
ESET USB Mount/Unmount #157

Open
j91321 wants to merge 1 commit into tsale:main from j91321:pnpconnected_event

j91321 commented Jan 20, 2026

ESET USB Mount/Unmount

Contribution Details

With the release of ESET Inspect Connector 3.0, PnPDeviceConnected and PnPDeviceDisconnected were added. This creates an event for any peripheral connected as a Plug&Play device (mass storage device, HID, monitor, Bluetooth devices, etc.).

pnp_device_connect_disconnect

Additionally, I'm adding Partially to the File Opened subcategory. For some reason I omitted this category in the past, although it was always implemented. In ESET Inspect it's named "FileRead", but the implementation actually triggers on the file open operation.

This event is generated only on specific files that may contain sensitive information, such as browser-related databases, credential storages, etc.

Telemetry Validation

PnPDevice Events:
Tested with BashBunny in both Mass Storage device mode and HID mode

FileRead:
Standard system operation, e.g. opening browser.

Documentation or Evidence:

  • Official documentation (link: )
  • Screenshots attached
  • Sanitized logs provided
  • Private documentation (will share confidentially)

Type of Contribution

  • Adding telemetry information for an existing EDR product
  • Adding a new EDR product that meets eligibility criteria
  • Proposing new event categories/sub-categories
  • Documentation improvement
  • Tool enhancement

Validation Details

EDR Product Information

  • EDR Product Name:
  • EDR Version:
  • Operating System(s) Tested:

Testing Methodology

Tested with BashBunny in both Mass Storage device mode and HID mode

Additional Notes

None

coderabbitai bot commented Jan 20, 2026

Important

Review skipped

Auto reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

