
ESET Inspect exclude targets


Solved by JamesR


Hello,

I have been working with ESET Inspect for a while now and I often struggle with exclusions, as I can't find a way to exclude targets, so I decided to ask you whether I am missing something. For example, we are getting a lot of events related to the following rule:

[attached screenshot of the rule]

Since Outlook.exe is the source process, all exclusion options relate to it; however, excluding it would defeat the purpose of the rule. Instead I want to exclude detections from the 'inetcache' folder, and this seems to be impossible to do. The only viable workaround I found was to exclude '.com' files from the rule, as I believe very few attacks will involve this file type.

I know that there is an advanced editor in the exclusions interface, however I am not very familiar with its capabilities. Are you aware whether excluding a target file is possible through it?

Thank you in advance!


ESET Staff (accepted solution):

What you are trying to accomplish will require an Advanced Exclusion that makes use of an <operations> section. The <operations> section can be a bit tricky to get used to. Its formatting is as follows:

    <operations>  <!-- This "operations" tag is plural -->
        <operation type="WriteFile">  <!-- This "operation" tag is singular, and defines the type of operation you want to exclude -->
            <operator type="and">  <!-- Define any needed operator of and/or/not -->
                <condition component="FileItem" property="FullPath" condition="is" value="%Path%\Of\Interest\to\fileName.xyz"/>  <!-- Define any/all conditions of interest to describe the actions being taken by a process. -->
            </operator>
        </operation>
    </operations>


Your detection is being caused by a "FileTruncated" event. This is part of the "WriteFile" operation.

My recommended style of exclusion is to specify the specific process and the specific "WriteFile" operation for a specific location and file extension (modify any file paths as needed):

    <definition>
        <!-- First we define the process we want to not trigger the detection.  This will restrict the exclusion to specific executables causing the incorrect detections -->
        <process>
            <operator type="AND">
                <!-- SignatureType of 90 = Trusted -->
                <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
                <!-- Following will allow for both possible locations of outlook.exe -->
                <operator type="or">
                    <condition component="FileItem" property="FullPath" condition="is" value="%PROGRAMFILES(X86)%\microsoft office\root\office16\outlook.exe"/>
                    <condition component="FileItem" property="FullPath" condition="is" value="%PROGRAMFILES%\microsoft office\root\office16\outlook.exe"/>
                </operator>
                <!-- Signer Name must be "Microsoft Corporation" -->
                <condition component="Module" property="SignerName" condition="is" value="Microsoft Corporation"/>
            </operator>
        </process>
        <!-- Next we define which type of operation or target we want to allow the above process to do, without triggering a detection -->
        <!-- Logic here will state that we do not want detections on .com files created inside of the "...\inetcache\content.mso\" directory -->
        <operations>
            <operation type="WriteFile">
                <operator type="and">
                    <!-- Full File Path must start with expected location -->
                    <condition component="FileItem" property="FullPath" condition="starts" value="%LOCALAPPDATA%\microsoft\windows\inetcache\content.mso\"/>
                    <!-- Full File Path must end with .com to ensure we are only excluding the .com files. -->
                    <condition component="FileItem" property="FullPath" condition="ends" value=".com"/>
                </operator>
            </operation>
        </operations>
    </definition>


Please note that I am using the property "FullPath" for my "<condition..." statements. FullPath is a combination of the "FileName" and "Path" properties. I like to use this so that I can easily use "Starts" or "Ends" condition properties as needed.

  • FileName = File name with extension like, "HowdyThere.exe"
  • Path = file path ending with a "\" like, "C:\some\path\of\interest\"
  • FullPath = both Path and FileName in one complete string like, "C:\some\path\of\interest\HowdyThere.exe"

Thank you! Such information is very valuable. It would have been great if there were some similar how-to's in the official documentation.

Best Regards,
