Exclusions

ESET Inspect provides the ability to match incoming events against rules. Rules are defined using an XML-based language that expresses conditions over event properties (Module name, Hash, Signer, Popularity).

Rules can be edited, enabled and disabled. Received events are passed to the RuleEngine component, where the rules are compiled and matched against the events, eventually raising a detection.

For this reason, a way to filter out (exclude) some detections is needed.

As most of the filtering is based on exactly the same properties used in the rules, exclusions are defined using the same language as the rules. This has the notable advantage of allowing much of the existing machinery to be reused.

ESET Inspect provides an editing wizard, since exclusions are usually closely related to an existing rule. Starting from an existing detection, the wizard pre-fills initial values for the exclusion rule conditions.

A set of predefined exclusions (disabled by default) is included; you can enable them later.

Filtering, Tags and Table options

Use the filters at the top of the screen to refine the list of displayed items. Tags are also useful when searching for a specific computer, detection, incident, executable, or script. You can also click the gear icon to open the table options and manage the main table.

Right-click an exclusion name to take further actions:

Edit

Opens the update exclusion window.

New exclusion

Opens the Create exclusion window.

Enable

Enables the selected exclusion.

Disable

Disables the selected exclusion.

Delete

Deletes the selected exclusion.

Export

Starts the export of the exclusion rule; how the download is handled depends on the web browser used. The file format is XML.

Import

Opens the window for importing an XML exclusion rule file.

Tags

Assigns one or more tags to an exclusion from the list of existing tags, or creates new custom tags.

Display Absolute/Relative Time

Absolute time shows the time in the format DD/MM/YYYY HH:MM:SS. Relative time shows the time relative to the present in minutes, hours or months, for example 15 minutes ago or six days ago.

Filter

Quick filters that depend on the column in which you opened the context menu (Show only this, Hide this).