Command IT, posted October 18, 2018

I'm seeing a few of these related to CVE-2017-5638.Struts2. The affected servers are not running any Struts code, so I'm assuming this is detecting that someone is attempting to utilize the exploit, but how do I stop ESMC from showing these as threats once the device has been checked to ensure it's not vulnerable?

John
Nightowl (Most Valued Member), posted October 18, 2018 (edited)

2 hours ago, Command IT said:
    I'm seeing a few of these related to CVE-2017-5638.Struts2. The affected servers are not running any Struts code, so I'm assuming this is detecting that someone is attempting to utilize the exploit, but how do I stop ESMC from showing these as threats once the device has been checked to ensure it's not vulnerable?

If you don't run Apache, I don't know how the exploit will work, because it's exploiting Apache and Apache isn't installed, as you have said (Apache Struts). Just keep your systems up to date with security patches, and try to find out what source this attack is coming from.

Why do you want it to stop showing you threats or attacks?

Edited October 18, 2018 by Rami
Command IT (author), posted October 18, 2018

13 minutes ago, Rami said:
    Why do you want it to stop showing you threats or attacks?

I want to get notified when there's something that requires action, so I have email notifications for unresolved threats. These show up as unresolved threats. An analogy would be: I'm interested in knowing if someone walking down the street has tried to open my front door but it was locked (resolved threat), but I really want to know if the door got opened (unresolved threat).
Marcos (Administrator), posted October 19, 2018

IDS detections are blocked automatically. In Endpoint's log you should see the action Blocked. Unfortunately, the message is translated by ESMC as "Detected", which may cause confusion. This will be fixed in ESMC v7.1 at the latest, to my best knowledge.

To prevent network attacks, if you are behind a router / firewall, also make sure that ESET (ideally Endpoint v7) is installed on every machine and that arbitrary machines cannot connect to the network. Every machine in the LAN should be fully patched.
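An added illustration of the triage rule the two posts above describe, not code from ESET or any poster here: key the "needs action" decision on the endpoint's action field (Blocked means resolved) rather than on the ESMC label, and count blocked probes per source so a host scanning the LAN stands out. The event field names and sample records are constructed assumptions, not ESMC's real export format.

```python
"""Triage constructed IDS events: an endpoint that *blocked* a
CVE-2017-5638 probe is a resolved threat (count it per source, no page),
while anything the endpoint did not stop is unresolved and gets escalated.
Field names and values are assumptions, not ESMC's real export format."""
from collections import Counter

# Actions meaning the endpoint already handled the event. Assumption:
# ESMC may label a blocked IDS event "Detected", so the decision keys on
# the endpoint's own action field, never on the ESMC label.
RESOLVED_ACTIONS = {"blocked", "cleaned", "deleted", "quarantined"}


def is_resolved(event):
    """True when the endpoint reports it already stopped the activity."""
    return event.get("action", "").lower() in RESOLVED_ACTIONS


def triage(events):
    """Return (events needing action, blocked-attempt count per source)."""
    unresolved = []
    blocked_by_source = Counter()
    for ev in events:
        if is_resolved(ev):
            blocked_by_source[ev.get("source", "unknown")] += 1
        else:
            unresolved.append(ev)
    return unresolved, blocked_by_source


def should_email(events):
    """Send the 'unresolved threat' mail only when something was not blocked."""
    unresolved, _ = triage(events)
    return len(unresolved) > 0


# Constructed sample events (hostnames, IPs and threat names are made up).
SAMPLE_EVENTS = [
    {"host": "web01", "threat": "CVE-2017-5638.Struts2", "source": "192.0.2.10",
     "action": "Blocked", "esmc_label": "Detected"},
    {"host": "web02", "threat": "CVE-2017-5638.Struts2", "source": "192.0.2.10",
     "action": "Blocked", "esmc_label": "Detected"},
    {"host": "fs01", "threat": "Win32/Example.A", "source": "local",
     "action": "Cleaned", "esmc_label": "Cleaned"},
    {"host": "web03", "threat": "CVE-2017-5638.Struts2", "source": "198.51.100.7",
     "action": "Error while cleaning", "esmc_label": "Detected"},
]

if __name__ == "__main__":
    pending, counts = triage(SAMPLE_EVENTS)
    print("email needed:", should_email(SAMPLE_EVENTS))
    for ev in pending:
        print("UNRESOLVED", ev["host"], ev["threat"], ev["action"])
    for src, n in counts.most_common():
        print(f"blocked attempts from {src}: {n}")
```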
Command IT (author), posted October 20, 2018

Is there a timeline for ESMC 7.1?

John
cutting_edgetech (ESET Insider), posted October 20, 2018 (edited)

Eset may also want to start using the terminology IDS and IPS to prevent confusion. The following, from Marvin Rhoads, a member of the Cisco Community, is a good description that explains the difference between IDS and IPS. IDS does not block or remediate any traffic at all; you need IPS to do that.

"IDS only logs or alerts on malicious traffic."

"IPS inspects traffic flowing through a network and is capable of blocking or otherwise remediating flows that it determines are malicious."

https://community.cisco.com/t5/firewalls/what-is-the-difference-between-ips-ids-and-a-firewall/td-p/2419412

Edited October 20, 2018 by cutting_edgetech
itman, posted October 20, 2018 (edited)

Actually, Eset's IDS protection is a hybrid IDS/IPS in that, besides blocking the activity, it gives you the option to be informed about the activity:

Edited October 20, 2018 by itman
cutting_edgetech (ESET Insider), posted October 21, 2018 (edited)

Eset can actually block detected attacks, and does, so it should reflect that by showing something like IDS/IPS, or separate settings for IDS and IPS, in the GUI.

Edited: 10/21/18 @ 1:17
I want to point out that you are correct about it being hybrid. My suggestion is only that the GUI reflects that correctly, by the changes I mentioned above.

Edited October 21, 2018 by cutting_edgetech