
Posted (edited)

Hello guys,

We're in the final stage with this customer and EEI. They like the software but have the following questions:

1) They want to know if it's possible to automatically block certain malicious actions like Filecoder behavior or any behavior that EEI considers critical (the rules that are marked as critical in red). Not the others, because they can generate a lot of FPs. They ask this because if an attack occurs at night and nobody is looking at the alerts in the console or via email, no action will be taken at the right time. They would rather have some FPs than an attack that was not stopped because nobody realized it had happened.

2) We know that we can kill a process and also add its MD5 to a blacklist in order to stop the attack from spreading. Is it possible to make this automatic? For example, if a critical rule is triggered, the process is killed automatically and the MD5 blacklisted without user interaction.

If these features are not available, will those functions be implemented in the next versions? When?

We appreciate all the arguments you can give us in order to close the deal with the customer.

Thank you.

Edited by Lockbits

Posted (edited)
1 hour ago, Lockbits said:

1) They want to know if it's possible to automatically block certain malicious actions like Filecoder behavior or any behavior that EEI considers critical (the rules that are marked as critical in red). Not the others, because they can generate a lot of FPs. They ask this because if an attack occurs at night and nobody is looking at the alerts in the console or via email, no action will be taken at the right time. They would rather have some FPs than an attack that was not stopped because nobody realized it had happened.

Based on what is posted in the online help, the answer is no, simply because EEI has no real-time interface as far as client-to-server communication goes:

Quote

Rules are matched on the server. They are matched asynchronously so there is some time interval when recent events are sent from client to server and then processed by rules. Therefore, a rule cannot block execution of a process or operation. A matched rule can only notify security engineers by raising an alarm. The alarm is displayed in Alarms view but it is also exported to ESMC (or SIEM) or an email can be automatically sent when the alarm is triggered.

https://help.eset.com/eei/1/en-US/?rules_only_in_pdf.html

Edited by itman


I'd say that adding such automation would be risky at least at this point. Imagine that a backup was being performed by a freshly updated backup software and there were encrypted files being backed up. This could trigger an alarm and the backup process would be terminated automatically.
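The two points above (rules are matched asynchronously on the server and can only raise alarms that get exported to ESMC, a SIEM or e-mail; and a critical rule can fire on a legitimate backup job) are exactly what a SIEM-side consumer of those alarms has to deal with. The following Python script is an added example, not code from this thread or from ESET: it reads a constructed batch of exported alarm records and decides, per alarm, whether it qualifies for unattended containment or must wait for a human. The record layout, field names, rule names and the allowlist are all assumptions; EEI's real export format is not shown on this page, and the script produces decisions only, it does not kill anything or talk to EEI.

```python
"""Severity-gated triage of exported EDR alarms (added example, not ESET code).

Policy demonstrated:
  * only alarms with severity "critical" are eligible for unattended action,
    mirroring the customer's request in the thread;
  * a critical hit on an allowlisted tool (e.g. the backup agent) is downgraded
    to manual review, covering the false-positive case raised above;
  * hashes of processes selected for containment are collected into a
    blocklist candidate set, the SIEM-side equivalent of "blacklist the MD5".
"""
import json
from dataclasses import dataclass

# Constructed sample export, one JSON record per line. Field names are an
# assumption for this example, not EEI's export schema.
SAMPLE_ALARMS = r"""
{"host":"WS-0142","rule":"Filecoder behavior","severity":"critical","process":"C:\\Users\\bob\\AppData\\Local\\Temp\\x.exe","hash":"HASH-PLACEHOLDER-1"}
{"host":"SRV-BKP01","rule":"Mass file modification","severity":"critical","process":"C:\\Program Files\\Backup\\bkpagent.exe","hash":"HASH-PLACEHOLDER-2"}
{"host":"WS-0077","rule":"Suspicious script interpreter","severity":"warning","process":"C:\\Windows\\System32\\wscript.exe","hash":"HASH-PLACEHOLDER-3"}
"""

# Known-good tools that legitimately touch many (possibly encrypted) files.
# Constructed allowlist; a real one comes from the customer's own inventory.
ALLOWLIST_PREFIXES = (
    "C:\\Program Files\\Backup\\",
)


@dataclass(frozen=True)
class Decision:
    host: str
    rule: str
    action: str   # "AUTO_CONTAIN" or "MANUAL_REVIEW"
    reason: str


def _is_allowlisted(process_path: str) -> bool:
    """Case-insensitive prefix match against the allowlisted install paths."""
    path = process_path.lower()
    return any(path.startswith(prefix.lower()) for prefix in ALLOWLIST_PREFIXES)


def triage(alarm: dict) -> Decision:
    """Map one alarm record to a containment decision."""
    host, rule, proc = alarm["host"], alarm["rule"], alarm["process"]
    if alarm["severity"] != "critical":
        return Decision(host, rule, "MANUAL_REVIEW",
                        "non-critical rule: too FP-prone to act on unattended")
    if _is_allowlisted(proc):
        return Decision(host, rule, "MANUAL_REVIEW",
                        "critical rule hit an allowlisted tool (e.g. backup agent)")
    return Decision(host, rule, "AUTO_CONTAIN",
                    "critical rule on unrecognised process")


def process_export(text: str):
    """Triage every record in an export; return (decisions, hashes to block)."""
    decisions = []
    block_candidates = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        alarm = json.loads(line)
        decision = triage(alarm)
        decisions.append(decision)
        if decision.action == "AUTO_CONTAIN":
            block_candidates.add(alarm["hash"])
    return decisions, sorted(block_candidates)


if __name__ == "__main__":
    decisions, to_block = process_export(SAMPLE_ALARMS)
    for d in decisions:
        print(f"{d.host:10} {d.action:14} {d.rule} ({d.reason})")
    print("hashes queued for blocklist:", to_block)
```

Because EEI evaluates rules after the events have already been uploaded, a consumer like this always acts with some delay; the allowlist is what keeps the unattended path from terminating a freshly updated backup agent, while everything below critical still lands in the analyst queue.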


Hello guys,

Thank you for the input. 

The last question I have is whether it is possible to create a new template for a Dynamic Group, assign to it the computers that have some type of activity that triggered certain rules, and assign a policy to block all traffic from ESET's firewall. Is this a viable approach?

I only found the option to sort and group computers that have some type of functionality error or issue with EEI's agent.

Thank you.


As dynamic group evaluation happens on the client, whereas EEI rule evaluation happens on the EEI server, such automation is currently not possible. We are, however, tracking future improvements to address the issue and allow automated incident response workflows within the product.
