BDeep (ESET Insiders), posted August 24, 2016:

I am excluding and restoring tftpd32.exe from quarantine via ERA and the local ESET client (6.4.2014.0), but as soon as it is restored and excluded, either via ERA or the local client, ESET pops it again and sends it back to quarantine. This is also happening on ESET File Security for Windows Servers.

Marcos (Administrators), posted August 24, 2016:

The application is detected as potentially unsafe. In that case, you can exclude it from detection as shown below:

BDeep (ESET Insiders, Author), posted August 24, 2016:

> The application is detected as potentially unsafe. In that case, you can exclude it from detection as shown below:
> [image: EPv6_exclude_pua.png]

Our enterprise endpoints are locked down and they do not have that option. Restoring and excluding from ERA just causes the file to get popped again.

Marcos (Administrators), posted August 24, 2016:

As long as the user has local administrator rights, it should be possible to exclude PUA from detection. This setting cannot be locked by a policy as it's not a part of the configuration tree.

BDeep (ESET Insiders, Author), posted August 24, 2016:

> As long as the user has local administrator rights, it should be possible to exclude PUA from detection. This setting cannot be locked by a policy as it's not a part of the configuration tree.

This is what our end users see for notifications. Instead of running in circles, what I think you are saying is that PUPs restored from ERA are going to get popped regardless of whether the "restore and exclude" option is selected in ERA.

MichalJ (ESET Staff), posted August 25, 2016:

Hello,

This works OK when you have no exclusions set by policy from ERA. In that case, the "restore & exclude" option will fill in a valid exclusion. However, when you have the exclusions set by ERA, it could not be appended, as the "list" of exclusions is handled as one setting, and the centrally set list will overwrite the one created by this entry (either local, or the one by ERA agent).

This is certainly an issue within the current design, and we will do our best to resolve this situation for the new version of ERA / Endpoint.

As of now, I would suggest the following workaround:

1. Disable the centrally forced exclusions
2. Execute "restore & exclude" task for the problematic threat
3. Request configuration from Endpoint
4. Copy the Exclusion path, and add it to the centrally forced exclusion