
File monitoring System32, excluding and including

So the default is:

"Only monitor files that are included below

*.exe

*.sys"

But it appears Malwarebytes is constantly adding/removing a file from system32/drivers so I want to exclude that file. The radio for "include all except" and "monitor only" cannot have both selected, so do I simply create a 2nd "monitored folder" for the exclusion?


Best Answer

Yes, you would want to create a new event log package (or add one to an existing one) and then add the exclusion filter to that package. Just make sure the package is assigned correctly. We have a video that explains this in detail: https://www.youtube.com/watch?v=UQKaSToPrWo&t=77s. That video probably tells you more than you need to know - if you prefer a shorter tutorial then you can go here: https://www.eventsentry.com/support/tutorial/topic/include-exclude-filters/step/1.


Let me know if that helps.


Adding a 2nd folder is not supported, since it would instruct EventSentry to monitor the same folder twice. The best approach to suppress these false alerts from Malwarebytes would be to create an exclude filter so that these alerts aren't forwarded to an email for example. The advantage of this approach is that the changes to the "drivers" directory still get recorded to the database.


I included a screenshot of what this exclusion filter could look like. You may have to change the 2nd content filter if the file that is being added is not mbamswissarmy.sys:



You can put this exclusion filter into any package that is assigned to the host where these alerts are generated, or you can create a new package.

I hope this helps, please let us know!

That sounds great! I have one dumb question though, where to navigate to set that exclusion filter?


Perfect! One last question, when adding the "content filters" (where it says "string (#1) matches") I am given three options, "wildcard," "insertion," or "regex" for "text match type." Which do I want?

EDIT: Never mind, it's "insertion"

Thanks again!

Glad you figured it out - yes, it's insertion string.
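As an added example (not EventSentry's own code, and not from anyone in this thread), here is a small Python model of the exclude-filter approach described in the support reply above and of the "insertion" match type settled on at the end: every content filter must match before the filter suppresses the email action, while the database action still records the change. The semantics of the three match types, the order of the insertion strings (directory, file, change) and all names below are assumptions made for this example.

```python
import fnmatch
import re
from dataclasses import dataclass

# An event is modelled only by its insertion strings (the message parameters).
# The [directory, file, change] order is assumed, not EventSentry's event layout.
@dataclass
class ContentFilter:
    index: int        # 1-based, as in "string (#1) matches"
    pattern: str
    match_type: str   # "wildcard", "insertion" or "regex" (semantics assumed)

    def matches(self, strings):
        if self.index > len(strings):
            return False  # the event has no such parameter
        value = strings[self.index - 1]
        if self.match_type == "insertion":   # whole parameter must equal the text
            return value.lower() == self.pattern.lower()
        if self.match_type == "wildcard":
            return fnmatch.fnmatchcase(value.lower(), self.pattern.lower())
        return re.search(self.pattern, value, re.IGNORECASE) is not None  # regex

@dataclass
class ExcludeFilter:
    content_filters: list
    suppressed_actions: frozenset  # e.g. {"email"}; "database" is left alone

    def applies(self, strings):
        return all(cf.matches(strings) for cf in self.content_filters)

def route(strings, exclude_filters, actions=("database", "email")):
    # Actions that still fire for the event once exclude filters are applied.
    remaining = set(actions)
    for flt in exclude_filters:
        if flt.applies(strings):
            remaining -= flt.suppressed_actions
    return remaining

# Constructed filter for the thread's case: drivers directory by wildcard, the
# Malwarebytes driver by insertion string; only the email action is suppressed.
MBAM_EXCLUDE = ExcludeFilter([
    ContentFilter(1, r"*\System32\drivers", "wildcard"),
    ContentFilter(2, "mbamswissarmy.sys", "insertion"),
], frozenset({"email"}))

# Constructed sample events: the Malwarebytes churn and an unrelated new driver.
MBAM_EVENT = [r"C:\Windows\System32\drivers", "mbamswissarmy.sys", "added"]
OTHER_EVENT = [r"C:\Windows\System32\drivers", "newdriver.sys", "added"]
```

The point to check after building such a filter is that an unrelated driver appearing in the same directory still reaches every action, so the exclusion stays narrow.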
