Ufoto 14 Posted July 6, 2022

Hello, I have been working with ESET Inspect for a while now and I am often struggling with exclusions, as I can't find a way to exclude targets, so I decided to ask you guys if I am missing something. For example, we are getting a lot of events related to the following rule:

Being the source process, all exclusion options are related to Outlook.exe; however, excluding it will defeat the purpose of the rule. Instead I want to exclude detections from the 'inetcache' folder, and this seems to be impossible to do. The only viable workaround I found was to exclude '.com' files from the rule, as I believe very few attacks will involve this file type. I know that there is an advanced editor in the exclusions interface, however I am not very familiar with its capabilities. Are you aware whether excluding a target file is possible through it? Thank you in advance!
ESET Staff Solution JamesR 58 Posted July 6, 2022

What you are trying to accomplish will require an Advanced Exclusion that makes use of an <operations> section. The <operations> section can be a bit tricky to become used to. Its formatting is as follows:

<operations> <!-- This "operations" tag is plural -->
    <operation type="WriteFile"> <!-- This "operation" tag is singular, and defines the type of operation you want to exclude -->
        <operator type="and"> <!-- Define any needed operator of and/or/not -->
            <condition component="FileItem" property="FullPath" condition="is" value="%Path%\Of\Interest\to\fileName.xyz"/> <!-- Define any/all conditions of interest to describe the actions being taken by a process. -->
        </operator>
    </operation>
</operations>

Your detection is being caused by a "FileTruncated" event. This is part of the "WriteFile" operation. My recommended style of exclusion is to specify the specific process and the specific "WriteFile" operation for a specific location and file extension (modify any file paths as needed):

<definition>
    <!-- First we define the process we want to not trigger the detection.
         This will restrict the exclusion to specific executables causing the incorrect detections -->
    <process>
        <operator type="AND">
            <!-- SignatureType of 90 = Trusted -->
            <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
            <!-- Following will allow for both possible locations of outlook.exe -->
            <operator type="or">
                <condition component="FileItem" property="FullPath" condition="is" value="%PROGRAMFILES(X86)%\microsoft office\root\office16\outlook.exe"/>
                <condition component="FileItem" property="FullPath" condition="is" value="%PROGRAMFILES%\microsoft office\root\office16\outlook.exe"/>
            </operator>
            <!-- Signer Name must be "Microsoft Corporation" -->
            <condition component="Module" property="SignerName" condition="is" value="Microsoft Corporation"/>
        </operator>
    </process>
    <!-- Next we define which type of operation or target we want to allow the above process to do, without triggering a detection -->
    <!-- Logic here will state that we do not want detections on .com files created inside of the "...\inetcache\content.mso\" directory -->
    <operations>
        <operation type="WriteFile">
            <operator type="and">
                <!-- Full File Path must start with expected location -->
                <condition component="FileItem" property="FullPath" condition="starts" value="%LOCALAPPDATA%\microsoft\windows\inetcache\content.mso\"/>
                <!-- Full File Path must end with .com to ensure we are only excluding the .com files. -->
                <condition component="FileItem" property="FullPath" condition="ends" value=".com"/>
            </operator>
        </operation>
    </operations>
</definition>

Please note that I am using the property "FullPath" for my "<condition..." statements. FullPath is a combination of the "FileName" and "Path" properties. I like to use this so that I can easily use the "Starts" or "Ends" condition properties as needed.

FileName = file name with extension, like "HowdyThere.exe"
Path = file path ending with a "\", like "C:\some\path\of\interest\"
FullPath = both Path and FileName in one complete string, like "C:\some\path\of\interest\HowdyThere.exe"
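To see how the <process> and <operations> blocks combine, here is an added Python model (not part of the post, and not ESET Inspect's real matching engine) that parses the exclusion above and decides whether a constructed sample event would be excluded. It assumes case-insensitive string matching, integer comparison for SignatureType, and that event paths are already in the same %VAR% placeholder form the exclusion uses.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the exclusion JamesR posted above; paths use the same %VAR% placeholders.
EXCLUSION = r"""<definition>
<process><operator type="AND">
<condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
<operator type="or">
<condition component="FileItem" property="FullPath" condition="is" value="%PROGRAMFILES(X86)%\microsoft office\root\office16\outlook.exe"/>
<condition component="FileItem" property="FullPath" condition="is" value="%PROGRAMFILES%\microsoft office\root\office16\outlook.exe"/>
</operator>
<condition component="Module" property="SignerName" condition="is" value="Microsoft Corporation"/>
</operator></process>
<operations><operation type="WriteFile"><operator type="and">
<condition component="FileItem" property="FullPath" condition="starts" value="%LOCALAPPDATA%\microsoft\windows\inetcache\content.mso\"/>
<condition component="FileItem" property="FullPath" condition="ends" value=".com"/>
</operator></operation></operations>
</definition>"""

# Assumed semantics (a model, not ESET's engine): string matches are case-insensitive like Windows paths,
# numeric properties such as SignatureType compare as integers.
CONDITIONS = {"is": str.__eq__, "starts": str.startswith, "ends": str.endswith,
              "greaterOrEqual": lambda actual, expected: int(actual or 0) >= int(expected)}
LOGIC = {"and": all, "or": any, "not": lambda results: not any(results)}

def _condition(node, facts):
    """Evaluate one <condition>; facts maps (component, property) -> observed value."""
    actual = str(facts.get((node.get("component"), node.get("property")), "")).lower()
    return CONDITIONS[node.get("condition")](actual, node.get("value").lower())

def _operator(node, facts):
    """Combine the results of nested <condition>/<operator> children with and/or/not."""
    results = [(_condition if child.tag == "condition" else _operator)(child, facts) for child in node]
    return LOGIC[node.get("type", "and").lower()](results)

def is_excluded(xml_text, process_facts, operation_type, target_facts):
    """Excluded only if <process> accepts the actor AND an <operation> of that type accepts the target."""
    root = ET.fromstring(xml_text)
    process = root.find("process/operator")
    if process is not None and not _operator(process, process_facts):
        return False  # wrong or untrusted source process: never excluded, whatever it wrote
    return any(op.get("type") == operation_type and _operator(op.find("operator"), target_facts)
               for op in root.findall("operations/operation"))

# Constructed sample events, in the placeholder form the exclusion uses.
OUTLOOK = {("Module", "SignatureType"): 90, ("Module", "SignerName"): "Microsoft Corporation",
           ("FileItem", "FullPath"): r"%PROGRAMFILES%\Microsoft Office\root\Office16\OUTLOOK.EXE"}
CACHED_COM = {("FileItem", "FullPath"): r"%LOCALAPPDATA%\Microsoft\Windows\INetCache\Content.MSO\X1Y2Z3.com"}
CACHED_EXE = {("FileItem", "FullPath"): r"%LOCALAPPDATA%\Microsoft\Windows\INetCache\Content.MSO\X1Y2Z3.exe"}
```

The negative cases are the useful part: the same write by an unsigned process, a .exe in the same folder, or a different operation type all stay visible to the rule.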
Ufoto 14 Posted July 7, 2022 (Author)

Thank you! Such information is very valuable. It would have been great if there were some similar how-tos in the official documentation.

Best Regards,