Jump to content

[SOLVED] ESMC 7: Excluding a certain PUA signature


carmik
 Share

Recommended Posts

I'm trying to create a policy to exclude by threat name, regardless of file location. Let's say that the threat I want to exclude from detection is Win32/uTorrent.C

1) In the ESMC policy for Endpoint security, I understand that one should modify Settings -> Detection Engine -> Basic -> Exclusions, is that correct?

2) Assuming that it is, I presume that I should select "Exclude threat" here. Exactly how do I specify the threat? I would expect that one should enter the exact threat name, ie Win32/uTorrent.C, however if one presses the question mark on this dialog box he/she is directed to https://help.eset.com/ees/7/en-US/idh_exclude.html whereas it is stated as an example that the threat should be specified as (example) @NAME=Win32/Adware.Optmedia@TYPE=ApplicUnwnt

Are the @NAME= and @TYPE declarations mandatory and, if not, what is their purpose? For Win32/uTorrent.C how can I know the TYPE beforehand?

BTW, there is some inconsistency in the documentation. That is, if one elects to create a policy for File Security for Windows Servers (v6+) instead, then the help file in this dialog box https://help.eset.com/efsw/7.0/en-US/idh_exclude.html does not specify the @TYPE specifier at all.

Which of the specifiers above can be used? Win32/uTorrent.C , @NAME=Win32/uTorrent.C@TYPE=Something or @NAME=Win32/uTorrent.C ?

3) Finally, how can I specify that I want this to apply for all disks. Should I leave the path mask empty? Remember that this is a policy to be enforced on systems with an unknown number of drives, so how can I whitelist on global filesystem?

 

Link to comment
Share on other sites

Perfect, thanks!

BTW, do you have any links describing the @NAME as well as any other descriptors one can use in the threat name field.

Link to comment
Share on other sites

One more question, can one wildcard the threat name? Ie use something like @NAME=uTorrent.* or @NAME=Win32/Hack* ?

Edited by carmik
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...