JokerTux1337 Posted January 8

Hi,

I've created a rule designed to identify a file with a low reputation, but for some reason it isn't successfully detecting it.

    <?xml version="1.0" encoding="utf-8"?>
    <rule>
      <definition>
        <process>
          <operator type="AND">
            <condition component="LiveGrid" property="Popularity" condition="less" value="1000" />
            <condition component="LiveGrid" property="Reputation" condition="less" value="3" />
          </operator>
        </process>
      </definition>
      <description>
        <name>Low reputation file found</name>
        <category>File system</category>
        <os>Windows</os>
        <severity>86</severity>
        <explanation>A file with a diminished reputation has been detected on the system. It could potentially be malicious, so kindly inspect it.</explanation>
        <benignCauses>The file likely originated from either a USB drive/CD or was downloaded.</benignCauses>
        <recommendedActions>1. Verify the reputation using Virustotal. 2. If the hash is identified as malicious, proceed to block it. </recommendedActions>
      </description>
      <maliciousProcess process="current" />
      <actions>
        <action name="TriggerDetection" />
        <action name="StoreEvent" />
      </actions>
    </rule>

I would greatly appreciate some advice.
JamesR (ESET Staff) Posted January 8

Your rule is targeting a Process which will have low LiveGrid reputation and popularity. How are you testing the rule? If you are testing by simply downloading an EXE to the system, this will not trigger and would require a more advanced rule (<operations> section).
JokerTux1337 Posted January 10 (edited)

On 1/8/2024 at 2:37 PM, JamesR said:
    How are you testing the rule?

Thank you for your answer. That's the primary issue: I'm unsure how to test the rules. All my attempts to download a malicious file have been unsuccessful because of the AV system.

On 1/8/2024 at 2:37 PM, JamesR said:
    If you are testing by simply downloading an EXE to the system, this will not trigger and would require a more advanced rule (<operations> section).

I've generated a new rule, and while the syntax was accepted, I'm not sure if it works correctly. If anyone can provide guidance on testing these rules safely, please share your knowledge! :P

    <rule>
      <definition>
        <operations>
          <operation type="WriteFile">
            <operator type="AND">
              <condition component="LiveGrid" property="Popularity" condition="less" value="1000" />
              <condition component="LiveGrid" property="Reputation" condition="less" value="3" />
            </operator>
          </operation>
        </operations>
      </definition>
      <description>
        .....

Edited January 10 by JokerTux1337
j91321 (ESET Staff) Posted January 11

The easiest way to safely test an executable with low popularity is to take some known executable, e.g. notepad.exe, and append a random byte at the end of the file with a hex editor. It should still remain a valid PE and usually have 0 popularity and low reputation.
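The trick above works because bytes appended after the last section are "overlay" data: no header field references them, so the loader ignores them, but the file hash changes, so the copy has no LiveGrid popularity or reputation history of its own (and no longer matches whatever Authenticode or catalog signature covered the original). The script below is an added example, not from the thread or from ESET: it makes such a copy, checks that the MZ stub and PE signature are still where the loader expects them, and prints the SHA-256 before and after so you can confirm the hash the EDR will look up really differs. The file names and the header-only `constructed_pe_stub()` buffer used for offline testing are assumptions for illustration.

```python
import hashlib
import os
import struct
import sys

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C  # offset of e_lfanew in the DOS header


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the whole file: the identity a file-reputation lookup is keyed on."""
    return hashlib.sha256(data).hexdigest()


def is_valid_pe_header(data: bytes) -> bool:
    """Sanity check that the DOS stub and the PE signature are still in place."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != MZ_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if e_lfanew + len(PE_SIGNATURE) > len(data):
        return False
    return data[e_lfanew:e_lfanew + len(PE_SIGNATURE)] == PE_SIGNATURE


def append_overlay(data: bytes, count: int = 1) -> bytes:
    """Append `count` random bytes after the end of the image.

    Nothing in the headers points past the last section, so the executable
    still loads, but every byte appended changes the file hash.
    """
    if count < 1:
        raise ValueError("append at least one byte")
    return data + os.urandom(count)


def make_test_sample(src_path: str, dst_path: str, count: int = 1):
    """Write a modified copy of src_path to dst_path; return (original_sha256, modified_sha256)."""
    with open(src_path, "rb") as f:
        original = f.read()
    if not is_valid_pe_header(original):
        raise ValueError(f"{src_path} does not look like a PE file")
    modified = append_overlay(original, count)
    if not is_valid_pe_header(modified):  # an append cannot touch the headers
        raise RuntimeError("header check failed after append")
    with open(dst_path, "wb") as f:
        f.write(modified)
    return sha256_hex(original), sha256_hex(modified)


def constructed_pe_stub() -> bytes:
    """Constructed header-only buffer for offline testing (assumption, not a real
    executable): an MZ header whose e_lfanew points at a PE signature."""
    stub = bytearray(0x40)
    stub[:2] = MZ_MAGIC
    struct.pack_into("<I", stub, E_LFANEW_OFFSET, 0x40)
    return bytes(stub) + PE_SIGNATURE + b"\0" * 20


if __name__ == "__main__":
    # Example (assumed paths): python make_unpopular_pe.py C:\Windows\System32\notepad.exe C:\Temp\notepad_test.exe
    if len(sys.argv) != 3:
        sys.exit("usage: make_unpopular_pe.py <source.exe> <destination.exe>")
    before, after = make_test_sample(sys.argv[1], sys.argv[2])
    print("original SHA-256:", before)
    print("modified SHA-256:", after)
```

Write the copy into a scratch directory rather than System32, and run the test on an isolated machine that has the sensor installed; the modified file is the one the WriteFile and process rules should fire on, and its hash is what you would submit to a reputation lookup to confirm it is unknown.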
JokerTux1337 Posted January 11

5 hours ago, j91321 said:
    The easiest way to safely test an executable with low popularity is to take some known executable, e.g. notepad.exe, and append a random byte at the end of the file with a hex editor. It should still remain a valid PE and usually have 0 popularity and low reputation.

Thank you for the information, it's brilliant!