Executables

The Executables table is a repository of all executables (and DLLs) discovered on the network monitored by ESET Enterprise Inspector.

For each executable, granular statistics are provided, such as reputation/popularity in LiveGrid®, when it was first seen by LiveGrid®, on how many computers it was seen/executed, how many file operations/network connections it established, what modifications it made, and further metadata that help identify potentially suspicious behavior of any executable. As this is the most data-dense view in ESET Enterprise Inspector, it offers the most powerful customization options, both for the displayed columns and for filtering (again, with the possibility to manage filter sets). You can see how many detections each executable triggered and what the highest severity of a triggered detection was.

You can check the details of every executable, which include not only the statistics mentioned above but also the detections the executable triggered, the origin of the executable, and its registry entries. All of this information helps you investigate on the basis of which behavior the executable was evaluated as malicious.

You can also drill down to aggregated/raw events and examine them one by one to find any activity that might violate company policy. You can also take remediation actions: download the executable for further investigation, add it to a block list (by hash), or kill a particular process.

When you click the name of an executable, the Executable Details view opens.

Right-clicking the executable name, or left-clicking anywhere else on the row, brings up a context menu with the following options:

Details—same as Executable Details when clicking the name of the executable.

Details (New Tab)—you are redirected to Executable Details, but in a new tab

Statistics—you are redirected to the Statistics tab

Detections—you are redirected to the Detections tab

Seen On—you are redirected to the Computers tab

Source—you are redirected to the Executable sources

Filter Events—you are redirected to Create event storage filter. You can also use the button at the bottom of the screen

Mark as Safe—sets the Safe state, which many rules use to determine risk. Mark as Safe does have an impact on detections, but it does not guarantee that a particular module will never be included in detections. There are a few hundred rules, and some raise detections regardless of which module executed the suspicious action; for example, a trusted module such as PowerShell can perform such an action. Other rules evaluate risk on the basis of the module, and such rules take the “safe” flag into consideration. This flag means that the user analyzed the module and it is unlikely to be malicious, so the rules assume a lower risk during evaluation

Mark as Unsafe—if you marked an executable as safe by mistake, you can use this option to mark it as unsafe

Block—you are redirected to the Add Hashes section

Unblock—the hash is removed from the Blocked Hashes section

Mark as Inspected—does not have an impact on detections. A module can be marked this way if the Security Admin/Reviewer has checked it, knows its source and what it does, but is still unsure whether it is safe (the decision can be left to a higher-ranking colleague)

Mark as Uninspected—marks the executable as uninspected by the logged-in user. You can also use the button at the bottom of the page

Download File—the download window for the affected executable appears

Tags—used to tag the computer. After choosing this option, a new window for tag editing opens. In the Select field, you can type a new tag or select an existing one. You can also use the button at the bottom of the screen to show the list of assigned tags

Display Absolute/Relative Time—Absolute time shows the time in the format DD/MM/YYYY HH:MM:SS. Relative time shows the time in minutes/hours/days/months relative to the present, such as "15 minutes ago" or "6 days ago"

Filter—you can find these quick filters, depending on the column:

    Show only this—shows only records with this particular value

    Hide this—hides all records with this particular value

    Show before—shows only records that are before this value (for example, a time)

    Show after—shows only records that are after this value (for example, a time)

    Show lower—shows only records whose value is lower than this one

    Show higher—shows only records whose value is higher than this one

By default, you can filter executables by the following:

1.Type of OS (Win, macOS)

2.Type of executable (EXE, DLL)

3.Status (Threat, Warning, Info, OK)

4.Blocked/Safe

5.Additional filters

Using the buttons at the bottom of the screen, you can select all executables on the screen or an individual one and apply Mark as Safe, Mark as Unsafe, Block, Unblock, Mark as Inspected or Mark as Uninspected to them, or click the Seen On button to get the list of computers on which the selected executable was seen.

Type of OS (Win, macOS)

Select which OS you want to see the executables for: Windows or macOS.

Type of executable (EXE, DLL)

With this filter, you can choose between EXE or DLL files, or both at once.

Status

There are four statuses:

Threat

Warning

Info

OK

Blocked/Safe

You can use this filter to see Blocked or Safe files, or both types.

Additional filters

The additional filters are accessible by clicking the ADD FILTER button or clicking the space next to it, where the list of available filters appears. You can search for a filter by typing its name or by selecting it from the list. For the definitions of the additional filters, follow here.

Some filters have a funnel icon next to them with two or four predefined options:

Unknown—the value in the filtered column is not available (probably not a known value at the time of occurrence)

Known—the value is available

None—the value is an empty string

Any—the value is not empty; the negation of the None filter
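To make the semantics of the quick filters (Show only this, Hide this, Show before/after, Show lower/higher) and of the four funnel options concrete, here is an added example, not code from ESET or from this help page, that applies them to a constructed CSV export of the grid. The export format, the "N/A" marker for an unavailable value and the column names are assumptions; the point it shows is that "Known" and "Any" differ exactly on an empty string, and that an unknown value never satisfies an equality or ordering comparison.

```python
import csv
import io
from datetime import datetime

# Constructed sample of an Executables grid exported to CSV (not real EEI data).
# Assumed export convention: "N/A" = value not available, empty cell = empty string.
SAMPLE_CSV = """name,sha256,first_seen,seen_on,status
svchost.exe,0a1b,2024-01-02 10:00:00,120,OK
tool.exe,,2024-03-05 09:30:00,3,Warning
dropper.dll,N/A,2024-03-06 11:00:00,1,Threat
"""

def parse_export(text):
    """Read the CSV into typed rows: None means unknown, "" means empty string."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        row = {k: (None if v == "N/A" else v) for k, v in raw.items()}
        row["first_seen"] = datetime.strptime(row["first_seen"], "%Y-%m-%d %H:%M:%S")
        row["seen_on"] = int(row["seen_on"])
        rows.append(row)
    return rows

# The predefined funnel options: Unknown/Known test availability, None/Any test
# for the empty string, so an empty SHA-256 cell is "Known" but not "Any".
FUNNEL = {
    "Unknown": lambda v: v is None,
    "Known": lambda v: v is not None,
    "None": lambda v: v == "",
    "Any": lambda v: v is not None and v != "",
}

# Quick filters from a cell's context menu; before/after are meant for times and
# lower/higher for numbers, but all are the same ordering comparison on the cell.
QUICK = {
    "Show only this": lambda v, p: v == p,
    "Show before": lambda v, p: v < p,
    "Show after": lambda v, p: v > p,
    "Show lower": lambda v, p: v < p,
    "Show higher": lambda v, p: v > p,
}

def apply_filter(rows, column, op, pivot=None):
    """Return the rows kept by one funnel option or quick filter on a column."""
    if op in FUNNEL:
        return [r for r in rows if FUNNEL[op](r[column])]
    if op == "Hide this":  # hiding a value keeps rows whose value is unknown
        return [r for r in rows if r[column] != pivot]
    # An unknown value can never satisfy an equality or ordering comparison.
    return [r for r in rows if r[column] is not None and QUICK[op](r[column], pivot)]
```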

If present on the screen, you can refresh the table by clicking the refresh icon. If available, the export icon can be used to export the table grid to CSV format so that you can work with the list in other applications.

If present, click the PRESETS button to manage filter sets. These options are available:

Save filters—allows you to save the current filter set. Select the check box Include the visible columns and sorting to save this part of your selection as well; otherwise, loading the saved filter without this option selected will show you the default column setting

Reset filters—resets the active filter and returns to the default filter setting with the default column setting

Reset view—resets the active view without resetting the filter set

Manage—allows you to manage your filter sets

Save Filters as Rule—if available, allows you to save the filter as a rule. You can then find it in the list of rules under the Detection rules sub-tab of the Admin tab

Tags

Tagging is an additional form of filtering that can connect multiple objects across multiple views (computer, executable, event filter, etc.). If available, the tag icon is on the left side, next to the name of the view. In the Computers view, the tag panel can be accessed by clicking the three-dots icon. In the opened tag panel, all created tags are listed and ready to use. If the list of tags is too long, you can use the magnifying glass to search for a specific tag. At the top of the screen, the TAGS selector can be used to select the desired tags. If available, you can also use the TAGS button located at the bottom of the screen among the action buttons.

Columns

Columns can be reorganized by using the move icon that appears on the right side of the column name when you hover the mouse over it.

The width of a column can be resized by using the resize icon that appears on the left side of the column name when you hover the mouse over it.

The sort order of a column can be changed by clicking the name of the column:

Default (No icon)

Ascending

Descending

You can change which columns are displayed by clicking the gear icon and selecting the Select column option, or you can reset the view to default by clicking the Reset columns option. Use the Enter quick search pattern field to search for a column by typing its name or a few letters of it; this is useful if the list of columns is long. For the definitions of the columns, follow here.