avielc 56 Posted January 20, 2022
As said above, EEI is unable to get the right exception to ignore any 7zip work (7zg.exe file). Attaching photos of the file name and exceptions created. Hash: C8044344C8DD9EB135E86D257946DE9777C14453
I tried creating exceptions to catch the actual process name \ any ancestor process \ process directory \ hash. Nothing triggers the auto-resolve.
Former ESET Employees Adam Luzsicza 2 Posted January 21, 2022
Hi Avielc, Sorry to hear you are having troubles with creating the needed Exclusion. What version/build number of EEI are you currently using please? I will also verify the exclusion in the screenshot with our team.
avielc 56 Posted January 26, 2022 Author
Hi @Adam Luzsicza, sorry for the late reply, must've slipped my to-dos. Using the latest version of EEI Server\Agent. There are a few more that I fail to clear. Here is another: I made an automated exclusion here using the "Create exclusion", which automatically adds the process and certificate level + Detection type to avoid. In the list of the exclusions I still get "Hit count" on 0 (hope you can see it, it's really small). I found a few others where the auto exclusion doesn't do anything. Any ideas about that?
Lockbits 13 Posted January 26, 2022
Hello guys, We're experiencing a similar issue with one of our customers that is using EEI. We had created a lot of exclusions and some of them aren't working, for example, this: We tried to create this exclusion several times without success, and we also changed the variables, and every day the same alert appears. This started from latest version 1.6.1764.
ESET Moderators Peter Randziak 1,223 Posted February 11, 2022
Hello guys, Just yesterday we released EEI 1.6.1766.0 and one of the changelog entries is "Fixed: EEI exclusions for new detections". https://www.eset.com/int/business/download/enterprise-inspector/
Peter
j-gray 52 Posted February 11, 2022
@Peter Randziak Thanks for posting this. It has resolved our issues with exclusions being ignored.
avielc 56 Posted February 11, 2022 Author
Thanks for the update Peter, I'll be testing it out starting Sunday through our company.
ESET Moderators Peter Randziak 1,223 Posted February 14, 2022
Hello @j-gray, thank you for the confirmation, glad to hear that it resolved the issue for you.
Peter
Former ESET Employees Adam Luzsicza 2 Posted February 15, 2022
Hello everyone, I believe that the new Hotfix build 1.6.1766.0 should fix any issues with Exclusions not working correctly as mentioned by Peter. If this is not the case please let us know and we can investigate the particular problematic Exclusion further. Thanks and have a great day,
Adam
avielc 56 Posted February 24, 2022 Author
On 2/15/2022 at 10:41 AM, Adam Luzsicza said:
Hello everyone, I believe that the new Hotfix build 1.6.1766.0 should fix any issues with Exclusions not working correctly as mentioned by Peter. If this is not the case please let us know and we can investigate the particular problematic Exclusion further. Thanks and have a great day, Adam

Hi @Adam Luzsicza - I have a few more examples: First is "memory compression", another is "registry" (accidentally resolved registry, so I can't find it). Also, the hotfix did solve many exclusions that didn't take effect. Thanks!
avielc 56 Posted February 24, 2022 Author
Adding another: This one is on Mac, and this is Microsoft onenote. Can't seem to resolve this no matter what I exclude.
avielc 56 Posted March 1, 2022 Author
Hi @Adam Luzsicza @Peter Randziak Another one that hasn't been fixed: All computers + server were updated to 1.1766. Thank you
Administrators Marcos 5,732 Posted March 2, 2022
On 2/24/2022 at 10:39 AM, avielc said:
Adding another: This one is on Mac, and this is Microsoft onenote. Can't seem to resolve this no matter what I exclude.

What is the SHA1 of "microsoft onenote"? The file is not marked as safe, its reputation is relatively low and also the number of users who have the file is quite low, which is not typical for a file by Microsoft. Last but not least, please ask unrelated questions in a new topic. If you put many different questions in one topic, it's easy to get lost and overlook some questions.
Administrators Marcos 5,732 Posted March 2, 2022
On 2/24/2022 at 10:15 AM, avielc said:
Hi @Adam Luzsicza - I have a few more examples: First is "memory compression", another is "registry" (accidentally resolved registry, so I can't find it). Also, the hotfix did solve many exclusions that didn't take effect. Thanks!

We'll update the rule so that this kind of detection is not triggered. P_EEI-11150
avielc 56 Posted March 2, 2022 Author
@Marcos - Thanks mate - any chance to add the "registry" I added before? It's on the same concept as Memory Compression. Thanks again
avielc 56 Posted March 2, 2022 Author
30 minutes ago, Marcos said:
What is the SHA1 of "microsoft onenote"? The file is not marked as safe, its reputation is relatively low and also the number of users who have the file is quite low, which is not typical for a file by Microsoft. Last but not least, please ask unrelated questions in a new topic. If you put many different questions in one topic, it's easy to get lost and overlook some questions.

Here it is. Also, here is the SHA-1 of it in text: 529879593AD7558334EDBA847C6C0B074F722C78
avielc 56 Posted March 2, 2022 Author
Another one. I think this is related to WSL (Windows Subsystem for Linux): 898CCB370A257A483237137AD1DB60191EDD6199 Thanks
avielc 56 Posted March 13, 2022 Author
@Marcos @Adam Luzsicza - adding another one that just exploded lately. This one is a cmd.exe one. This one is very odd - out of nowhere these just exploded. I tried adding an exclusion to cmd.exe on that rule # - didn't do anything. If I'm missing any info you need, let me know.
Administrators Marcos 5,732 Posted March 13, 2022
Could you please post a screenshot of the whole process tree pertaining to one of the detections?
avielc 56 Posted March 13, 2022 Author
6 minutes ago, Marcos said:
Could you please post a screenshot of the whole process tree pertaining to one of the detections?

Assuming this is what you meant. Here are a few examples I have already resolved: If you need any more data, let me know. *update* Decided to add a few more screenshots if it'll help:
Edited March 13, 2022 by avielc
avielc 56 Posted March 28, 2022 Author
Hi again. Adding another problematic process: I tried making various exclusions; it didn't work. Thanks!