[KB8192] Add detection rules in ESET Inspect for Log4j 2 vulnerability

Issue

Solution

The two Log4Shell rules below are designed to detect the log4j2 exploit. The rules use an experimental feature that is not fully supported by ESET Inspect, so the detection may not trigger every time. For example, if a detection has already been reported on the network layer, ESET Inspect will not detect the exploit again. ESET recommends executing the two rules below as a task using the Rerun task option.

  • Possible Log4Shell (CVE-2021-44228) exploitation [D0532a]
  • Possible Log4Shell (CVE-2021-44228) exploitation [D0532b]

The two rules below are for the general exploitation of Java Runtime, for example, CVE-2021-44228. These general rules may generate some false positives for legitimate Java applications.

  • Potential Java Runtime exploitation [E0461]
  • Java Runtime executing suspicious script/command interpreter [E0462]
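To illustrate the logic behind a rule such as E0462, here is an added example written for this article (it is not ESET's rule definition, which is not published here): it evaluates constructed process-creation events, flags a Java runtime spawning a script or command interpreter, and shows the kind of allowlist a team might add to suppress the false positives from build tooling mentioned above. The field names, interpreter set and benign markers are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional
import ntpath

# Interpreter and Java binary names this example looks for (assumed set, not ESET's).
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "sh", "bash"}
JAVA_BINARIES = {"java.exe", "javaw.exe", "java"}
# Parent command lines known to spawn shells legitimately (assumed; tune per estate).
BENIGN_MARKERS = ("gradle", "maven", "jenkins")


@dataclass
class ProcessEvent:
    parent_image: str      # full path of the parent process
    parent_cmdline: str
    image: str             # full path of the child process
    cmdline: str


def basename(path: str) -> str:
    # ntpath handles both "\" and "/" separators, so Linux paths work too.
    return ntpath.basename(path).lower()


def evaluate(ev: ProcessEvent) -> Optional[str]:
    """Return a finding label, or None when the event is not suspicious."""
    if basename(ev.parent_image) not in JAVA_BINARIES:
        return None
    if basename(ev.image) not in INTERPRETERS:
        return None
    if any(m in ev.parent_cmdline.lower() for m in BENIGN_MARKERS):
        return None  # known build/CI tooling: the false positive the article warns about
    return "java-runtime-spawned-interpreter"


# Constructed sample telemetry, not real data.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Java\jre\bin\java.exe", "java.exe -jar app.jar",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent(r"C:\Program Files\Java\jre\bin\java.exe",
                 "java.exe -cp gradle-wrapper.jar org.gradle.wrapper.GradleWrapperMain",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c git rev-parse HEAD"),
    ProcessEvent("/usr/bin/java", "java -jar service.jar", "/bin/sh", "sh -c id"),
    ProcessEvent(r"C:\Windows\explorer.exe", "explorer.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]


def scan(events: List[ProcessEvent]) -> List[int]:
    """Return the indexes of events that trigger the rule."""
    return [i for i, ev in enumerate(events) if evaluate(ev) is not None]


if __name__ == "__main__":
    for i in scan(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i].image, "<-", SAMPLE_EVENTS[i].parent_image)
```

Running the block flags events 0 and 2; the Gradle-launched shell (event 1) and the non-Java parent (event 3) are ignored.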

Import rules into ESET Inspect

  1. Download and unzip the detection rules file.

  2. Open ESET Inspect.

  3. Click Admin.

  4. Click Detection Rules.

  5. Click Import to select the import file.

  6. Select the file and click Open.

  7. Repeat steps 5 and 6 for each file.