Jump to content

SSL/TLS Scanning Port Assignments

itman
 Share

Recommended Posts

itman

itman 1,659

Posted
Posted (edited)

Ref.: Eset IS 12.1.34

Refer to the circled portion of the below screen shot. I did not manually make the "0 - 65535" change.

In essence, this means that Eset is scanning all computer traffic; for all system and app processes.

Eset_HTTPS.thumb.png.d1ef934f22eeedcbd5269b2a68ec352b.png

Edited by itman
Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 5,074

Posted
  • Administrators
Posted

I have no clue. I have various ESET products installed and everywhere is port 443:

image.png

Also I'm not sure if a range of ports will work; it's accepted by the validator, however, the tooltip says that ports must be delimited by a comma. Even if it worked, ESET supports only HTTP(S), POP3(S) and IMAP(S) protocols so other communication would not be scanned anyways.

Link to comment
Share on other sites
itman

itman 1,659

Posted
  • Author
Posted
2 hours ago, Marcos said:

Also I'm not sure if a range of ports will work; it's accepted by the validator, however, the tooltip says that ports must be delimited by a comma.

There is a comma between 443 and 0 - 65535; i.e. 443,0 - 65535. The question is what would have changed this setting without my knowledge?

Also it appears it is scanning everything. For example "System;" i.e. ntoskrnl.exe is one of the apps listed in the scan listing. I will just delete everything there and let Eset repopulate it.

Link to comment
Share on other sites
itman

itman 1,659

Posted
  • Author
Posted (edited)
3 hours ago, Marcos said:

I have no clue. I have various ESET products installed and everywhere is port 443

I found out what caused this to be created. Click on the default setting icon for Web Protocols. The result is " , 0- 65535" is added to the existing 443 setting.

So again, need to know is this by design or a bug. My suspicion is 0-65535 is being used for HTTP monitoring everything except HTTPS. In other words, Eset is scanning all inbound communication.

Edited by itman
Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 5,074

Posted
  • Administrators
Posted

I now have 443-600 there. I reset to defaults a 2-3 hours ago as I thought that could be the culprit, however, when I reopened advanced setup, there was 443 only. Not sure what happened in the mean time besides a module update. Looks like a bug but it's not yet clear when it occurs.

Link to comment
Share on other sites
itman

itman 1,659

Posted
  • Author
Posted

Now I am wondering if these IDS detections are related to this:

Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application;User
7/2/2019 1:49:49 PM;Connection to Server RPC service;Blocked;127.0.0.1:50562;127.0.0.1:445;TCP;;System;

There are usually 4 of these log enties in a row. Started around 6/19. So far 2 prior sequences and one that occurred after I set HTTPS port back to port 443 exclusively today!

 

Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...