Hardq (0) Posted January 18

Hello, I trust this message finds you well. I've included the ESET Log Collector records along with the XML configuration file. This will allow you to replicate the issue if you have ESET Endpoint Security installed on your machine. You can download the ESET Log Collector output from the following link: https://www.transfernow.net/dl/20240118JZmeB8z3 (the link is valid for 7 days). Please note that the XML file contains the specific settings used in our independently installed ESET Endpoint Security product. Feel free to review the configuration to better understand the parameters in use. If you have any questions or require further clarification, please don't hesitate to reach out.

Attachment: EES_CFR_Recomendada.zip
itman (1,746) Posted January 19

Quoting Hardq (21 hours ago): "If you have any questions or require further clarification, please don't hesitate to reach out."

Referring to this alert, do you have a HIPS rule that monitors child process startup from PowerShell? If this is the case, you will have to exclude conhost.exe, since a number of Windows internal maintenance PowerShell scripts invoke conhost.exe.
Hardq (0) Posted January 22 (Author)

Hello itman, your comment is useful. If you would be so kind, do you know how to create the interface? This other alert also appears in ESET. On the other hand, do you know how to create the exclusion? Your help would be appreciated.
itman (1,746) Posted January 22 (marked as Solution, edited)

Quoting Hardq (18 hours ago): "On the other hand, do you know how to create the exclusion? Your help would be appreciated."

Again, if you are deploying the ESET recommended firewall rules against ransomware as noted in this article: https://support.eset.com/en/kb6132-configure-firewall-rules-for-eset-endpoint-security-to-protect-against-ransomware , one of those rules is to block any inbound/outbound rundll32.exe network traffic. You will have to determine whether the rundll32.exe network traffic being detected is legitimate OS/app network traffic or not. If the network traffic is legitimate, you will have to create a firewall rule to allow it. Move this allow rule (or rules) ahead of the existing deny rundll32.exe rules you created.

-EDIT- An example of how to determine whether outbound app-based rundll32.exe network traffic is legitimate: https://superuser.com/questions/1598094/rundll32-exe-making-outbound-tcp-connection .

Edited January 22 by itman
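As an added example (not ESET's tooling, nor code from the linked articles), a PowerShell triage snippet that pairs each running rundll32.exe process with its active TCP connections, the DLL it was launched with, its parent process and that DLL's Authenticode status, so an allow rule placed ahead of the deny rules can be scoped to traffic that is actually legitimate. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated prompt.

```powershell
# Added example, not ESET's own tooling. Run elevated so that OwningProcess
# and CommandLine are populated for every process.
$procs = @(Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'")
if ($procs.Count -eq 0) { Write-Host "No rundll32.exe processes running."; return }

# Only the TCP connections owned by a rundll32.exe instance.
$conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
         Where-Object { $_.OwningProcess -in $procs.ProcessId }

foreach ($p in $procs) {
    # Typical command line: rundll32.exe "C:\path\module.dll",EntryPoint
    # Assumption: the DLL path is quoted or contains no spaces (a limitation).
    $dll = $null
    if ($p.CommandLine -match '(?i)(?:"([^"]+\.dll)"|(\S+\.dll))') {
        $dll = if ($matches[1]) { $matches[1] } else { $matches[2] }
    }

    # An unsigned or unknown DLL, or an unexpected parent, is the signal to
    # investigate rather than to write an allow rule.
    $sig = 'unknown'
    if ($dll -and (Test-Path -LiteralPath $dll)) {
        $sig = (Get-AuthenticodeSignature -FilePath $dll).Status
    }
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"

    [PSCustomObject]@{
        PID         = $p.ProcessId
        Parent      = if ($parent) { $parent.Name } else { '(exited)' }
        Dll         = $dll
        Signature   = $sig
        CommandLine = $p.CommandLine
    } | Format-List

    # Remote endpoints this instance is talking to; these are what the
    # firewall allow rule should be narrowed down to if the DLL is trusted.
    $conns | Where-Object { $_.OwningProcess -eq $p.ProcessId } |
        Select-Object LocalPort, RemoteAddress, RemotePort, State |
        Format-Table -AutoSize
}
```

Only rundll32.exe instances alive at the moment the script runs are listed, so for short-lived processes the ESET firewall log or a Sysmon process-creation event is the better source.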