itman, posted July 2, 2019 (edited)

Ref.: Eset IS 12.1.34

Refer to the circled portion of the below screen shot. I did not manually make the "0 - 65535" change. In essence, this means that Eset is scanning all computer traffic; for all system and app processes.

Marcos (Administrators), posted July 2, 2019

I have no clue. I have various ESET products installed and everywhere is port 443.

Also I'm not sure if a range of ports will work; it's accepted by the validator, however, the tooltip says that ports must be delimited by a comma. Even if it worked, ESET supports only HTTP(S), POP3(S) and IMAP(S) protocols so other communication would not be scanned anyways.

itman (Author), posted July 2, 2019

> 2 hours ago, Marcos said:
> Also I'm not sure if a range of ports will work; it's accepted by the validator, however, the tooltip says that ports must be delimited by a comma.

There is a comma between 443 and 0 - 65535; i.e. 443,0 - 65535. The question is what would have changed this setting without my knowledge?

Also it appears it is scanning everything. For example "System;" i.e. ntoskrnl.exe is one of the apps listed in the scan listing. I will just delete everything there and let Eset repopulate it.

itman (Author), posted July 2, 2019 (edited)

> 3 hours ago, Marcos said:
> I have no clue. I have various ESET products installed and everywhere is port 443

I found out what caused this to be created. Click on the default setting icon for Web Protocols. The result is " , 0- 65535" is added to the existing 443 setting. So again, need to know is this by design or a bug.

My suspicion is 0-65535 is being used for HTTP monitoring everything except HTTPS. In other words, Eset is scanning all inbound communication.

Marcos (Administrators), posted July 2, 2019

I now have 443-600 there. I reset to defaults 2-3 hours ago as I thought that could be the culprit, however, when I reopened advanced setup, there was 443 only. Not sure what happened in the meantime besides a module update. Looks like a bug but it's not yet clear when it occurs.

itman (Author), posted July 2, 2019

Now I am wondering if these IDS detections are related to this:

Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application;User
7/2/2019 1:49:49 PM;Connection to Server RPC service;Blocked;127.0.0.1:50562;127.0.0.1:445;TCP;;System;

There are usually 4 of these log entries in a row. Started around 6/19. So far 2 prior sequences and one that occurred after I set HTTPS port back to port 443 exclusively today!

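The port-field values reported in this thread (443, 443-600, 443,0 - 65535 and the stray " , 0- 65535") can be checked against an expected baseline to spot this kind of unrequested change. The sketch below is an added example, not ESET code and not part of any post above; the comma/range syntax is assumed from the values quoted in the thread, and the function names and the baseline of port 443 only are hypothetical.

```python
import re

# Assumed syntax, inferred from the values quoted in the thread: comma-separated
# items, each a single port or a "low-high" range, with optional whitespace.
_ITEM = re.compile(r"^\s*(\d+)\s*(?:-\s*(\d+))?\s*$")


def parse_port_spec(spec):
    """Return a sorted list of merged, inclusive (low, high) port ranges."""
    ranges = []
    for item in spec.split(","):
        if not item.strip():
            continue  # tolerate a stray comma, as in " , 0- 65535"
        m = _ITEM.match(item)
        if not m:
            raise ValueError(f"unparseable port item: {item!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) is not None else low
        if low > high or high > 65535:
            raise ValueError(f"port range out of bounds: {item!r}")
        ranges.append((low, high))
    ranges.sort()
    merged = []
    for low, high in ranges:
        if merged and low <= merged[-1][1] + 1:  # overlapping or adjacent
            merged[-1] = (merged[-1][0], max(merged[-1][1], high))
        else:
            merged.append((low, high))
    return merged


def audit_port_spec(spec, baseline=frozenset({443})):
    """Compare a port-field value with the expected (hypothetical) baseline."""
    merged = parse_port_spec(spec)
    covered = sum(high - low + 1 for low, high in merged)
    missing = sorted(p for p in baseline if not any(lo <= p <= hi for lo, hi in merged))
    extra = covered - (len(baseline) - len(missing))
    return {"ranges": merged, "covered": covered, "extra_ports": extra,
            "missing": missing, "drifted": bool(extra or missing)}


if __name__ == "__main__":
    # Values as quoted in the thread.
    for value in ("443", "443-600", "443,0 - 65535", " , 0- 65535"):
        print(repr(value), audit_port_spec(value))
```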