Jump to content

Advanced exclusion - please help

Go to solution Solved by j91321,

Recommended Posts


I've been struggling with this one for quite a while now and I would really appreciate if someone can point me in the right direction. 

We are getting a lot of false-positives by this rule and Connectwise:


Since all other items are too generic, I want to configure an exclusion based on the process creation since this is the ConnectWise software which is supposed to be involved in such activities. I configured the following exception hoping that it will cover this exact behavior, however today I logged in and I still see a ton of the same alerts and the exclusion sits at 0 hit count:

        <operation type="CreateProcess">
            <operator type="and">
                <condition component="FileItem" property="FullPath" condition="starts" value="%WINDIR%\ltsvc\ltsvc.exe" />

Any idea why this exclusion is not working? Thank you in advance!


Link to comment
Share on other sites

  • ESET Staff
  • Solution

I think you are a bit confused by the Event being ProcessCreated %WINDIR\ltsvc\ltsvc.exe%. If I understand it right the B1004 is connected to the bcedit.exe process. The process tree should look something like this:

|-------> services.exe
          |-------> %WINDIR%\ltsvc\ltsvc.exe
                    |-------> %SYSTEM%\bcdedit.exe
                              +-------> Setting a dangerous boot configuration [B1004]

What your exclusion is trying to do is exclude behavior when bcedit.exe would spawn ltsvc.exe, but it's the other way around, ltsvc.exe spawns bcedit.exe. You need to use parentprocess like this:

    <operator type="AND">
      <condition component="Module" condition="is" property="OriginalFileName" value="LTSVC.exe"/>
      <condition component="Module" condition="is" property="SignerName" value="Connectwise, LLC"/>
      <condition component="FileItem" condition="starts" property="FullPath" value="%WINDIR%\ltsvc\"/>


Link to comment
Share on other sites



Oh I see, so this is actually the parent process. Yes, indeed in this case the exclusion can even be create using the exclusion builder UI. 

It still blows mu mind how the 'Event' section is not an option in the exclusion builder UI. Sometimes it is the only way to create viable exclusion such as IP or URLs listed there which are not found anywhere else in the event. Thus making us work with the advanced exclusion builder syntax which is not very well documented.


Best Regards,

Link to comment
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...