
Version 7 File Server Reporting to ESET SMC7 "Detected attack against security hole" (How do I exclude Nessus)


Tim Jones

Hey Guys

I have updated to Version 7, great stuff, it is so much better than 6. I have also started updating my clients to V7 as well, but have noticed the V7 File Server clients now reporting in "Detected attack against security hole". Obviously awesome, and IPS protection is much appreciated. However, it seems to alert from my scans with Nessus.

Is there any way to exclude the IPs of our Nessus scanners from triggering these and swamping the reports and dashboards with these alerts? I have excluded the IPs in the policy for all alerts and logs, but I'm not sure it's working. Anyone else having a similar issue? (It could be, but maybe I've missed something.)
 
Tim

  • ESET Staff

Hi Tim,

can you confirm that the following works? 

Network attack protection -> IDS exceptions -> Add -> “Alert: any alert; Remote IP address: 1.2.3.4”


16 hours ago, MichalJ said:

Hi Tim,

can you confirm that the following works? 

Network attack protection -> IDS exceptions -> Add -> “Alert: any alert; Remote IP address: 1.2.3.4”

That is what I have set, but it still alerts in the client and back to ERA. The settings are showing in the clients.


  • 2 weeks later...

Is anyone else having this issue? I'm thinking about logging a call with our vendor, as no matter what I do ESET File Security 7 always logs reports (and blocks) IPs if policy is pushed from SMC7.


  • 4 weeks later...

Yes, we're seeing this behavior too.  After setting the first batch of alerts in ESMC, I found this post.  I then added the policy exception (any alert, with a specific remote address, all other options at default), and marked the old threats as resolved.  24 hours and another Nessus scan later, and the alerts are back.

 

 


  • ESET Staff

I have checked it with a colleague. When defining an exclusion, there should be an option to define “log / block / notify” and you should set it to “No”.

If you keep the default value, it's as if you have not created any exception at all.


Following on from Tim Jones above, 

We have log / block / notify all set to "No" and are still getting alerts, anything else to try?


MichalJ's suggestion worked for us.  We marked all of the related firewall alerts as resolved, and then modified our server policy to have the Log, Block, and Notify options set to "No", and it has been quiet ever since.

B-G, just to confirm - if you open the File Security client on one of your machines and check its setup, I assume that you can see your desired IDS configuration there, with all of the options set to No?  (Just making sure that it received the corrected policy)

[Image: EFSW_IDS-Exception.png]


  • Administrators

I'd recommend not to create exceptions for any alert, otherwise you'd effectively disable IDS protection against potential attacks coming from the excluded IP address.


  • Administrators
14 hours ago, B-G said:

We have log / block / notify all set to "No" and are still getting alerts, anything else to try?

Could you please post a screenshot of your IDS exclusion setup as well as the appropriate records from the Network protection log that were generated with the exception in place?


I tried one more thing yesterday: I removed the Application name from the filter (we had named them as the scanners that we were using) (though it was just a descriptive field) and now it is working as expected.

Looking at your filter setup confirms this configuration method as well.

Thanks for your help all.

 
