
Separate PUA settings / scan


ShaneDT

ESMC7 with EES/EFS7 on Windows.

Is there any way to create a PUA scan without clean enabled, i.e. detect only, without changing settings for every other scan type?

Currently the only place to enable/disable PUA in policy is in the Detection Engine / Basic settings. This then applies for all scan types.

I want to be able to disable PUA detection without compromising all the scan settings for all other threat types, i.e. viruses. And then run a detection-only scan for PUAs to check for false positives before setting PUA to be 'cleaned'. I can't see any way to do this, even by creating a Client Task, as everything refers back to whether PUA is enabled or disabled in Basic settings.

So the only option I can see is to enable PUA detection and enable 'No Cleaning' for all threat types, or disable PUAs altogether permanently.

Why do I want to be able to scan PUAs separately?

Because sometimes business or wanted applications are detected as PUAs and deleted. I want to be able to detect these first, then exclude any that the customer doesn't want removed.


  • Administrators

There is only a global setting for PUAs. What you could do is run a scan with the command line scanner ecls.exe and disable PUA detection using the appropriate switch. Moreover, PUAs are cleaned automatically in a managed environment. However, you can restore particular PUAs from quarantine via ESMC and exclude them from detection, if needed.


  • Administrators

It is possible to run ecls via a "run command" task but since it logs only to a text log that is not transferred to ESMC, that's probably not what you want.

In my opinion, it's safer to have PUAs cleaned automatically and restore / exclude a particular one if really needed than letting a user run it for some time and only then evaluate whether it's ok to use it or not.


Marcos, I totally agree, but when you've just signed up a new customer and the first thing ESET does is delete the CEO's beloved Google Toolbar, 1: it's not a good start to the relationship, and 2: it creates additional unnecessary work for me that the customer's probably not going to want to pay me for.

A lot of what PUA detects is mostly crapware. I'd rather scan for this first so I can create a list to discuss and then exclude before enabling for strict cleaning.


  • ESET Staff

@ShaneDT I do agree that it might be beneficial to have a separate cleaning / handling level for PUAs and for standard detections. We are tracking improvements to adjust this behavior in future versions.

This topic is now closed to further replies.