EEI false positive on every 7zip action and can't be turned into an exception!

[avielc 20]

As said above
EEI is unable to get the right exception to ignore any 7zip work (7zg.exe file) 

attaching photos of the file name and exceptions created

Hash: C8044344C8DD9EB135E86D257946DE9777C14453

 

I tried creating exceptions to catch the actual process name \ any ancestor process \ process directory \ hash. 
Nothing triggers the auto-resolve 

[Adam Luzsicza 2]

Hi Avielc,

Sorry to hear you are having troubles with creating the needed Exclusion. What version/build number of EEI are you currently using please?

 

I will also verify the exclusion in the screenshot with our team.

[avielc 20]

Hi @Adam Luzsicza

Sorry for the late reply, Must've slipped my todo's.  
Using the latest version of EEI Server\Agent

There are a few more that I fail to clear. 
Here is another:

I made an automated exclusion here using the "Create exclusion" which automatically adds the process and certificate level + Detection type to avoid - 
In the list of the exclusions I still get "Hit count" on 0
 

(Hope you can see it, it's really small)
I found a few others that the auto exclusion doesn't do anything.  any ideas about that?

[Lockbits 10]

Hello guys,

We're experiencing a similar issue with one of our customers that is using EEI and we had created a lot of exclusions and some of them aren't working, for example, this:

We tried to create this exclusion several times without success and we also changed the variables and everyday the same alert appears. This started from latest version 1.6.1764.

[Peter Randziak 815]

Hello guys,

Just yesterday we released EEI 1.6.1766.0 and one of the changelog entries is "Fixed: EEI exclusions for new detections".

https://www.eset.com/int/business/download/enterprise-inspector/

Peter

[j-gray 20]

@Peter Randziak Thanks for posting this. It has resolved our issues with exclusions being ignored.

[avielc 20]

Thanks for the update Peter, I'll be testing it out starting Sunday through our company.

[Peter Randziak 815]

Hello @j-gray,

thank you for the confirmation, glad to hear that it resolved the issue for you.

Peter

[Adam Luzsicza 2]

Hello everyone, I believe that the new Hotfix build 1.6.1766.0 should fix any issues with Exclusions not working correctly as mentioned by Peter. If this is not the case please let us know and we can investigate the particular problematic Exclusion further.

 

Thanks and have a great day,

 

Adam

[avielc 20]

On 2/15/2022 at 10:41 AM, Adam Luzsicza said:

Hello everyone, I believe that the new Hotfix build 1.6.1766.0 should fix any issues with Exclusions not working correctly as mentioned by Peter. If this is not the case please let us know and we can investigate the particular problematic Exclusion further.

 

Thanks and have a great day,

 

Adam

Hi @Adam Luzsicza - I have a few more examples:
First is "memory compression", another is "registry" 

(accidentally resolved registry, so I can't find it. )

Also, the hotfix did solve many exclusions  that didn't take effect.

Thanks!

[avielc 20]

Adding another: 

This one is on Mac, and this is Microsoft onenote

Can't seem to resolve this no matter what I exclude.

[avielc 20]

Hi @Adam Luzsicza @Peter Randziak

Another one that hasn't been fixed:

 

All computers + server were updated to 1.1766. 
Thank you

[Marcos 4,351]

On 2/24/2022 at 10:39 AM, avielc said:

Adding another: 

This one is on Mac, and this is Microsoft onenote

Can't seem to resolve this no matter what I exclude.

What is the SHA1 of "microsoft onenote" ? The file is not marked as safe, its reputation is relatively low and also the number of user who have the file is quite low which is not typical for a file by Microsoft.

Last but not least, please ask unrelated questions in a new topic. If you put many different questions in one topic, it's easy to get lost and overlook some questions.

[Marcos 4,351]

On 2/24/2022 at 10:15 AM, avielc said:

Hi @Adam Luzsicza - I have a few more examples:
First is "memory compression", another is "registry" 

(accidentally resolved registry, so I can't find it. )

Also, the hotfix did solve many exclusions  that didn't take effect.

Thanks!

We'll update the rule so that this kind of detection is not triggered.

P_EEI-11150

[avielc 20]

@Marcos- Thanks mate - any chance to add the "registry" I added before. 
It's on the same concept as Memory Compression. 

 

Thanks again

[avielc 20]

30 minutes ago, Marcos said:

What is the SHA1 of "microsoft onenote" ? The file is not marked as safe, its reputation is relatively low and also the number of user who have the file is quite low which is not typical for a file by Microsoft.

Last but not least, please ask unrelated questions in a new topic. If you put many different questions in one topic, it's easy to get lost and overlook some questions.

Here it is. 
Also, here is the SHA-1 of it in text: 

• 529879593AD7558334EDBA847C6C0B074F722C78

   

   

[avielc 20]

Also adding Registry here:

[avielc 20]

Another one.  I think this is related to WSL (WIndows Subsystems Linux) 

898CCB370A257A483237137AD1DB60191EDD6199

 

Thanks

[avielc 20]

@Marcos @Adam Luzsicza - adding another one that just exploded lately

this one is a cmd.exe one 

This one is very odd - out of nowhere these just exploded. 

I tried adding an exclusion to cmd.exe on that rule #  - didn't do anything.

If I'm missing any info you need, let me know.

[Marcos 4,351]

Could you please post a screenshot of the whole process tree pertaining to one of the detections?

[avielc 20]

6 minutes ago, Marcos said:

Could you please post a screenshot of the whole process tree pertaining to one of the detections?

Assuming this is what you meant. 
Here are a few examples I have already resolved:

 

If you need any  more data, let me know

 

*update*
decided to add a few more screenshots if it'll help:

Edited March 13 by avielc

[avielc 20]

Hi again
Adding another problematic process: 

 

I tried making various exclusions it didn't work.

 

Thanks!