EEI false positive on every 7zip action and can't be turned into an exception!


As said above, EEI is unable to get the right exception to ignore any 7zip work (the 7zg.exe file).

attaching photos of the file name and exceptions created

Hash: C8044344C8DD9EB135E86D257946DE9777C14453

I tried creating exceptions to catch the actual process name \ any ancestor process \ process directory \ hash.
Nothing triggers the auto-resolve.

[screenshots attached]

  • ESET Staff

Hi Avielc,

Sorry to hear you are having trouble creating the needed Exclusion. What version/build number of EEI are you currently using, please?

I will also verify the exclusion in the screenshot with our team.

Hi @Adam Luzsicza

Sorry for the late reply, must've slipped my to-dos.
Using the latest version of EEI Server\Agent.

There are a few more that I fail to clear.
Here is another:
[screenshot attached]

I made an automated exclusion here using "Create exclusion", which automatically adds the process and certificate level + Detection type to avoid.
In the list of the exclusions I still get "Hit count" on 0.
[screenshot attached]

(Hope you can see it, it's really small)
I found a few others where the auto exclusion doesn't do anything. Any ideas about that?

Hello guys,

We're experiencing a similar issue with one of our customers that is using EEI. We had created a lot of exclusions and some of them aren't working, for example, this:

[screenshot attached]

We tried to create this exclusion several times without success and we also changed the variables, and every day the same alert appears. This started from the latest version 1.6.1764.

  • 3 weeks later...
  • ESET Staff

Hello everyone, I believe that the new Hotfix build 1.6.1766.0 should fix any issues with Exclusions not working correctly as mentioned by Peter. If this is not the case please let us know and we can investigate the particular problematic Exclusion further.

Thanks and have a great day,

Adam

  • 2 weeks later...
On 2/15/2022 at 10:41 AM, Adam Luzsicza said:

Hello everyone, I believe that the new Hotfix build 1.6.1766.0 should fix any issues with Exclusions not working correctly as mentioned by Peter. If this is not the case please let us know and we can investigate the particular problematic Exclusion further.

Thanks and have a great day,

Adam

Hi @Adam Luzsicza - I have a few more examples:
First is "memory compression", another is "registry".
[screenshots attached]

(Accidentally resolved registry, so I can't find it.)

Also, the hotfix did solve many exclusions that didn't take effect.

Thanks!

Adding another:

This one is on Mac, and this is Microsoft OneNote.
[screenshots attached]

Can't seem to resolve this no matter what I exclude.

  • Administrators
On 2/24/2022 at 10:39 AM, avielc said:

Adding another:

This one is on Mac, and this is Microsoft OneNote.
[screenshots attached]

Can't seem to resolve this no matter what I exclude.

What is the SHA1 of "Microsoft OneNote"? The file is not marked as safe, its reputation is relatively low and also the number of users who have the file is quite low, which is not typical for a file by Microsoft.

Last but not least, please ask unrelated questions in a new topic. If you put many different questions in one topic, it's easy to get lost and overlook some questions.

  • Administrators
On 2/24/2022 at 10:15 AM, avielc said:

Hi @Adam Luzsicza - I have a few more examples:
First is "memory compression", another is "registry".
[screenshots attached]

(Accidentally resolved registry, so I can't find it.)

Also, the hotfix did solve many exclusions that didn't take effect.

Thanks!

We'll update the rule so that this kind of detection is not triggered.

P_EEI-11150

@Marcos - Thanks mate, any chance to add the "registry" one I added before?
It's on the same concept as Memory Compression.

Thanks again

30 minutes ago, Marcos said:

What is the SHA1 of "Microsoft OneNote"? The file is not marked as safe, its reputation is relatively low and also the number of users who have the file is quite low, which is not typical for a file by Microsoft.

Last but not least, please ask unrelated questions in a new topic. If you put many different questions in one topic, it's easy to get lost and overlook some questions.

[screenshots attached]
Here it is.
Also, here is the SHA-1 of it in text:

  • 529879593AD7558334EDBA847C6C0B074F722C78

[screenshot attached]

Another one. I think this is related to WSL (Windows Subsystem for Linux).

898CCB370A257A483237137AD1DB60191EDD6199

Thanks

  • 2 weeks later...

@Marcos @Adam Luzsicza - adding another one that just exploded lately.

This one is a cmd.exe one.

[screenshot attached]

This one is very odd; out of nowhere these just exploded.

I tried adding an exclusion for cmd.exe on that rule # - it didn't do anything.

If I'm missing any info you need, let me know.

  • Administrators

Could you please post a screenshot of the whole process tree pertaining to one of the detections?


6 minutes ago, Marcos said:

Could you please post a screenshot of the whole process tree pertaining to one of the detections?

Assuming this is what you meant.
Here are a few examples I have already resolved:
[screenshots attached]

If you need any more data, let me know.

*update*
Decided to add a few more screenshots if it'll help:
[screenshots attached]

  • 2 weeks later...

Hi again
Adding another problematic process:
[screenshot attached]

[screenshot attached]

I tried making various exclusions; it didn't work.

Thanks!

This topic is now closed to further replies.