EEI | specific exclusion not working on 1.7.1991

Hi,
So I went ahead and updated to the new EEI, as I saw one of the new fixes is fixing exclusions (some of them).

So I'm opening this post to add any exclusions I find that didn't work; whatever I find that doesn't work, I'll post here.
I am trying to create a specific exclusion using the default options (removing the limit to computer name)
and/or try to add it to my pre-made exclusions which hold the same parameters on a larger scale (e.g. process name with no signature, and specific error type (M1010A (made up))).
Here is the first one:
[screenshot attached]

Let me know if you need more details (in this case I verified with the employee; he created that executable file himself.)

Thanks

Here is another (python related too)
[screenshot attached]

The default exclusion says it has a trusted signature (even though it doesn't say it here), but I tried adding it with no signature (not NONE, just nothing selected) and it still fails to clear the warning.

[screenshot attached]
I'm starting to wonder, any chance that it might not be working at all?

  • ESET Staff

@avielc,

While supplying these screenshots, can you ensure you capture all 4 of the information panes on the left, like the example below?

This will ensure we can see the process tree and the event data which may have led to the detection.  Also, it will be important to share a copy of the exclusion which is not working as expected (exporting the exclusion as XML will be best).  Also, please double check the exclusion is enabled.  I'm certain it is, but it's best to double check and rule that out.

There is a chance we might need an export of the Raw Events, but that is only if the screenshots, with all 4 panes of info, are not enough to see what is happening.

[example screenshot attached]

Hi James, I would prefer to avoid sharing the computer box info online if you don't mind :)
Any other means you would prefer me to share this info with you?

  • ESET Staff

I can send you a private DM.  Then only I would see any info you share.  Would this be OK?

You can blur out or omit the computer name section, but there is always a chance of other username/computer name data in the box containing "Event", "Command Line", "Username" having some info you may want to omit as well.

The piece of the puzzle that is most important for exclusion problems, is typically the "Event" data.  But it can also be other things like "Command Line" or "parent/ancestor process".


Got it,
well, whatever you find necessary, I can flood you with events starting next week, as I cleared them out for this week.  (Didn't expect to need more info.)

Also, I have filtered the exclusions to show only those enabled, so I only see those I have made.