ILoveESET

What may override the blocking of hashes by EEI?


Posted (edited)

Hello,

As the thread title suggests, what configurations may result in a bypass of the hash blocking set in EEI?

I was able to successfully execute a ransomware sample without triggering the antivirus by configuring detection name exclusions. I could see the alarms coming into EEI.

I then configured blocking of that ransomware hash, and tried to execute it on another machine. The execution was not blocked.

And the best part is that the "Blocked Hashes" entries under "Admin" still show that it was blocked, based on the timestamp displayed in the "Blocked on" column.

This is confusing because the administrator will think it is blocked, but on the user side it was not. Could there be functions in ESMC/EEI that supersede hash blocking? How can I verify whether the hash blocking was indeed sent to the endpoints?

Edited by ILoveESET

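Before concluding that a block was bypassed, the first thing to rule out is that the value stored in the block entry does not actually equal the hash of the file that ran on the second machine (a different build of the sample, a pasted value with stray whitespace or a typo, or a digest from a different algorithm than the one the block is keyed by). The following is an added example, not code from this thread or from ESET: it hashes the file bytes as they exist on the endpoint and checks each block-list entry under the algorithm implied by its length. The sample bytes and block list are constructed for the demo, and because the thread does not say which algorithm EEI keys its block list on, the check tries MD5, SHA-1 and SHA-256 rather than assuming one. It tells you whether the hash matches; it does not tell you whether the policy reached the endpoint, which is the separate question asked above.

```python
import hashlib
from typing import Dict, List, Optional

# Hex-digest lengths of the algorithms block lists are usually keyed by.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed stand-in for the executable under test; not a real binary.
SAMPLE_FILE = b"MZ\x90\x00" + b"constructed test payload, not a real ransomware binary" * 4
# Constructed stand-in for a rebuilt copy of the same tool: one byte differs,
# so every hash differs and a block entry for the original will not match it.
SAMPLE_FILE_REBUILT = SAMPLE_FILE + b"\x00"


def normalize_hash(entry: str) -> str:
    """Canonical form of a pasted hash: trimmed, lower-case, no 0x prefix."""
    h = entry.strip().lower()
    return h[2:] if h.startswith("0x") else h


def identify_algorithm(entry: str) -> Optional[str]:
    """Guess the algorithm from the digest length; None if it is not a clean hex digest."""
    h = normalize_hash(entry)
    if not h or any(c not in "0123456789abcdef" for c in h):
        return None
    return ALGO_BY_HEX_LEN.get(len(h))


def file_digests(data: bytes) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 of the bytes exactly as they exist on the endpoint."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def match_blocklist(data: bytes, blocklist: List[str]) -> List[Dict[str, object]]:
    """One verdict per block entry: whether this file matches it, and if not, why."""
    digests = file_digests(data)
    verdicts: List[Dict[str, object]] = []
    for entry in blocklist:
        algo = identify_algorithm(entry)
        if algo is None:
            verdicts.append({"entry": entry, "matched": False,
                             "reason": "not a valid hex digest (typo, truncated paste, or stray characters)"})
        elif digests[algo] == normalize_hash(entry):
            verdicts.append({"entry": entry, "matched": True, "algorithm": algo})
        else:
            verdicts.append({"entry": entry, "matched": False, "algorithm": algo,
                             "reason": f"file on this host has {algo} {digests[algo]}"})
    return verdicts


def is_covered(data: bytes, blocklist: List[str]) -> bool:
    """True if at least one block entry matches the file under its own algorithm."""
    return any(v["matched"] for v in match_blocklist(data, blocklist))


if __name__ == "__main__":
    good = file_digests(SAMPLE_FILE)
    # Constructed block list: a correct SHA-1 with sloppy formatting, a SHA-1
    # of the rebuilt copy, a SHA-256 of the original, and a pasted value with a typo.
    blocklist = [
        "  " + good["sha1"].upper() + "\n",
        file_digests(SAMPLE_FILE_REBUILT)["sha1"],
        good["sha256"],
        good["sha1"][:-1] + "g",
    ]
    for verdict in match_blocklist(SAMPLE_FILE, blocklist):
        print(verdict)
    print("original covered:", is_covered(SAMPLE_FILE, blocklist))
    print("rebuilt covered:", is_covered(SAMPLE_FILE_REBUILT, blocklist))
```

Run it against the real file by replacing SAMPLE_FILE with the bytes read from the endpoint (the copy that actually executed, not the copy on the analyst's machine) and the block list with the values copied from the "Blocked Hashes" view. An entry that comes back with a "reason" is a configuration problem to fix before suspecting precedence between exclusions and blocks.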

Attaching screenshots for clarity (see orange rectangles). As you can see, the executable was blocked but the execution still occurred. Why? The hash matches exactly.

eei1.png

eei2.png


Do you have any exclusions set? If so, is a file with a blocked hash executed if no exclusions are set?


Only detection exclusions were created. I was able to block other executables, like TeamViewer QuickSupport and Remote Desktop; just, interestingly, not this ransomware. Do detection exclusions supersede hash blocking?

image.thumb.png.4fbdb72e2e7166c7744c20014dcd8e87.png


It's the purpose of exclusions to supersede any detection.

16 hours ago, Marcos said:

It's the purpose of exclusions to supersede any detection.

I don't think so, are you sure? If I crafted a detection, say "Filecoder.Wannacryptod.C", and configured hash blocking of a known executable matching this detection, it will not be blocked?

It is one thing to be excluded, but another to be blocked from execution, isn't it?
