
  • I've tried these exclusions: v:\*\Setup_Clover@3.4.3.exe and V:\*\Setup_Clover*.exe. Both are working... file not deleted. I could potentially decide to create exclusions for C: and D:, but I see so many cases where it wouldn't work (file picked from another source, for example).

I'll try to find where I can submit Clover for another examination. There was a well-known false positive in versions older than 3.3.8, but it's been fixed.
