
Delete files listed as threats



I am fairly new to ESET and am still fine tuning policy settings as issues crop up. One issue that has cropped up is affecting our ability to get consistent backups.


We run Microsoft DPM 2010 for backing up most file servers, and have ESET File Security installed on all of them. DPM goes through and touches each file, so if a risk is found, the real-time scanner picks it up and places it in quarantine. Most, or all, of the risks that have been found on the file servers are JS/Redirector.NJU trojans. Personally I think these are false positives since they are coming from legitimate HTM and HTML files saved on the servers. However, the problem comes in that once quarantined by ESET, DPM can no longer access the file, and then skips the file.


DPM by default will only skip 100 files before the recovery point will fail. In my research I've found that Microsoft recommends deleting threats, not quarantining them, when using DPM. So, I believe I have three options.


1. Set an exclusion for HTM and HTML files. - I don't really want to exclude these, as I'm afraid of opening up attack vectors.

2. There is a registry key I can put in to increase the limit of skipped files; however, I see that as a band-aid. The number of quarantined files will surely increase over time and eventually exceed the limit again.

3. I can set ESET policy to delete instead of quarantine. However, I cannot find where to do that for File Security.


Can somebody direct me to the location in the ERA policy settings where this can be done, if it can be done?


  • ESET Staff

Hello cmccord,

-In the policy, navigate to Windows Server 4.5 -> File Security 4.5 for MS Windows Server -> General Settings -> Antivirus and Antispyware -> Exclusions -> Exclusions. If you click on Exclusions: 0 Entries you'll see the option to edit the list on the right pane.

-From there, select "+Folder" and navigate to the highest level DPM Folder, wherever you have chosen to install it. Select "ok" to add it to the exclusion list, and note the *.* at the end of the folder path. This indicates that all subfolders are included in the exclusion.

-ESET is rather legendary at detecting infected JavaScript, and so my cautious recommendation is to submit archived copies of the detected files to samples@eset.com. In the subject line, include "Potential FP: JS/Redirector.NJU" and any other variant detections. In the body of the email, include where the files are located and what purpose they serve. This will help the malware lab developers understand how vulnerable said files are to injection. To get the files out of quarantine and into an archive file, you can temporarily disable "Real-Time File System Protection" under the "Setup" section of File Security's main interface.

-If you are able to, test older copies of the htm(l) files against File Security's scanner. If there is a difference even though you know that no major script changes were done within the files, I would begin to trust in the detections.


Best Regards,
Jeremy
ESET Customer Care
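The last suggestion in the reply above (compare older copies of the flagged .htm/.html files with the current ones before deciding whether the detections are real) can be scripted. The following is an added example, not ESET, DPM or forum code: it fingerprints the inline `<script>` bodies and external `src` references in two copies of a page and reports what was added or removed, so that a restored backup can be checked against the live share. The sample pages are constructed; `compare_trees` assumes the older copies are restored to a directory tree mirroring the live one.

```python
"""Compare the script content of an older backup copy of an .htm/.html file
with the current copy. Added example (not ESET, DPM or forum code); the sample
pages below are constructed."""
import hashlib
import re
from pathlib import Path

# Inline script bodies and external script src attributes, case-insensitive.
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)


def script_fingerprints(html: str) -> tuple[set[str], set[str]]:
    """Return (hashes of inline script bodies, external script src values).

    Inline bodies are whitespace-normalised before hashing so reformatting alone
    does not register as a change; hashes are keyed by content, not position, so
    an inserted block shows up as one addition instead of shifting every index.
    """
    inline, srcs = set(), set()
    for body in SCRIPT_BLOCK.findall(html):
        norm = re.sub(r"\s+", " ", body).strip()
        if norm:  # <script src=...></script> has an empty body; skip it here
            inline.add(hashlib.sha256(norm.encode("utf-8")).hexdigest()[:16])
    srcs.update(SCRIPT_SRC.findall(html))
    return inline, srcs


def compare_scripts(old_html: str, new_html: str) -> dict[str, list[str]]:
    """Script blocks and src references present in only one of the two copies."""
    old_inline, old_src = script_fingerprints(old_html)
    new_inline, new_src = script_fingerprints(new_html)
    return {
        "added_inline": sorted(new_inline - old_inline),
        "removed_inline": sorted(old_inline - new_inline),
        "added_src": sorted(new_src - old_src),
        "removed_src": sorted(old_src - new_src),
    }


def scripts_unchanged(old_html: str, new_html: str) -> bool:
    """True when no script was added, removed or altered between the copies."""
    return not any(compare_scripts(old_html, new_html).values())


def compare_trees(old_root: str, new_root: str) -> dict[str, dict[str, list[str]]]:
    """Walk two directory trees (a restored backup and the live share, assumed to
    mirror each other) and report every .htm/.html file whose scripts differ."""
    findings: dict[str, dict[str, list[str]]] = {}
    old_base, new_base = Path(old_root), Path(new_root)
    for new_file in new_base.rglob("*"):
        if new_file.suffix.lower() not in (".htm", ".html"):
            continue
        old_file = old_base / new_file.relative_to(new_base)
        if not old_file.is_file():
            findings[str(new_file)] = {"note": ["no older copy to compare against"]}
            continue
        diff = compare_scripts(old_file.read_text(errors="replace"),
                               new_file.read_text(errors="replace"))
        if any(diff.values()):
            findings[str(new_file)] = diff
    return findings


# Constructed sample pages: the "new" copy gained one inline block and one src,
# while the existing greet() block was only reformatted.
OLD_HTML = """<html><head>
<script src="js/site.js"></script>
<script>
  function greet() { return "hello"; }
</script>
</head><body>Intranet page</body></html>"""

NEW_HTML = """<html><head>
<script src="js/site.js"></script>
<script>function greet() { return "hello"; }</script>
<script src="js/extra.js"></script>
<script>console.log("constructed extra block");</script>
</head><body>Intranet page</body></html>"""

if __name__ == "__main__":
    print(compare_scripts(OLD_HTML, NEW_HTML))
```

A file that reports nothing from `compare_scripts` but is still detected is a stronger false-positive candidate for the samples@eset.com submission; a file that gained an inline block or an unfamiliar `src` since the last clean backup deserves the benefit of the doubt the reply describes.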
