Cousin Vinny, posted November 14, 2019: How do I stop web protection from generating detections in ESMC? Every URL that gets blocked is now adding to the detections number and it's like the boy who cried wolf. Super annoying.
Marcos (Administrator), posted November 14, 2019: Currently it's only possible to use the Detection category filter without adding "Web protection". This will be subject to further internal discussion since we understand it might generate too many reports.
Jenova, posted November 17, 2019: It is indeed annoying and not something to worry about, just an informational thing. It doesn't look suitable for the "threat/detection" term - if you've got an event there, it means the access was definitely blocked (not like file scanning, for example: found a threat - was it cleaned? removed? just detected? Such events require attention). It would be much better to move it to the reports section (the Web control category is missing at the moment) and create a default dashboard item "Web control detections" with web control logs (which I have done myself manually). If you need it to be part of Detections, please make it an optional category, not the default.
Marcos (Administrator), posted November 17, 2019: What we'll do is consider automatic resolution of blocked attempts to access a blacklisted website. It's unrelated to Web Control, which is disabled by default; it's Web access protection which blocks access to sites known to host malware or PUAs.
Jenova, posted November 18, 2019: I have several rules blocking specific URL groups (which were created manually) in the Web Control settings, and user attempts to open those URLs also generate detections after the last ESMC update.
Marcos (Administrator), posted November 18, 2019: In order for the application of Web rules to be reported to the ESMC Server, it is necessary to set the appropriate severity for each rule. By default they are not reported to ESMC.
Jenova, posted November 18, 2019: And what exactly does "appropriate severity" mean in this situation? Logging level is set to "warning" for those rules.
Marcos (Administrator), posted November 18, 2019: By default logging severity is set to "Always". In this case, when a rule is applied it's logged locally on the client but the record is not reported to the ESMC server. Changing the severity to Diagnostic, Warning or Information will cause the record to be reported to the ESMC server with the specified severity.
Cousin Vinny (author), posted November 19, 2019: Now that it's been a few days I just wanted to reiterate - this is a major oversight and I do not like how I've lost such a great deal of insight into my network due to the constant reporting of blocked websites. This feels like I've essentially lost one of the tools I use to monitor for infections and outbreaks, since it's constantly accumulating web blocker detections that are completely useless to me and are reported at the same level as an actual detection that I would care about. This really sucks, and I was one of the people that was interviewed by ESET last year.
Marcos (Administrator), posted November 19, 2019: Quoting Cousin Vinny (7 minutes earlier): "Now that it's been a few days I just wanted to reiterate - this is a major oversight and I do not like how I've lost such a great deal of insight into my network due to the constant reporting of blocked websites." Unfortunately it is not clear what the issue is. With Web Control, you can define the severity of logged records. Only "informative", "warning" and "critical" records are relayed to the ESMC server and it's nothing new in ESMC 7.1 or 7.0. While attempts to access a blocked website by web access protection now appear in the Detection panel, they can be filtered out using a filter.
Cousin Vinny (author), posted November 19, 2019: The issue is the Detections column in the Computers section reporting on blocked websites, which began after the most recent upgrade. Not the Detections section as indicated in your original reply to me. The change caught me off guard because when I was interviewed, a portion had to do with which screen administrators have open most often. For me, it's the Computers section, which now constantly looks like an outbreak since there is no way to filter by detection category.
Jenova, posted November 19, 2019: Quoting Marcos (1 hour earlier): "Unfortunately it is not clear what the issue is. With Web Control, you can define the severity of logged records. Only "informative", "warning" and "critical" records are relayed to the ESMC server and it's nothing new in ESMC 7.1 or 7.0. While attempts to access a blocked website by web access protection now appear in the Detection panel, they can be filtered out using a filter." I've had my Web control rules' logging level set to "warning" for a couple of months already, but they began to appear in detections only after the last ESMC update.