Jump to content

Threats not reported to ERA console


Gamtat
 Share

Recommended Posts

Had a user come to me to let me know they had accidentally clicked on something they shouldn't have and had received the Access Denied "Access to the web page was blocked" popup and browser warning.  I can see it in their event log on the client but there's no sign of it in the Threats section of the web interface.  I can go to the Computers section, select Show Details on their computer and can't see it there either in the Threats or Alerts pages.  The computer is otherwise reporting just fine to the ERA server.  Have I screwed up the one of my policies?  How do I make sure this stuff is visible in the dashboard (or possibly via email alert)?

Link to comment
Share on other sites

See my screen, needed config of Agent. Also you must setup the policy of webcontroll to log this as "warning"

2017-06-07_08h56_06.png

Edited by HSW
Link to comment
Share on other sites

  • ESET Staff

If this was a page blocked not by webcontrol, but by the internal lists using protocol filtering / web access protection, it could be located locally in the "filtered websites log" on the Endpoint. Contents of this log file are as of now not collected in ESET Remote Administrator 6. We are planning to add this functionality in the next major release by Q4/2017 resp. Q1/2018.

Link to comment
Share on other sites

I haven't changed the defaults to enable WebControl so it wasn't that - just now exported the log to confirm that it was blocked by the internal lists.  I look forward to this being logged in the console.  I know the software has done its job by blocking the URL but it's a useful insight into user behavior for possible "reeducation".

<?xml version="1.0" encoding="utf-8" ?>
<ESET>
  <LOG>
    <RECORD>
      <COLUMN NAME="Time">6/6/2017 2:18:52 PM</COLUMN>
      <COLUMN NAME="URL">hxxp://newrequest-changeshippingcenter-ebayinc.com</COLUMN>
      <COLUMN NAME="Status">Blocked by internal IP blacklist</COLUMN>
      <COLUMN NAME="Application">C:\Windows\System32\CompatTelRunner.exe</COLUMN>
      <COLUMN NAME="User">DOMAIN\user</COLUMN>
      <COLUMN NAME="IP address">51.15.139.219</COLUMN>
      <COLUMN NAME="SHA1">7508DB266FDCDF93C951A022C5DA505A13EE6BE9</COLUMN>
    </RECORD>
    <RECORD>
      <COLUMN NAME="Time">6/6/2017 2:18:13 PM</COLUMN>
      <COLUMN NAME="URL">hxxp://newrequest-changeshippingcenter-ebayinc.com</COLUMN>
      <COLUMN NAME="Status">Blocked by internal IP blacklist</COLUMN>
      <COLUMN NAME="Application">C:\Windows\System32\CompatTelRunner.exe</COLUMN>
      <COLUMN NAME="User">DOMAIN\user</COLUMN>
      <COLUMN NAME="IP address">51.15.139.219</COLUMN>
      <COLUMN NAME="SHA1">7508DB266FDCDF93C951A022C5DA505A13EE6BE9</COLUMN>
    </RECORD>
 </LOG>
</ESET>

 

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...