pronto

Members
  • Content Count

    58
  • Joined

  • Last visited

  • Days Won

    1

pronto last won the day on October 17 2019

pronto had the most liked content!

1 Follower

Profile Information

  • Location
    Germany

  1. Servus, the detections run on two Exchange Server 2016. These are brute force attacks that are applied to the virtual directories of Exchange IIS. I can't get out of this if OWA and ActiveSync should be accessible via the Internet. The problem is not unknown, and we used to use a reverse proxy to prevent it, but we don't have that anymore since Microsoft stopped its TMG support. Our goal now is not to prevent these detections, but we don't need to have every single successfully blocked attack in our log. This makes the log confusing and trains people to ignore warnings because they think they know what is behind it. An error or warning should be a rare event and every single one should get full attention. This is not possible if you know in advance what to expect in 95% of the warnings. If there is another solution that we have not yet considered, we would be interested to have a look at it... Thx & Bye Tom
  2. Servus Community, in another thread regarding this 'Disable.Attack.Generic' warning we found a place in the policies where this warning can be disabled but the setting seems not to work because these warnings are still logged. See the attached screenshots. Thx & Bye Tom
  3. Servus Marcos, is the ESET Dynamic Threat Defense feature included in an ESET Secure Business license? It isn't listed in the feature list of any product:
  4. Servus Marcos and Itman, we have discussed this issue with our management. Even though we have deactivated the execution of macros in Microsoft Office by group policy, it would be worse if we forwarded such an e-mail to a business partner who does not have that many security levels available. This was our biggest concern in this particular case. Our management has classified this as a serious incident, not least because an encryption Trojan recently caused a business partner to suffer significant financial damage. Our preferred configuration would be to remove all macro code from every Office document but still deliver it, but of course only if no virus was found or the email was not detected as spam. That's how we had configured it earlier and had actually made good experiences with it. But ESET can't do that in this form as far as I know. But it would be great if it could. If this is not possible, we would be interested in a procedure to collect data about how many Office documents with macro code we receive and how many of them might have been detected as false positives, if we decided to generally reject such documents in a later step. This was the result of our meeting with our management. Do you have any ideas on how we could best solve this? Any suggestions would be welcome. Thx & Bye Tom
  5. Servus Itman, yes, the email arrived on Wednesday at 10:50. At that time the two internal mail servers had installed pattern 20750, and the border edge mail server had even installed pattern 20751 for a few minutes. The two internal servers both found the virus at 15:01, half an hour after the update to pattern 20752. Thx & Bye Tom
  6. I understood. It would be interesting to know which versions of a virus are covered by which patterns and which version of the virus you are dealing with. This would help to understand what happened and help to take countermeasures. I can remember earlier times where other vendors listed exactly if this or that DLL is found with a size of so many bytes, there is an infection, otherwise with certain listed sizes and version numbers they are unsuspicious original files, depending on the patch level. This way or something similar. This may be a bit much information but for those who need it, it is definitely invaluable. But that's probably not a problem we are solving tonight... 😉 Bye Tom
  7. Hm, that's not good. ESET tells me they've found a virus, but they won't tell me exactly what virus it was. We had the same situation this week with the analysis of the spam detection values in the header of an email, they were not public either. This is really a pity, it was looking so good... Bye Tom
  8. Servus Marcos, is there a public database where you can view more detailed information about specific malware? Such as the history or other useful information to make your own investigations if an infection is suspected... Thx & Bye Tom
  9. Servus Community, yesterday at 11:00 we had a false negative detection on our Exchange Server, which accepts the email from outside and is the first instance to check for viruses. This server then forwards the mails to the internal servers, which host the databases of a two-node DAG. At about 15:00 the virus scanner on the internal Exchange servers detected and deleted an infected attachment. Due to the delay of four hours I first assumed that this was a zero-day exploit and that unfortunately we were among the first to receive this virus. However, further research has shown that ESET has known this virus, or at least a virus with the same name as this one, since 20.01.2020, and it would therefore be far away from a zero-day exploit. In the logfile of the virus scanner there are some updates of the detection engine for yesterday, on all three mail servers. How is it possible that the first mail server missed the email and the other two did not have a reaction within four hours? Is this a generic name, as there is no version number in the threat name? Is there more detailed information about the found virus? If the name is not specific and is used multiple times, how can you take adequate action in case of an infection? Thx & Bye Tom
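Post 4 above asks for a procedure to count how many incoming Office attachments actually carry macro code. The following is an added example (not code from the forum or from ESET) of the check a mail-hygiene script could apply per attachment: OOXML files (docm, xlsm, pptm, and also docx/xlsx, since the extension alone is not proof) are ZIP archives, and VBA code lives in a `vbaProject.bin` part inside them; legacy OLE files (.doc/.xls) are not ZIPs and are only recognised by their magic bytes here and counted as needing a separate check. The sample attachments are constructed in memory; no real documents are involved.

```python
import io
import zipfile
from collections import Counter

OFFICE_EXT = {"doc", "docx", "docm", "xls", "xlsx", "xlsm", "ppt", "pptx", "pptm"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file header of legacy Office formats


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML (zip) document contains a vbaProject.bin part, i.e. VBA macros."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def tally_attachments(attachments: dict) -> Counter:
    """Count Office attachments by name -> bytes; keys: office_total, office_with_macro, legacy_ole_unchecked."""
    counts = Counter()
    for filename, data in attachments.items():
        ext = filename.rsplit(".", 1)[-1].lower()
        if ext not in OFFICE_EXT:
            continue  # only Office documents are of interest for the macro statistics
        counts["office_total"] += 1
        if data.startswith(OLE_MAGIC):
            counts["legacy_ole_unchecked"] += 1  # .doc/.xls need an OLE parser (e.g. olefile), not done here
        elif has_vba_project(data):
            counts["office_with_macro"] += 1
    return counts


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-style archive; a vbaProject.bin part is added when with_macro is True."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed stub, not real VBA")
    return buf.getvalue()


# Constructed sample mailbox: one macro-bearing docm, one clean docx, one legacy .doc, one non-Office file.
SAMPLE_ATTACHMENTS = {
    "invoice.docm": build_sample(True),
    "report.docx": build_sample(False),
    "old_contract.doc": OLE_MAGIC + b"\x00" * 16,
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    print(dict(tally_attachments(SAMPLE_ATTACHMENTS)))
```

In a real deployment the dictionary would be filled from the mail pipeline (for example a journaling mailbox or transport-rule copy), and the totals compared against the AV log to estimate how many macro documents would have been rejected that were not otherwise flagged.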