ESET Online Help


Best Practices

Test new rules in a test environment first or on a smaller set of computers.

Avoid designing rules that produce many alerts, such as "any process was started".

When creating a new rule, document what is monitored and why.

Define rule severity when creating a new rule. If the <severity> tag is not present, the rule has the Warning severity automatically assigned, which may not fit the specific rule.

ESET Inspect does not use the CurrentControlSet registry key, because this key is an alternating symbolic link that the operating system evaluates dynamically and that points to ControlSet%number%. See Rules Examples for how to match registry keys/values inside CurrentControlSet.

Because of how x86 emulation works on x64 Windows, many registry keys/values also have a counterpart with similar functionality under Wow6432Node, so you need to monitor this location as well. The same concept applies to the %windir%\SysWOW64 and %PROGRAMFILES(X86)% folders.

The best way to match a specific registry value is to use the condition="ends" comparator, because of how registry paths are implemented in Windows (the leading part of the path varies, for example ControlSet%number% or Wow6432Node, while the trailing part identifies the value).

The best way to match alternate data streams (ADS) on Windows NTFS is to use the following condition:
<condition component="FileItem" property="Extension" condition="contains" value=":" />


note

The "contains" comparator is quite heavy on performance. If possible, use "starts" or "ends" instead.

You can use a special value condition "isnotempty", which indicates that detection should be triggered on any value—useful, for example, to match any network connection from a specific process. Example use case:
<condition component="FileItem" property="FileNameWithoutExtension" condition="isnotempty" />

Registry hives are matched via their shortened names, specifically HKCU for HKEY_CURRENT_USER and HKLM for HKEY_LOCAL_MACHINE.

Condition paths are matched case-insensitive.

When creating a rule, plan how to filter false positives (too many irrelevant alerts). In the first iteration, be as general as possible (for example, any change of this registry value). If the general rule then produces many irrelevant detections, add filters afterward (for example, on LiveGrid Popularity/Reputation or Process Name) to reduce their number. Keep filters as specific as possible so that relevant or noteworthy detections are not lost.

Short-circuit evaluation of logical operators (tag <operator>) is implemented, so when creating a rule you can order the logical expression to improve matching performance: put the cheapest or most selective condition first. Practical example—the logical expression (A | B) & C can be rewritten as C & (A | B); if C is not true, the rest of the expression is not evaluated at all.
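The following Python model is an added illustration of the matching notes above (the "ends" comparator for registry values, the ADS and "isnotempty" conditions, case-insensitive matching, and short-circuit evaluation of <operator>). It is not ESET Inspect's rule engine and does not reproduce its schema: the event dictionaries, the RegistryItem/KeyPath component and property names, and the type="and"/"or" attribute values are constructed placeholders chosen for the demonstration.

```python
"""Toy evaluator for ESET Inspect-style <condition> / <operator> fragments.

Added illustration only, not ESET Inspect's engine. It models what the
best-practice notes state: the comparators is/starts/ends/contains/isnotempty,
case-insensitive matching, and short-circuit evaluation of <operator>.
The events, the "RegistryItem"/"KeyPath" names and the type="and"/"or"
attribute values are constructed placeholders.
"""
import xml.etree.ElementTree as ET


def _compare(comparator, actual, expected):
    """Apply one comparator; every comparison is case-insensitive."""
    a = actual.lower()
    e = (expected or "").lower()
    if comparator == "isnotempty":
        return a != ""
    if comparator == "is":
        return a == e
    if comparator == "starts":
        return a.startswith(e)
    if comparator == "ends":
        return a.endswith(e)
    if comparator == "contains":   # the heaviest comparator per the note above
        return e in a
    raise ValueError(f"unknown comparator: {comparator!r}")


def evaluate(node, event, trace=None):
    """Evaluate a parsed <operator>/<condition> tree against one event.

    `event` maps "Component.Property" to a string. If `trace` is a list,
    every condition that is actually evaluated is appended to it, which
    makes the short-circuit behaviour visible.
    """
    if node.tag == "condition":
        key = f"{node.get('component')}.{node.get('property')}"
        if trace is not None:
            trace.append(key)
        return _compare(node.get("condition"), event.get(key, ""), node.get("value"))
    if node.tag == "operator":
        children = (evaluate(child, event, trace) for child in node)  # lazy
        if node.get("type") == "and":
            return all(children)   # stops at the first False child
        if node.get("type") == "or":
            return any(children)   # stops at the first True child
    raise ValueError(f"unsupported node: <{node.tag} type={node.get('type')!r}>")


def evaluate_xml(xml_text, event, trace=None):
    return evaluate(ET.fromstring(xml_text), event, trace)


def evaluated_count(xml_text, event):
    """Return (result, number of conditions actually evaluated)."""
    trace = []
    result = evaluate_xml(xml_text, event, trace)
    return result, len(trace)


# --- constructed sample rules and events -------------------------------------

# ADS condition exactly as given in the notes: a stream name follows ':'.
ADS_RULE = '<condition component="FileItem" property="Extension" condition="contains" value=":" />'

# "ends" sidesteps the varying prefix (ControlSet%number%, Wow6432Node):
# one value matches every variant of the key. Names are placeholders.
SERVICE_IMAGE_RULE = (
    r'<condition component="RegistryItem" property="KeyPath" condition="ends" '
    r'value="\services\examplesvc\imagepath" />'
)
AUTORUN_RULE = (
    r'<condition component="RegistryItem" property="KeyPath" condition="ends" '
    r'value="\microsoft\windows\currentversion\run" />'
)

# (A | B) & C versus C & (A | B). C is a cheap "starts" check that is false
# for EVENT, so placing it first lets the engine skip the heavier A and B.
A = '<condition component="FileItem" property="Extension" condition="contains" value=":" />'
B = '<condition component="FileItem" property="FileNameWithoutExtension" condition="isnotempty" />'
C = '<condition component="FileItem" property="FileNameWithoutExtension" condition="starts" value="tmp" />'
AB_THEN_C = f'<operator type="and"><operator type="or">{A}{B}</operator>{C}</operator>'
C_THEN_AB = f'<operator type="and">{C}<operator type="or">{A}{B}</operator></operator>'

EVENT = {"FileItem.FileNameWithoutExtension": "Report", "FileItem.Extension": "docx"}


if __name__ == "__main__":
    print("ADS:", evaluate_xml(ADS_RULE, {"FileItem.Extension": "docx:Zone.Identifier"}))
    for key in (r"HKLM\SYSTEM\ControlSet001\Services\ExampleSvc\ImagePath",
                r"HKLM\SYSTEM\ControlSet002\Services\ExampleSvc\ImagePath"):
        print(key, evaluate_xml(SERVICE_IMAGE_RULE, {"RegistryItem.KeyPath": key}))
    print("(A|B)&C:", evaluated_count(AB_THEN_C, EVENT))
    print("C&(A|B):", evaluated_count(C_THEN_AB, EVENT))
```

Running the script shows the same registry condition matching both ControlSet001 and ControlSet002 paths (and the Wow6432Node Run key for AUTORUN_RULE), and the reordered expression touching one condition instead of three for an event where C is false.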