
No Alerts From IDS



Eset IS ver. 11.2.49, Win 10 x64 Home 1803

Yesterday I was doing some PowerShell-based testing against SMBv1. Note that I do prohibit access to admin shares via the Eset IDS option. Today I noticed the following in my Network log file:

[Screenshot: Eset Network log entries]

Zip IDS alerts on all this activity. Is this normal IDS behavior not to alert?

FYI and BTW - Microsoft in their "infinite dis-wisdom" now enables SMBv1 on clean installs of Win 10 1803. If you care about that, you have to manually uninstall it via the Windows Features option.

-EDIT- Now I am getting blocks on localhost connections to port 445 for Microsoft_ds. Perhaps this is why MS added SMBv1 to Win 10 1803 - a hidden backdoor?

Edited by itman
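The post above describes two manual steps: checking whether SMBv1 is still present after a 1803 install, and working out what on the local machine is talking to TCP 445 (the port behind the "Microsoft_ds" log entries). The following is an added example, not something posted in the thread, that does both from an elevated PowerShell session on Windows 10. It only uses built-in cmdlets (Get-WindowsOptionalFeature, Get-SmbServerConfiguration, Get-NetTCPConnection, Get-SmbShare); the decision to disable SMBv1 on the server and client side together is the editor's choice, not advice from the original poster or from ESET.

```powershell
# Added example (not from the original post). Run as Administrator on Windows 10.
# Assumption: the optional-feature names SMB1Protocol / SMB1Protocol-Client /
# SMB1Protocol-Server are present, as they are on Windows 10 1709 and later.

# 1. Is the SMBv1 optional feature installed? This is what "Windows Features" toggles.
Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol*' |
    Select-Object FeatureName, State

# 2. Is the SMB server still willing to speak dialect 1 (independent of the feature state)?
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, EnableSMB2Protocol

# 3. Turn SMBv1 off on both sides. The feature removal needs a reboot to complete,
#    -NoRestart only defers it; the server configuration change takes effect immediately.
Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 4. The SMBv1 client is a separate mini-redirector driver; confirm it is not running.
Get-Service -Name 'mrxsmb10' -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType

# 5. Which administrative shares exist? 'Special' marks the hidden C$, ADMIN$, IPC$ shares
#    that the "access to admin shares" IDS rule is guarding.
Get-SmbShare | Where-Object { $_.Special } |
    Select-Object Name, Path, Description

# 6. Everything that currently has TCP 445 open locally, with the owning process.
#    A loopback connection (127.0.0.1 -> 127.0.0.1:445) is a local program talking to
#    the local SMB server, which is exactly the kind of entry the thread is about.
Get-NetTCPConnection |
    Where-Object { $_.LocalPort -eq 445 -or $_.RemotePort -eq 445 } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Local   = '{0}:{1}' -f $_.LocalAddress, $_.LocalPort
            Remote  = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
            State   = $_.State
            PID     = $_.OwningProcess
            Process = if ($proc) { $proc.ProcessName } else { '(exited)' }
        }
    } | Format-Table -AutoSize
```

Step 6 is the useful one when a host firewall or IDS logs a local-to-local 445 hit without an alert: the listener on 445 is normally the kernel (PID 4, "System"), so the interesting column is the Process on the connecting side, which tells you which application triggered the share access.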

@Marcos, the lack of an IDS alert notwithstanding, I still would like to know why Eset is blocking this activity with SMBv1 disabled, whereas it did not detect anything with SMBv1 enabled?

Note that I recently reinstalled ver. 1803, which is how SMBv1 got enabled in the first place. On my old ver. 1803 install, which was an upgrade from ver. 1709, SMBv1 was disabled and there were no blocked log entries from Eset IDS in regards to admin share access. Eset 11.2.42 was installed after ver. 1803, obviously, with SMBv1 disabled later.

Edited by itman

This also might be related to this issue:

Quote

What hasn’t changed?

Any folder, files, printers that you previously shared using HomeGroup will continue to be shared. This means that:

  • Shared network folders will still be available. You can open them in File Explorer by typing the name of the PC and the shared folder name in this format: \\homePC\SharedFolderName.
  • If one user account was set up on a PC for sharing, you can continue using that one account for sharing.
  • You can still get to any shared printers through the Print dialog box.


https://support.microsoft.com/en-us/help/4091368/windows-10-homegroup-removed

I don't have a network setup; this is a stand-alone PC. I do have an HP laser printer connected, however, and HP setups are "famous" for weird local printer connections. Now the above extract should not apply to a clean install, but I actually did a Win OS reset versus a clean install. So who knows how Win 10 set up the printer. Also unknown is the impact that disabling SMBv1 had on the above and on Eset admin share access detection.

Edited by itman

Make this one solved. Also file this under the category of "sometimes you do dumb things."

I have always disabled the associated Remote Desktop services in Win 10 Home, although technically you can't connect remotely to your PC in it. I didn't do that when I reinstalled Win 10. As such, the Remote Desktop Connection option was available. Every time I started it up was when I received the Eset log entries about access to admin shares. This also explains why no alert was generated, since the access attempt was locally based.
