avielc, posted January 20, 2022

As said above, EEI is unable to get the right exception to ignore any 7zip work (7zg.exe file). Attaching photos of the file name and exceptions created.

Hash: C8044344C8DD9EB135E86D257946DE9777C14453

I tried creating exceptions to catch the actual process name \ any ancestor process \ process directory \ hash. Nothing triggers the auto-resolve.

Adam Luzsicza (ESET Staff), posted January 21, 2022

Hi Avielc,

Sorry to hear you are having troubles with creating the needed Exclusion. What version/build number of EEI are you currently using please? I will also verify the exclusion in the screenshot with our team.

avielc, posted January 26, 2022

Hi @Adam Luzsicza

Sorry for the late reply, must've slipped my to-dos. Using the latest version of EEI Server\Agent. There are a few more that I fail to clear. Here is another:

I made an automated exclusion here using the "Create exclusion", which automatically adds the process and certificate level + Detection type to avoid. In the list of the exclusions I still get "Hit count" on 0 (hope you can see it, it's really small).

I found a few others where the auto exclusion doesn't do anything. Any ideas about that?

Lockbits, posted January 26, 2022

Hello guys,

We're experiencing a similar issue with one of our customers that is using EEI. We had created a lot of exclusions and some of them aren't working, for example, this:

We tried to create this exclusion several times without success, and we also changed the variables, and every day the same alert appears. This started from latest version 1.6.1764.

Peter Randziak (ESET Moderators), posted February 11, 2022

Hello guys,

Just yesterday we released EEI 1.6.1766.0 and one of the changelog entries is "Fixed: EEI exclusions for new detections".

https://www.eset.com/int/business/download/enterprise-inspector/

Peter

j-gray, posted February 11, 2022

@Peter Randziak Thanks for posting this. It has resolved our issues with exclusions being ignored.

avielc, posted February 11, 2022

Thanks for the update Peter, I'll be testing it out starting Sunday through our company.

Peter Randziak (ESET Moderators), posted February 14, 2022

Hello @j-gray, thank you for the confirmation, glad to hear that it resolved the issue for you.

Peter

Adam Luzsicza (ESET Staff), posted February 15, 2022

Hello everyone,

I believe that the new Hotfix build 1.6.1766.0 should fix any issues with Exclusions not working correctly as mentioned by Peter. If this is not the case please let us know and we can investigate the particular problematic Exclusion further.

Thanks and have a great day,
Adam

avielc, posted February 24, 2022

On 2/15/2022 at 10:41 AM, Adam Luzsicza said:
> Hello everyone, I believe that the new Hotfix build 1.6.1766.0 should fix any issues with Exclusions not working correctly as mentioned by Peter. If this is not the case please let us know and we can investigate the particular problematic Exclusion further. Thanks and have a great day, Adam

Hi @Adam Luzsicza - I have a few more examples:

First is "memory compression", another is "registry" (accidentally resolved registry, so I can't find it).

Also, the hotfix did solve many exclusions that didn't take effect. Thanks!

avielc, posted February 24, 2022

Adding another:

This one is on Mac, and this is Microsoft onenote. Can't seem to resolve this no matter what I exclude.

avielc, posted March 1, 2022

Hi @Adam Luzsicza @Peter Randziak

Another one that hasn't been fixed:

All computers + server were updated to 1.1766.

Thank you

Marcos (Administrators), posted March 2, 2022

On 2/24/2022 at 10:39 AM, avielc said:
> Adding another: This one is on Mac, and this is Microsoft onenote. Can't seem to resolve this no matter what I exclude.

What is the SHA1 of "microsoft onenote"? The file is not marked as safe, its reputation is relatively low and also the number of users who have the file is quite low, which is not typical for a file by Microsoft.

Last but not least, please ask unrelated questions in a new topic. If you put many different questions in one topic, it's easy to get lost and overlook some questions.

Marcos (Administrators), posted March 2, 2022

On 2/24/2022 at 10:15 AM, avielc said:
> Hi @Adam Luzsicza - I have a few more examples: First is "memory compression", another is "registry" (accidentally resolved registry, so I can't find it). Also, the hotfix did solve many exclusions that didn't take effect. Thanks!

We'll update the rule so that this kind of detection is not triggered.

P_EEI-11150

avielc, posted March 2, 2022

@Marcos - Thanks mate - any chance to add the "registry" I added before? It's on the same concept as Memory Compression.

Thanks again

avielc, posted March 2, 2022

30 minutes ago, Marcos said:
> What is the SHA1 of "microsoft onenote"? The file is not marked as safe, its reputation is relatively low and also the number of users who have the file is quite low, which is not typical for a file by Microsoft. Last but not least, please ask unrelated questions in a new topic. If you put many different questions in one topic, it's easy to get lost and overlook some questions.

Here it is.

Also, here is the SHA-1 of it in text: 529879593AD7558334EDBA847C6C0B074F722C78

avielc, posted March 2, 2022

Also adding Registry here:

avielc, posted March 2, 2022

Another one. I think this is related to WSL (Windows Subsystems Linux).

898CCB370A257A483237137AD1DB60191EDD6199

Thanks

avielc, posted March 13, 2022

@Marcos @Adam Luzsicza - adding another one that just exploded lately. This one is a cmd.exe one.

This one is very odd - out of nowhere these just exploded. I tried adding an exclusion to cmd.exe on that rule # - didn't do anything.

If I'm missing any info you need, let me know.

Marcos (Administrators), posted March 13, 2022

Could you please post a screenshot of the whole process tree pertaining to one of the detections?

avielc, posted March 13, 2022 (edited March 13, 2022 by avielc)

6 minutes ago, Marcos said:
> Could you please post a screenshot of the whole process tree pertaining to one of the detections?

Assuming this is what you meant. Here are a few examples I have already resolved:

If you need any more data, let me know.

*update* decided to add a few more screenshots if it'll help:

avielc, posted March 28, 2022

Hi again

Adding another problematic process:

I tried making various exclusions; it didn't work.

Thanks!