ESET Inspect exclude targets

Solved by JamesR


Hello,

I have been working with ESET Inspect for a while now and I often struggle with exclusions, as I can't find a way to exclude targets, so I decided to ask you guys whether I am missing something. For example, we are getting a lot of events related to the following rule:

As Outlook.exe is the source process, all exclusion options are related to it; however, excluding it would defeat the purpose of the rule. Instead I want to exclude detections from the 'inetcache' folder, and this seems to be impossible to do. The only viable workaround I found was to exclude '.com' files from the rule, as I believe very few attacks will involve this file type.

I know that there is an advanced editor in the exclusions interface; however, I am not very familiar with its capabilities. Do you know whether excluding a target file is possible through it?


• ESET Staff
• Solution

What you are trying to accomplish will require an Advanced Exclusion that makes use of an <operations> section. The <operations> section can be a bit tricky to get used to. Its format is as follows:

    <operations>  <!-- This "operations" tag is plural -->
        <operation type="WriteFile">  <!-- This "operation" tag is singular, and defines the type of operation you want to exclude -->
            <operator type="and">  <!-- Define any needed operator of and/or/not -->
                <condition component="FileItem" property="FullPath" condition="is" value="%Path%\Of\Interest\to\fileName.xyz"/>  <!-- Define any/all conditions of interest to describe the actions being taken by a process. -->
            </operator>
        </operation>
    </operations>

Your detection is being caused by a "FileTruncated" event. This is part of the "WriteFile" operation.

My recommended style of exclusion is to specify the specific process and the specific "WriteFile" operation for a specific location and file extension (modify any file paths as needed):

    <definition>
        <!-- First we define the process we want to not trigger the detection.  This will restrict the exclusion to specific executables causing the incorrect detections -->
        <process>
            <operator type="AND">
                <!-- SignatureType of 90 = Trusted -->
                <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
                <!-- Following will allow for both possible locations of outlook.exe -->
                <operator type="or">
                    <condition component="FileItem" property="FullPath" condition="is" value="%PROGRAMFILES(X86)%\microsoft office\root\office16\outlook.exe"/>
                    <condition component="FileItem" property="FullPath" condition="is" value="%PROGRAMFILES%\microsoft office\root\office16\outlook.exe"/>
                </operator>
                <!-- Signer Name must be "Microsoft Corporation" -->
                <condition component="Module" property="SignerName" condition="is" value="Microsoft Corporation"/>
            </operator>
        </process>
        <!-- Next we define which type of operation or target we want to allow the above process to do, without triggering a detection -->
        <!-- Logic here will state that we do not want detections on .com files created inside of the "...\inetcache\content.mso\" directory -->
        <operations>
            <operation type="WriteFile">
                <operator type="and">
                    <condition component="FileItem" property="FullPath" condition="starts" value="%LOCALAPPDATA%\microsoft\windows\inetcache\content.mso\"/>
                    <!-- Full File Path must end with .com to ensure we are only excluding the .com files. -->
                    <condition component="FileItem" property="FullPath" condition="ends" value=".com"/>
                </operator>
            </operation>
        </operations>
    </definition>

Please note that I am using the property "FullPath" for my "<condition..." statements. FullPath is a combination of the "FileName" and "Path" properties. I like to use this so that I can easily use the "Starts" or "Ends" conditions as needed.

• FileName = file name with extension, e.g. "HowdyThere.exe"
• Path = file path ending with a "\", e.g. "C:\some\path\of\interest\"
• FullPath = both Path and FileName in one complete string, e.g. "C:\some\path\of\interest\HowdyThere.exe"
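To see which events the exclusion above would actually silence before deploying it, here is a small evaluator written for this thread (it is not ESET's code nor JamesR's). It parses the same <definition> XML and applies it to a few constructed events: a signed outlook.exe writing a .com file into INetCache, the same process writing an .exe there, writing a .com file elsewhere, and an unsigned outlook.exe. The condition semantics ("is", "starts", "ends", "greaterOrEqual"), the %VAR% expansion values, case-insensitive path comparison and the rule that both the <process> block and a matching <operation> must hold are assumptions drawn from the answer, not ESET's documented matching engine, so treat the result as a sanity check of the exclusion's logic rather than of the product.

```python
# Added example (not ESET's or JamesR's code): a toy evaluator that applies the
# <process>/<operations> structure of an ESET Inspect advanced exclusion to
# constructed events, to check what an exclusion would silence before deploying it.
# Condition semantics, %VAR% expansion, case-insensitive paths and the rule that
# both <process> and a matching <operation> must hold are assumptions, not ESET's engine.
import xml.etree.ElementTree as ET

# The exclusion from the answer above, without its comments.
EXCLUSION_XML = r"""<definition>
  <process>
    <operator type="AND">
      <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
      <operator type="or">
        <condition component="FileItem" property="FullPath" condition="is" value="%PROGRAMFILES(X86)%\microsoft office\root\office16\outlook.exe"/>
        <condition component="FileItem" property="FullPath" condition="is" value="%PROGRAMFILES%\microsoft office\root\office16\outlook.exe"/>
      </operator>
      <condition component="Module" property="SignerName" condition="is" value="Microsoft Corporation"/>
    </operator>
  </process>
  <operations>
    <operation type="WriteFile">
      <operator type="and">
        <condition component="FileItem" property="FullPath" condition="starts" value="%LOCALAPPDATA%\microsoft\windows\inetcache\content.mso\"/>
        <condition component="FileItem" property="FullPath" condition="ends" value=".com"/>
      </operator>
    </operation>
  </operations>
</definition>"""

# Constructed environment values used to expand %VAR% placeholders (assumption).
ENV = {
    "PROGRAMFILES(X86)": r"C:\Program Files (x86)",
    "PROGRAMFILES": r"C:\Program Files",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
}

def expand(value):
    for name, path in ENV.items():
        value = value.replace(f"%{name}%", path)
    return value.lower()  # assume Windows paths compare case-insensitively

def evaluate(node, facts):
    """Evaluate a <condition> or <operator> element against facts keyed by (component, property)."""
    if node.tag == "operator":
        results = [evaluate(child, facts) for child in node]
        kind = node.get("type", "and").lower()  # accepts "AND" as well as "and"
        return {"and": all, "or": any, "not": lambda r: not any(r)}[kind](results)
    if node.tag != "condition":
        raise ValueError(f"unexpected element <{node.tag}>")
    actual = facts.get((node.get("component"), node.get("property")))
    if actual is None:
        return False  # a fact the event does not carry cannot satisfy the condition
    op, expected = node.get("condition"), node.get("value")
    if op == "greaterOrEqual":
        return int(actual) >= int(expected)
    actual, expected = expand(str(actual)), expand(expected)
    return {"is": actual == expected,
            "starts": actual.startswith(expected),
            "ends": actual.endswith(expected)}[op]

def exclusion_matches(xml_text, event):
    """True if the exclusion silences the event: the <process> block must hold and,
    when an <operations> section exists, one <operation> of the event's type must match."""
    root = ET.fromstring(xml_text)
    process = root.find("process")
    if process is not None and not all(evaluate(c, event["process"]) for c in process):
        return False
    operations = root.find("operations")
    if operations is None:
        return True  # assumption: a process-only exclusion covers every operation
    for operation in operations.findall("operation"):
        if operation.get("type") == event["operation"] and all(
                evaluate(c, event["target"]) for c in operation):
            return True
    return False

# Constructed facts for a signed outlook.exe and for writes into INetCache.
OUTLOOK = {
    ("Module", "SignatureType"): 90,
    ("Module", "SignerName"): "Microsoft Corporation",
    ("FileItem", "FullPath"): r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
}
INETCACHE = r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.MSO" + "\\"

def sample_events():
    """Constructed WriteFile events keyed by a label."""
    def ev(proc, path):
        return {"process": proc, "operation": "WriteFile", "target": {("FileItem", "FullPath"): path}}
    unsigned = {**OUTLOOK, ("Module", "SignatureType"): 0}
    return {
        "signed outlook writes .com in inetcache": ev(OUTLOOK, INETCACHE + "abc123.com"),
        "signed outlook writes .exe in inetcache": ev(OUTLOOK, INETCACHE + "abc123.exe"),
        "signed outlook writes .com elsewhere": ev(OUTLOOK, r"C:\Users\alice\Downloads\abc123.com"),
        "unsigned outlook writes .com in inetcache": ev(unsigned, INETCACHE + "abc123.com"),
    }

def evaluate_samples():
    """Map each sample label to whether EXCLUSION_XML would silence it."""
    return {label: exclusion_matches(EXCLUSION_XML, event) for label, event in sample_events().items()}

if __name__ == "__main__":
    for label, silenced in evaluate_samples().items():
        print(f"{'excluded ' if silenced else 'DETECTED '}{label}")
```

Only the first event is silenced: dropping the "ends .com" condition, or loosening the "starts" prefix, widens the exclusion to every write the process makes into that location, and removing the SignatureType/SignerName checks would let an unsigned binary at the same path inherit the exclusion, which is exactly why the answer ties the exclusion to the signed process as well as the target.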

Thank you! Such information is very valuable. It would have been great if there were some similar how-to's in the official documentation.

Best Regards,
