vanroy 0 Posted June 21, 2023

Hello, what is bad?

<definition>
  <parentprocess>
    <operator type="AND">
      <operator type="OR">
        <condition component="FileItem" property="FileName" condition="is" value="php-cgi.exe" />
        <condition component="FileItem" property="FileName" condition="is" value="php.exe" />
      </operator>
      <condition component="FileItem" property="Path" condition="starts" value="c:\php\" />
    </operator>
  </parentprocess>
  <process>
    <operator type="AND">
      <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90" />
      <operator type="OR">
        <condition component="FileItem" property="FileName" condition="is" value="cmd.exe" />
        <condition component="FileItem" property="FileName" condition="is" value="conhost.exe" />
      </operator>
      <operator type="OR">
        <condition component="FileItem" property="Path" condition="starts" value="%SYSTEM%" />
        <condition component="FileItem" property="Path" condition="starts" value="%WINDIR%\syswow64\" />
      </operator>
      <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows" />
    </operator>
  </process>
  <operations>
    <operation type="CreateProcess">
      <operator type="and">
        <condition component="FileItem" property="FullPath" condition="is" value="c:\php\php.exe" />
        <condition component="FileItem" property="FullPath" condition="is" value="c:\php\php-cgi.exe" />
      </operator>
    </operation>
  </operations>
</definition>
vanroy 0 Posted June 22, 2023 (Author)

@JamesR can you help me please?
JamesR 58 (ESET Staff) Posted June 26, 2023 (marked as solution)

Here is my suggestion with comments to explain what I changed in your exclusion

<definition>
  <!-- <parentprocess> section not needed, as it is already built in to rule [F0404] -->
  <process>
    <operator type="AND">
      <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90" />
      <operator type="OR">
        <!-- restricted CMD to only expected command lines. May want to modify to 'condition="is"' and use full command line. -->
        <operator type="AND">
          <condition component="FileItem" property="FileName" condition="is" value="cmd.exe" />
          <!-- inner quotes are written as &quot; so the attribute value stays well-formed XML -->
          <condition component="ProcessInfo" property="CommandLine" condition="starts" value="/c &quot;start php.exe eject&quot;" />
        </operator>
        <condition component="FileItem" property="FileName" condition="is" value="conhost.exe" />
      </operator>
      <operator type="OR">
        <condition component="FileItem" property="Path" condition="starts" value="%SYSTEM%" />
        <condition component="FileItem" property="Path" condition="starts" value="%WINDIR%\syswow64\" />
      </operator>
      <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows" />
    </operator>
  </process>
  <!-- If exclusion is still not working, remove entire operations section and test. -->
  <operations>
    <operation type="CreateProcess">
      <!-- Was using an "and", but a created process will only ever have a single full path -->
      <operator type="or">
        <condition component="FileItem" property="FullPath" condition="is" value="c:\php\php.exe" />
        <condition component="FileItem" property="FullPath" condition="is" value="c:\php\php-cgi.exe" />
      </operator>
    </operation>
  </operations>
</definition>
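As an added example (not part of the thread and not ESET's tooling), a small Python linter that mechanically applies the point JamesR makes: an "and" operator whose direct children require the same property to equal two different values can never match. It is run here over a constructed copy of the original post's <operations> block; the element and attribute names follow the thread's XML, everything else is assumed.

```python
"""Lint an ESET HIPS exclusion <definition> for unsatisfiable AND blocks.

Added example, not ESET's own tooling. An <operator type="and"> whose
direct child conditions say the same component/property "is" two
distinct values cannot be satisfied: one file item has one FullPath.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the <operations> block from the original post, where
# "and" was used over two different FullPath values instead of "or".
BAD_OPERATIONS = r"""
<operations>
  <operation type="CreateProcess">
    <operator type="and">
      <condition component="FileItem" property="FullPath" condition="is" value="c:\php\php.exe" />
      <condition component="FileItem" property="FullPath" condition="is" value="c:\php\php-cgi.exe" />
    </operator>
  </operation>
</operations>
"""


def find_unsatisfiable_ands(xml_text):
    """Return one (component, property, sorted values) tuple per AND operator
    whose direct "is" conditions pin the same property to several values."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    for op in root.iter("operator"):
        # The thread mixes "AND" and "and"; treat the type case-insensitively.
        if op.get("type", "").lower() != "and":
            continue
        seen = {}
        for cond in op.findall("condition"):  # direct children only
            if cond.get("condition") != "is":
                continue  # "starts" etc. can overlap, so only exact matches are checked
            key = (cond.get("component"), cond.get("property"))
            seen.setdefault(key, set()).add(cond.get("value"))
        for (component, prop), values in seen.items():
            if len(values) > 1:
                findings.append((component, prop, sorted(values)))
    return findings


if __name__ == "__main__":
    # The original block is flagged; switching the operator to "or" clears it.
    print(find_unsatisfiable_ands(BAD_OPERATIONS))
    print(find_unsatisfiable_ands(BAD_OPERATIONS.replace('type="and"', 'type="or"')))
```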
vanroy 0 Posted June 27, 2023 (Author)

Hi James, thanks for your time.

Best