Michael002 0 Posted March 12 Share Posted March 12 Hello, I would like to ask, if I want to create an exclusion for two different rules that have different trigger events, let's say I would like to add into exclusion CodeInjection for rule [F0413b][C] and for rule [D1206] I would like to add trigger event DllLoaded into exclusion. Is it possible to add two operations like this into the exclusions? Quote Link to comment Share on other sites More sharing options...
ESET Staff JamesR 52 Posted March 12 ESET Staff Share Posted March 12 I would not recommend this. When you create an advanced exclusion, which will use an <operation type="...">, you should have it match the operation type of the triggering event. If you try to use an exclusion with a "DllLoad" operation, and apply the exclusion to a rule which is looking for "CodeInjection", your exclusion will not work as expected. In short, mixing and matching different operations in an exclusion, can break your exclusion. Also, it appears you may be using an older version of our On Premise solution. I would recommend upgrading when you can. The rule tag "[F0413b][C]" is outdated and has been replaced with "[F0413b]". Quote Link to comment Share on other sites More sharing options...
Michael002 0 Posted March 12 Author Share Posted March 12 Thank you for your response. So the conclusion of it is to separate them and create one exclusion for [F0413b][C] and one exclusion for [D1206]? Just to be sure. And thank you for the update reminder... I know about it. Quote Link to comment Share on other sites More sharing options...
ESET Staff Solution JamesR 52 Posted March 12 ESET Staff Solution Share Posted March 12 1 minute ago, Michael002 said: Thank you for your response. So the conclusion of it is to separate them and create one exclusion for [F0413b][C] and one exclusion for [D1206]? Just to be sure. And thank you for the update reminder... I know about it. Correct. Its best to separate into 2 different exclusions. Quote Link to comment Share on other sites More sharing options...
Michael002 0 Posted March 12 Author Share Posted March 12 Thank you for clarifying. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.