Restore from quarantine and exclude gets popped


BDeep

  • ESET Insiders

I am excluding and restoring tftpd32.exe from quarantine via ERA and the local ESET client (6.4.2014.0), but as soon as it is restored and excluded, either via ERA or the local client, ESET pops it again and sends it back to quarantine. This is also happening on ESET File Security for Windows Servers.

  • Administrators

The application is detected as potentially unsafe. In that case, you can exclude it from detection as shown below:

post-10-0-97893200-1472051416_thumb.png

  • ESET Insiders

The application is detected as potentially unsafe. In that case, you can exclude it from detection as shown below:

EPv6_exclude_pua.png

Our enterprise endpoints are locked down and they do not have that option. Restoring and excluding from ERA just causes the file to get popped again.

  • Administrators

As long as the user has local administrator rights, it should be possible to exclude PUA from detection. This setting cannot be locked by a policy as it's not a part of the configuration tree.

  • ESET Insiders

As long as the user has local administrator rights, it should be possible to exclude PUA from detection. This setting cannot be locked by a policy as it's not a part of the configuration tree.

This is what our end users see for notifications.

Instead of running in circles, what I think you are saying is that PUPs restored from ERA are going to get popped regardless of whether the "restore and exclude" option is selected in ERA.

post-9961-0-20646200-1472051894_thumb.png

  • ESET Staff

Hello,

This works OK when you have no exclusions set by policy from ERA.

In that case, the "restore & exclude" option will fill in a valid exclusion.

However, when you have the exclusions set by ERA, it cannot be appended, as the "list" of exclusions is handled as one setting, and the centrally set list will overwrite the one created by this entry (either local, or the one by ERA agent).

This is certainly an issue within the current design, and we will do our best to resolve this situation for the new version of ERA / Endpoint.

As of now, I would suggest the following workaround:

  1. Disable the centrally forced exclusions
  2. Execute the "restore & exclude" task for the problematic threat
  3. Request configuration from Endpoint
  4. Copy the Exclusion path, and add it to the centrally forced exclusion

This topic is now closed to further replies.