  • ESET Insiders
Posted

I am excluding and restoring from quarantine via ERA and the local ESET client (6.4.2014.0) tftpd32.exe but as soon as it is restored and excluded either via ERA or the local client, ESET pops it again and sends it back to quarantine. This is also happening on ESET File Security for Windows Servers.

  • Administrators
Posted

The application is detected as potentially unsafe. In that case, you can exclude it from detection as shown below:

 

post-10-0-97893200-1472051416_thumb.png

  • ESET Insiders
Posted

The application is detected as potentially unsafe. In that case, you can exclude it from detection as shown below:

 

EPv6_exclude_pua.png

 

Our enterprise endpoints are locked down and they do not have that option. Restoring and excluding from ERA just causes the file to get popped again.

  • Administrators
Posted

As long as the user has local administrator rights, it should be possible to exclude PUA from detection. This setting cannot be locked by a policy as it's not a part of the configuration tree.

  • ESET Insiders
Posted

As long as the user has local administrator rights, it should be possible to exclude PUA from detection. This setting cannot be locked by a policy as it's not a part of the configuration tree.

This is what our end users see for notifications.

 

Instead of running in circles, what I think you are saying is that PUPs restored from ERA are going to get popped regardless of whether the "restore and exclude" option is selected in ERA.

post-9961-0-20646200-1472051894_thumb.png

  • ESET Staff
Posted

Hello,

 

This works OK when you have no exclusions set by policy from ERA.

In that case, the "restore & exclude" option will fill in a valid exclusion.

 

However, when you have the exclusions set by ERA, it could not be appended, as the "list" of exclusions is handled as one setting, and the centrally set list will overwrite the one created by this entry (either local, or the one by the ERA agent).

This is certainly an issue within the current design, and we will do our best to resolve this situation for the new version of ERA / Endpoint.

 

As of now, I would suggest the following workaround:

  1. Disable the centrally forced exclusions
  2. Execute "restore & exclude" task for the problematic threat
  3. Request configuration from Endpoint
  4. Copy the Exclusion path, and add it to the centrally forced exclusion