ILoveESET, posted May 18, 2020 (edited):
Hello, as the title of this thread suggests, what configurations may result in a bypass of the hash blocking set in EEI? I was able to successfully execute ransomware without triggering the antivirus by configuring detection name exclusions. I could see the alarms coming into EEI. I then configured blocking of that ransomware hash and tried to execute it on another machine. The execution was not blocked. And the best part is that the "Blocked Hashes" entries under "Admin" still show that it was blocked, based on the timestamp displayed in the "Blocked on" column. This is confusing because the administrator will think it is blocked, but on the user side it was not. Could there be functions in ESMC/EEI that supersede the blocking of hashes? How can I verify whether the hash blocking was indeed sent to the endpoints?
ILoveESET (author), posted May 18, 2020:
Attaching screenshots for clarity (see orange rectangles). As you can see, the executable was blocked but it still executed. Why? The hash matches exactly.
Marcos (Administrator), posted May 18, 2020:
Do you have any exclusions set? If so, is a file with a blocked hash executed if no exclusions are set?
ILoveESET (author), posted May 18, 2020:
Only detection exclusions were created. I was able to block other executables, like TeamViewer QuickSupport and Remote Desktop, just interestingly not this ransomware. Do detection exclusions supersede hash blocking?
Marcos (Administrator), posted May 18, 2020:
It's the purpose of exclusions to supersede any detection.
ILoveESET (author), posted May 19, 2020:
Marcos said (16 hours earlier): "It's the purpose of exclusions to supersede any detection."
I don't think so, are you sure? If I crafted a detection, say "Filecoder.Wannacryptod.C", and configured hash blocking of a known executable matching this detection, it will not be blocked? It is one thing to be excluded, but another to be blocked from execution, ain't it?
ILoveESET (author), posted May 26, 2020:
No news?
MichalJ (ESET Staff), posted May 26, 2020:
Hello, as stated by Marcos, exclusions supersede any blocking rule, regardless of whether it is by hash or the detection is triggered by Live Grid, our updated detection database. The same would apply in the case where it is present in an excluded folder.
ILoveESET (author), posted May 27, 2020:
MichalJ said (19 hours earlier): "Hello, as stated by Marcos, exclusions supersede any blocking rule, regardless of whether it is by hash or the detection is triggered by Live Grid, our updated detection database. The same would apply in the case where it is present in an excluded folder."
Thank you, Michal, for the precise clarification. I understand the logic better now.