
Interactive alerts when we turn on the computer



Hello,

I trust this message finds you well. I've included the Eset log collector records along with the XML configuration file. This will allow you to replicate the issue if you have Eset Endpoint Security installed on your machine.


You can download the Eset Log Collector from the following link:  https://www.transfernow.net/dl/20240118JZmeB8z3

The link is valid for 7 days.


Please note that the XML file contains specific settings used in our independently installed Eset Endpoint Security product. Feel free to review the configuration to better understand the parameters in use.

If you have any questions or require further clarification, please don't hesitate to reach out.

Captura de pantalla 2024-01-16 181834.png

EES_CFR_Recomendada.zip


21 hours ago, Hardq said:

If you have any questions or require further clarification, please don't hesitate to reach out.

Captura de pantalla 2024-01-16 181834.png

Referring to this alert, do you have a HIPS rule that monitors child process startup from PowerShell? If this is the case, you will have to exclude conhost.exe since a number of Win internal maintenance PowerShell scripts invoke conhost.exe.


Hello Itman

Your comment is useful. If you would be so kind, do you know how to create the interface? This other alert also appears in Eset.

On the other hand, do you know how to create the exclusion? Your help would be appreciated.

image.png.28427d21b74e59930f15ed3b55a54605.png


Solution
18 hours ago, Hardq said:

On the other hand, do you know how to create the exclusion? Your help would be appreciated.

Again, if you are deploying Eset recommended firewall rules against ransomware as noted in this article: https://support.eset.com/en/kb6132-configure-firewall-rules-for-eset-endpoint-security-to-protect-against-ransomware, one of those rules is to block any inbound/outbound rundll32.exe network traffic.

You will have to determine if the rundll32.exe network traffic being detected is legit OS/app network traffic or not. If the network traffic is legit, you will have to create a firewall rule to allow it. Move this allow rule/s prior to the existing deny rundll32.exe rules you created.

-EDIT- An example of how to determine if outbound app based rundll32.exe network traffic is legit: https://superuser.com/questions/1598094/rundll32-exe-making-outbound-tcp-connection.

Edited by itman
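As an added example (not code from the thread, from ESET, or from the linked superuser answer), the following PowerShell snippet supports the triage step above: for every running rundll32.exe it shows the parent process, the full command line, the DLL it was launched with and that DLL's Authenticode signer, alongside the remote TCP endpoints it currently holds. It assumes a Windows endpoint with the built-in NetTCPIP module and an elevated session; instances that already exited will not be listed, so pair it with the path and command line shown in the ESET alert itself.

```powershell
# Added example: triage live rundll32.exe network activity on the endpoint
# that raised the ESET firewall alert. Run elevated so all processes and
# connections are visible. TCP only; use Get-NetUDPEndpoint for UDP.

$procs = Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'"
if (-not $procs) { Write-Host "No rundll32.exe processes running."; return }

foreach ($p in $procs) {
    # Parent process is usually the most telling detail (explorer/svchost vs. office/script hosts)
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"

    # Established/listening sockets owned by this instance, loopback and unbound addresses dropped
    $conns = Get-NetTCPConnection -OwningProcess $p.ProcessId -ErrorAction SilentlyContinue |
             Where-Object { $_.RemoteAddress -notin @('0.0.0.0', '::', '127.0.0.1', '::1') }

    # rundll32's first argument is "<dll>,<entry point>"; pull out the DLL path (quoted or not).
    # Relative names resolve against System32, as the loader would for system DLLs.
    $dll = $null
    if ($p.CommandLine -match '^\s*"?[^"]*rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)') {
        $dll = $Matches[1]
        if (-not [IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path "$env:SystemRoot\System32" $dll
        }
    }
    $sig = if ($dll -and (Test-Path $dll)) { Get-AuthenticodeSignature $dll } else { $null }

    [PSCustomObject]@{
        PID         = $p.ProcessId
        Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { 'unknown' }
        CommandLine = $p.CommandLine
        DllPath     = $dll
        Signer      = if ($sig) { $sig.SignerCertificate.Subject } else { 'n/a' }
        SigStatus   = if ($sig) { $sig.Status } else { 'n/a' }   # Valid / NotSigned / HashMismatch ...
        Remotes     = ($conns | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort) ($($_.State))" }) -join '; '
    } | Format-List
}
```

A Microsoft-signed DLL under System32 launched by a system process with traffic to a known vendor address is the usual "legit" case that warrants an allow rule placed above the deny rules; an unsigned or user-writable DLL path, or an unexpected parent, is the case to investigate before loosening anything.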
