Posted

I'm trying to create a policy to exclude by threat name, regardless of file location. Let's say that the threat I want to exclude from detection is Win32/uTorrent.C

1) In the ESMC policy for Endpoint security, I understand that one should modify Settings -> Detection Engine -> Basic -> Exclusions, is that correct?

2) Assuming that it is, I presume that I should select "Exclude threat" here. Exactly how do I specify the threat? I would expect that one should enter the exact threat name, i.e. Win32/uTorrent.C; however, if one presses the question mark on this dialog box he/she is directed to https://help.eset.com/ees/7/en-US/idh_exclude.html, where it is stated as an example that the threat should be specified as @NAME=Win32/Adware.Optmedia@TYPE=ApplicUnwnt

Are the @NAME= and @TYPE declarations mandatory and, if not, what is their purpose? For Win32/uTorrent.C how can I know the TYPE beforehand?

BTW, there is some inconsistency in the documentation. That is, if one elects to create a policy for File Security for Windows Servers (v6+) instead, then the help file in this dialog box https://help.eset.com/efsw/7.0/en-US/idh_exclude.html does not specify the @TYPE specifier at all.

Which of the specifiers above can be used? Win32/uTorrent.C, @NAME=Win32/uTorrent.C@TYPE=Something or @NAME=Win32/uTorrent.C?

3) Finally, how can I specify that I want this to apply to all disks? Should I leave the path mask empty? Remember that this is a policy to be enforced on systems with an unknown number of drives, so how can I whitelist on the global filesystem?

  • Administrators
Posted

It should look as follows:

image.png

Posted

Perfect, thanks!

BTW, do you have any links describing the @NAME descriptor as well as any other descriptors one can use in the threat name field?

  • Administrators
Posted

Only @NAME is supported. In the future we would like to get rid of it so that only the detection name is entered.

Posted (edited)

One more question: can one wildcard the threat name? I.e. use something like @NAME=uTorrent.* or @NAME=Win32/Hack*?

Edited by carmik
  • Administrators
Posted

No, wildcards are not supported in detection names.
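To catch these two pitfalls before pushing a policy, here is a small validator for planned "Exclude threat" entries. It is an added example, not ESET's code: it accepts a bare detection name or the documented @NAME= form, rejects wildcards, and (following the admin's reply above that only @NAME is supported) rejects any other descriptor such as @TYPE; the function names and the sample entry list are constructed for illustration.

```python
import re

# Matches a descriptor prefix such as "@NAME=" or "@TYPE=" (hypothetical parser,
# not ESET's own validation logic).
_DESCRIPTOR_RE = re.compile(r"@([A-Z]+)=")


def parse_threat_exclusion(entry: str) -> str:
    """Return the bare detection name an exclusion entry would match.

    Accepted: "Win32/uTorrent.C" or "@NAME=Win32/uTorrent.C".
    Rejected (ValueError): wildcards, empty names, and descriptors other
    than @NAME (per the admin reply in this thread, only @NAME is supported).
    """
    entry = entry.strip()
    if not entry:
        raise ValueError("empty exclusion entry")
    if entry.startswith("@"):
        # "@NAME=X@TYPE=Y" -> ['', 'NAME', 'X', 'TYPE', 'Y']
        parts = _DESCRIPTOR_RE.split(entry)
        fields = dict(zip(parts[1::2], parts[2::2]))
        unsupported = sorted(set(fields) - {"NAME"})
        if unsupported:
            raise ValueError(f"unsupported descriptor(s) {unsupported}: only @NAME is supported")
        name = fields.get("NAME", "")
    else:
        name = entry
        if _DESCRIPTOR_RE.search(name):
            raise ValueError(f"descriptor in the middle of a bare name: {name!r}")
    if not name:
        raise ValueError("missing detection name")
    if any(ch in name for ch in "*?"):
        raise ValueError(f"wildcards are not supported in detection names: {name!r}")
    return name


def check_exclusion_list(entries):
    """Validate a batch of planned entries; return (accepted names, {entry: error})."""
    accepted, errors = [], {}
    for entry in entries:
        try:
            accepted.append(parse_threat_exclusion(entry))
        except ValueError as exc:
            errors[entry] = str(exc)
    return accepted, errors


if __name__ == "__main__":
    # Constructed sample entries mirroring the forms discussed in the thread.
    ok, bad = check_exclusion_list(["Win32/uTorrent.C", "@NAME=Win32/uTorrent.C",
                                    "@NAME=uTorrent.*", "@NAME=Win32/Hack*",
                                    "@NAME=Win32/Adware.Optmedia@TYPE=ApplicUnwnt"])
    print("accepted:", ok)
    for entry, why in bad.items():
        print(f"rejected {entry!r}: {why}")
```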
