
ILoveESET

What may override the blocking of hashes by EEI?


Hello,

As the title of this thread suggests, what configurations may result in a bypass of the hash blocking set in EEI?

I was able to successfully execute a ransomware sample without triggering the antivirus by configuring detection-name exclusions. I could see the alarms coming into EEI.

I then configured blocking of that ransomware's hash and tried to execute it on another machine. The execution was not blocked.

And the best part is that the "Blocked Hashes" entry under "Admin" still shows that it was blocked, based on the timestamp displayed in the "Blocked on" column.

This is confusing because an administrator will think it is blocked, but on the user side it was not. Could there be functions in ESMC/EEI that supersede hash blocking? How can I verify whether the blocking of hashes was indeed sent to the endpoints?


Attaching screenshots for clarity (see orange rectangles). As you can see, the executable was blocked, but the execution still occurred. Why? The hash matches exactly.

eei1.png

eei2.png


Do you have any exclusions set? If so, is a file with a blocked hash executed if no exclusions are set?


Only detection exclusions were created. I was able to block other executables, like TeamViewer QuickSupport and Remote Desktop; just, interestingly, not this ransomware. Do detection exclusions supersede hash blocking?

[screenshot attached]


It's the purpose of exclusions to supersede any detection.

16 hours ago, Marcos said:

It's the purpose of exclusions to supersede any detection.

I don't think so, are you sure? If I crafted a detection, say "Filecoder.Wannacryptod.C", and configured hash blocking of a known executable matching this detection, it will not be blocked?

It is one thing to be excluded, but another to be blocked from execution, isn't it?


Hello, as stated by Marcos, exclusions supersede any blocking rule, regardless of whether it is by hash or the detection is triggered by Live Grid, our updated detection database. The same would apply in the case where it is present in an excluded folder.

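The precedence Marcos and MichalJ describe, as an added illustration that is not ESET code and not part of the original thread: a small Python model of an endpoint that evaluates exclusions before blocked hashes and engine detections, plus an audit that lists every blocked hash an existing exclusion would quietly override (the check the original poster was missing when the console's "Blocked on" timestamp looked reassuring). The evaluation order, SHA-256 as the hash, the detection name, the paths, the policy field names and the sample bytes are all assumptions made for this model.

```python
"""Model of rule precedence on an EEI/ESMC-managed endpoint.

Added example, not ESET code. It encodes the precedence stated in the
thread (an exclusion supersedes any block, whether the block is by hash,
by detection name or via an excluded folder) as an explicit evaluation
order, and adds an audit that flags blocked hashes an exclusion neutralises.
Hash algorithm, rule names, paths and sample data are assumptions.
"""
from dataclasses import dataclass
from hashlib import sha256
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    blocked_hashes: frozenset = frozenset()       # EEI "Blocked Hashes"
    excluded_detections: frozenset = frozenset()  # detection-name exclusions
    excluded_paths: tuple = ()                    # excluded folders


@dataclass(frozen=True)
class Artifact:
    path: str
    content: bytes
    detection_name: Optional[str]  # what the engine would call it; None if clean

    @property
    def digest(self) -> str:
        # SHA-256 is the model's choice; the page does not state EEI's algorithm.
        return sha256(self.content).hexdigest()


def under_excluded_path(path: str, excluded: str) -> bool:
    """Case-insensitive Windows path containment check."""
    p, e = PureWindowsPath(path), PureWindowsPath(excluded)
    return p == e or e in p.parents


def evaluate(policy: Policy, art: Artifact) -> Tuple[str, str]:
    """Return (verdict, reason). Exclusions are checked first and short-circuit
    everything after them, which is why a blocked hash can still execute."""
    if art.detection_name and art.detection_name in policy.excluded_detections:
        return "ALLOW", f"detection exclusion: {art.detection_name}"
    for folder in policy.excluded_paths:
        if under_excluded_path(art.path, folder):
            return "ALLOW", f"path exclusion: {folder}"
    if art.digest in policy.blocked_hashes:
        return "BLOCK", "blocked hash"
    if art.detection_name:
        return "BLOCK", f"detected: {art.detection_name}"
    return "ALLOW", "no rule matched"


def shadowed_blocks(policy: Policy, artifacts: List[Artifact]) -> List[Tuple[str, str]]:
    """Audit: blocked hashes that an exclusion overrides for a known artifact.
    Each finding is (digest, the exclusion that wins)."""
    findings = []
    for art in artifacts:
        if art.digest not in policy.blocked_hashes:
            continue
        verdict, reason = evaluate(policy, art)
        if verdict == "ALLOW":
            findings.append((art.digest, reason))
    return findings


# Constructed sample standing in for the ransomware binary in the thread.
RANSOMWARE = Artifact(
    path=r"C:\Users\lab\Downloads\payload.exe",
    content=b"constructed stand-in for a Filecoder sample",
    detection_name="Win32/Filecoder.Constructed.A",  # made-up detection name
)

# Weak configuration: the detection-name exclusion from the test is still in
# place next to the hash block, so the block never gets a chance to fire.
WEAK = Policy(
    blocked_hashes=frozenset({RANSOMWARE.digest}),
    excluded_detections=frozenset({RANSOMWARE.detection_name}),
)

# Corrected configuration: same hash block, exclusion removed.
FIXED = Policy(blocked_hashes=frozenset({RANSOMWARE.digest}))


if __name__ == "__main__":
    for name, pol in (("weak", WEAK), ("fixed", FIXED)):
        print(name, evaluate(pol, RANSOMWARE), shadowed_blocks(pol, [RANSOMWARE]))
```

Run as a script it prints an ALLOW verdict for the weak policy with the detection exclusion named as the reason, and BLOCK for the corrected one. The practical takeaway is the audit: before trusting a "Blocked Hashes" entry, enumerate the exclusions that could match the same artifact, since the console records the rule, not whether anything on the endpoint would reach it.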
19 hours ago, MichalJ said:

Hello, as stated by Marcos, exclusions supersede any blocking rule, regardless of whether it is by hash or the detection is triggered by Live Grid, our updated detection database. The same would apply in the case where it is present in an excluded folder.

Thank you Michal for the precise clarification. I understand the logic better now.
