[874 EsetIPBlacklist.A on Users Work From Home Computer]

Found out when he hooked up the new modem, he plugged his computer directly into the modem instead of the router.  He is also buying a new router since his is about 8 years old.

[874 EsetIPBlacklist.A on Users Work From Home Computer]

Thanks for you assistance.

[874 EsetIPBlacklist.A on Users Work From Home Computer]

They did just get a new modem from the ISP which may have given them a new IP address.

[874 EsetIPBlacklist.A on Users Work From Home Computer]

Obviously ESET is doing it's job.  Should I do anything else to the computer or possibly have the ISP kick it to a new IP address?

[874 EsetIPBlacklist.A on Users Work From Home Computer]

Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application path;Application;Hash;User;Signer;Package name;Service
10/13/2023 9:46:00 AM;Security vulnerability exploitation attempt;Blocked;107.170.254.8:42639;140.186.96.15:2096;TCP;EsetIpBlacklist.A;;;;;;;

Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application path;Application;Hash;User;Signer;Package name;Service
10/13/2023 9:08:41 AM;Security vulnerability exploitation attempt;Blocked;58.65.153.246:53410;140.186.96.15:445;TCP;EsetIpBlacklist.A;System;System;;;;;
 

[874 EsetIPBlacklist.A on Users Work From Home Computer]

Yes Huntress is installed as part of a detection package through our MSP

I will check with our ESET provider about turning off the HIPS setting.  It is locked in the policy.

Where can I get the Network Protection Log?  Or do you just want a copy of the information from the Detections screen?

[874 EsetIPBlacklist.A on Users Work From Home Computer]

Time;Application;Operation;Target;Action;Rule;Additional information
10/13/2023 8:47:06 AM;C:\Windows\System32\csrss.exe;Get access to another application;C:\Program Files\ESET\ESET Security\egui.exe;Blocked;Self-Defense: Protect ekrn and egui processes;Unknown operation

Time;Application;Operation;Target;Action;Rule;Additional information
10/13/2023 8:46:29 AM;C:\Program Files\Huntress\HuntressAgent.exe;Get access to another application;C:\Program Files\ESET\ESET Security\eguiProxy.exe;Blocked;Self-Defense: Protect ekrn and egui processes;Unknown operation,Unknown operation,Unknown operation,Unknown operation,Unknown operation

Time;Application;Operation;Target;Action;Rule;Additional information
10/13/2023 8:42:10 AM;C:\Windows\System32\svchost.exe;Attempt to lock the file;C:\Program Files\ESET\ESET Security\SecurityProductInformation.ini;Blocked;Self-Defense: Protect ESET files;

[874 EsetIPBlacklist.A on Users Work From Home Computer]

One of our users normally works in the office but has a computer to work from home.  In the last 5 days, there have been 874 EsetIPBlacklist.A warnings from several different IP address trying to hit several different ports.  Outside of scanning the computer for viruses and vulnerabilities, what can I do to kill these attacks?

[Over 300 Network Folders Open]

I was looking in computer management > Open Files this morning to see who had a particular file open and I saw that one user had over 300 folders "open".  I confirmed with the user that they didn't have some extensive search or anything running that may cause this appearance.  I refreshed the view and then all of those were gone and the same thing showed for a different user.  Refreshed a while later and same thing for another user.  Eventually it settled down and didn't seem to affect anything while it was happening.

I do have real-time scans of network drives enabled.  Could this cause this behavior?

[Did user try opening the attachment?]

I received a handful of "Event occurred during an attempt to access the email" errors with the MSIL/GenKryptik.EXUD from the email application filter for one of our users.  Does this mean he actually tried to open the attachment or that he opened the email?

[3 different computers with the same "blocked by PUA blacklist" warning]

That makes sense.  Thanks Marcos.

[3 different computers with the same "blocked by PUA blacklist" warning]

I have 3 different computers that have web protection warnings because Chrome is trying to access my.rtmark.net.  One computer had 4 occurrences over 6 days and the other 2 each had two occurrences within the same day.  How likely is it that they all clicked the same/similar bad links or fell for a link in an email?  Should I be looking for some malware acting behind the scenes? 

[Remove licenses in remote office]

We have an office in another country which we have recently sold.  I want to remove the ESET licensing from the computers there but I am having trouble accessing the computers which makes me believe this switch over isn't going to be as friendly as I thought.  If I delete them in the Security Manager, do they stop getting updates?  Is there a better way to pull the plug?

[Exclude TCP Port Scanning Attack not working]

I should have explained a little better.  This is happening on several computers.  I set the exception through a policy that I applied to all computers.  The log files are attached.

ees_logs.zip

[Exclude TCP Port Scanning Attack not working]

I am in the process of upgrading from Eset version 5 to 7.  We use Spiceworks to track inventory of all our computers so when it tries to contact any of the computers, ESET blocks it and records a TCP Port Scanning Attack.  Originally I was receiving ARP Cach Poisoning Attack alerts from the same server and I created an IDS exception and they stopped.  I added the TCP Port Scanning Attack exception in the same place and applied it to all computers but I still have the alerts showing up in the threats.  Any ideas what I am missing?