Problems excluding files from detection.

[TheDeeGee 0]

I'm trying to exclude a couple of unattended installers from being detected and deleted, but without luck so far.

I have added the said files in the exclusion lists at 4 different locations, in Detection Engine, Real-Time and HIPS. But whenever i copy and paste the file to another location it get's caught and deleted. I even added the SHA1 HASHes, but that doesn't seem to work either. The only option seems to be disabling the entire Antivirus while doing backups and moving files around, which is not a good solution.

I have been using ESET NOD32 Antivirus for almost 15 years and never had this issue before.

[Marcos 5,074]

Nothing has changed in exclusions recently. Have you tried excluding the detected PUA by the detection name? I assume the problem is that it's a file in an installer that is detected, ie. excluding the hash of the whole installer cannot work.

[TheDeeGee 0]

I tried adding the PUA to the exclusions, but then the files still get deleted when copied elsewhere.

The PUA in question is "Win32/Packed.AutoIt.UG". It must have been added to the database recently, because it never acted like this.

The only solution i found so far is adding every single location i often copy these files to to the exclusion list.

[TheDeeGee 0]

I just wish it was possible to exclude a single file from the entire scanning process, regardless of location on the system.

[Marcos 5,074]

13 minutes ago, TheDeeGee said:

I just wish it was possible to exclude a single file from the entire scanning process, regardless of location on the system.

That's possible by excluding a file by hash. Please provide logs collected with ESET Log Collector.

[itman 1,659]

Add file hashes to installers you wish to exclude Eset real-time scanning exclusion as shown below:

If this doesn't work, what is occurring is Eset is detecting the AutoIT files within the the installers when they are being copied to a new location; i.e. being created. You will have to exclude by hash the AutoIt files Eset is detecting. Note that by doing this, you are exposing yourself to a security risk if these files are included within a malicious download.

[TheDeeGee 0]

2 hours ago, Marcos said:

That's possible by excluding a file by hash. Please provide logs collected with ESET Log Collector.

Is this what you're looking for?
 

Quote

<?xml version="1.0" encoding="utf-8" ?>
<ESET>
  <LOG>
    <RECORD>
      <COLUMN NAME="Tijd">1-3-2020 17:21:18</COLUMN>
      <COLUMN NAME="Scanner">Real-timebeveiliging van bestandssysteem</COLUMN>
      <COLUMN NAME="Objecttype">bestand</COLUMN>
      <COLUMN NAME="Object">C:\Users\TheDeeGee\Desktop\DAEMON Tools Ultra 5.5.0.1048.exe</COLUMN>
      <COLUMN NAME="Detectie">een variant van Win32/Packed.AutoIt.UG trojaans paard</COLUMN>
      <COLUMN NAME="Actie">opgeschoond door te verwijderen</COLUMN>
      <COLUMN NAME="Gebruiker">XXXXX\TheDeeGee</COLUMN>
      <COLUMN NAME="Informatie">Gebeurtenis opgetreden bij bestand dat is gewijzigd door programma: C:\Windows\explorer.exe (E0FCF4EB0835234FA1009824080F3F453AD9C9F0).</COLUMN>
      <COLUMN NAME="Hash">D693AA7598EF6C28653AC9BBD8217A6E14906466</COLUMN>
      <COLUMN NAME="Eerst gezien hier"></COLUMN>
    </RECORD>
 </LOG>
</ESET>

 

That's what shows up in the log files after i copy the file from it's excluded place to my desktop for example.

This didn't happen until, well... yesterday when i was going to backup my files, which i do monthly.

Edited March 1, 2020 by TheDeeGee

[TheDeeGee 0]

1 hour ago, itman said:

Add file hashes to installers you wish to exclude Eset real-time scanning exclusion as shown below:

If this doesn't work, what is occurring is Eset is detecting the AutoIT files within the the installers when they are being copied to a new location; i.e. being created. You will have to exclude by hash the AutoIt files Eset is detecting. Note that by doing this, you are exposing yourself to a security risk if these files are included within a malicious download.

