hgm
Posts posted by hgm
Hello,
We began seeing "Security vulnerability exploitation attempts: JAVA/Exploit.CVE-2021-44228", and I'm wondering if anyone can help me understand what is occurring with these alerts?
Product: Endpoint Antivirus 8.1.2037.2
OS: Windows 10.0.19044.1415
The detection includes the following (simplified, obfuscated numbers):
Process name: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Source address: 10.1.2.3
Source port: 59876
Target address: 117.2.3.4
Target port: 80
Inbound Communication: no
Protocol: TCP
Action: Blocked
Is the following understanding correct: this computer, using process iexplore.exe, made a call from 10.1.2.3 on port 59876 to 117.2.3.4 which was blocked?
Or was the traffic from 117.2.3.4 on port 80 blocked, with the target of 10.1.2.3?
It is the "Inbound Communication: no" part that is tripping me up. What part of the communication was blocked, the part from the ESET protected endpoint to a server, or a server to the ESET protected endpoint?
-
All of the mentioned ways to view agent version status are fine workarounds. But it seems to be a big oversight to not have this particular piece of information available, considering that there are about 20 other things we can list in column view.
If auto-updating agents is a future plan, then great! That will really reduce our workload considering how often we have to go through these workarounds to sort endpoints and respective agent versions.
-
Thank you for the suggestion, @MartinK. I have been working to understand and implement your suggestion, but have yet to successfully get the data I am looking for.
The question has been converted to a suggestion, as ESET support confirmed that there is no ability to add a column in a dynamic group which shows the agent version. Support's response:
Quote:
The only way is to create a dynamic group template with the following expression:
1. "Installed software.Application" "name is one of" "ESET Management Agent"
2. "Installed software.Application version" "not equal" "8.0.1238.0"
Assign this template to your dynamic group.
In this dynamic group you will see all clients (Agents <> 8.0.1238.0).
Additional information: it is not possible to see the agent version directly under your dynamic group.
This suggestion creates a dynamic group which will show endpoints which meet the criteria. But again, it does not solve the initial question of how to show the agent version in existing dynamic groups, as its own column. Hopefully the ability to add a column in a dynamic group which shows the agent version, as we are currently able to do for the product version (client software), will be added in the next update.
-
Is it possible to have a column in ESET Protect dynamic group view which shows the installed agent version? I see where security product version can be displayed, and many other things, but no option for agent version.
Clarify Detection: JAVA/Exploit.CVE-2021-44228 (in ESET Endpoint Products)
Thank you @itman for the prompt reply!
I am aware of update information from this link:
https://support.eset.com/en/kb3580-upgrade-eset-business-products
Regarding the Apache server, are you referring to the Apache that was installed with ESET Protect, or to other non-ESET instances of Apache? It is our understanding that the Apache which runs with Protect is not vulnerable. Is this correct?
Another question on the topic of this post: I don't see anything in the detection report that points to how or why the blocked traffic occurred. Performing the script searches outlined in this post (link below) doesn't turn up any instance of .jar archive files on the system, and I am unaware of any other installed software that would do this either. So I'm trying to figure out what the root of the offending traffic is. Is this something that ESET can provide?
https://www.welivesecurity.com/2021/12/13/log4shell-vulnerability-what-we-know-so-far/