
Hash Blocked by ESET Inspect


Solved by Mitchell


Hi,

a legitimate executable gets incorrectly flagged as malicious and blocked by ESET Inspect. Firstly, I cannot find the rule to disable the detection altogether (it is not on the detections list), because we use Inspect only for detection purposes. Secondly, even after marking the executable as safe and unblocking it for the whole environment (All), the executable gets detected again after a couple of days or months on the same machine or on other machines on which the executable resides (same hash). Moreover, I could not find any way to create an exclusion for the executable. I have already submitted the executable via the ESET Inspect Web UI, but it has been more than 3 months and nothing has changed.

appreciate any help.

[Attachment: hash_blocked_inspect.PNG]


  • Solution

The following built-in rules have an action that can result in a blocked hash (I'm not sure which of these are enabled by default, however):


<name>Process has started from Recycle Bin folder [A0412]</name>
<name>Suspicious executable created in %startup% folder [A0127b]</name>
<name>Regsvr32 has dropped a suspicious executable [A0311]</name>
<name>Certutil has dropped a suspicious executable [A0313]</name>
<name>Process executed from ADS [A0417]</name>
<name>Process with mimikatz-like executable metadata executed [A0423]</name>
<name>Ransomware-like data written to file [A0603]</name>
<name>Multiple file writes from a compromised process [A0606]</name>
<name>Multiple file renames from a compromised process [A0607]</name>
<name>Remote execution using renamed PsExec service [A0905]</name>
<name>Canary File was Triggered [D0334]</name>
<name>Suspicious Nvidia Signed module was dropped [E0464]</name>
<name>Suspicious Nvidia Signed module was loaded [E0465]</name>
<name>Explorer.exe Loading Suspicious .Net Assembly [E0472]</name>
<name>Suspicious Compromised Process Loading .Net CLR DLL [E0473]</name>
<name>Rundll32 loaded DLL with unusual extension [F0461]</name>
<name>Windows Print Spooler loaded suspicious DLL from remote folder [A0441]</name>
<name>Suspicious LoLBaS Execution: Control.exe loading DLL from ADS (Alternate Data Streams) [E0437]</name>
<name>Suspicious DLL loaded from Alternate Data Stream [E0438]</name>

Most likely one of these rules triggered, and the hash of the file is now added to the "Blocked Hashes" list in the Inspect Web Console under "More > Blocked Hashes".


Awesome reply, it was the first rule on your list. I have unblocked it under Blocked Hashes too.

Thank you so much for the quick response. 

Edited by Mohsen Ghaffari
