
Creating an exclusion for a vulnerability scanner detections


bblair


Hi, we recently started utilizing the ESET Inspect module for a number of clients and I've been tasked with learning/managing most of our security, despite being a bit in over my head. Currently we are getting a large amount of detections in the EI dashboard for Protocol Mismatch - detected RDP communication over non-standard port [E0517]. I've confirmed they're coming from the internal IP address of our vulnerability scanner and even double-checked with our vulnerability scanner vendor to confirm whether these were from their tool, which they are. So my next job is seeing how to reduce these detections, as they are known authorized events.

I've made exclusions in the security product's IDS in the policy, which appears to be functioning, but this doesn't seem to spill over to the Inspect module. Whenever I try to make the exclusion, however, there doesn't seem to be enough identifying data in the event to create one (no parent process, no hash, no unique process or service), and I want to be careful not to make the exclusion so wide that actual malicious port scanning can get through because of this rule. Any help for this green security analyst would be greatly appreciated. Thanks.


That's the crux of what I'm trying to do. I've read through the ESET documentation support sent me, but it's still not really clear to me how to set up an exception for a specific process. Especially since the detection doesn't mention anything specific to the scanner.


  • ESET Staff

It would be helpful if you could provide an exact example of such a detection. In the detection details you should see which process your detection is attached to. Let's say the process is nmap.exe that we want to exclude:

[screenshot: detection details]

Click the Create Exclusion button and you can go through the wizard:

[screenshot: exclusion wizard]

This prevents nmap.exe from a specific location from triggering this detection. You can use "Targets" to apply this only on certain computers or groups.

If you'd like to also add a specific IP address there (in case the triggering event is always the same) you'd need to use "Advanced Editor" on the same screen and write something like this:

<definition>
    <process>
        <operator type="AND">
            <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
            <condition component="FileItem" property="FileName" condition="is" value="nmap.exe"/>
            <condition component="FileItem" property="Path" condition="starts" value="%PROGRAMFILES(X86)%\nmap\"/>
            <condition component="Module" property="SignerName" condition="is" value="Insecure.Com LLC"/>
        </operator>
    </process>
    <operations>
        <operation type="TcpIpProtocolIdentified">
            <condition component="Network" property="DestinationIpAddressV4" condition="is" value="192.168.1.122"/>
        </operation>
    </operations>
</definition>

It's the same logic as on the wizard screen; I've just added a specific IP address to be excluded.

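To check how tightly an Advanced Editor definition like the one above is scoped before deploying it, here is a small linter (added here; not ESET code and not from the poster). It parses the definition XML, counts the process and network conditions, and flags a rule as a blanket exclusion when the executable, signer and IP constraints are missing; the two sample definitions are constructed, the first copied from the thread and the second an intentionally over-wide one.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the nmap.exe exclusion posted above, which pins the
# executable name, path, signer and the scanned destination IP.
NARROW_DEFINITION = r"""<definition>
  <process>
    <operator type="AND">
      <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
      <condition component="FileItem" property="FileName" condition="is" value="nmap.exe"/>
      <condition component="FileItem" property="Path" condition="starts" value="%PROGRAMFILES(X86)%\nmap\"/>
      <condition component="Module" property="SignerName" condition="is" value="Insecure.Com LLC"/>
    </operator>
  </process>
  <operations>
    <operation type="TcpIpProtocolIdentified">
      <condition component="Network" property="DestinationIpAddressV4" condition="is" value="192.168.1.122"/>
    </operation>
  </operations>
</definition>"""

# Constructed sample: a blanket exclusion that silences the operation for
# every process and every address, the over-wide rule the thread worries about.
BLANKET_DEFINITION = r"""<definition>
  <operations>
    <operation type="TcpIpProtocolIdentified"/>
  </operations>
</definition>"""


def _props(node, tag):
    """Collect (component, property) pairs of <condition> elements under node/tag."""
    section = node.find(tag)
    if section is None:
        return []
    return [(c.get("component"), c.get("property")) for c in section.iter("condition")]


def scope_report(xml_text):
    """Parse one <definition> and list the ways in which it is under-constrained."""
    root = ET.fromstring(xml_text)
    proc = _props(root, "process")
    net = _props(root, "operations")
    findings = []
    if not any(p in ("FileName", "Path") for _, p in proc):
        findings.append("no executable name or path constraint")
    if not any(p == "SignerName" for _, p in proc):
        findings.append("no code-signer constraint")
    if not any(c == "Network" and p and "IpAddress" in p for c, p in net):
        findings.append("no IP address constraint")
    # Two or more missing constraints is reported as a blanket exclusion.
    return {"process_conditions": len(proc), "network_conditions": len(net),
            "findings": findings, "broad": len(findings) >= 2}
```

Run `scope_report()` over each definition you plan to import; a result with `"broad": True` is worth narrowing with an IP or path condition before it goes live.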

So this is one of the roughly 620 instances of it. I made one for nmap before, as you described, through the wizard; however, this one is for "system", which sounded too generic, as I didn't want to risk excluding actual malicious behaviors. Unless that's not how this is treated, in which case feel free to correct me.

[screenshot of the detection, 2024-02-15]


  • 2 weeks later...

Just checking in as I haven't heard anything back on this. Happy to make an exclusion for the process "system" but won't that be too wide of a blanket exclusion?


  • 1 month later...
  • ESET Staff

Some detections are tied to this "system" process, which is not a real process; it's more of a placeholder for anything that originates in the kernel. These are just warning-severity alerts and are prone to being on the noisier side. Unless you can see any value in the detection, I suggest also excluding it.

It's a common mistake to be overly careful when creating exclusions. Alert fatigue from spammy detections is a bigger security risk than any coverage gaps you're likely to introduce with this specific exclusion.


@j91321 Right, and that's what I'm trying to accomplish: make an exclusion for it. But since it's a generic system one, I didn't want to cast too wide of a net with that exclusion. From what it sounds like you're saying, though, I can make the system.exe process the exclusion safely? Again, apologies for the very basic questions, still trying to figure this out as I go.
