
ESSP does not respect excluded files from detection


Solved by Marcos

Recommended Posts

I have a friend that runs the latest ESSP. I helped him add a few files to be excluded from detection, but every time he runs a scan it puts those files into quarantine. I can't even restore those files from quarantine either. I get a message that the files can't be restored to where they belong. They can be restored ONLY to another place, not to where they belong. I have the same setup on my own PC and there is no problem here. My question is: why does ESSP put those files that are excluded from detection into quarantine? How do I help him fix this? Thanks in advance :)


Posted (edited)
1 hour ago, ESSPUSR said:

but every time he runs a scan it puts those files into quarantine. I can't even restore those files from quarantine either. I get a message that the files can't be restored to where they belong. They can be restored ONLY to another place, not to where they belong.

There was a recent forum posting in this regard and it involved C:\Documents and Settings path existing on the device. Is that the case here?

Edited by itman

On 5/16/2024 at 8:45 PM, itman said:

There was a recent forum posting in this regard and it involved C:\Documents and Settings path existing on the device. Is that the case here?

Yes, that's the case, and also some other files that are not in that path. What do you know about this issue, and where can I read about that forum posting you mentioned? Is this a bug, and is it being addressed?


On 5/16/2024 at 7:25 PM, Marcos said:

We'd need logs collected with ESET Log Collector in order to tell.

Hello. I'm not comfortable sharing the logs here, so I sent them to your inbox. Hope that's fine with you; please check it out and see if you can find the cause of the issue, and get back to me when you have time. Thanks in advance :)


  • Administrators

If you have a detected file in a folder for which a link exists (symlink, hard link, junction), there should be two exclusions, both for the link and the actual folder.


  • Administrators

I was able to find only the path to c:\users in your Detection log. There were no records with the "c:\documents and settings" folder. Are you getting an alert where the path points to the link (junction) "c:\documents and settings", but when you created an exclusion it was made for the actual folder (c:\users) when you checked the "Exclude from detection" box in the alert? Could you post a screenshot of the alert with the path visible?

As for posting files here, only ESET staff can access them, but it's ok to supply them via a private message too.


Posted (edited)
2 hours ago, Marcos said:

If you have a detected file in a folder for which a link exists (symlink, hard link, junction), there should be two exclusions, both for the link and the actual folder.

What do you mean by the highlighted part? Do you mean exclude both the file and its folder? If the folder too, then if anything finds its way there, it would be excluded too?

Edited by ESSPUSR

2 hours ago, Marcos said:

I was able to find only the path to c:\users in your Detection log. There were no records with the "c:\documents and settings" folder. Are you getting an alert where the path points to the link (junction) "c:\documents and settings", but when you created an exclusion it was made for the actual folder (c:\users) when you checked the "Exclude from detection" box in the alert? Could you post a screenshot of the alert with the path visible?

As for posting files here, only ESET staff can access them, but it's ok to supply them via a private message too.

I think I may have deleted that log file information before I collected the logs. I will do a new scan, then use ESET Log Collector, and will send it to you via PM.

 

Yes, I'm getting an alert that points to "c:\documents and settings". I created an exclusion for the file located in this path: "c:\users". I will take a screenshot and send it to you. When doing a scan and it finds a file that it warns me about, it won't respect it when I'm telling it to be excluded or ignored. It just puts it into quarantine. Then, after the scan is done, I try to restore those files, but it tells me they can't be restored. I have to manually restore them to another location and THEN put those files into their folder. I don't want to do this every time I do a scan. It should respect that those files are excluded and ignore them instead of putting them into quarantine and deleting them.


  • Administrators

Please also include the logs from the on-demand scanner when collecting logs with ELC. The Detections log contains records from real-time protection and other scanners, but the on-demand scanner has its own logs.

image.png


3 hours ago, Marcos said:

Please also include the logs from the on-demand scanner when collecting logs with ESET Log Collector. The Detections log contains records from real-time protection and other scanners, but the on-demand scanner has its own logs.

image.png

 

I have done what you requested. Please check your inbox. Thanks in advance.


On 5/23/2024 at 2:24 PM, Marcos said:

Please also include the logs from the on-demand scanner when collecting logs with ESET Log Collector. The Detections log contains records from real-time protection and other scanners, but the on-demand scanner has its own logs.

image.png

Hello! Have you had time to look at what I sent you via PM about this issue? Thanks in advance.


  • Administrators
  • Solution

The on-demand scanner detected the application in C:\Documents and Settings\APPS\KMS\KMS_VL_ALL_AIO.cmd, but only C:\Users\APPS\KMS\* is excluded. You should either exclude C:\Documents and settings\APPS\KMS\* as well, or make the exclusion only for the detection name with the path field empty so that it's excluded everywhere.

This is because the on-demand scanner has always followed links (a junction in this case), so both the junction and the actual folder must be excluded. This will change as of the next product version, which will not follow links by default unless you enable the appropriate option.

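The junction problem in the solution above, modelled in a few lines of Python. This is an added illustration written for this thread, not ESET code and not a description of how the product matches exclusions internally: it assumes the behaviour Marcos describes (a link-following scan reports the file under whichever spelling it walked through, and a path exclusion is compared literally against that spelling). The junction table, the exclusion entries and the detection record are constructed for the example; the detection name is a placeholder because the thread never gives the real one. It answers the question the poster actually had: given the exclusions I have, which spellings of this file are still unprotected, and what do I need to add?

```python
"""Model of why a path exclusion can fail to suppress an on-demand detection
when the scanner follows directory junctions.

Added illustration for this thread, not ESET code. The junction table,
exclusion entries and detection record below are constructed for the example
(the detection name is a placeholder; the thread does not give the real one).
On a real machine the junction list would come from `dir /AL C:\\`.
"""
import fnmatch
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed junction table: link path -> directory it resolves to.
# "C:\Documents and Settings" is the default Windows junction to C:\Users.
JUNCTIONS: Dict[str, str] = {
    r"C:\Documents and Settings": r"C:\Users",
}


@dataclass(frozen=True)
class Exclusion:
    path: Optional[str]       # glob on the file path; None = any path
    detection: Optional[str]  # detection name; None = any detection


@dataclass(frozen=True)
class Detection:
    path: str   # path as the scanner reported it
    name: str


def norm(p: str) -> str:
    """Case-insensitive, backslash-normalised form of a Windows path."""
    return ntpath.normcase(ntpath.normpath(p))


def resolve_junctions(path: str, junctions: Dict[str, str]) -> str:
    """Rewrite a leading junction component to the directory it points at."""
    p = norm(path)
    for link, target in junctions.items():
        link_n = norm(link)
        if p == link_n or p.startswith(link_n + "\\"):
            return norm(target) + p[len(link_n):]
    return p


def spellings(path: str, junctions: Dict[str, str]) -> Set[str]:
    """Every path under which a link-following scan can reach the same file:
    the real path plus one alias per junction that points into it."""
    real = resolve_junctions(path, junctions)
    out = {norm(path), real}
    for link, target in junctions.items():
        target_n = norm(target)
        if real == target_n or real.startswith(target_n + "\\"):
            out.add(norm(link) + real[len(target_n):])
    return out


def _excludes(ex: Exclusion, spelling: str, name: str) -> bool:
    """Literal match, as a scanner compares the path it is looking at."""
    if ex.detection is not None and ex.detection.lower() != name.lower():
        return False
    return ex.path is None or fnmatch.fnmatchcase(spelling, norm(ex.path))


def uncovered_spellings(exclusions, det, junctions, follow_links=True) -> List[str]:
    """Spellings the scanner may report `det` under that no exclusion matches.
    Empty list means the exclusion set fully covers the detection.
    follow_links=False models a scanner that only reaches the real path."""
    seen = (spellings(det.path, junctions) if follow_links
            else {resolve_junctions(det.path, junctions)})
    return [s for s in sorted(seen)
            if not any(_excludes(ex, s, det.name) for ex in exclusions)]


def suggested_additions(exclusions, det, junctions) -> List[str]:
    """Folder wildcards to add so that every spelling is covered."""
    return [ntpath.dirname(s) + "\\*"
            for s in uncovered_spellings(exclusions, det, junctions)]


# The situation from the thread (detection name is a placeholder).
DETECTION = Detection(r"C:\Documents and Settings\APPS\KMS\KMS_VL_ALL_AIO.cmd",
                      "Placeholder/Detection.Name")
EX_USERS_ONLY = [Exclusion(r"C:\Users\APPS\KMS\*", None)]
EX_BOTH = EX_USERS_ONLY + [Exclusion(r"C:\Documents and settings\APPS\KMS\*", None)]
EX_BY_NAME = [Exclusion(None, "Placeholder/Detection.Name")]

if __name__ == "__main__":
    for label, exs in (("users only", EX_USERS_ONLY), ("both", EX_BOTH), ("by name", EX_BY_NAME)):
        print(f"{label:10s} uncovered: {uncovered_spellings(exs, DETECTION, JUNCTIONS)}")
    print("add:", suggested_additions(EX_USERS_ONLY, DETECTION, JUNCTIONS))
    print("no link following:",
          uncovered_spellings(EX_USERS_ONLY, DETECTION, JUNCTIONS, follow_links=False))
```

With only the C:\Users\APPS\KMS\* exclusion, the junction spelling of the file is left uncovered, which is exactly the detection the poster kept seeing; adding the C:\Documents and settings\APPS\KMS\* wildcard, or excluding by detection name with an empty path, leaves nothing uncovered. Running the same check with follow_links=False shows why the behaviour change Marcos mentions for the next version makes the single exclusion sufficient. The one assumption worth repeating is the junction table: the example hardcodes the default one, whereas on a real system you would enumerate reparse points (for instance with `dir /AL` on each volume) before trusting the result.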

On 5/27/2024 at 8:32 PM, Marcos said:

The on-demand scanner detected the application in C:\Documents and Settings\APPS\KMS\KMS_VL_ALL_AIO.cmd, but only C:\Users\APPS\KMS\* is excluded. You should either exclude C:\Documents and settings\APPS\KMS\* as well, or make the exclusion only for the detection name with the path field empty so that it's excluded everywhere.

This is because the on-demand scanner has always followed links (a junction in this case), so both the junction and the actual folder must be excluded. This will change as of the next product version, which will not follow links by default unless you enable the appropriate option.

Adding this to the exclusions also worked: C:\Documents and Settings\APPS\KMS\KMS_VL_ALL_AIO.cmd

Thank you for your service. Very appreciated.


This topic is now closed to further replies.