mtellefson, Posted August 27, 2019

I am in the process of upgrading from ESET version 5 to 7. We use Spiceworks to track inventory of all our computers, so when it tries to contact any of the computers, ESET blocks it and records a TCP Port Scanning Attack. Originally I was receiving ARP Cache Poisoning Attack alerts from the same server and I created an IDS exception and they stopped. I added the TCP Port Scanning Attack exception in the same place and applied it to all computers, but I still have the alerts showing up in the threats. Any ideas what I am missing?

Marcos (Administrators), Posted August 27, 2019

Please collect logs from the client with ESET Log Collector and post the generated archive here. Basically an exception like this should work:

mtellefson (Author), Posted August 27, 2019

I should have explained a little better. This is happening on several computers. I set the exception through a policy that I applied to all computers. The log files are attached.

ees_logs.zip

itman, Posted August 27, 2019 (edited)

Try entering the TCP Port Scanning attack exception w/o an IP address.

If the above doesn't work, you might have to exclude the displaying of IDS after detection alerts as shown in this ESET knowledge base article: http://support.eset.com/kb2951/. As the article states, only the alerting is being disabled; not the IDS protections.

Also assuming your external network gateway has like WAN side TCP port scanning detection capability and mitigation, you could just disable the ESET IDS TCP Port Scanning attack detection on the endpoints.