Posted

Hi,
I've created a rule designed to identify a file with a low reputation, but for some reason, it isn't successfully detecting it. :)

<?xml version="1.0" encoding="utf-8"?>
<rule>
    <definition>
        <process>
            <operator type="AND">
                <condition component="LiveGrid" property="Popularity" condition="less" value="1000" />
                <condition component="LiveGrid" property="Reputation" condition="less" value="3" />
            </operator>
        </process>
    </definition>
    <description>
        <name>Low reputation file found</name>
        <category>File system</category>
        <os>Windows</os>
        <severity>86</severity>
        <explanation>A file with a diminished reputation has been detected on the system. It could potentially be malicious, so kindly inspect it.</explanation>
        <benignCauses>The file likely originated from either a USB drive/CD or was downloaded.</benignCauses>
        <recommendedActions>1. Verify the reputation using Virustotal.
2. If the hash is identified as malicious, proceed to block it. </recommendedActions>
    </description>
    <maliciousProcess process="current" />
    <actions>
        <action name="TriggerDetection" />
        <action name="StoreEvent" />
    </actions>
</rule>


I would greatly appreciate some advice.

  • ESET Staff
Posted

Your rule is targeting a Process which will have low LiveGrid reputation and popularity.

How are you testing the rule?

If you are testing by simply downloading an EXE to the system, this will not trigger and would require a more advanced rule (<operations> section).

Posted (edited)
On 1/8/2024 at 2:37 PM, JamesR said:

How are you testing the rule?

Thank you for your answer.

That's the primary issue, I'm unsure how to test the rules.
All my attempts to download a malicious file have been unsuccessful because of the AV system :P

On 1/8/2024 at 2:37 PM, JamesR said:

If you are testing by simply downloading an EXE to the system, this will not trigger and would require a more advanced rule (<operations> section).

I've generated a new rule, and while the syntax was accepted, I'm not sure if it works correctly :P 
If anyone can provide guidance on testing these rules safely, please share your knowledge! :P

<rule>
    <definition>
        <operations>
            <operation type="WriteFile">
                <operator type="AND">
                    <condition component="LiveGrid" property="Popularity" condition="less" value="1000" />
                    <condition component="LiveGrid" property="Reputation" condition="less" value="3" />
                </operator>
            </operation>
        </operations>
    </definition>
    <description>
.....
Edited by JokerTux1337
  • ESET Staff
Posted

The easiest way to safely test an executable with low popularity is to just take some known executable, e.g. notepad.exe, and append a random byte at the end of the file with a hex editor. It should still remain a valid PE and usually have 0 popularity and low reputation.
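A scripted version of that test, added here as an example and not part of j91321's post. It assumes Windows PowerShell, notepad.exe at its usual System32 path, and a writable test folder under $env:TEMP; the output file name is arbitrary.

```powershell
# Added example (not from the thread): build a unique, still-valid PE from a known
# executable so an ESET Inspect LiveGrid rule can be tested without any malware.
# Assumptions: Windows, notepad.exe in System32, $OutDir is writable.
$Source = Join-Path $env:SystemRoot 'System32\notepad.exe'
$OutDir = Join-Path $env:TEMP 'inspect-rule-test'   # assumed test location
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$Target = Join-Path $OutDir 'notepad-unique.exe'    # assumed output name

# Copy the original, then append one random byte. PE headers and sections are
# untouched, so the copy still loads, but its hash is one LiveGrid has never seen.
Copy-Item -Path $Source -Destination $Target -Force
$Extra  = [byte[]]@([byte](Get-Random -Minimum 0 -Maximum 256))
$Stream = [System.IO.File]::Open($Target, [System.IO.FileMode]::Append)
try { $Stream.Write($Extra, 0, $Extra.Length) } finally { $Stream.Dispose() }

# Sanity checks: the 'MZ' signature (0x4D 0x5A) survives and the SHA-256 changed.
$Header = [System.IO.File]::ReadAllBytes($Target)[0..1]
if (($Header -join ',') -ne '77,90') { throw "Not a PE file: $Target" }
$Before = (Get-FileHash -Algorithm SHA256 -Path $Source).Hash
$After  = (Get-FileHash -Algorithm SHA256 -Path $Target).Hash
if ($Before -eq $After) { throw 'Hash unchanged; nothing was appended' }

Write-Host "Original SHA-256 : $Before"
Write-Host "Modified SHA-256 : $After"
Write-Host "Run $Target on the test endpoint, then check ESET Inspect for the rule's detection."
```

Because the file is a copy in a temp folder, the original notepad.exe is never modified; delete the copy once the rule has fired.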

Posted
5 hours ago, j91321 said:

The easiest way to safely test an executable with low popularity is to just take some known executable, e.g. notepad.exe, and append a random byte at the end of the file with a hex editor. It should still remain a valid PE and usually have 0 popularity and low reputation.

Thank you for the information, it's brilliant! 
