avielc, posted January 20:
As said above, EEI is unable to get the right exception to ignore any 7zip work (7zg.exe file). Attaching photos of the file name and exceptions created.
Hash: C8044344C8DD9EB135E86D257946DE9777C14453
I tried creating exceptions to catch the actual process name \ any ancestor process \ process directory \ hash. Nothing triggers the auto-resolve.

Adam Luzsicza (ESET Staff), posted January 21:
Hi Avielc,
Sorry to hear you are having troubles with creating the needed Exclusion. What version/build number of EEI are you currently using please? I will also verify the exclusion in the screenshot with our team.

avielc (Author), posted January 26:
Hi @Adam Luzsicza
Sorry for the late reply, must've slipped my to-dos.
Using the latest version of EEI Server\Agent.
There are a few more that I fail to clear. Here is another:
I made an automated exclusion here using the "Create exclusion", which automatically adds the process and certificate level + Detection type to avoid.
In the list of the exclusions I still get "Hit count" on 0 (hope you can see it, it's really small).
I found a few others where the auto exclusion doesn't do anything. Any ideas about that?

Lockbits, posted January 26:
Hello guys,
We're experiencing a similar issue with one of our customers that is using EEI. We had created a lot of exclusions and some of them aren't working, for example, this:
We tried to create this exclusion several times without success, and we also changed the variables, and every day the same alert appears. This started from the latest version 1.6.1764.

Peter Randziak (ESET Moderators), posted February 11:
Hello guys,
Just yesterday we released EEI 1.6.1766.0 and one of the changelog entries is "Fixed: EEI exclusions for new detections".
https://www.eset.com/int/business/download/enterprise-inspector/
Peter

j-gray, posted February 11:
@Peter Randziak Thanks for posting this. It has resolved our issues with exclusions being ignored.

avielc (Author), posted February 11:
Thanks for the update Peter, I'll be testing it out starting Sunday through our company.

Peter Randziak (ESET Moderators), posted February 14:
Hello @j-gray, thank you for the confirmation, glad to hear that it resolved the issue for you.
Peter

Adam Luzsicza (ESET Staff), posted February 15:
Hello everyone,
I believe that the new Hotfix build 1.6.1766.0 should fix any issues with Exclusions not working correctly as mentioned by Peter. If this is not the case please let us know and we can investigate the particular problematic Exclusion further.
Thanks and have a great day,
Adam

avielc (Author), posted February 24:
On 2/15/2022 at 10:41 AM, Adam Luzsicza said:
> Hello everyone, I believe that the new Hotfix build 1.6.1766.0 should fix any issues with Exclusions not working correctly as mentioned by Peter. If this is not the case please let us know and we can investigate the particular problematic Exclusion further. Thanks and have a great day, Adam
Hi @Adam Luzsicza - I have a few more examples:
First is "memory compression", another is "registry" (accidentally resolved registry, so I can't find it).
Also, the hotfix did solve many exclusions that didn't take effect.
Thanks!

avielc (Author), posted February 24:
Adding another:
This one is on Mac, and this is Microsoft onenote.
Can't seem to resolve this no matter what I exclude.

avielc (Author), posted March 1:
Hi @Adam Luzsicza @Peter Randziak
Another one that hasn't been fixed:
All computers + server were updated to 1.1766.
Thank you

Marcos (Administrators), posted March 2:
On 2/24/2022 at 10:39 AM, avielc said:
> Adding another: This one is on Mac, and this is Microsoft onenote. Can't seem to resolve this no matter what I exclude.
What is the SHA1 of "microsoft onenote"? The file is not marked as safe, its reputation is relatively low and also the number of users who have the file is quite low, which is not typical for a file by Microsoft.
Last but not least, please ask unrelated questions in a new topic. If you put many different questions in one topic, it's easy to get lost and overlook some questions.

Marcos (Administrators), posted March 2:
On 2/24/2022 at 10:15 AM, avielc said:
> Hi @Adam Luzsicza - I have a few more examples: First is "memory compression", another is "registry" (accidentally resolved registry, so I can't find it). Also, the hotfix did solve many exclusions that didn't take effect. Thanks!
We'll update the rule so that this kind of detection is not triggered.
P_EEI-11150

avielc (Author), posted March 2:
@Marcos - Thanks mate - any chance to add the "registry" I added before? It's on the same concept as Memory Compression.
Thanks again

avielc (Author), posted March 2:
30 minutes ago, Marcos said:
> What is the SHA1 of "microsoft onenote"? The file is not marked as safe, its reputation is relatively low and also the number of users who have the file is quite low, which is not typical for a file by Microsoft. Last but not least, please ask unrelated questions in a new topic. If you put many different questions in one topic, it's easy to get lost and overlook some questions.
Here it is.
Also, here is the SHA-1 of it in text: 529879593AD7558334EDBA847C6C0B074F722C78

avielc (Author), posted March 2:
Also adding Registry here:

avielc (Author), posted March 2:
Another one. I think this is related to WSL (Windows Subsystems Linux).
898CCB370A257A483237137AD1DB60191EDD6199
Thanks

avielc (Author), posted March 13:
@Marcos @Adam Luzsicza - adding another one that just exploded lately. This one is a cmd.exe one.
This one is very odd - out of nowhere these just exploded.
I tried adding an exclusion to cmd.exe on that rule # - didn't do anything.
If I'm missing any info you need, let me know.

Marcos (Administrators), posted March 13:
Could you please post a screenshot of the whole process tree pertaining to one of the detections?

avielc (Author), posted March 13 (edited):
6 minutes ago, Marcos said:
> Could you please post a screenshot of the whole process tree pertaining to one of the detections?
Assuming this is what you meant.
Here are a few examples I have already resolved:
If you need any more data, let me know.
*update* decided to add a few more screenshots if it'll help:
Edited March 13 by avielc

avielc (Author), posted March 28:
Hi again
Adding another problematic process:
I tried making various exclusions; it didn't work.
Thanks!