Jump to content

SSL/TLS Scanning Port Assignments


Recommended Posts

Ref.: Eset IS 12.1.34

Refer to the circled portion of the below screen shot. I did not manually make the "0 - 65535" change.

In essence, this means that Eset is scanning all computer traffic; for all system and app processes.

Eset_HTTPS.thumb.png.d1ef934f22eeedcbd5269b2a68ec352b.png

Edited by itman
Link to comment
Share on other sites

  • Administrators

I have no clue. I have various ESET products installed and everywhere is port 443:

image.png

Also I'm not sure if a range of ports will work; it's accepted by the validator, however, the tooltip says that ports must be delimited by a comma. Even if it worked, ESET supports only HTTP(S), POP3(S) and IMAP(S) protocols so other communication would not be scanned anyways.

Link to comment
Share on other sites

2 hours ago, Marcos said:

Also I'm not sure if a range of ports will work; it's accepted by the validator, however, the tooltip says that ports must be delimited by a comma.

There is a comma between 443 and 0 - 65535; i.e. 443,0 - 65535. The question is what would have changed this setting without my knowledge?

Also it appears it is scanning everything. For example "System;" i.e. ntoskrnl.exe is one of the apps listed in the scan listing. I will just delete everything there and let Eset repopulate it.

Link to comment
Share on other sites

3 hours ago, Marcos said:

I have no clue. I have various ESET products installed and everywhere is port 443

I found out what caused this to be created. Click on the default setting icon for Web Protocols. The result is " , 0- 65535" is added to the existing 443 setting.

So again, need to know is this by design or a bug. My suspicion is 0-65535 is being used for HTTP monitoring everything except HTTPS. In other words, Eset is scanning all inbound communication.

Edited by itman
Link to comment
Share on other sites

  • Administrators

I now have 443-600 there. I reset to defaults a 2-3 hours ago as I thought that could be the culprit, however, when I reopened advanced setup, there was 443 only. Not sure what happened in the mean time besides a module update. Looks like a bug but it's not yet clear when it occurs.

Link to comment
Share on other sites

Now I am wondering if these IDS detections are related to this:

Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application;User
7/2/2019 1:49:49 PM;Connection to Server RPC service;Blocked;127.0.0.1:50562;127.0.0.1:445;TCP;;System;

There are usually 4 of these log enties in a row. Started around 6/19. So far 2 prior sequences and one that occurred after I set HTTPS port back to port 443 exclusively today!

 

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...