
ESET Inspect exclude targets


Ufoto

Solved by JamesR


Hello,

I have been working with ESET Inspect for a while now, and I often struggle with exclusions because I can't find a way to exclude targets, so I decided to ask you guys whether I am missing something. For example, we are getting a lot of events related to the following rule:

[screenshot of the rule's detection event; image not recoverable]

Since Outlook.exe is the source process, all exclusion options relate to it; however, excluding it would defeat the purpose of the rule. Instead I want to exclude detections from the 'inetcache' folder, and this seems to be impossible to do. The only viable workaround I found was to exclude '.com' files from the rule, as I believe very few attacks will involve this file type.

I know that there is an advanced editor in the exclusions interface; however, I am not very familiar with its capabilities. Are you aware whether excluding a target file is possible through it?

Thank you in advance!


JamesR (ESET Staff), solution:

What you are trying to accomplish will require an Advanced Exclusion that makes use of an <operations> section. The <operations> section can be a bit tricky to get used to. Its formatting is as follows:

    <operations>  <!-- This "operations" tag is plural -->
        <operation type="WriteFile">  <!-- This "operation" tag is singular, and defines the type of operation you want to exclude -->
            <operator type="and">  <!-- Define any needed operator of and/or/not -->
                <condition component="FileItem" property="FullPath" condition="is" value="%Path%\Of\Interest\to\fileName.xyz"/>  <!-- Define any/all conditions of interest to describe the actions being taken by a process. -->
            </operator>
        </operation>
    </operations>

Your detection is being caused by a "FileTruncated" event. This is part of the "WriteFile" operation.

My recommended style of exclusion is to specify the specific process and the specific "WriteFile" operation for a specific location and file extension (modify any file paths as needed):

<definition>
    <!-- First we define the process we want to not trigger the detection.  This will restrict the exclusion to specific executables causing the incorrect detections -->
    <process>
        <operator type="AND">
            <!-- SignatureType of 90 = Trusted -->
            <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
            <!-- Following will allow for both possible locations of outlook.exe -->
            <operator type="or">
                <condition component="FileItem" property="FullPath" condition="is" value="%PROGRAMFILES(X86)%\microsoft office\root\office16\outlook.exe"/>
                <condition component="FileItem" property="FullPath" condition="is" value="%PROGRAMFILES%\microsoft office\root\office16\outlook.exe"/>
            </operator>
            <!-- Signer Name must be "Microsoft Corporation" -->
            <condition component="Module" property="SignerName" condition="is" value="Microsoft Corporation"/>
        </operator>
    </process>
    <!-- Next we define which type of operation or target we want to allow the above process to do, without triggering a detection -->
    <!-- Logic here will state that we do not want detections on .com files created inside of the "...\inetcache\content.mso\" directory -->
    <operations>
        <operation type="WriteFile">
            <operator type="and">
                <!-- Full File Path must start with expected location -->
                <condition component="FileItem" property="FullPath" condition="starts" value="%LOCALAPPDATA%\microsoft\windows\inetcache\content.mso\"/>
                <!-- Full File Path must end with .com to ensure we are only excluding the .com files. -->
                <condition component="FileItem" property="FullPath" condition="ends" value=".com"/>
            </operator>
        </operation>
    </operations>
</definition>

Please note that I am using the property "FullPath" for my "<condition..." statements.  FullPath is a combination of "FileName" and "Path" properties.  I like to use this so that I can easily use "Starts" or "Ends" condition properties as needed.

  • FileName = File name with extension like, "HowdyThere.exe"
  • Path = file path ending with a "\" like, "C:\some\path\of\interest\"
  • FullPath = both Path and FileName in one complete string like, "C:\some\path\of\interest\HowdyThere.exe"
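To make the <operations> structure from the first snippet and the full <definition> above concrete, here is an added example (not ESET's engine and not code from this thread) that parses the posted exclusion with Python's standard library and replays it against constructed events. The evaluator, the environment-variable values, the case-insensitive comparison and the sample process and file facts are all assumptions made for illustration; it shows that the exclusion suppresses only a signed Outlook writing a .com file under the inetcache path, while an unsigned process, another extension, another directory or another operation type is still reported.

```python
"""Hypothetical evaluator for ESET Inspect-style advanced exclusions (added
example, not ESET's own matching logic). Matching rules are assumptions:
%VAR% expansion from ENV below and case-insensitive string comparison."""
import re
import xml.etree.ElementTree as ET

# The exclusion posted above, with its comments stripped.
EXCLUSION_XML = r"""<definition>
  <process>
    <operator type="AND">
      <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
      <operator type="or">
        <condition component="FileItem" property="FullPath" condition="is" value="%PROGRAMFILES(X86)%\microsoft office\root\office16\outlook.exe"/>
        <condition component="FileItem" property="FullPath" condition="is" value="%PROGRAMFILES%\microsoft office\root\office16\outlook.exe"/>
      </operator>
      <condition component="Module" property="SignerName" condition="is" value="Microsoft Corporation"/>
    </operator>
  </process>
  <operations>
    <operation type="WriteFile">
      <operator type="and">
        <condition component="FileItem" property="FullPath" condition="starts" value="%LOCALAPPDATA%\microsoft\windows\inetcache\content.mso\"/>
        <condition component="FileItem" property="FullPath" condition="ends" value=".com"/>
      </operator>
    </operation>
  </operations>
</definition>"""

# Constructed environment values for a typical 64-bit Windows host.
ENV = {
    "PROGRAMFILES": "C:\\Program Files",
    "PROGRAMFILES(X86)": "C:\\Program Files (x86)",
    "LOCALAPPDATA": "C:\\Users\\alice\\AppData\\Local",
}

COMPARATORS = {
    "is": lambda actual, expected: actual == expected,
    "starts": lambda actual, expected: actual.startswith(expected),
    "ends": lambda actual, expected: actual.endswith(expected),
    "greaterOrEqual": lambda actual, expected: int(actual) >= int(expected),
}

def expand(value):
    """Resolve %NAME% tokens from ENV; unknown names are left untouched."""
    return re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1).upper(), m.group(0)), value)

def full_path(path, file_name):
    """FullPath = Path (ending in a backslash) + FileName, as the answer describes."""
    return path + file_name

def evaluate(node, facts):
    """Evaluate an <operator>/<condition> subtree against facts keyed by
    (component, property). Strings compare case-insensitively (Windows paths)."""
    if node.tag == "condition":
        actual = facts.get((node.get("component"), node.get("property")))
        if actual is None:
            return False  # a missing property never satisfies a condition
        expected = expand(node.get("value"))
        compare = COMPARATORS[node.get("condition")]
        if isinstance(actual, str):
            return compare(actual.lower(), expected.lower())
        return compare(actual, expected)
    if node.tag == "operator":
        results = [evaluate(child, facts) for child in node]
        kind = node.get("type").lower()
        if kind == "and":
            return all(results)
        if kind == "or":
            return any(results)
        if kind == "not":
            return not any(results)
    raise ValueError(f"unsupported element {node.tag}/{node.get('type')}")

def is_excluded(definition_xml, process_facts, operation):
    """True only when the <process> block matches AND an <operation> of the
    same type matches the target; if either fails the event is still reported."""
    root = ET.fromstring(definition_xml)
    if not all(evaluate(op, process_facts) for op in root.findall("./process/operator")):
        return False
    for op in root.findall("./operations/operation"):
        if op.get("type") == operation["type"] and all(
            evaluate(child, operation["facts"]) for child in op.findall("operator")
        ):
            return True
    return False

def write_event(path, file_name, op_type="WriteFile"):
    """Constructed target event: a file operation on Path + FileName."""
    return {"type": op_type, "facts": {("FileItem", "FullPath"): full_path(path, file_name)}}

# Constructed source-process facts: a trusted-signed Outlook and an unsigned copy.
OUTLOOK = {
    ("Module", "SignatureType"): 90,
    ("Module", "SignerName"): "Microsoft Corporation",
    ("FileItem", "FullPath"): full_path("C:\\Program Files\\Microsoft Office\\root\\Office16\\", "OUTLOOK.EXE"),
}
UNSIGNED_OUTLOOK = {**OUTLOOK, ("Module", "SignatureType"): 0}
INETCACHE = "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.MSO\\"

if __name__ == "__main__":
    for label, proc, ev in [("signed, .com in inetcache", OUTLOOK, write_event(INETCACHE, "invoice.com")),
                            ("signed, .exe in inetcache", OUTLOOK, write_event(INETCACHE, "payload.exe")),
                            ("unsigned, .com in inetcache", UNSIGNED_OUTLOOK, write_event(INETCACHE, "invoice.com"))]:
        print(f"{label}: {'excluded' if is_excluded(EXCLUSION_XML, proc, ev) else 'reported'}")
```

The point of replaying events this way is to check the scope of an exclusion before deploying it: every narrowing condition (signer, signature type, process path, target directory prefix, extension suffix) is a separate fact that must hold, so loosening any one of them widens what the rule stops reporting.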

Thank you! Such information is very valuable. It would have been great if there were similar how-tos in the official documentation.

Best Regards,

