Ancestor process exclusions not working

Hello, 

I am trying to configure ancestor process exclusions for a while now and they never seem to work so I decided to raise a topic here and ask whether I am doing something wrong or the feature is not working properly. The example below is just one of many times when ancestor exclusions were not working for me. In this case I want to exclude ltsvc.exe:

[screenshot omitted]

First I tried to use the user interface as per the screenshot below which did not work:

[screenshot omitted]

I realized that I will have to create an advanced exclusion so I tried with the following syntax:

<definition>
    <process>
        <operator type="AND">
            <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90" />
            <condition component="FileItem" property="FileName" condition="is" value="find.exe" />
            <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows" />
            <condition component="Enterprise" property="ComputerGroupHierarchy" condition="contains" value="Servers" />
        </operator>
    </process>
    <ancestor distance="2">
        <operator type="AND">
            <condition component="FileItem" property="FileName" condition="is" value="ltsvc.exe" />
            <condition component="Module" property="SignerName" condition="is" value="&quot;CONNECTWISE, LLC&quot;" />
        </operator>
    </ancestor>
</definition>


This did not work either, so I tried removing the distance, increasing it by 1, and removing some of the properties, but nothing seems to work: the alerts are not cleared when I save the exclusion (the checkbox to close related alerts is enabled). I am really lost at this point. Do you see any mistakes in my exclusions? Am I missing something?

Thank you in advance!


ESET Staff:

Your "Advanced" exclusion looks good to me. The ltsvc.exe process has a distance of 2 from the triggering process, find.exe. There is a chance that the task to resolve matching detections is not working and that the exclusion is working fine. I would suggest saving the advanced exclusion you posted above, then manually resolving the current detections and waiting to see if more of the same detections come in. Also check the "Hit Count" for the exclusion after letting it sit for a day or two.

"Hit Count" - For exclusions, this is how many detections the exclusion has prevented since it was last edited.  Editing the exclusion will zero out the hit count.


Where to find hit count:

[screenshot omitted]

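The following is an added example, not code from this thread or from ESET. It re-implements the apparent semantics of the posted `<definition>` XML as a small offline evaluator, so that the rule's literal values can be checked against a constructed process chain before the exclusion is saved and the hit count watched. The assumptions are labelled in the code: ancestor `distance="1"` is the parent and `distance="2"` the grandparent (consistent with the reply above), `is` is an exact string comparison, `contains` is a substring test, `greaterOrEqual` is numeric, and a missing `distance` means any ancestor. One concrete thing the evaluator surfaces is that `&quot;CONNECTWISE, LLC&quot;` decodes to a value that itself contains quote characters, so the ancestor condition only matches a signer string that literally contains those quotes; what the real product compares is whatever it displays as SignerName, which should be confirmed in the console.

```python
"""Offline evaluator for an ESET-style process/ancestor exclusion rule.

Added example; not from the thread or from ESET. Assumptions are marked.
"""
import xml.etree.ElementTree as ET

# The rule exactly as posted in the thread.
RULE_XML = """<definition>
    <process>
        <operator type="AND">
            <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90" />
            <condition component="FileItem" property="FileName" condition="is" value="find.exe" />
            <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows" />
            <condition component="Enterprise" property="ComputerGroupHierarchy" condition="contains" value="Servers" />
        </operator>
    </process>
    <ancestor distance="2">
        <operator type="AND">
            <condition component="FileItem" property="FileName" condition="is" value="ltsvc.exe" />
            <condition component="Module" property="SignerName" condition="is" value="&quot;CONNECTWISE, LLC&quot;" />
        </operator>
    </ancestor>
</definition>"""

# Constructed process chain (not from the thread). Index 0 is the process that
# triggered the detection, index 1 its parent, index 2 its grandparent.
# Assumption: ancestor distance 1 == parent, distance 2 == grandparent.
SAMPLE_CHAIN = [
    {"FileItem.FileName": "find.exe", "Module.SignatureType": 90,
     "Module.SignerName": "Microsoft Windows",
     "Enterprise.ComputerGroupHierarchy": "All/Servers/Web"},
    {"FileItem.FileName": "cmd.exe", "Module.SignatureType": 90,
     "Module.SignerName": "Microsoft Windows",
     "Enterprise.ComputerGroupHierarchy": "All/Servers/Web"},
    {"FileItem.FileName": "ltsvc.exe", "Module.SignatureType": 90,
     "Module.SignerName": "CONNECTWISE, LLC",  # no literal quote characters
     "Enterprise.ComputerGroupHierarchy": "All/Servers/Web"},
]


def _compare(op, expected, actual):
    """Apply one condition operator. Assumption: 'is' is an exact,
    case-sensitive match; 'contains' is a substring test; 'greaterOrEqual'
    compares numerically."""
    if op == "is":
        return str(actual) == str(expected)
    if op == "contains":
        return str(expected) in str(actual)
    if op == "greaterOrEqual":
        return float(actual) >= float(expected)
    raise ValueError(f"unsupported condition operator: {op}")


def failed_conditions(operator, attrs):
    """Return the conditions of an AND <operator> that `attrs` does NOT satisfy,
    as 'Component.Property op value' strings (empty list == all satisfied)."""
    if operator.get("type", "AND").upper() != "AND":
        raise ValueError("only AND operators are handled in this example")
    failures = []
    for cond in operator.findall("condition"):
        key = f"{cond.get('component')}.{cond.get('property')}"
        ok = key in attrs and _compare(cond.get("condition"), cond.get("value"), attrs[key])
        if not ok:
            failures.append(f"{key} {cond.get('condition')} {cond.get('value')!r}")
    return failures


def evaluate(rule_xml, chain):
    """Evaluate a <definition> against a process chain.

    Returns {"process": [failures], "ancestor": [failures], "matches": bool}.
    Assumption: with a distance attribute exactly that ancestor is tested;
    without one, any ancestor may satisfy the clause.
    """
    root = ET.fromstring(rule_xml)
    result = {"process": failed_conditions(root.find("process/operator"), chain[0]),
              "ancestor": []}
    anc = root.find("ancestor")
    if anc is not None:
        op = anc.find("operator")
        dist = anc.get("distance")
        candidates = chain[1:] if dist is None else chain[int(dist):int(dist) + 1]
        per_ancestor = [failed_conditions(op, a) for a in candidates]
        if not per_ancestor:
            result["ancestor"] = ["no ancestor at that distance"]
        elif not any(f == [] for f in per_ancestor):
            result["ancestor"] = (per_ancestor[0] if len(per_ancestor) == 1
                                  else ["no ancestor satisfied all conditions"])
    result["matches"] = not result["process"] and not result["ancestor"]
    return result


if __name__ == "__main__":
    print(evaluate(RULE_XML, SAMPLE_CHAIN))
    # Same rule with the literal quote characters removed from the signer value.
    print(evaluate(RULE_XML.replace("&quot;", ""), SAMPLE_CHAIN))
```

Against the constructed chain the process clause is satisfied and the only unsatisfied condition is the quoted SignerName; stripping the `&quot;` entities makes the whole rule match. This only tells you what the rule's literal values require; the authoritative check on the product itself is the exclusion's "Hit Count" described in the reply above.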

Hi James,

Thank you for the prompt response. I followed your advice and closed them manually. Hopefully the exclusion will pick them up if new incidents occur.

I never realized what the purpose of this hit count is. Looking at it now, I have exclusions with over 36,000 hits!

One last thing: have you used ancestor exclusions that actually closed the targeted alarms once configured? I just need someone to give me confidence that they work properly at the moment :)
