
Low reputation LiveGrid file - rule.



Hi ,
I've created a rule designed to identify a file with a low reputation, but for some reason it isn't successfully detecting it. :)

<?xml version="1.0" encoding="utf-8"?>
<rule>
    <definition>
        <process>
            <operator type="AND">
                <condition component="LiveGrid" property="Popularity" condition="less" value="1000" />
                <condition component="LiveGrid" property="Reputation" condition="less" value="3" />
            </operator>
        </process>
    </definition>
    <description>
        <name>Low reputation file found</name>
        <category>File system</category>
        <os>Windows</os>
        <severity>86</severity>
        <explanation>A file with a diminished reputation has been detected on the system. It could potentially be malicious, so kindly inspect it.</explanation>
        <benignCauses>The file likely originated from either a USB drive/CD or was downloaded.</benignCauses>
        <recommendedActions>1. Verify the reputation using Virustotal.
2. If the hash is identified as malicious, proceed to block it. </recommendedActions>
    </description>
    <maliciousProcess process="current" />
    <actions>
        <action name="TriggerDetection" />
        <action name="StoreEvent" />
    </actions>
</rule>


I would greatly appreciate some advice.


  • ESET Staff

Your rule is targeting a Process which will have low LiveGrid reputation and popularity.

How are you testing the rule?

If you are testing by simply downloading an EXE to the system, this will not trigger and would require a more advanced rule (<operations> section).


On 1/8/2024 at 2:37 PM, JamesR said:

How are you testing the rule?

Thank you for your answer.

That's the primary issue: I'm unsure how to test the rules.
All my attempts to download a malicious file have been unsuccessful because of the AV system :P

On 1/8/2024 at 2:37 PM, JamesR said:

If you are testing by simply downloading an EXE to the system, this will not trigger and would require a more advanced rule (<operations> section).

I've generated a new rule, and while the syntax was accepted, I'm not sure if it works correctly :P
If anyone can provide guidance on testing these rules safely, please share your knowledge! :P


<rule>
    <definition>
        <operations>
            <operation type="WriteFile">
                <operator type="AND">
                    <condition component="LiveGrid" property="Popularity" condition="less" value="1000" />
                    <condition component="LiveGrid" property="Reputation" condition="less" value="3" />
                </operator>
            </operation>
        </operations>
    </definition>
    <description>
.....

Edited by JokerTux1337

The easiest way to safely test an executable with low popularity is to take some known executable, e.g. notepad.exe, and append a random byte at the end of the file with a hex editor. It should still remain a valid PE and usually have 0 popularity and low reputation.

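The test-sample trick described above, as an added example that is not part of the original thread: it copies a known PE, appends random trailing bytes (an overlay, which loaders ignore), and confirms the copy still carries a valid MZ/PE header while its hash is new, so LiveGrid has never seen it. The function names and the tiny constructed PE stub used for the self-check are assumptions for illustration; on a real system you would point build_test_sample at a copy of notepad.exe.

```python
import hashlib
import os
import struct


def is_valid_pe(data: bytes) -> bool:
    """Minimal PE sanity check: 'MZ' DOS header and e_lfanew pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def append_overlay(pe: bytes, n_bytes: int = 1) -> bytes:
    """Return a copy of the PE with n random bytes appended after the last section.

    Headers and sections are untouched, so the file still loads, but the
    file hash changes, which is what drives LiveGrid popularity to 0 for a
    detection-rule test.
    """
    if not is_valid_pe(pe):
        raise ValueError("input is not a PE image")
    return pe + os.urandom(n_bytes)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_test_sample(src_path: str, dst_path: str, n_bytes: int = 1) -> dict:
    """Write a low-popularity copy of src_path to dst_path and report both hashes."""
    with open(src_path, "rb") as f:
        original = f.read()
    sample = append_overlay(original, n_bytes)
    with open(dst_path, "wb") as f:
        f.write(sample)
    return {
        "original_sha256": sha256(original),
        "sample_sha256": sha256(sample),
        "still_valid_pe": is_valid_pe(sample),
    }


# Constructed stand-in for a real executable (a bare MZ header whose e_lfanew
# points at a 'PE\0\0' signature), only so the self-check runs without Windows.
CONSTRUCTED_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
```

Copy the resulting file to the monitored host and open it to exercise the WriteFile/process rule; the sample_sha256 value is what you should then see in the triggered event.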

5 hours ago, j91321 said:

The easiest way to safely test an executable with low popularity is to take some known executable, e.g. notepad.exe, and append a random byte at the end of the file with a hex editor. It should still remain a valid PE and usually have 0 popularity and low reputation.

Thank you for the information, it's brilliant! 
