itman, posted July 2, 2019 (edited):

Ref.: Eset IS 12.1.34

Refer to the circled portion of the below screen shot. I did not manually make the "0 - 65535" change.

In essence, this means that Eset is scanning all computer traffic; for all system and app processes.

Edited July 2, 2019 by itman

Marcos (Administrators), posted July 2, 2019:

I have no clue. I have various ESET products installed and everywhere is port 443.

Also I'm not sure if a range of ports will work; it's accepted by the validator, however, the tooltip says that ports must be delimited by a comma. Even if it worked, ESET supports only HTTP(S), POP3(S) and IMAP(S) protocols so other communication would not be scanned anyways.

itman (Author), posted July 2, 2019:

2 hours ago, Marcos said:
> Also I'm not sure if a range of ports will work; it's accepted by the validator, however, the tooltip says that ports must be delimited by a comma.

There is a comma between 443 and 0 - 65535; i.e. 443,0 - 65535.

The question is what would have changed this setting without my knowledge? Also it appears it is scanning everything. For example "System;" i.e. ntoskrnl.exe is one of the apps listed in the scan listing.

I will just delete everything there and let Eset repopulate it.

itman (Author), posted July 2, 2019 (edited):

3 hours ago, Marcos said:
> I have no clue. I have various ESET products installed and everywhere is port 443

I found out what caused this to be created. Click on the default setting icon for Web Protocols. The result is " , 0- 65535" is added to the existing 443 setting.

So again, need to know is this by design or a bug. My suspicion is 0-65535 is being used for HTTP monitoring everything except HTTPS. In other words, Eset is scanning all inbound communication.

Edited July 2, 2019 by itman

Marcos (Administrators), posted July 2, 2019:

I now have 443-600 there. I reset to defaults 2-3 hours ago as I thought that could be the culprit, however, when I reopened advanced setup, there was 443 only. Not sure what happened in the meantime besides a module update. Looks like a bug but it's not yet clear when it occurs.

itman (Author), posted July 2, 2019:

Now I am wondering if these IDS detections are related to this:

Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application;User
7/2/2019 1:49:49 PM;Connection to Server RPC service;Blocked;127.0.0.1:50562;127.0.0.1:445;TCP;;System;

There are usually 4 of these log entries in a row. Started around 6/19. So far 2 prior sequences and one that occurred after I set HTTPS port back to port 443 exclusively today!
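
The blocked-connection entries quoted in the last post, grouped into bursts so that each sequence can be dated and compared against setting changes. This is an added Python example, not part of the original thread or any ESET tool. It assumes the log was exported as semicolon-delimited text in the layout shown in the post; every sample row except the 1:49:49 PM one is constructed, and the function names and the 5-second grouping window are assumptions.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample in the export layout quoted in the thread. Only the header
# and the 1:49:49 PM row appear in the post; every other row is made up.
SAMPLE_LOG = """\
Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application;User
6/19/2019 8:05:10 AM;Connection to Server RPC service;Blocked;127.0.0.1:49701;127.0.0.1:445;TCP;;System;
6/19/2019 8:05:10 AM;Connection to Server RPC service;Blocked;127.0.0.1:49702;127.0.0.1:445;TCP;;System;
6/19/2019 8:05:11 AM;Connection to Server RPC service;Blocked;127.0.0.1:49703;127.0.0.1:445;TCP;;System;
6/19/2019 8:05:11 AM;Connection to Server RPC service;Blocked;127.0.0.1:49704;127.0.0.1:445;TCP;;System;
7/2/2019 1:49:49 PM;Connection to Server RPC service;Blocked;127.0.0.1:50562;127.0.0.1:445;TCP;;System;
7/2/2019 1:49:49 PM;Connection to Server RPC service;Blocked;127.0.0.1:50563;127.0.0.1:445;TCP;;System;
7/2/2019 1:49:50 PM;Connection to Server RPC service;Blocked;127.0.0.1:50564;127.0.0.1:445;TCP;;System;
7/2/2019 1:49:50 PM;Connection to Server RPC service;Blocked;127.0.0.1:50565;127.0.0.1:445;TCP;;System;
7/2/2019 3:00:00 PM;Connection to Server RPC service;Blocked;192.168.1.20:50900;192.168.1.10:445;TCP;;System;
"""

TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"  # e.g. "7/2/2019 1:49:49 PM"

def parse_events(text):
    """Parse the exported log into dicts with an added 'When' datetime, oldest first."""
    rows = [r for r in csv.DictReader(StringIO(text), delimiter=";") if r.get("Time")]
    for r in rows:
        r["When"] = datetime.strptime(r["Time"], TIME_FORMAT)
    return sorted(rows, key=lambda r: r["When"])

def is_loopback(endpoint):
    """True when the host part of 'host:port' is a loopback address."""
    host = endpoint.rsplit(":", 1)[0].strip("[]")
    return host == "::1" or host.startswith("127.")

def find_bursts(events, name="Connection to Server RPC service", max_gap=timedelta(seconds=5)):
    """Group blocked events called `name` that arrive within max_gap of each other."""
    bursts = []
    for ev in events:
        if ev["Event"] != name or ev["Action"] != "Blocked":
            continue
        if not bursts or ev["When"] - bursts[-1]["end"] > max_gap:
            bursts.append({"start": ev["When"], "count": 0, "local_only": True})
        b = bursts[-1]
        b["end"] = ev["When"]
        b["count"] += 1
        b["local_only"] &= is_loopback(ev["Source"]) and is_loopback(ev["Target"])
    return bursts

if __name__ == "__main__":
    for b in find_bursts(parse_events(SAMPLE_LOG)):
        print(b["start"], b["count"], "loopback only" if b["local_only"] else "remote peer")
```

A burst flagged as loopback only means both endpoints were on the local machine, so the start times can be lined up against local events such as module updates or setting resets.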