Jump to content

Recommended Posts

Posted

Hello

Currently evaluating ESET Inspect, I'm wondering about the default rules created by ESET but that have no user actions. If I understand correctly, once exclusions have been made by learning mode, we should be able to set protective actions to the rules, especially the threats rules. But afaik, there is

  1. No way to mass enable user actions on rules, so you have to edit them all 1 by 1 😐
  2. No recommended user actions on rules. ESET should recommend default user actions for the rules they make because they know what is the best protective action for a rule

What is the right way to deal with these ? We are a Service Provider and we cannot afford to go on each console of each customer to edit manually each rule..

Posted
  1. Correct
  2. There are some Threat rules where a user action, like blocking, is set. E. g. B1005, it kills the process on this computer.
Posted

Thanks for the feedback. It still feels like we are left alone with those users actions, they should do the job to the end and recommend us what user actions to do for each rules. They know best what impact / severity each threat has.

  • 2 weeks later...
  • ESET Staff
Posted (edited)
On 7/4/2024 at 9:24 AM, karsayor said:

once exclusions have been made by learning mode, we should be able to set protective actions to the rules

Well, while using learning mode will definitely help you to create the most common exclusions for your environment, enabling some form of action on all rules after that would be an oversimplification. The general rule of thumb is that if  maliciousTarget name="module" you use Block Executable and if it is "current" or "parent" you use KillProcess.

Then you can check tags like "Aggressive Kill" to filter for rules, where you can apply KillProcess action (although I don't recommend using all these rules in production).

If we know the rule doesn't cause problems for most of the customers, it'll have automatic action assigned by default. We try to review these regularly.

It really doesn't work the way you are describing @karsayor. When we write rules and add actions to them they must work for everybody and this limits us. You know your environment best and are the person who can make an informed decision what is and isn't normal for your environment. I agree that, maybe we should re-think some user-experience aspects of this.

On 7/4/2024 at 9:24 AM, karsayor said:

No way to mass enable user actions on rules, so you have to edit them all 1 by 1 😐

Yes, unfortunately this is true. We register this issue as a a pain point for the users. 

Edited by j91321
  • 1 month later...
Posted
On 7/21/2024 at 4:03 PM, j91321 said:

Well, while using learning mode will definitely help you to create the most common exclusions for your environment, enabling some form of action on all rules after that would be an oversimplification. The general rule of thumb is that if  maliciousTarget name="module" you use Block Executable and if it is "current" or "parent" you use KillProcess.

Then you can check tags like "Aggressive Kill" to filter for rules, where you can apply KillProcess action (although I don't recommend using all these rules in production).

If we know the rule doesn't cause problems for most of the customers, it'll have automatic action assigned by default. We try to review these regularly.

It really doesn't work the way you are describing @karsayor. When we write rules and add actions to them they must work for everybody and this limits us. You know your environment best and are the person who can make an informed decision what is and isn't normal for your environment. I agree that, maybe we should re-think some user-experience aspects of this.

Yes, unfortunately this is true. We register this issue as a a pain point for the users. 

Hello

Thank you for your answer. I discussed this with ESET employees, and the MDR Service seems to be a better fit for our use case since we would not have to care about exclusions and actions on rules.

Still, I think there are ways to improve the Inspect Console to facilitate the work, I keep thinking that there should be recommended actions by ESET for rules, especially the critical ones.

In my head, the process of enabling the EDR would be :

  1. Install agents and enable learning mode for a few days / week
  2. Choose the level of security you want : 1 is to enable protective actions on reds and yellow rules, 2 is only protective actions on red rules
  3. Create exclusions to lower the number of false positive detection, there shouldn't be any red false positive if you choosed security level 2 and there shouldn't be any reds nor yellow if you choosed security level 2
  4. Mass Enable user actions provided by ESET recommendation on rules, either only reds if you choosed security level 2 or reds and yellows if you choosed security level 1
  5. When there is an update of the detection rules, user actions of the new and modified rules are disabled but those rules would be highlighted until reviewed and user actions re-renabled.

I know I'm idealizing things a bit, at least it could give some hints to ease things for SME that still want the EDR Protection without having their own SOC :)

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...