Archived

This topic is now archived and is closed to further replies.

TheDeeGee

Problems excluding files from detection.

I'm trying to exclude a couple of unattended installers from being detected and deleted, but without luck so far.

I have added the said files in the exclusion lists at 4 different locations, in Detection Engine, Real-Time and HIPS. But whenever I copy and paste the file to another location it gets caught and deleted. I even added the SHA1 hashes, but that doesn't seem to work either. The only option seems to be disabling the entire antivirus while doing backups and moving files around, which is not a good solution.

I have been using ESET NOD32 Antivirus for almost 15 years and never had this issue before.


Nothing has changed in exclusions recently. Have you tried excluding the detected PUA by the detection name? I assume the problem is that it's a file in an installer that is detected, i.e. excluding the hash of the whole installer cannot work.


I tried adding the PUA to the exclusions, but then the files still get deleted when copied elsewhere.

The PUA in question is "Win32/Packed.AutoIt.UG". It must have been added to the database recently, because it never acted like this.

The only solution I found so far is adding every single location I often copy these files to to the exclusion list.


I just wish it was possible to exclude a single file from the entire scanning process, regardless of location on the system.

13 minutes ago, TheDeeGee said:

I just wish it was possible to exclude a single file from the entire scanning process, regardless of location on the system.

That's possible by excluding a file by hash. Please provide logs collected with ESET Log Collector.


Add file hashes for the installers you wish to exclude to the Eset real-time scanning exclusion list, as shown below:

[image: Eset_Hash.png]

If this doesn't work, what is occurring is Eset is detecting the AutoIt files within the installers when they are being copied to a new location, i.e. being created. You will have to exclude by hash the AutoIt files Eset is detecting. Note that by doing this, you are exposing yourself to a security risk if these files are included within a malicious download.

2 hours ago, Marcos said:

That's possible by excluding a file by hash. Please provide logs collected with ESET Log Collector.

Is this what you're looking for?
 

Quote

<?xml version="1.0" encoding="utf-8" ?>
<ESET>
  <LOG>
    <RECORD>
      <COLUMN NAME="Tijd">1-3-2020 17:21:18</COLUMN>
      <COLUMN NAME="Scanner">Real-timebeveiliging van bestandssysteem</COLUMN>
      <COLUMN NAME="Objecttype">bestand</COLUMN>
      <COLUMN NAME="Object">C:\Users\TheDeeGee\Desktop\DAEMON Tools Ultra 5.5.0.1048.exe</COLUMN>
      <COLUMN NAME="Detectie">een variant van Win32/Packed.AutoIt.UG trojaans paard</COLUMN>
      <COLUMN NAME="Actie">opgeschoond door te verwijderen</COLUMN>
      <COLUMN NAME="Gebruiker">XXXXX\TheDeeGee</COLUMN>
      <COLUMN NAME="Informatie">Gebeurtenis opgetreden bij bestand dat is gewijzigd door programma: C:\Windows\explorer.exe (E0FCF4EB0835234FA1009824080F3F453AD9C9F0).</COLUMN>
      <COLUMN NAME="Hash">D693AA7598EF6C28653AC9BBD8217A6E14906466</COLUMN>
      <COLUMN NAME="Eerst gezien hier"></COLUMN>
    </RECORD>
 </LOG>
</ESET>


 

That's what shows up in the log files after I copy the file from its excluded location to my desktop, for example.

This didn't happen until, well... yesterday, when I was going to back up my files, which I do monthly.

1 hour ago, itman said:

Add file hashes for the installers you wish to exclude to the Eset real-time scanning exclusion list, as shown below:

[image: Eset_Hash.png]

If this doesn't work, what is occurring is Eset is detecting the AutoIt files within the installers when they are being copied to a new location, i.e. being created. You will have to exclude by hash the AutoIt files Eset is detecting. Note that by doing this, you are exposing yourself to a security risk if these files are included within a malicious download.

Yeah, that doesn't work because NOD32 detects the PUA.


Adding SHA1 28561BBF776576530360F8006DB314941C347B61 to the list of detection exclusions should do the trick.


Sadly that doesn't work for the said file.

It gets detected and deleted shortly after it is copied outside its safe zone.

Right now I have settled on this, it seems to be the easiest way to deal with it:

[image: Schermopname (91).jpg]


Actually it does work, but how did you get the SHA1 hash from that file?

Whenever I check it with PowerShell it outputs a different code.


 

1 hour ago, TheDeeGee said:

Actually it does work, but how did you get the SHA1 hash from that file?

Suspect this is the hash for the packed AutoIt file contained within DAEMON Tools Ultra 5.5.0.1048.exe


Hopefully Marcos can share some more information about this, because there are two other files like that, that also need to be excluded.

20 minutes ago, TheDeeGee said:

because there are two other files like that, that also need to be excluded.

Are you receiving Eset PUA alerts on those?

12 hours ago, itman said:

Are you receiving Eset PUA alerts on those?

Yes, the same "Win32/Packed.AutoIt.UG".

I had these files for quite a while and they never caused any problems for NOD32.


You should be able to exclude the detection name, ideally with a path as well:

[image]

1 hour ago, Marcos said:

You should be able to exclude the detection name, ideally with a path as well:

It appears that a path name must be specified for the Detection name to be effective?

[image: Eset_Path.png]


The path is not mandatory. A detection name can be excluded globally without specifying the path. If specified, the detection exclusion will be restricted to files at the given path.

[image]


I personally believe that a global exclusion for AutoIt is a bad idea since it is bundled with a lot of installers. But "each to their own" on this subject.


Yeah, I'd rather be able to exclude the 3 files I have. I don't feel comfortable whitelisting AutoIt for my entire system.

Bit of a shame that whitelisting files is so cumbersome in NOD32.

Guess I'll keep digging through the internet until I find out how Marcos made that SHA1 hash.

57 minutes ago, itman said:

I personally believe that a global exclusion for AutoIt is a bad idea since it is bundled with a lot of installers. But "each to their own" on this subject.

That's correct, however, this is not a general exclusion for any Autoit detection but only for the specific one called Win32/Packed.Autoit.UG. In this case it appears to be a crack so excluding it by the detection name is relatively safe.

In the future we'll try to improve this by enabling exclusions by parent's hash.


The hash can be determined after double-clicking the record in the Detection log:

[image]

22 minutes ago, Marcos said:

In this case it appears to be a crack so excluding it by the detection name is relatively safe.

This was my suspicion also: that cracked software was being installed...

1 hour ago, Marcos said:

The hash can be determined after double-clicking the record in the Detection log:

[image]

Aaaah, now I see.

It's the one from the second line, not the actual hash of the program itself.

And to confirm, yes, they're cracked programs. It's just that the source they come from is a trusted one, since it's a very small community I've been part of for a long time.

Don't worry, I actually pay for my NOD32 license. As I said, I've been using it for at least 15 years now 😁

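The confusion in the exchange above (the hash from PowerShell's Get-FileHash on the installer not matching the one ESET wants, and the correct hash sitting in the second line of the detection record) comes down to two different files: the installer you copy around, and the packed AutoIt file inside it that the scanner actually flags. The script below is an added example, not code from the forum or from ESET. It parses an exported detection log of the shape quoted earlier in the thread (the Dutch column names "Detectie", "Object" and "Hash" are taken from that quote; the sample export itself is constructed and carries placeholder content), pulls the detection name and record hash out of each record, and shows that the hash of the outer file differs from the hash the record reports. It also models the detection-name exclusion semantics Marcos described (global when no path is given, restricted to the path otherwise); the case-insensitive prefix match on the path is my assumption about how a path-restricted exclusion behaves, not something the thread states.

```python
import hashlib
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed stand-ins for the two files involved: the installer you copy
# around, and the packed AutoIt payload inside it that the scanner flags.
PAYLOAD = b"constructed stand-in for the packed AutoIt file inside the installer"
INSTALLER = b"constructed installer stub\x00" + PAYLOAD + b"\x00trailer"


def sha1_hex(data: bytes) -> str:
    """SHA-1 as upper-case hex, the form both the ESET log and Get-FileHash print."""
    return hashlib.sha1(data).hexdigest().upper()


# Constructed export modelled on the record quoted in this thread. The column
# names are the Dutch ones from that quote; the Hash column carries the hash of
# the embedded payload, not of the whole installer, which is the point at issue.
SAMPLE_LOG = """<?xml version="1.0" encoding="utf-8" ?>
<ESET>
  <LOG>
    <RECORD>
      <COLUMN NAME="Scanner">Real-timebeveiliging van bestandssysteem</COLUMN>
      <COLUMN NAME="Object">C:\\Users\\example\\Desktop\\installer.exe</COLUMN>
      <COLUMN NAME="Detectie">een variant van Win32/Packed.AutoIt.UG trojaans paard</COLUMN>
      <COLUMN NAME="Hash">{payload_hash}</COLUMN>
    </RECORD>
  </LOG>
</ESET>
""".format(payload_hash=sha1_hex(PAYLOAD))


def parse_detection_log(xml_text: str) -> list:
    """Return one dict per <RECORD>, keyed by each COLUMN's NAME attribute."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    rows = []
    for record in root.iter("RECORD"):
        rows.append({col.get("NAME"): (col.text or "").strip()
                     for col in record.findall("COLUMN")})
    return rows


def detection_family(text: str) -> str:
    """Pull the bare detection name (e.g. Win32/Packed.AutoIt.UG) out of the
    localized wording the log wraps around it."""
    m = re.search(r"\S+/\S+", text)
    return m.group(0) if m else text


def exclusion_candidates(rows: list) -> list:
    """(detection name, hash) pairs as they would go into a hash exclusion.
    The hash comes from the record, not from hashing the copied file."""
    return [(detection_family(r.get("Detectie", "")), r.get("Hash", ""))
            for r in rows if r.get("Hash")]


def rule_applies(row: dict, detection: str, path: Optional[str] = None) -> bool:
    """Detection-name exclusion: with no path the name is excluded globally;
    with a path it only covers objects under that path (assumed prefix match,
    case-insensitive because Windows paths are)."""
    if detection_family(row.get("Detectie", "")) != detection:
        return False
    if path is None:
        return True
    return row.get("Object", "").lower().startswith(path.lower())


if __name__ == "__main__":
    rows = parse_detection_log(SAMPLE_LOG)
    print("SHA-1 of the installer you copy:", sha1_hex(INSTALLER))
    print("SHA-1 in the detection record:  ", rows[0]["Hash"])
    print("Exclusion candidates:", exclusion_candidates(rows))
    print("Global rule applies:", rule_applies(rows[0], "Win32/Packed.AutoIt.UG"))
    print("Path-restricted rule applies:",
          rule_applies(rows[0], "Win32/Packed.AutoIt.UG", "D:\\Backup\\"))
```

Running it prints two different SHA-1 values: hashing the installer yourself reproduces what Get-FileHash gives, while the record's Hash column is what belongs in the exclusion. The same parse is what you would run over a real export before a detection name changes under you (as happened later in this thread), to collect every record hash in one pass instead of reading them off one by one.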

With the recent update "Win32/Packed.AutoIt.UG" was detected as "Win32/Packed.Autoit.NBT" in the same files.

So I lost a bunch of files again and had to update the hashes... lovely >_>

Never in the 15 years I've used NOD32 have I had so much hassle with it.

