Web protection reporting detections in ESMC after update

Cousin Vinny

How do I stop web protection from generating detections in ESMC?  Every URL that gets blocked is now adding to the detections number and it's like the boy who cried wolf.  Super annoying.


Currently it's only possible to use the Detection category filter without adding "Web protection". This will be subject to further internal discussion since we understand it might generate too many reports.


It is indeed annoying and not something to worry about, just an informational thing. It doesn't seem to fit the "threat/detection" term - if you've got an event there it means the access was definitely blocked (not like file scanning for example: found a threat - was it cleaned? removed? just detected? Such events require attention).

It would be much better to move it to reports section (Web control category is missing at the moment) and create default dashboard item "Web control detections" with web control logs (which I have done myself manually).

If you need it to be part of Detections, please make it optional category, not default.


What we'll do is consider automatic resolution of blocked attempts to access a blacklisted website. It's unrelated to Web Control, which is disabled by default; it's Web access protection which blocks access to sites known to host malware or PUAs.


I have several rules blocking specific URL groups (which were created manually) in Web Control settings and user attempts to open those URLs also generate detections after last ESMC update.


In order for the application of Web rules to be reported to the ESMC Server, it is necessary to set the appropriate severity for each rule. By default they are not reported to ESMC.


And what exactly does "appropriate severity" mean in this situation? Logging level is set to "warning" for those rules.


By default logging severity is set to "Always". In this case, when a rule is applied it's logged locally on the client but the record is not reported to the ESMC server.  Changing the severity to Diagnostic, Warning or Information will cause the record to be reported to the ESMC server with the specified severity.


Now that it's been a few days I just wanted to reiterate - this is a major oversight and I do not like how I've lost such a great deal of insight into my network due to the constant reporting of blocked websites.

This feels like I've essentially lost one of the tools I use to monitor for infections and outbreaks, since it's constantly accumulating web blocker detections that are completely useless to me and are reported at the same level as an actual detection that I would care about.

This really sucks and I was one of the people that was interviewed by ESET last year.

7 minutes ago, Cousin Vinny said:

Now that it's been a few days I just wanted to reiterate - this is a major oversight and I do not like how I've lost such a great deal of insight into my network due to the constant reporting of blocked websites.

Unfortunately it is not clear what the issue is. With Web Control, you can define the severity of logged records. Only "informative", "warning" and "critical" records are relayed to the ESMC server and it's nothing new in ESMC 7.1 or 7.0.

While attempts to access a blocked website by web access protection now appear in the Detection panel, they can be filtered out using a filter.

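Since the Computers section has no category filter, the workaround an admin has in the meantime is to do the split outside the console. The script below is an added example for this thread, not code from ESET or from any poster: it runs over a constructed detection export (the CSV layout, column names, host names and detection names are all assumed for illustration and are not ESMC's real export format) and computes per-computer detection counts both with and without the "Web protection" and "Web control" categories, plus the subset that actually needs follow-up.

```python
"""Count detections per computer with and without web-protection events.

Added example for this thread; the CSV layout, column names, host names and
detection names below are constructed for illustration and are not ESMC's
real export format.
"""
import csv
import io
from collections import Counter

# Constructed sample rows modelled on the thread: blocked URLs from web access
# protection and from Web Control rules sit next to real file detections.
SAMPLE_CSV = """computer,category,severity,name,action
WS-01,Web protection,Warning,http://malware.example/payload.exe,Connection blocked
WS-01,Web protection,Warning,http://pua.example/toolbar.exe,Connection blocked
WS-02,Antivirus,Critical,Win32/Agent.ABC,Cleaned by deleting
WS-02,Web control,Warning,http://social.example/,Blocked by rule
WS-03,Web protection,Warning,http://malware.example/stage2.js,Connection blocked
WS-03,Antivirus,Critical,JS/Downloader.XYZ,Unable to clean
"""

# Categories whose records mean "access was blocked" and need no follow-up
# (assumed category labels, see lead-in).
NOISE_CATEGORIES = frozenset({"Web protection", "Web control"})


def parse_detections(text: str) -> list[dict]:
    """Parse the CSV export text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def count_per_computer(rows, exclude=NOISE_CATEGORIES) -> dict:
    """Detections per computer, skipping rows whose category is in `exclude`.

    With exclude=frozenset() this reproduces the raw count the Computers
    section shows after the update; with the default it gives the count an
    admin wants when looking for an infected host.
    """
    counts = Counter(r["computer"] for r in rows if r["category"] not in exclude)
    return dict(counts)


def needs_attention(rows) -> list[dict]:
    """Rows that are neither a blocked connection nor reported as cleaned."""
    return [
        r for r in rows
        if r["category"] not in NOISE_CATEGORIES
        and not r["action"].startswith("Cleaned")
    ]


if __name__ == "__main__":
    rows = parse_detections(SAMPLE_CSV)
    print("raw   :", count_per_computer(rows, exclude=frozenset()))
    print("useful:", count_per_computer(rows))
    for r in needs_attention(rows):
        print("follow up:", r["computer"], r["name"], r["action"])
```

The two counts make the complaint in this thread concrete: with web blocks included every host in the sample shows the same number of detections, while the filtered count leaves only the hosts with a file detection, and `needs_attention` narrows that further to the one that was not cleaned.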

The issue is the Detections column in the Computers section reporting on blocked websites, which began after the most recent upgrade, not the Detections section as indicated in your original reply to me. The change caught me off guard because when I was interviewed, a portion had to do with what screen administrators have open most often. For me, it's the Computers section, which now constantly looks like an outbreak since there is no way to filter by detection category.

1 hour ago, Marcos said:

Unfortunately it is not clear what the issue is. With Web Control, you can define the severity of logged records. Only "informative", "warning" and "critical" records are relayed to the ESMC server and it's nothing new in ESMC 7.1 or 7.0.

While attempts to access a blocked website by web access protection now appear in the Detection panel, they can be filtered out using a filter.

I've had my Web control rules logging level set to "warning" for a couple of months already, but they began to appear in detections only after the last ESMC update.
