ShaneDT 13 Posted September 17, 2018 Posted September 17, 2018 ESMC7 with EES/EFS7 on Windows. Is there any way to create a PUA scan without clean enabled, ie detect only, without changing settings for every other scan type? Currently the only place to enable/disable PUA in policy is in the Detection Engine / Basic settings. This then applies for all scan types. I want to be able to disable PUA detection without compromising all the scan settings for all other threat types, ie viruses. And then run a detection only scan for PUA's to check for false positives before setting PUA to be 'cleaned'. I can't see any way to do this, even by creating a Client Task, as everything refers back to whether PUA is enabled or disabled in Basic settings. So the only option I can see is enable PUA detection and enable 'No Cleaning' for all threat types, or disable PUA's altogether permanently. Why do I want to be able to scan PUA's separately? Because sometimes business or wanted applications are detected as PUA's and deleted. I want to be able to detect these first, then exclude any that the customer doesn't want removed.
Administrators Marcos 5,741 Posted September 17, 2018 Administrators Posted September 17, 2018 There is only a global settings for PUAs. What you could do is run a scan with the command line scanner ecls.exe and disable PUA detection using the appropriate switch. Moreover, PUAs are cleaned automatically in a managed environment. However, you can restore particular PUAs from quarantine via ESMC and exclude them from detection, if needed.
ShaneDT 13 Posted September 17, 2018 Author Posted September 17, 2018 Can I somehow create a Client Task to run that on remote computers from the ESMC server?
Administrators Marcos 5,741 Posted September 17, 2018 Administrators Posted September 17, 2018 It is possible to run ecls via a "run command" task but since it logs only to a text log that is not transferred to ESMC, that's probably not what you want. In my opinion, it's safer to have PUAs cleaned automatically and restore / exclude a particular one if really needed than letting a user run it for some time and only then evaluate whether it's ok to use it or not.
ShaneDT 13 Posted September 17, 2018 Author Posted September 17, 2018 Marcos I totally agree, but when you've just signed up a new customer and the first thing eset does is deletes the CEOs beloved Google Toolbar, 1: its not a good start to the relationship, and 2: it creates additional unnecessary work for me that the customers probably not going to want to pay me for. a lot of what PUA detects is mostly crapware. I'd rather scan for this first so I can create a list to discuss and then exclude before enabling for strict cleaning.
ESET Staff MichalJ 434 Posted September 18, 2018 ESET Staff Posted September 18, 2018 @ShaneDT I do agree, that it might be beneficial to have separate cleaning / handling level for PUAs and for standard detections. We are tracking improvements to adjust this behavior towards the future versions.
ShaneDT 13 Posted September 18, 2018 Author Posted September 18, 2018 Thanks Michal, yes be useful to add this in a future release. Possibly as a stand alone Client Task even. Cheers.
Recommended Posts