Misza (posted September 18, 2023): As in the title, is it possible to create a detection exclusion for a folder and its subfolders? In the ESET Protect console, so far I can see I can create an exclusion from an already triggered event. Is it possible to create an exclusion from scratch? And specify that any detections within a specific folder and its subfolders be ignored?
Marcos (Administrators, posted September 18, 2023): You can create only a performance exclusion from the ESET PROTECT console before a detection is triggered. Also detection exclusions for a folder can be created only in Endpoint. It is not possible to create such from ESET PROTECT if you want to limit it only to a specific folder.
Misza (Author, posted September 18, 2023): Hi Marcos, thank you for your reply. I thought having to remote onto a PC and set these could have been avoided, as I have a good few computers to cover. That's a pity. I assume there is no way to automate this in any way?
Marcos (Administrators, posted September 18, 2023): Could you please elaborate more on the use case? Do you want a particular detection not to be triggered on files in a certain folder but in other folders the files should be detected?
Misza (Author, posted September 19, 2023): Hi Marcos, that is somewhat correct; more precisely, I don't want any detections to be triggered on files in a certain folder. So this folder is completely whitelisted, and skipped by the detections module completely. There is a bit of software that uses this folder, and whenever it receives an update this triggers the detection engine. Each time an update is received it's unpacked to this folder; the hash and file name differ each time a new update is unpacked in that folder, so I can't really exclude it by name or hash. Therefore I was looking at how to whitelist the whole folder. Detections are triggered with a cause: Win32/RiskWare.nameofprogram or with Suspicious. Hope this makes sense, I can provide more info if needed. * edited some typos (Edited September 19, 2023 by Misza)
Marcos (Administrators, posted September 19, 2023): If you don't want any detection to be triggered on files in the folder, create a performance exclusion via a policy.
Misza (Author, posted September 19, 2023): Hi Marcos, did just that, yet the errors still pop up. Is my understanding correct that performance exclusions via policy will only exclude for scan purposes and detection exclusion is a separate thing?
Misza (Author, posted September 19, 2023): I have the performance exclusion set to C:\ProgramData\{program_name}\* so my assumption was that anything within {program_name}, including subfolders, will be excluded. The policy is applied to the endpoint, unless I need to give it a higher priority. But there is nothing above it in the policy order which would negate it.
Marcos (Administrators, posted September 19, 2023): Yes, the above performance exclusion should work unless overridden by another policy that replaces the exclusion list.
Misza (Author, posted September 19, 2023): OK, will do some more testing, thanks Marcos.
Misza (Author, posted October 5, 2023): @Marcos Tested more and unfortunately it does not work; I still get detections in the folder that was added to performance exclusions. There is no other policy in place that would negate these settings. Tested on a couple of endpoints. It will not work unless, based on the detection, I create an exclusion for path and detection.
Marcos (Administrators, posted October 5, 2023): Please provide logs collected with ESET Log Collector from that machine.