karsayor, Posted July 4

Hello,

Currently evaluating ESET Inspect, I'm wondering about the default rules created by ESET that have no user actions. If I understand correctly, once exclusions have been made by learning mode, we should be able to set protective actions on the rules, especially the threat rules. But afaik, there is:

No way to mass enable user actions on rules, so you have to edit them all 1 by 1 😐

No recommended user actions on rules. ESET should recommend default user actions for the rules they make, because they know what the best protective action for a rule is.

What is the right way to deal with these? We are a Service Provider and we cannot afford to go to each console of each customer to edit every rule manually.
thae, Posted July 9

Correct. There are some Threat rules where a user action, like blocking, is set. E.g. B1005, it kills the process on this computer.
karsayor (Author), Posted July 11

Thanks for the feedback. It still feels like we are left alone with those user actions; they should do the job to the end and recommend to us what user actions to set for each rule. They know best what impact / severity each threat has.
j91321 (ESET Staff), Posted July 21 (edited)

On 7/4/2024 at 9:24 AM, karsayor said:
"once exclusions have been made by learning mode, we should be able to set protective actions to the rules"

Well, while using learning mode will definitely help you to create the most common exclusions for your environment, enabling some form of action on all rules after that would be an oversimplification. The general rule of thumb is that if maliciousTarget name="module" you use Block Executable, and if it is "current" or "parent" you use KillProcess. Then you can check tags like "Aggressive Kill" to filter for rules where you can apply the KillProcess action (although I don't recommend using all these rules in production). If we know the rule doesn't cause problems for most of the customers, it'll have an automatic action assigned by default. We try to review these regularly.

It really doesn't work the way you are describing @karsayor. When we write rules and add actions to them they must work for everybody, and this limits us. You know your environment best and are the person who can make an informed decision about what is and isn't normal for your environment. I agree that maybe we should re-think some user-experience aspects of this.

On 7/4/2024 at 9:24 AM, karsayor said:
"No way to mass enable user actions on rules, so you have to edit them all 1 by 1 😐"

Yes, unfortunately this is true. We register this issue as a pain point for the users.

Edited July 21 by j91321
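The rule of thumb above (module target → Block Executable, current/parent target → KillProcess, "Aggressive Kill" tagged rules reviewed rather than blindly enforced) can be turned into a triage pass over an exported rule set. The script below is an added example, not ESET's code; the XML element names (maliciousTarget, actions/action, tags/tag, description/name) are an assumption about the rule export layout, and the sample rules are constructed.

```python
import xml.etree.ElementTree as ET

# Rule of thumb from the thread: "module" -> BlockExecutable, "current"/"parent" -> KillProcess.
TARGET_TO_ACTION = {"module": "BlockExecutable", "current": "KillProcess", "parent": "KillProcess"}
# Rules carrying these tags are flagged for review instead of a straight "enable" suggestion.
CAUTION_TAGS = {"Aggressive Kill"}

# Constructed sample export. Element names are an assumed layout, not the product's schema.
SAMPLE_RULES = """<rules>
  <rule>
    <description><name>Sample A - module target</name><severity>red</severity></description>
    <maliciousTarget name="module"/>
    <actions><action name="TriggerDetection"/></actions>
  </rule>
  <rule>
    <description><name>Sample B - already enforced</name><severity>red</severity></description>
    <maliciousTarget name="current"/>
    <actions><action name="TriggerDetection"/><action name="KillProcess"/></actions>
  </rule>
  <rule>
    <description><name>Sample C - aggressive</name><severity>yellow</severity></description>
    <maliciousTarget name="parent"/>
    <actions><action name="TriggerDetection"/></actions>
    <tags><tag>Aggressive Kill</tag></tags>
  </rule>
  <rule>
    <description><name>Sample D - no target</name><severity>yellow</severity></description>
    <actions><action name="TriggerDetection"/></actions>
  </rule>
</rules>"""


def review_rules(xml_text):
    """One triage record per rule: which protective action is set now and what the rule of thumb suggests."""
    records = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        target_el = rule.find("maliciousTarget")
        target = target_el.get("name") if target_el is not None else None
        # TriggerDetection only raises an alert; anything else counts as a protective action.
        enforced = {a.get("name") for a in rule.findall("actions/action")} - {"TriggerDetection"}
        tags = {t.text for t in rule.findall("tags/tag")}
        suggested = TARGET_TO_ACTION.get(target)
        if suggested is None:
            status = "manual-review: no maliciousTarget"
        elif suggested in enforced:
            status = "already-enforced"
        elif tags & CAUTION_TAGS:
            status = f"review-before-enabling: {suggested}"
        else:
            status = f"suggest: {suggested}"
        records.append({"name": rule.findtext("description/name"), "severity": rule.findtext("description/severity"),
                        "target": target, "enforced": sorted(enforced), "status": status})
    return records


if __name__ == "__main__":
    for r in review_rules(SAMPLE_RULES):
        print(f"{r['severity']:6} {r['name']:28} target={str(r['target']):8} {r['status']}")
```

The output is a worklist: rules already enforcing their suggested action need nothing, rules with a plain "suggest" are candidates for enabling after the learning-mode exclusions are in place, and tagged or target-less rules still get a human look.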
karsayor (Author), Posted August 29

(quoting j91321's reply of 7/21/2024 at 4:03 PM above)

Hello,

Thank you for your answer. I discussed this with ESET employees, and the MDR Service seems to be a better fit for our use case, since we would not have to care about exclusions and actions on rules. Still, I think there are ways to improve the Inspect Console to facilitate the work. I keep thinking that there should be recommended actions by ESET for rules, especially the critical ones.
In my head, the process of enabling the EDR would be:

1. Install agents and enable learning mode for a few days / a week.
2. Choose the level of security you want: 1 is to enable protective actions on red and yellow rules, 2 is only protective actions on red rules.
3. Create exclusions to lower the number of false-positive detections. There shouldn't be any red false positives if you chose security level 2, and there shouldn't be any reds nor yellows if you chose security level 2.
4. Mass enable user actions provided by ESET recommendation on rules, either only reds if you chose security level 2, or reds and yellows if you chose security level 1.
5. When there is an update of the detection rules, user actions of the new and modified rules are disabled, but those rules would be highlighted until reviewed and user actions re-enabled.

I know I'm idealizing things a bit, but at least it could give some hints to ease things for SMEs that still want the EDR protection without having their own SOC.