ESET Online Help


Working with LiveGrid and Safe property

Sometimes malware saves its payload in the form of a script, or part of the malware's activity is carried out by a script it has saved to disk. We therefore want a rule that monitors processes saving script files to disk.

Rule

<?xml version="1.0" encoding="utf-8"?>
<rule>
    <body>
        <name>Saving script file [Z0301]</name>
        <severity>Information</severity>

        <!-- Which processes the rule applies to: every condition must hold (AND) -->
        <process>
            <operator type="AND">
                <!-- git regularly writes files of many types, so it is excluded by name -->
                <condition component="FileItem" property="FileNameWithoutExtension" condition="isnot" value="git" />
                <!-- LiveGrid popularity and reputation exclude widely used programs -->
                <condition component="LiveGrid" property="Popularity" condition="less" value="10000" />
                <condition component="LiveGrid" property="Reputation" condition="greater" value="2" />
                <!-- files an operator marked as Safe in the Web Console are ignored -->
                <condition component="Enterprise" property="Safe" condition="isnot" value="1" />
            </operator>
        </process>

        <!-- Which operation triggers the rule: writing a file with any of these extensions (OR) -->
        <operations>
            <operation type="WriteFile">
                <operator type="OR">
                    <condition component="FileItem" property="Extension" condition="is" value="vbs" />
                    <condition component="FileItem" property="Extension" condition="is" value="js" />
                    <condition component="FileItem" property="Extension" condition="is" value="bat" />
                    <condition component="FileItem" property="Extension" condition="is" value="ps1" />
                </operator>
            </operation>
        </operations>
    </body>
</rule>

Things to notice in the rule example above:

1. We used the WriteFile operation to detect the creation of files and the Extension property to catch specific file types (defined by file extension).

2. With this type of rule, we typically get a lot of unwanted alerts from processes that routinely save legitimate script files to disk. We used three kinds of conditions to eliminate most of them:

a. The FileItem component with the FileNameWithoutExtension property to eliminate git, which regularly saves files of various types.

b. The LiveGrid component with the Popularity and Reputation properties to eliminate widely used programs and programs with a good reputation.

c. Even with those conditions, many alerts may still arise. To handle them, an operator can explicitly mark a file that is proven to be safe using the Mark as Safe button in the ESET Inspect Web Console. That flag can then be used in a rule through the Safe property of the Enterprise component, as in the last process condition above.
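To see how the process exclusions and the extension list interact, here is an added Python evaluator for the rule above. It is example code, not ESET Inspect's rule engine; the comparison semantics (numeric less/greater, case-insensitive is/isnot) and the sample process attributes are assumptions.

```python
import xml.etree.ElementTree as ET

# The rule from this page, condensed to the elements the evaluator needs.
RULE_XML = """<rule><body><name>Saving script file [Z0301]</name>
<process><operator type="AND">
 <condition component="FileItem" property="FileNameWithoutExtension" condition="isnot" value="git"/>
 <condition component="LiveGrid" property="Popularity" condition="less" value="10000"/>
 <condition component="LiveGrid" property="Reputation" condition="greater" value="2"/>
 <condition component="Enterprise" property="Safe" condition="isnot" value="1"/>
</operator></process><operations><operation type="WriteFile"><operator type="OR">
 <condition component="FileItem" property="Extension" condition="is" value="vbs"/>
 <condition component="FileItem" property="Extension" condition="is" value="js"/>
 <condition component="FileItem" property="Extension" condition="is" value="bat"/>
 <condition component="FileItem" property="Extension" condition="is" value="ps1"/>
</operator></operation></operations></body></rule>"""

def _condition(node, attrs):
    # attrs is keyed "Component.Property"; the comparison semantics here are assumed
    actual = attrs.get(f"{node.get('component')}.{node.get('property')}")
    op, value = node.get("condition"), node.get("value")
    if op in ("is", "isnot"):
        same = str(actual).lower() == value.lower()
        return same if op == "is" else not same
    if op in ("less", "greater"):
        return float(actual) < float(value) if op == "less" else float(actual) > float(value)
    raise ValueError(f"unsupported condition type: {op}")

def _operator(node, attrs):
    # Combine the child <condition>s with AND or OR as the <operator> declares
    results = [_condition(c, attrs) for c in node.findall("condition")]
    return all(results) if node.get("type") == "AND" else any(results)

def rule_matches(event, rule_xml=RULE_XML):
    """event = {'operation': ..., 'process': {...}, 'file': {...}}; True if the rule fires."""
    body = ET.fromstring(rule_xml).find("body")
    if not _operator(body.find("process/operator"), event["process"]):
        return False  # process excluded by the AND block (git, popular, or marked Safe)
    for op in body.findall("operations/operation"):
        if op.get("type") == event["operation"] and _operator(op.find("operator"), event["file"]):
            return True  # a listed script extension written by a non-excluded process
    return False

def write_event(ext, overrides=None):
    """Constructed WriteFile event by an unpopular, unmarked process (sample data, not telemetry)."""
    process = {"FileItem.FileNameWithoutExtension": "installer", "LiveGrid.Popularity": 12,
               "LiveGrid.Reputation": 5, "Enterprise.Safe": 0, **(overrides or {})}
    return {"operation": "WriteFile", "process": process, "file": {"FileItem.Extension": ext}}
```

Changing a single attribute of the constructed process (its name, popularity, reputation, or Safe flag) shows which exclusion suppresses the alert.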