Michael002 0 Posted March 12, 2024 Posted March 12, 2024 Hello, I would like to ask, if I want to create an exclusion for two different rules that have different trigger events, let's say I would like to add into exclusion CodeInjection for rule [F0413b][C] and for rule [D1206] I would like to add trigger event DllLoaded into exclusion. Is it possible to add two operations like this into the exclusions?
ESET Staff JamesR 62 Posted March 12, 2024 ESET Staff Posted March 12, 2024 I would not recommend this. When you create an advanced exclusion, which will use an <operation type="...">, you should have it match the operation type of the triggering event. If you try to use an exclusion with a "DllLoad" operation, and apply the exclusion to a rule which is looking for "CodeInjection", your exclusion will not work as expected. In short, mixing and matching different operations in an exclusion, can break your exclusion. Also, it appears you may be using an older version of our On Premise solution. I would recommend upgrading when you can. The rule tag "[F0413b][C]" is outdated and has been replaced with "[F0413b]".
Michael002 0 Posted March 12, 2024 Author Posted March 12, 2024 Thank you for your response. So the conclusion of it is to separate them and create one exclusion for [F0413b][C] and one exclusion for [D1206]? Just to be sure. And thank you for the update reminder... I know about it.
ESET Staff Solution JamesR 62 Posted March 12, 2024 ESET Staff Solution Posted March 12, 2024 1 minute ago, Michael002 said: Thank you for your response. So the conclusion of it is to separate them and create one exclusion for [F0413b][C] and one exclusion for [D1206]? Just to be sure. And thank you for the update reminder... I know about it. Correct. Its best to separate into 2 different exclusions.
Recommended Posts