ESET Online Help


Scripts

Many recent attacks and infections use fileless malware, in which scripts deliver a malicious payload or perform the harmful activity themselves.

ESET Inspect On-Prem provides granular insight into all scripts executed within the company. It shows details about what changes were made and if any of the scripts triggered a specific behavior-based detection.

Security engineers can access details about the Event, process tree and detailed Command-line parameters (arguments). All are required for a thorough forensic investigation.

Use filters and group scripts by Command line to spot anomalies or potentially suspicious activities.

Visual Basic and PowerShell (WScript and CScript) scripts are supported.

Filtering, Tags and Table options

Use filters at the top of the screen to refine the displayed items. Tags are powerful when searching for a specific computer, detection, incident, executable or script. Click the gear icon for table options to manage the main table.

Process Groups

Ungrouped—Sort by Process Name (ID).

First child executable—Group by the first child process that is a successor of the script.

Parent executable—Group by parent process that is an ancestor of the script.

Command line—Group by the Command line/Process Name (ID) used to execute the executable.
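The reasoning behind the three grouped views above, as an added offline example. It is not ESET code and does not use an ESET Inspect API or export format: the records are constructed, and the field names (`host`, `parent`, `first_child`, `cmdline`) and the functions `normalize`, `group_events` and `rare_groups` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records, not ESET Inspect output; field names are assumptions.
EVENTS = [
    {"host": "ws-01", "parent": "svchost.exe", "first_child": "conhost.exe",
     "cmdline": r"cscript.exe //nologo C:\Users\alice\it\inventory.vbs"},
    {"host": "ws-02", "parent": "svchost.exe", "first_child": "conhost.exe",
     "cmdline": r"cscript.exe //nologo C:\Users\bob\it\inventory.vbs"},
    {"host": "ws-03", "parent": "svchost.exe", "first_child": "conhost.exe",
     "cmdline": r"CSCRIPT.EXE //nologo C:\Users\carol\it\inventory.vbs"},
    {"host": "ws-04", "parent": "winword.exe", "first_child": "powershell.exe",
     "cmdline": r"wscript.exe C:\Users\dave\AppData\Local\Temp\invoice.vbs"},
]

MODES = ("parent", "first_child", "cmdline")  # mirrors the three grouped views

def normalize(mode, value):
    """Fold case; for command lines also mask the per-user profile folder."""
    value = value.strip().lower()
    if mode == "cmdline":
        # Without this, the same script run by different users never groups.
        value = re.sub(r"(\\users\\)[^\\]+", r"\1*", value)
    return value

def group_events(events, mode):
    """Return {group key: set of hosts} for one grouping mode."""
    if mode not in MODES:
        raise ValueError(f"unknown grouping mode: {mode}")
    groups = defaultdict(set)
    for ev in events:
        groups[normalize(mode, ev[mode])].add(ev["host"])
    return dict(groups)

def rare_groups(events, mode, max_hosts=1):
    """Group keys seen on at most max_hosts hosts, least widespread first."""
    groups = group_events(events, mode)
    rare = [k for k, hosts in groups.items() if len(hosts) <= max_hosts]
    return sorted(rare, key=lambda k: (len(groups[k]), k))

if __name__ == "__main__":
    for mode in MODES:
        print(mode, "->", rare_groups(EVENTS, mode))
```

In this constructed data every grouping mode isolates the same host: a script host started by a document editor, with PowerShell as its first child, running a script from a temporary folder.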

Create Exclusion

Click the process name to take further action:

Details

Go to the Process details tab.

Aggregated Events

Go to the Aggregated events of this specific process.

Detections

Go to the Detections tab with a list of detections for this specific script.

Raw Events

Go to the Raw Events tab of this specific process.

Loaded Modules

Go to the Loaded Modules tab.

Parent Process

Go to the parent process details tab of this specific process.

First Child Process

Go to the first child process details tab of this specific process.

Mark as Safe

Mark targets as Safe; many rules determine the risk. Mark as Safe impacts detections. Select the targets you want to mark as safe from the target window. Mark as Safe does not guarantee that a specific module will not be included in detections. There are several hundred rules—some raise detections regardless of which module executed the suspicious action, including trusted modules like PowerShell. Other rules evaluate risk based on the module. Such rules consider the “safe” flag. This flag means that the user analyzed the module and determined it is unlikely to be malicious, so rules assume that the risk is earlier in the evaluation.

Mark as Unsafe

Mark an executable as unsafe.

Create Exclusion

Create an exclusion for a specified script.

Download Script

Show the script’s download window to investigate (only if it is still available on the network).

Tags

Assign detection tags from the existing list or create custom tags.

Filter

Show quick filters on the column where you activated the context menu (Show only this, Hide this).