Recommended way to deal with user actions


Hello

I'm currently evaluating ESET Inspect, and I'm wondering about the default rules that are created by ESET but have no user actions. If I understand correctly, once exclusions have been made by learning mode, we should be able to set protective actions on the rules, especially the threat rules. But afaik, there is

  1. No way to mass enable user actions on rules, so you have to edit them all 1 by 1 😐
  2. No recommended user actions on rules. ESET should recommend default user actions for the rules they make because they know what is the best protective action for a rule

What is the right way to deal with these? We are a Service Provider and we cannot afford to go into each console of each customer to manually edit each rule.


  1. Correct
  2. There are some Threat rules where a user action, like blocking, is set. E.g. B1005: it kills the process on this computer.

Thanks for the feedback. It still feels like we are left alone with those user actions; they should do the job to the end and recommend to us what user actions to use for each rule. They know best what impact / severity each threat has.


  • 2 weeks later...
  • ESET Staff
On 7/4/2024 at 9:24 AM, karsayor said:

once exclusions have been made by learning mode, we should be able to set protective actions to the rules

Well, while using learning mode will definitely help you to create the most common exclusions for your environment, enabling some form of action on all rules after that would be an oversimplification. The general rule of thumb is that if maliciousTarget name="module", you use Block Executable, and if it is "current" or "parent", you use KillProcess.

Then you can check tags like "Aggressive Kill" to filter for rules, where you can apply KillProcess action (although I don't recommend using all these rules in production).

If we know the rule doesn't cause problems for most of the customers, it'll have automatic action assigned by default. We try to review these regularly.

It really doesn't work the way you are describing @karsayor. When we write rules and add actions to them, they must work for everybody, and this limits us. You know your environment best and are the person who can make an informed decision about what is and isn't normal for your environment. I agree that maybe we should re-think some user-experience aspects of this.

On 7/4/2024 at 9:24 AM, karsayor said:

No way to mass enable user actions on rules, so you have to edit them all 1 by 1 😐

Yes, unfortunately this is true. We register this issue as a pain point for the users.

Edited by j91321
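
The rule of thumb from the reply above, as an added example that is not part of the thread or ESET's own tooling: a Python helper that reads rule XML and proposes a user action from the maliciousTarget value, sending anything ambiguous to manual review. The rule layout around maliciousTarget, the sample rules and the function names are assumptions; the action labels are written as they appear in the post.

```python
import xml.etree.ElementTree as ET

# Rule of thumb from the reply: maliciousTarget value -> suggested user action.
# Action labels are copied from the post, not from any export format.
SUGGESTED = {
    "module": "Block Executable",
    "current": "KillProcess",
    "parent": "KillProcess",
}

def suggest_action(rule_xml):
    """Return the suggested action for one rule, or a REVIEW reason."""
    try:
        root = ET.fromstring(rule_xml)
    except ET.ParseError as exc:
        return f"REVIEW: not well-formed XML ({exc})"
    # Collect every maliciousTarget name found anywhere in the rule.
    targets = {el.get("name", "").strip().lower()
               for el in root.iter("maliciousTarget")}
    targets.discard("")
    if not targets:
        return "REVIEW: no maliciousTarget"
    unknown = targets - SUGGESTED.keys()
    if unknown:
        return "REVIEW: unknown target " + ", ".join(sorted(unknown))
    actions = {SUGGESTED[t] for t in targets}
    if len(actions) > 1:
        return "REVIEW: conflicting targets"
    return actions.pop()

def triage(rules):
    """Map rule name -> suggestion for a dict of rule name -> rule XML."""
    return {name: suggest_action(xml) for name, xml in rules.items()}

# Constructed sample rules. Only the maliciousTarget element and its values
# come from the thread; the surrounding layout is assumed.
SAMPLE_RULES = {
    "constructed-rule-a": '<rule><maliciousTarget name="module"/></rule>',
    "constructed-rule-b": '<rule><maliciousTarget name="current"/></rule>',
    "constructed-rule-c": '<rule><maliciousTarget name="parent"/></rule>',
    "constructed-rule-d": '<rule><definition/></rule>',
    "constructed-rule-e": '<rule><maliciousTarget name="module"',
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_RULES).items():
        print(f"{name}: {verdict}")
```

The output is a worklist to check against your exclusions, in line with the reply's point that enabling actions on every rule is an oversimplification.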