Exclusions

ESET Inspect provides the ability to match incoming events against the rules. Rules are defined using an XML-based language to predicate conditions over events property (Module name, Hash, Signer, Popularity).

Rules can be edited/enabled/disabled when events reception is provided to the RuleEngine component to be compiled and matched against the events, eventually raising a detection.

For this reason, the possibility to filter/exclude some detections is needed.

As most of the filtering is going to be based on exactly the same property used in the rules, exclusions are defined using the same language used by the rules. This has the notable advantage of allowing for fair reuse of much of the existing machinery.

Provides an editing tool wizard, as exclusions are usually strictly related to some existing rule. Starting from an existing detection, this wizard will provide some initial values for the exclusion rule conditions.

Set of predefined exclusions (disabled by default) that you can enable later.

Filtering, Tags and Table options

Use filters at the top of the screen to refine the list of displayed items. Tags are also powerful when searching for a specific computer, detection, incident, executable, or script. Also you can click the gear icon for table options to manage the main table.

Right-click an exclusion name to take further actions: