Detection exclusions for a folder

[Misza 3]

As in the title, is it possible to create an detection exclusion for a folder and its subfolders?

In ESET Protect console so far I can see I can create an exclusion from an already triggered event.

Is it possible to create an exclusion from a scratch?

And specify that any detections within a specific folder and its subfolders to be ignored?

[Marcos 5,082]

You can create only a performance exclusion from the ESET PROTECT console before a detection is triggered.

Also detection exclusions for a folder can be created only in Endpoint. It is not possible to create such from ESET PROTECT if you want to limit it only to a specific folder.

[Misza 3]

Hi Marcos, thank you for your reply.

I thought having to remote onto a pc and setting these could have been avoided, as I have a good few computers to cover.

That's a pity. I assume there is no way to automate this in any way?

[Marcos 5,082]

Could you please elaborate more on the use case? Do you want a particular detection not to be triggered on files in a certain folder but in other folders the files should be detected?

[Misza 3]

Hi Marcos,

that is somewhat correct, more precisely I don't want any detections to be triggered on files in a certain folder.

So this folder is completely whitelisted, and skipped by the detections module completely.

There is a bit of software that uses this folder and whenever it receives an update this triggers the detection engine.

Each time an update is received its unpacked to this folder, the hash and file name differ each time a new update is unpacked in that folder. so I cant really exclude it by name or hash. Therefore was looking how to whitelist the whole folder.

Detections are triggered with a cause:

Win32/RiskWare.nameofprogram 

or with 

Suspicious

Hope this makes sense, I can provide more info if needed.

* edited some typos

Edited September 19, 2023 by Misza

[Marcos 5,082]

If you don't want any detection to be triggered on files in the folder, create a performance exclusion via a policy.

[Misza 3]

Hi Marcus,

Did just that, yet the errors still pop up. Is my understanding correct that performance exclusions via policy will 

only exclude for the scan purposes and  detection exclusion is a separate thing?

[Misza 3]

Have the performance exclusion set to C:\ProgramData\{program_name}\*

so my assumption was anything within {program_name} including subfolders will be excluded.

Policy applied to the endpoint, unless I need to give it a higher priority. But there is nothing above it in the policy order which would negate it.

 

[Marcos 5,082]

Yes, the above performance exclusion should work unless overridden by another policy that replaces the exclusion list.

[Misza 3]

ok, will do some more testing, thanks Marcos

[Misza 3]

@Marcos Tested more and unfortunately it does not work, still get detections in the folder that was added to performance exclusions. There is no other policy in place that would negate these settings.
Tested on couple of endpoints. it will not work, unless when based on the detection I will create an exclusion for path and detection.

 

[Marcos 5,082]

Please provide logs collected with ESET Log Collector from that machine.