Tim Jones

Version 7 File Server Reporting to ESET SMC7 Detected attack against security hole (How do I exclude Nessus)


Hey Guys

I have updated to Version 7, great stuff, it's so much better than 6. I have also started updating my clients to V7 as well, but have noticed the V7 File Server clients now reporting in "Detected attack against security hole". Obviously awesome, and IPS protection is much appreciated. However, it seems to alert from my scans with Nessus.

Is there any way to exclude the IPs of our Nessus scanners from triggering these and swamping the reports and dashboards with these alerts? I have excluded the IPs in the policy for all alerts and logs, but I'm not sure it's working. Anyone else having a similar issue? (It could be, but maybe I've missed something.)
 
Tim


Hi Tim,

can you confirm that the following works? 

Network attack protection -> IDS exceptions -> Add -> “Alert: any alert; Remote IP address: 1.2.3.4”

16 hours ago, MichalJ said:

Hi Tim,

can you confirm that the following works? 

Network attack protection -> IDS exceptions -> Add -> “Alert: any alert; Remote IP address: 1.2.3.4”

That is what I have set, but it still alerts in the client and back to ERA. The settings are showing in the clients.


Is anyone else having this issue? I'm thinking about logging a call with our vendor, as no matter what I do ESET File Security 7 always logs reports (and blocks) IPs if policy is pushed from SMC7.


Yes, we're seeing this behavior too.  After setting the first batch of alerts in ESMC, I found this post.  I then added the policy exception (any alert, with a specific remote address, all other options at default), and marked the old threats as resolved.  24 hours and another Nessus scan later, and the alerts are back.

 

 


I have checked it with a colleague. When defining an exclusion, there should be an option to define “log / block / notify” and you should set it to “No”.

If you keep the default value, it's as if you have not created any exception at all.


Following on from Tim Jones above, 

We have log / block / notify all set to "No" and are still getting alerts. Anything else to try?


MichalJ's suggestion worked for us.  We marked all of the related firewall alerts as resolved, and then modified our server policy to have the Log, Block, and Notify options set to "No", and it has been quiet ever since.

B-G, just to confirm - if you open the File Security client on one of your machines and check its setup, I assume that you can see your desired IDS configuration there, with all of the options set to No?  (Just making sure that it received the corrected policy)

[Attached image: EFSW_IDS-Exception.png]


I'd recommend not to create exceptions for any alert, otherwise you'd effectively disable IDS protection against potential attacks coming from the excluded IP address.

14 hours ago, B-G said:

We have log / block / notify all set to "No" and are still getting alerts. Anything else to try?

Could you please post a screenshot of your IDS exclusion setup as well as the appropriate records from the Network protection log that were generated with the exception in place?


I tried one more thing yesterday: I removed the Application name from the filter (we had named them as the scanners that we were using) (though it was just a descriptive field) and now it is working as expected.

Looking at your filter setup confirms this configuration method as well.

Thanks for your help all.

 
