Exclusion of E.V.E. paths in third-party Endpoint solutions
Exclusions
For the correct functioning of the EVE software, it is necessary to add exceptions in third-party solutions that flag EVE processes or files as suspicious or malicious.
Note that it is necessary to exclude the "Downloads" folder in the EVE installation directory; this is required for a correct evaluation of the Network vector. The paths to be excluded are shown below. How they are excluded varies depending on the third-party solution.
These exclusions are MANDATORY for correct functioning.
WINDOWS:
C:\Program Files (x86)\Reveald\EVE\App\*
C:\Program Files (x86)\Reveald\EVE\Downloads\*
C:\Program Files (x86)\Reveald\EVE\EveContain\*
LINUX:
publish/Downloads/*
publish/EVE.Agent.ConsoleMonitor
You must ensure these exceptions are added on all the engines of the Endpoint security solution.
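As an added example that is not part of the Reveald/EVE documentation, the following PowerShell registers the mandatory Windows exclusions in Microsoft Defender Antivirus and then verifies the result. It assumes Defender is the endpoint solution in use (other AV/EDR/XDR products take the same paths through their own consoles), an elevated session, the default installation directory listed above, and that the "Executions" folder sits directly under that directory, as the endpoint vector description later on this page indicates; the verification deliberately checks that no exclusion, including an over-broad one on the whole EVE folder, covers "Executions", because the Endpoint vector is measured there.

```powershell
# Added example (not from the EVE/Reveald documentation). Assumes Microsoft Defender
# Antivirus as the third-party solution and an elevated PowerShell session.

$EveRoot = 'C:\Program Files (x86)\Reveald\EVE'

# Folders that MUST be excluded. The page lists them with a trailing \*;
# Defender takes the folder path itself and applies it to the folder's contents.
$MustExclude = @(
    Join-Path $EveRoot 'App'
    Join-Path $EveRoot 'Downloads'
    Join-Path $EveRoot 'EveContain'
)

# Folder that must NOT be excluded: endpoint detection is assessed here.
# (Assumption: it lives directly under the installation directory.)
$MustNotExclude = Join-Path $EveRoot 'Executions'

foreach ($path in $MustExclude) {
    Add-MpPreference -ExclusionPath $path
}

# Verify that every mandatory exclusion is now present.
$current = (Get-MpPreference).ExclusionPath
$missing = $MustExclude | Where-Object { $current -notcontains $_ }
if ($missing) {
    Write-Warning "Mandatory EVE exclusions still missing: $($missing -join ', ')"
} else {
    Write-Host 'All mandatory EVE exclusions are present.'
}

# Verify that no exclusion covers the Executions folder, either directly or
# through a parent-folder exclusion, which would silently void the Endpoint vector.
$covering = $current | Where-Object {
    $entry = $_.TrimEnd('\')
    ($MustNotExclude -eq $entry) -or
    $MustNotExclude.StartsWith($entry + '\', [System.StringComparison]::OrdinalIgnoreCase)
}
if ($covering) {
    Write-Warning "The Executions folder is covered by exclusion(s): $($covering -join ', '). Remove them so the Endpoint vector can be evaluated."
} else {
    Write-Host 'The Executions folder is not excluded, as required.'
}
```

The same two checks apply to any other product: confirm the three folders are excluded on every engine the solution runs (real-time, on-demand, behavioural), and confirm that nothing broader than those folders, such as the whole EVE installation directory, has been excluded. For the Linux agent the listed paths are relative to the agent's publish directory and must be added to the Linux AV/EDR in use in the same way.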
Why Do We Need Exclusions in Third-Party Security Solutions?
To ensure the proper functioning of Epiphany Validation Engine (EVE), it is mandatory to configure exclusions in third-party security solutions such as antivirus (AV), Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR). These exclusions allow each attack vector to be properly assessed without external interference that could affect test results.
Evaluation of Attack Vectors in EVE
EVE assesses the effectiveness of security controls across three levels: Network, Endpoint, and Execution. To achieve this, certain files and directories must not be blocked or altered by third-party security solutions. Below is a detailed explanation of why each exclusion is necessary in the context of attack vector validation.
1. Network Vector Evaluation
The Downloads folder within EVE’s installation directory is used to validate whether the network security infrastructure (IPS, IDS, Proxy, Firewall, Secure Web Gateways, etc.) is functioning correctly.
If a malicious sample reaches this folder, it means the network security controls FAILED to detect and block the threat.
If the sample does not reach the folder, it means a security control within the network successfully blocked the file before it was downloaded, indicating an effective defense at this stage.
Exclusion Requirement: Third-party security solutions must not interfere with the Downloads folder, as this could distort the results of the network vector evaluation.
2. Endpoint Vector Evaluation
Once the sample reaches the Downloads folder, the EVE agent automatically moves the file to a new folder called Executions.
At this stage, EVE evaluates whether endpoint security solutions (AV, EDR, XDR) detect and remove the malicious file.
If the sample is detected and removed at this point, it means the endpoint security solutions are functioning correctly.
If the sample remains in the Executions folder, it indicates that the endpoint security controls FAILED to detect the threat.
Exclusion Requirement: Third-party security solutions must NOT exclude the Executions folder, as this is where endpoint security effectiveness is assessed.
3. Execution Vector Evaluation
Finally, EVE executes the sample from the Executions folder to validate whether advanced security solutions such as EDR and XDR detect the malicious behavior of the executable file.
At this stage, behavior-based detection and runtime analysis should activate to stop the threat.
Evaluation
The evaluation of each vector occurs within a default time of 15 seconds, which can be adjusted as needed.