Scripts
Many recent attacks and infections use fileless malware, where scripts deliver a malicious payload or perform other harmful activity.
ESET Inspect On-Prem provides granular insight into all scripts executed within the company. It shows details about what changes were made and whether any of the scripts triggered a specific behavior-based detection.
Security engineers can access details about the event, the process tree and the full command-line parameters (arguments). All of these are required for a thorough forensic investigation.
Use filters and group scripts by command line to spot anomalies or potentially suspicious activity.
Visual Basic scripts (executed by WScript and CScript) and PowerShell scripts are supported.
Filtering, Tags and Table options
Use filters at the top of the screen to refine the displayed items. Tags are powerful when searching for a specific computer, detection, incident, executable or script. Click the gear icon for table options to manage the main table.
Process Groups
• Ungrouped—Sort by Process Name (ID).
• First child executable—Group by the first child process that is a successor of the script.
• Parent executable—Group by the parent process that is an ancestor of the script.
• Command line—Group by the Command line/Process Name (ID) used to execute the executable.
Create Exclusion
Create an exclusion for a specified script.
Basics
In the Basics section, type basic information about the task, including an Exclusion Name and a Note for a more in-depth description of the exclusion. Click Continue to configure the task settings.
Criteria
You can use pre-defined criteria:
• Process name is one of—Type the process names you want to apply to the exclusion.
• Cmd. line contains—Type the process parameters if you want to exclude by parameter.
• User is one of—Type all user names you want to apply to the exclusion.
Targets
Click Assign to select computers or groups where you want this exclusion to apply and click OK.
Summary
Review the configured settings summary in the Exclusion preview. Verify the settings and click Create exclusion.
After creating the exclusion, you are redirected to Exclusions in the More tab.
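As an added illustration (not ESET's code), the following Python models the four Process Groups modes and the three pre-defined exclusion criteria over a handful of constructed script events, so you can see how grouping surfaces the one-off command line or parent and how an exclusion would match. The event fields and the AND semantics between filled-in criteria are assumptions, not documented behavior.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ScriptEvent:  # one script execution as the Scripts view lists it (fields assumed)
    pid: int
    process_name: str  # script host: wscript.exe, cscript.exe or powershell.exe
    command_line: str
    user: str
    parent: str  # parent executable (ancestor of the script)
    first_child: str  # first child executable spawned by the script

EVENTS = [  # constructed sample events, not real telemetry
    ScriptEvent(4100, "powershell.exe", "powershell.exe -File C:\\it\\inventory.ps1", "CORP\\svc_inv", "services.exe", "wmic.exe"),
    ScriptEvent(4188, "powershell.exe", "powershell.exe -File C:\\it\\inventory.ps1", "CORP\\svc_inv", "services.exe", "wmic.exe"),
    ScriptEvent(5210, "cscript.exe", "cscript.exe //B C:\\it\\logon.vbs", "CORP\\alice", "explorer.exe", "net.exe"),
    ScriptEvent(5377, "cscript.exe", "cscript.exe //B C:\\it\\logon.vbs", "CORP\\bob", "explorer.exe", "net.exe"),
    ScriptEvent(6021, "wscript.exe", "wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.vbs", "CORP\\alice", "winword.exe", "powershell.exe"),
]

# The four Process Groups modes from the page, expressed as grouping keys.
GROUP_KEYS = {
    "Ungrouped": lambda e: f"{e.process_name} ({e.pid})",
    "First child executable": lambda e: e.first_child,
    "Parent executable": lambda e: e.parent,
    "Command line": lambda e: e.command_line,
}

def group_scripts(events, mode):
    """Bucket events by the chosen Process Groups mode."""
    buckets = defaultdict(list)
    for e in events:
        buckets[GROUP_KEYS[mode](e)].append(e)
    return dict(buckets)

def rare_groups(events, mode, max_count=1):
    """Groups seen at most max_count times: the anomalies worth a closer look."""
    counts = Counter(GROUP_KEYS[mode](e) for e in events)
    return sorted(k for k, n in counts.items() if n <= max_count)

def exclusion_matches(event, process_names=(), cmd_line_contains="", users=()):
    """Evaluate the three pre-defined criteria (assumption: filled-in criteria are ANDed, case-insensitively)."""
    name_ok = not process_names or event.process_name.lower() in {p.lower() for p in process_names}
    cmd_ok = cmd_line_contains.lower() in event.command_line.lower()  # "" matches everything
    user_ok = not users or event.user.lower() in {u.lower() for u in users}
    return name_ok and cmd_ok and user_ok
```

Grouping by Command line, Parent executable or First child executable each isolates the same single event (the script launched from a Temp folder by winword.exe that in turn spawned powershell.exe), while the two recurring admin scripts are candidates for an exclusion.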
Click the process name to take further action:

Action | Description
---|---
Details | Go to the Process details tab.
Aggregated Events | Go to the Aggregated events of this specific process.
Detections | Go to the Detections tab with a list of detections for this specific script.
Raw Events | Go to the Raw Events tab of this specific process.
Loaded Modules | Go to the Loaded Modules tab.
Parent Process | Go to the parent process details tab of this specific process.
First Child Process | Go to the first child process details tab of this specific process.
Mark as Safe | Mark the selected targets as Safe. Many rules use this state when determining risk, so Mark as Safe affects detections. Select the targets you want to mark as safe in the target window. Mark as Safe does not guarantee that a specific module will not be included in detections. There are several hundred rules—some raise detections regardless of which module executed the suspicious action, including trusted modules like PowerShell. Other rules evaluate risk based on the module, and those rules consider the “safe” flag. The flag means that the user analyzed the module and determined it is unlikely to be malicious, so those rules treat it as lower risk during evaluation.
Mark as Unsafe | Mark an executable as unsafe.
Create Exclusion | Create an exclusion for a specified script.
Download Script | Show the script’s download window to investigate (only if it is still available on the network).
Tags | Assign detection tags from the existing list or create custom tags.
Filter | Show quick filters on the column where you activated the context menu (Show only this, Hide this).