Ufoto, Posted August 3, 2022

Hello, I have been trying to configure ancestor process exclusions for a while now and they never seem to work, so I decided to raise a topic here and ask whether I am doing something wrong or the feature is not working properly. The example below is just one of many times when ancestor exclusions were not working for me. In this case I want to exclude ltsvc.exe:

First I tried to use the user interface as per the screenshot below, which did not work:

I realized that I will have to create an advanced exclusion, so I tried with the following syntax:

<definition>
  <process>
    <operator type="AND">
      <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90" />
      <condition component="FileItem" property="FileName" condition="is" value="find.exe" />
      <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows" />
      <condition component="Enterprise" property="ComputerGroupHierarchy" condition="contains" value="Servers" />
    </operator>
  </process>
  <ancestor distance="2">
    <operator type="AND">
      <condition component="FileItem" property="FileName" condition="is" value="ltsvc.exe" />
      <condition component="Module" property="SignerName" condition="is" value="CONNECTWISE, LLC" />
    </operator>
  </ancestor>
</definition>

This did not work either, so I tried to remove the distance, to increase it by 1, and to remove some of the properties, but nothing seems to be working, as the alerts are not clearing when I save the exclusion (the checkbox to close related alerts is enabled). I am really lost at this point; do you see any mistakes in my exclusions? Am I missing something?

Thank you in advance!
JamesR (ESET Staff), Posted August 3, 2022

Your "Advanced" exclusion looks good to me. The ltsvc.exe process has a distance of 2 from the triggering process of find.exe.

There is a chance that the task to resolve matching detections is not working, and that the exclusion is working fine. I would suggest saving the advanced exclusion you posted above, then manually resolving the current detections and waiting to see if more of the same detections come in. Also check the "Hit Count" for the exclusion after letting it sit for a day or two.

"Hit Count" - For exclusions, this is how many detections the exclusion has prevented since it was last edited. Editing the exclusion will zero out the hit count.

Where to find hit count:
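To make the "distance of 2" concrete, here is an added Python example (not ESET's code and not from this thread) that parses an exclusion of the same shape as the one posted and evaluates it against a constructed process chain ltsvc.exe -> cmd.exe -> find.exe. The case-insensitive comparison rules and the treatment of an omitted distance as "any ancestor" are assumptions, not documented product behaviour; the point is to see which hop count the ancestor block must name for a given parent chain, and that a definition that is not well-formed XML is rejected before any matching happens.

```python
import xml.etree.ElementTree as ET
# Constructed exclusion with the same shape as the one in the post above.
EXCLUSION_XML = """<definition>
  <process>
    <operator type="AND">
      <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90" />
      <condition component="FileItem" property="FileName" condition="is" value="find.exe" />
      <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows" />
      <condition component="Enterprise" property="ComputerGroupHierarchy" condition="contains" value="Servers" />
    </operator>
  </process>
  <ancestor distance="2">
    <operator type="AND">
      <condition component="FileItem" property="FileName" condition="is" value="ltsvc.exe" />
      <condition component="Module" property="SignerName" condition="is" value="CONNECTWISE, LLC" />
    </operator>
  </ancestor>
</definition>"""
# Constructed process records keyed by (component, property). The chain
# ltsvc.exe -> cmd.exe -> find.exe is an assumption, not taken from the thread.
LTSVC = {"parent": None, ("FileItem", "FileName"): "ltsvc.exe", ("Module", "SignerName"): "CONNECTWISE, LLC"}
CMD = {"parent": LTSVC, ("FileItem", "FileName"): "cmd.exe", ("Module", "SignerName"): "Microsoft Windows"}
FIND = {"parent": CMD, ("FileItem", "FileName"): "find.exe", ("Module", "SignerName"): "Microsoft Windows",
        ("Module", "SignatureType"): 90, ("Enterprise", "ComputerGroupHierarchy"): "All/Servers/Web"}
# Assumed comparison semantics for the three condition types used in the post.
OPS = {"is": lambda actual, want: str(actual).lower() == want.lower(),
       "contains": lambda actual, want: want.lower() in str(actual).lower(),
       "greaterOrEqual": lambda actual, want: float(actual) >= float(want)}

def eval_condition(cond, proc):
    actual = proc.get((cond.get("component"), cond.get("property")))  # missing attribute never matches
    return actual is not None and OPS[cond.get("condition")](actual, cond.get("value"))
def eval_operator(op_el, proc):
    results = [eval_condition(c, proc) for c in op_el.findall("condition")]
    return all(results) if op_el.get("type") == "AND" else any(results)

def matches(xml_text, proc):
    """True if the exclusion covers proc. Assumption: no distance attribute means any ancestor may match."""
    root = ET.fromstring(xml_text)  # raises ET.ParseError on malformed XML such as doubled quotes
    if not eval_operator(root.find("process/operator"), proc):
        return False
    for anc in root.findall("ancestor"):
        wanted, hops, cur, hit = anc.get("distance"), 0, proc, False
        while cur.get("parent") is not None and not hit:
            cur, hops = cur["parent"], hops + 1  # hop 1 = parent, hop 2 = grandparent, ...
            if wanted is None or hops == int(wanted):
                hit = eval_operator(anc.find("operator"), cur)
        if not hit:
            return False
    return True
```

Running matches(EXCLUSION_XML, FIND) returns True with distance 2 and False with distance 1, since cmd.exe, not ltsvc.exe, sits one hop above find.exe in this constructed chain.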
Ufoto (Author), Posted August 3, 2022

Hi James,

Thank you for the prompt response. I followed your advice and closed them manually. Hopefully the exclusion will pick them up if new incidents occur. I never realized what the purpose of this hit count is; looking at it now, I have exclusions with over 36,000 hits!

One last thing: have you used ancestor exclusions that actually closed the targeted alarms once configured? I just need someone to give me confidence that they work properly at the moment.