avielc, Posted May 12, 2022

Hi,

So I went ahead and updated to the new EEI, as I saw one of the new fixes is fixing exclusions (some of them). So I'm opening this post to add any exclusions I find that didn't work; whatever I find that doesn't work, I'll post here.

I am trying to create a specific exclusion using the default options (removing the limit to computer name) and/or try to add it to my pre-made exclusions, which hold the same parameters on a larger scale (e.g. process name with no signature, and specific error type (M1010A (made up))).

Here is the first one: let me know if you need more details (in this case I verified with the employee; he created that executable file himself.)

Thanks
avielc (author), Posted May 12, 2022

Here is another (Python related too). The default exclusion says it has a trusted signature (even though it doesn't say it here), but I tried adding it with no signature (not NONE, just nothing selected); it still fails to clear the warning.
avielc (author), Posted May 12, 2022

I'm starting to wonder, any chance that it might not be working at all?
JamesR (ESET Staff), Posted May 12, 2022

@avielc, while supplying these screenshots, can you ensure you capture all 4 of the information panes on the left, like the example below? This will ensure we can see the process tree and the event data which may have led to the detection. Also, it will be important to share a copy of the exclusion which is not working as expected (exporting the exclusion as XML will be best). Also, please double-check the exclusion is enabled. I'm certain it is, but it's best to double-check and rule that out. There is a chance we might need an export of the Raw Events, but that is only if the screenshots, with all 4 panes of info, are not enough to see what is happening.
avielc (author), Posted May 12, 2022

Quoting JamesR (25 minutes ago):

"@avielc, while supplying these screenshots, can you ensure you capture all 4 of the information panes on the left, like the example below? This will ensure we can see the process tree and the event data which may have led to the detection. Also, it will be important to share a copy of the exclusion which is not working as expected (exporting the exclusion as XML will be best). Also, please double-check the exclusion is enabled. I'm certain it is, but it's best to double-check and rule that out. There is a chance we might need an export of the Raw Events, but that is only if the screenshots, with all 4 panes of info, are not enough to see what is happening."

Hi James, I would prefer to avoid sharing the computer box info online, if you don't mind. Any other means you would prefer me to share this info with you?
JamesR (ESET Staff), Posted May 12, 2022

I can send you a private DM. Then only I would see any info you share. Would this be OK? You can blur out or omit the computer name section, but there is always a chance of other username/computer name data in the box containing "Event", "Command Line", "Username" having some info you may want to omit as well. The piece of the puzzle that is most important for exclusion problems is typically the "Event" data. But it can also be other things, like "Command Line" or "parent/ancestor process".
avielc (author), Posted May 12, 2022

Got it, well, whatever you find necessary. I can flood you with events starting next week, as I cleared them out for this week (didn't expect to need more info). Also, I have filtered the exclusions to show only those enabled, so I only see those I have made.