What may override the blocking of hashes by EEI?


Hello,

As the title of this thread suggests, what configurations may result in a bypass of the blocking of hashes set in EEI?

I was able to successfully execute a ransomware sample without triggering the antivirus, by configuring detection-name exclusions. I could see the alarms coming into the EEI.

I then configured blocking of that ransomware hash and tried to execute it on another machine. The execution was not blocked.

And the best part is that the "Blocked Hashes" entry under "Admin" still shows that it was blocked, based on the timestamp displayed in the "Blocked on" column.

This is confusing because the administrator will think it is blocked, but on the user side it was not. Could there be functions in ESMC/EEI that supersede blocking of hashes? How can I verify whether the blocking of hashes was indeed sent to the endpoints?

Edited by ILoveESET

Attaching screenshots for clarity (see orange rectangles). As you can see, the executable was blocked, but the execution still occurred. Why? The hash matches exactly.

[Screenshots attached: eei1.png, eei2.png]


  • Administrators

Do you have any exclusions set? If so, is a file with a blocked hash executed if no exclusions are set?


Only detection exclusions were created. I was able to block other executables, like TeamViewer QuickSupport and Remote Desktop, just interestingly not this ransomware. Do detection exclusions supersede hash blocking?

[Screenshot attached]


16 hours ago, Marcos said:

It's the purpose of exclusions to supersede any detection.

I don't think so, are you sure? If I crafted a detection, say ("Filecoder.Wannacryptod.C"), and configured hash blocking of a known executable matching this detection, it will not be blocked?

It is one thing to be excluded, but another to be blocked from execution, ain't it?


  • ESET Staff

Hello, as stated by Marcos, exclusions supersede any blocking rule, regardless of whether it is by hash, or the detection is triggered by Live Grid or our updated detection database. The same would apply in the case where the file is present in an excluded folder.


19 hours ago, MichalJ said:

Hello, as stated by Marcos, exclusions supersede any blocking rule, regardless of whether it is by hash, or the detection is triggered by Live Grid or our updated detection database. The same would apply in the case where the file is present in an excluded folder.

Thank you, Michal, for the precise clarification. I understand the logic better now.

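The precedence MichalJ describes (exclusions evaluated before any block rule, whether hash-based, LiveGrid or signature-based) and the original poster's question of how to tell that a console "Blocked on" timestamp actually translated into enforcement are modelled below. This is an added illustration, not ESET code and not how EEI/ESMC is implemented internally: the policy fields, the `evaluate` ordering, the detection name `Filecoder.Example.A` and the sample hashes are all constructed for the example. The second function shows the reconciliation check an administrator would run: correlate the console blocklist with endpoint execution events and flag any hash that ran after it was marked blocked, which is exactly the symptom in the screenshots above.

```python
"""Toy model of endpoint rule precedence and a console-vs-endpoint reconciliation.
Constructed example; not ESET's implementation."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple
import hashlib

# Constructed sample hashes: they identify nothing real.
SAMPLE_HASH = hashlib.sha256(b"constructed sample executable").hexdigest()
OTHER_HASH = hashlib.sha256(b"constructed other executable").hexdigest()


@dataclass(frozen=True)
class Policy:
    blocked_hashes: frozenset          # hashes the admin blocked in the console
    detection_exclusions: frozenset    # detection names excluded by the admin
    excluded_paths: frozenset          # folder prefixes excluded from scanning


@dataclass(frozen=True)
class FileEvent:
    path: str
    sha256: str
    detection: Optional[str]           # name the scanner would raise, or None


def evaluate(policy: Policy, ev: FileEvent) -> Tuple[str, str]:
    """Decide allow/block for one execution.

    Exclusions are checked first, so an excluded detection name or an excluded
    folder wins over a blocked hash: this is the precedence the thread describes.
    """
    if ev.detection is not None and ev.detection in policy.detection_exclusions:
        return "allow", "detection exclusion"
    if any(ev.path.lower().startswith(p.lower()) for p in policy.excluded_paths):
        return "allow", "path exclusion"
    if ev.sha256 in policy.blocked_hashes:
        return "block", "blocked hash"
    if ev.detection is not None:
        return "block", "detection"
    return "allow", "no rule matched"


def find_ineffective_blocks(console_blocklist: Dict[str, datetime],
                            endpoint_events: Iterable[Tuple[str, datetime, str]]) -> List[str]:
    """Return hashes the console lists as blocked that an endpoint still executed
    after the 'Blocked on' timestamp. A non-empty result means the console view
    is not telling the whole story and an exclusion (or delivery problem) should
    be investigated.

    console_blocklist: {sha256: blocked_on}
    endpoint_events:   (sha256, executed_at, outcome) with outcome 'executed'/'blocked'
    """
    hits = set()
    for sha256, executed_at, outcome in endpoint_events:
        blocked_on = console_blocklist.get(sha256)
        if blocked_on is not None and outcome == "executed" and executed_at > blocked_on:
            hits.add(sha256)
    return sorted(hits)


# Constructed scenario mirroring the thread: hash blocked, detection name excluded.
SAMPLE_EVENT = FileEvent(r"C:\Users\demo\Downloads\sample.exe", SAMPLE_HASH, "Filecoder.Example.A")
POLICY_HASH_ONLY = Policy(frozenset({SAMPLE_HASH}), frozenset(), frozenset())
POLICY_WITH_EXCLUSION = Policy(frozenset({SAMPLE_HASH}), frozenset({"Filecoder.Example.A"}), frozenset())

CONSOLE_BLOCKLIST = {SAMPLE_HASH: datetime(2021, 1, 1, 9, 0),
                     OTHER_HASH: datetime(2021, 1, 1, 9, 0)}
ENDPOINT_EVENTS = [
    (SAMPLE_HASH, datetime(2020, 12, 31, 12, 0), "executed"),  # before the block: expected
    (SAMPLE_HASH, datetime(2021, 1, 2, 10, 0), "executed"),    # after the block: the symptom
    (OTHER_HASH, datetime(2021, 1, 2, 10, 0), "blocked"),      # block worked as intended
]

if __name__ == "__main__":
    print("hash block only:      ", evaluate(POLICY_HASH_ONLY, SAMPLE_EVENT))
    print("with detection excl.: ", evaluate(POLICY_WITH_EXCLUSION, SAMPLE_EVENT))
    print("ineffective blocks:   ", find_ineffective_blocks(CONSOLE_BLOCKLIST, ENDPOINT_EVENTS))
```

The reconciliation deliberately compares endpoint-side outcomes against the console's "Blocked on" time rather than trusting the console alone; the console records when the rule was created, not whether the endpoint enforced it, and that distinction is what made the screenshots look contradictory.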
