carmik 0 Posted October 25, 2018

I'm trying to create a policy to exclude by threat name, regardless of file location. Let's say that the threat I want to exclude from detection is Win32/uTorrent.C.

1) In the ESMC policy for Endpoint Security, I understand that one should modify Settings -> Detection Engine -> Basic -> Exclusions, is that correct?

2) Assuming that it is, I presume that I should select "Exclude threat" here. Exactly how do I specify the threat? I would expect that one should enter the exact threat name, i.e. Win32/uTorrent.C; however, if one presses the question mark on this dialog box, he/she is directed to https://help.eset.com/ees/7/en-US/idh_exclude.html, where it is stated as an example that the threat should be specified as

@NAME=Win32/Adware.Optmedia@TYPE=ApplicUnwnt

Are the @NAME= and @TYPE= declarations mandatory and, if not, what is their purpose? For Win32/uTorrent.C, how can I know the TYPE beforehand?

BTW, there is some inconsistency in the documentation. That is, if one elects to create a policy for File Security for Windows Servers (v6+) instead, then the help file in this dialog box, https://help.eset.com/efsw/7.0/en-US/idh_exclude.html, does not specify the @TYPE specifier at all. Which of the specifiers above can be used: Win32/uTorrent.C, @NAME=Win32/uTorrent.C@TYPE=Something, or @NAME=Win32/uTorrent.C?

3) Finally, how can I specify that I want this to apply to all disks? Should I leave the path mask empty? Remember that this is a policy to be enforced on systems with an unknown number of drives, so how can I whitelist on the global filesystem?
Administrators Marcos 5,468 Posted October 25, 2018

It should look as follows:
carmik 0 (Author) Posted October 25, 2018

Perfect, thanks! BTW, do you have any links describing @NAME as well as any other descriptors one can use in the threat name field?
Administrators Marcos 5,468 Posted October 25, 2018

Only @NAME is supported. In the future we would like to get rid of it so that only the detection name is entered.
carmik 0 (Author) Posted October 25, 2018 (edited)

One more question: can one wildcard the threat name? I.e. use something like @NAME=uTorrent.* or @NAME=Win32/Hack*?

Edited October 25, 2018 by carmik
Administrators Marcos 5,468 Posted October 25, 2018

No, wildcards are not supported in detection names.
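Pulling the thread's answers together (the @NAME=...@TYPE=... form from the help page, "only @NAME is supported", and "no wildcards in detection names"), the following is an added example of a small validator an administrator could run over threat-name exclusion entries before putting them into a policy. It is not ESET's own parser and is not part of this thread; the grammar it accepts is inferred only from the strings quoted above, and the key sets `DOCUMENTED_KEYS` and `SUPPORTED_KEYS` are assumptions taken from the two answers.

```python
"""Validate ESET threat-name exclusion entries before adding them to a policy.

Constructed example. The accepted grammar is inferred from the help-page
example quoted in the thread (@NAME=Win32/Adware.Optmedia@TYPE=ApplicUnwnt)
and from the vendor answers (only @NAME is honoured; wildcards are not
supported in detection names). This is not ESET's own parser.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Specifiers that appear in the documentation quoted in the thread (assumption).
DOCUMENTED_KEYS = {"NAME", "TYPE"}
# Specifier the vendor answer says is actually evaluated (assumption).
SUPPORTED_KEYS = {"NAME"}
# Characters an administrator might try as wildcards; the thread says they are not supported.
WILDCARD_CHARS = set("*?")

# Matches one "@KEY=value" segment; values run up to the next "@".
_SEGMENT = re.compile(r"@([A-Za-z]+)=([^@]*)")


@dataclass
class ExclusionEntry:
    name: str                                   # the detection name, e.g. Win32/uTorrent.C
    type_: Optional[str]                        # @TYPE value if present, else None
    warnings: List[str] = field(default_factory=list)


def parse_exclusion(entry: str) -> ExclusionEntry:
    """Parse a bare detection name or an @KEY=value string.

    Raises ValueError for entries that would not behave as the administrator
    expects: malformed syntax, unknown specifiers, missing name, or wildcards.
    """
    entry = entry.strip()
    if not entry:
        raise ValueError("empty exclusion entry")

    fields: Dict[str, str] = {}
    if not entry.startswith("@"):
        # A bare name such as "Win32/uTorrent.C" is treated as the @NAME value.
        fields["NAME"] = entry
    else:
        pairs = _SEGMENT.findall(entry)
        # Every character must belong to some @KEY=value segment.
        if "".join(f"@{k}={v}" for k, v in pairs) != entry:
            raise ValueError(f"malformed entry: {entry!r}")
        for key, value in pairs:
            key = key.upper()
            if key in fields:
                raise ValueError(f"duplicate specifier @{key}")
            fields[key] = value

    warnings: List[str] = []
    for key in fields:
        if key not in DOCUMENTED_KEYS:
            raise ValueError(f"unknown specifier @{key}")
        if key not in SUPPORTED_KEYS:
            warnings.append(f"@{key} is documented but not evaluated; only @NAME is used")

    name = fields.get("NAME", "")
    if not name:
        raise ValueError("exclusion has no detection name (@NAME=...)")
    found = WILDCARD_CHARS & set(name)
    if found:
        raise ValueError(
            f"wildcards {sorted(found)} are not supported in detection names: {name!r}"
        )
    return ExclusionEntry(name=name, type_=fields.get("TYPE"), warnings=warnings)


def canonical(entry: str) -> str:
    """Return the form the thread settles on: @NAME=<exact detection name>."""
    return f"@NAME={parse_exclusion(entry).name}"


def is_valid(entry: str) -> bool:
    """True if the entry parses without error."""
    try:
        parse_exclusion(entry)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample entries, including the ones asked about in the thread.
    for sample in ["Win32/uTorrent.C",
                   "@NAME=Win32/Adware.Optmedia@TYPE=ApplicUnwnt",
                   "@NAME=uTorrent.*",
                   "@NAME=Win32/Hack*"]:
        try:
            parsed = parse_exclusion(sample)
            print(f"OK      {sample!r} -> {canonical(sample)} {parsed.warnings}")
        except ValueError as exc:
            print(f"REJECT  {sample!r}: {exc}")
```

Running it as a script prints one line per sample: the two exact names are accepted (the @TYPE one with a warning that only @NAME is evaluated) and the two wildcard forms are rejected, matching the answers given in the thread.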