So the default is:
"Only monitor files that are included below
*.exe
*.sys"
But it appears Malwarebytes is constantly adding/removing a file from system32/drivers so I want to exclude that file. The radio for "include all except" and "monitor only" cannot have both selected, so do I simply create a 2nd "monitored folder" for the exclusion?
Adding a 2nd folder is not supported, since it would instruct EventSentry to monitor the same folder twice. The best approach to suppress these false alerts from Malwarebytes would be to create an exclude filter so that these alerts aren't forwarded to an email for example. The advantage of this approach is that the changes to the "drivers" directory still get recorded to the database.
I included a screenshot of what this exclusion filter could look like. You may have to change the 2nd content filter if the file that is being added is not mbamswissarmy.sys:
You can put this exclusion filter into any package that is assigned to the host where these alerts are generated, or you can create a new package.
I hope this helps, please let us know!
That sounds great! I have one dumb question though, where to navigate to set that exclusion filter?
Ingmar Koecher said about 5 years ago
Yes, you would want to create a new event log package (or add one to an existing one) and then add the exclusion filter to that package. Just make sure the package is assigned correctly. We have a video that explains this in detail: https://www.youtube.com/watch?v=UQKaSToPrWo&t=77s. That video probably tells you more than you need to know - if you prefer a shorter tutorial then you can go here: https://www.eventsentry.com/support/tutorial/topic/include-exclude-filters/step/1.
Let me know if that helps.
Perfect! One last question, when adding the "content filters" (where it says "string (#1) matches") I am given three options, "wildcard," "insertion," or "regex" for "text match type." Which do I want?
EDIT: Nevermind, it's "insertion"
Thanks again!
Ingmar Koecher said about 5 years ago
Glad you figured it out - yes it's insertion string.
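To make the behaviour discussed in this thread concrete, here is an added Python illustration (not EventSentry's code, and not from the support staff): an exclude filter built from two content filters that use the "insertion" match type on the drivers path and on mbamswissarmy.sys, so matching alerts are kept out of the email action while every file change is still recorded. The event shape, the helper names and the comparison of the three "text match type" options against the same event text are assumptions for the example.

```python
import fnmatch
import re
from dataclasses import dataclass

# Constructed sample events loosely resembling file-monitoring alerts.
# The field names and message wording are hypothetical, not EventSentry's.
SAMPLE_EVENTS = [
    {"category": "File Monitoring",
     "message": "File C:\\Windows\\System32\\drivers\\mbamswissarmy.sys was added"},
    {"category": "File Monitoring",
     "message": "File C:\\Windows\\System32\\drivers\\mbamswissarmy.sys was removed"},
    {"category": "File Monitoring",
     "message": "File C:\\Windows\\System32\\drivers\\unknown.sys was added"},
]


def text_matches(match_type, pattern, text):
    """Model the three 'text match type' options mentioned in the thread."""
    if match_type == "insertion":  # insertion string: case-insensitive substring anywhere
        return pattern.lower() in text.lower()
    if match_type == "wildcard":   # wildcard: * and ? glob that must cover the whole text
        return fnmatch.fnmatch(text.lower(), pattern.lower())
    if match_type == "regex":      # regex: searched anywhere in the text
        return re.search(pattern, text, re.IGNORECASE) is not None
    raise ValueError(f"unknown match type: {match_type}")


@dataclass
class ExcludeFilter:
    content_filters: list  # list of (match_type, pattern); all must match to exclude

    def matches(self, event):
        return all(text_matches(t, p, event["message"]) for t, p in self.content_filters)


def route_events(events, exclude):
    """Every event is recorded; only events the exclude filter does not match are emailed."""
    database, email = [], []
    for ev in events:
        database.append(ev)          # the database action still sees all changes
        if not exclude.matches(ev):  # the exclude filter only suppresses the email action
            email.append(ev)
    return database, email


# Two content filters, both 'insertion' type, as in the thread's screenshot description.
MBAM_FILTER = ExcludeFilter([("insertion", "system32\\drivers\\"),
                             ("insertion", "mbamswissarmy.sys")])
```

Switching the second content filter to "wildcard" with the bare file name would match nothing, because a wildcard pattern has to cover the whole message text; that is why the "insertion" option is the right one for a substring like a file name.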