Mohsen Ghaffari, posted August 1:

Hi, a legitimate executable gets incorrectly flagged as malicious and blocked by ESET Inspect. Firstly, I cannot find the rule to disable the detection altogether (it is not on the detections list), because we use Inspect only for detection purposes, and secondly, even after marking the executable as safe and unblocking it for the whole environment (All), the executable gets detected again after a couple of days or months on the same machine or on other machines where the executable resides (same hash). Moreover, I could not find any way to create an exclusion for the executable. I have already submitted the executable via the ESET Inspect WebUI, but it has been more than 3 months and nothing has changed. I appreciate any help.
Mitchell, posted August 1 (marked as solution):

The following built-in rules have an action that can result in a blocked hash (I'm not sure which of these are enabled by default, however):

<name>Process has started from Recycle Bin folder [A0412]</name>
<name>Suspicious executable created in %startup% folder [A0127b]</name>
<name>Regsvr32 has dropped a suspicious executable [A0311]</name>
<name>Certutil has dropped a suspicious executable [A0313]</name>
<name>Process executed from ADS [A0417]</name>
<name>Process with mimikatz-like executable metadata executed [A0423]</name>
<name>Ransomware-like data written to file [A0603]</name>
<name>Multiple file writes from a compromised process [A0606]</name>
<name>Multiple file renames from a compromised process [A0607]</name>
<name>Remote execution using renamed PsExec service [A0905]</name>
<name>Canary File was Triggered [D0334]</name>
<name>Suspicious Nvidia Signed module was dropped [E0464]</name>
<name>Suspicious Nvidia Signed module was loaded [E0465]</name>
<name>Explorer.exe Loading Suspicious .Net Assembly [E0472]</name>
<name>Suspicious Compromised Process Loading .Net CLR DLL [E0473]</name>
<name>Rundll32 loaded DLL with unusual extension [F0461]</name>
<name>Windows Print Spooler loaded suspicious DLL from remote folder [A0441]</name>
<name>Suspicious LoLBaS Execution: Control.exe loading DLL from ADS (Alternate Data Streams) [E0437]</name>
<name>Suspicious DLL loaded from Alternate Data Stream [E0438]</name>

Most likely one of these rules triggered and the hash of the file is now added to the "blocked hashes" list in the Inspect Web Console under "More > Blocked Hashes".
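The mechanism Mitchell describes, as an added illustration that is not ESET's code and not from the thread: a rule with a block-hash action keeps re-adding the hash every time it fires, so removing the hash from the blocked list alone does not stop it from coming back; only an exclusion that the rule action honours does. Rule names, the `$Recycle.Bin` path check, event fields, and the executable bytes are all constructed assumptions for this toy model.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Assumed approximation of "Process has started from Recycle Bin folder [A0412]":
# image path sits under <drive>:\$Recycle.Bin\ (case-insensitive).
RECYCLE_BIN_RE = re.compile(r"^[a-z]:\\\$recycle\.bin\\", re.IGNORECASE)


@dataclass
class ProcessEvent:
    host: str
    image_path: str
    image_bytes: bytes  # constructed stand-in for the executable's contents


@dataclass
class ConsoleState:
    blocked: set = field(default_factory=set)    # "More > Blocked Hashes"
    excluded: set = field(default_factory=set)   # hashes exempt from block actions
    detections: list = field(default_factory=list)

    def unblock(self, sha256: str) -> None:
        """Remove the hash from the blocked list only; the rule can re-add it."""
        self.blocked.discard(sha256)

    def exclude(self, sha256: str) -> None:
        """Exempt the hash from the block action so the rule cannot re-block it."""
        self.excluded.add(sha256)
        self.blocked.discard(sha256)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def rule_a0412_matches(event: ProcessEvent) -> bool:
    return bool(RECYCLE_BIN_RE.match(event.image_path))


def process_event(event: ProcessEvent, state: ConsoleState) -> bool:
    """Evaluate the rule; on a match record a detection and block the hash unless excluded."""
    if not rule_a0412_matches(event):
        return False
    digest = sha256_of(event.image_bytes)
    state.detections.append((event.host, event.image_path, digest))
    if digest not in state.excluded:
        state.blocked.add(digest)
    return True
```

Run the same event again after `unblock()` and the hash reappears in `blocked`, which is the symptom in the original post; after `exclude()` it does not.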
Mohsen Ghaffari (author), posted August 1, edited August 1 by Mohsen Ghaffari:

Awesome reply, it was the first rule on your list. I have unblocked it under blocked hashes too. Thank you so much for the quick response.
Marcos (Administrator), posted August 1:

Why would a legitimate executable be run from the Recycle Bin folder?
Mohsen Ghaffari (author), posted August 1:

I'll post the answer as soon as I get it from the software vendor.