Yeah, that doesn't work because NOD32 detects the PUA.

[Marcos 5,074]

Adding SHA1 28561BBF776576530360F8006DB314941C347B61 to the list of detection exclusions should do the trick.

[TheDeeGee 0]

Sadly that doesn't work for the said file.

It get's detected and deleted shortly after it's being copied outside it's safe zone.

Right now i settled with this, it seems to be the easiest way to deal with it:

[TheDeeGee 0]

Actually it does work, but how did you get the SHA1 HASH from that file?

Whenever i check it with Powershell it outputs a different code.

[itman 1,659]

 

1 hour ago, TheDeeGee said:

Actually it does work, but how did you get the SHA1 HASH from that file?

Suspect this is the hash for the packed AutoIt file contained within DAEMON Tools Ultra 5.5.0.1048.exe

Edited March 1, 2020 by itman

[TheDeeGee 0]

Hopefully Marcos can share some more information about this, because there are two other files like that, that also need to be excluded.

[itman 1,659]

20 minutes ago, TheDeeGee said:

because there are two other files like that, that also need to be excluded.

Are you receiving Eset PUA alerts on those?

[TheDeeGee 0]

12 hours ago, itman said:

Are you receiving Eset PUA alerts on those?

Yes, the same "Win32/Packed.AutoIt.UG".

I had these files for quite a while and they never caused any problems for NOD32.

[Marcos 5,074]

You should be able to exclude the detection name, ideally with a path as well:

[itman 1,659]

1 hour ago, Marcos said:

You should be able to exclude the detection name, ideally with a path as well:

It appears that path name must be specified for the Detection name to be effective?

[Marcos 5,074]

The path is not mandatory. A detection name can be excluded globally without specifying the path. If specified, the detection exclusion will be restricted to files at the given path.

[itman 1,659]

I personally believe that a global exclusion for AutoIt is a bad idea since it is bundled with a lot of installers. But "each to their own" on this subject.

[TheDeeGee 0]

Yeah, i'd rather be able to exclude the 3 files i have. I don't feel comfortable whitelisting the AutoIt for my entire system.

Bit of a shame that whitelisting files is so cumbersome in NOD32.

Guess i'll keep digging the internet until i find a way on how to Marcos made that SHA1 HASH.

[Marcos 5,074]

57 minutes ago, itman said:

I personally believe that a global exclusion for AutoIt is a bad idea since it is bundled with a lot of installers. But "each to their own" on this subject.

That's correct, however, this is not a general exclusion for any Autoit detection but only for the specific one called Win32/Packed.Autoit.UG. In this case it appears to be a crack so excluding it by the detection name is relatively safe.

In the future we'll try to improve this by enabling exclusions by parent's hash.

[Marcos 5,074]

The hash can be determined after double-clicking the record in the Detection log:

[itman 1,659]

22 minutes ago, Marcos said:

In this case it appears to be a crack so excluding it by the detection name is relatively safe.

This was my suspicion also. That cracked software was being installed ...............

[TheDeeGee 0]

1 hour ago, Marcos said:

The hash can be determined after double-clicking the record in the Detection log:

Aaaah now i see.

It's the one from the second line, not the actual HASH from the program itself.

And to confirm, yes they're cracked programs. It's just that the source they come is a trusted one, since it's a very small community i been part of for a long time.

Don't worry, i actually pay for my NOD32 License. As i said, i been using it for atleast 15 years now 😁

Edited March 2, 2020 by TheDeeGee

[TheDeeGee 0]

With the recent update "Win32/Packed.AutoIt.UG" was detected as "Win32/Packed.Autoit.NBT" in the same files.

So i lost a bunch of files again and had to update the HASHs... lovely >_>

Never in the 15 years i use NOD32 i had so much hassle with it.