Version 7 File Server Reporting to ESET SMC7 Detected attack against security hole ( How do I exclude Nessus)

[Tim Jones 2]

Hey Guys

I have updated to Version 7 great stuff it so much better than 6, I have also started updating my clients to V7 as well but have noticed the V7 File Server clients now reporting in

Detected attack against security hole, Obviously awesome and IPS protection is much appreciated, However it seems to alert from my scans with Nessus

 

Is there any way to exclude the IP's of our Nessus Scanners from triggering these and swamping the reports and dashboards with these alerts, I have excluded the ip's in the policy for all alerts and logs but im not sure its working any one else having a similar issue? ( it could be but maybe ive missed something)

 

Tim

[MichalJ 434]

Hi Tim,

can you confirm that the following works? 

Network attack protection -> IDS exceptions -> Add -> “Alert: any alert; Remote IP address: 1.2.3.4”

[Tim Jones 2]

16 hours ago, MichalJ said:

Hi Tim,

can you confirm that the following works? 

Network attack protection -> IDS exceptions -> Add -> “Alert: any alert; Remote IP address: 1.2.3.4”

That is what i have set but it still alerts in the client and back to ERA, The settings are showing in the clients

[Tim Jones 2]

Is anyone else having this issue? Im thinking about logging a call with our vendor as no matter what I do Eset File Security 7 allways logs reports ( and blocks) ips if policy is pushed from SMC7

[zhopkins 10]

Yes, we're seeing this behavior too.  After setting the first batch of alerts in ESMC, I found this post.  I then added the policy exception (any alert, with a specific remote address, all other options at default), and marked the old threats as resolved.  24 hours and another Nessus scan later, and the alerts are back.

 

 

[MichalJ 434]

I have checked it with a colleague.  When defining exclusion, there should be a option to define  “log / block / notify” and you should set it to “No”.

If you keep the default value, it´s like if you have not created any exception at all. 

[B-G 0]

Following on from Tim Jones above, 

We have log / block / notify all set to "No" and are still getting alerts, anything else to try ?  

[zhopkins 10]

MichalJ's suggestion worked for us.  We marked all of the related firewall alerts as resolved, and then modified our server policy to have the Log, Block, and Notify options set to "No", and it has been quiet ever since.

B-G, just to confirm - if you open the File Security client on one of your machines and check its setup, I assume that you can see your desired IDS configuration there, with all of the options set to No?  (Just making sure that it received the corrected policy)

[Marcos 5,072]

I'd recommend not to create exceptions for any alert, otherwise you'd effectively disable IDS protection against potential attacks coming from the excluded IP address.

[Marcos 5,072]

14 hours ago, B-G said:

We have log / block / notify all set to "No" and are still getting alerts, anything else to try ?   

Could you please post a screen shot of your IDS exclusion setup as well as the appropriate records from the Network protection log that were generated with the exception in place?

[B-G 0]

I tried one more thing yesterday, I removed the Application name from the filter (We had named them as the scanners that we were using ) (Though it was just a descriptive field) and now it is working as expected. 

Looking at your filter setup confirms this configuration method as well.

Thanks for your help all.