[SOLVED] ESMC 7: Excluding a certain PUA signature

[carmik 0]

I'm trying to create a policy to exclude by threat name, regardless of file location. Let's say that the threat I want to exclude from detection is Win32/uTorrent.C

1) In the ESMC policy for Endpoint security, I understand that one should modify Settings -> Detection Engine -> Basic -> Exclusions, is that correct?

2) Assuming that it is, I presume that I should select "Exclude threat" here. Exactly how do I specify the threat? I would expect that one should enter the exact threat name, ie Win32/uTorrent.C, however if one presses the question mark on this dialog box he/she is directed to https://help.eset.com/ees/7/en-US/idh_exclude.html whereas it is stated as an example that the threat should be specified as (example) @NAME=Win32/Adware.Optmedia@TYPE=ApplicUnwnt

Are the @NAME= and @TYPE declarations mandatory and, if not, what is their purpose? For Win32/uTorrent.C how can I know the TYPE beforehand?

BTW, there is some inconsistency in the documentation. That is, if one elects to create a policy for File Security for Windows Servers (v6+) instead, then the help file in this dialog box https://help.eset.com/efsw/7.0/en-US/idh_exclude.html does not specify the @TYPE specifier at all.

Which of the specifiers above can be used? Win32/uTorrent.C , @NAME=Win32/uTorrent.C@TYPE=Something or @NAME=Win32/uTorrent.C ?

3) Finally, how can I specify that I want this to apply for all disks. Should I leave the path mask empty? Remember that this is a policy to be enforced on systems with an unknown number of drives, so how can I whitelist on global filesystem?

 

[Marcos 5,070]

It should look like as follows:

[carmik 0]

Perfect, thanks!

BTW, do you have any links describing the @NAME as well as any other descriptors one can use in the threat name field.

[Marcos 5,070]

Only @NAME is supported. In the future we would like to get rid of it so that only the detection name is entered.

[carmik 0]

Thanks again!

[carmik 0]

One more question, can one wildcard the threat name? Ie use something like @NAME=uTorrent.* or @NAME=Win32/Hack* ?

Edited October 25, 2018 by carmik

[Marcos 5,070]

No, wildcards are not supported in detection names.