
ESMC threats guidance



Hi. I am a newbie here with ESMC and ESET. I have ESET installed on MS Exchange and lately I have been getting messages about an incoming attack. My question is, what do I do when it has been detected? What do you recommend as a general practice? The messages I have been getting are attached as screenshots. Thank you in advance for any guidance.

Screen Shot 2020-03-23 at 2.09.33 PM.png

Screen Shot 2020-03-23 at 2.17.20 PM.png


  • Administrators

The two screenshots are unrelated. While the upper one shows brute-force attacks against the server which were blocked, the other screenshot shows a threat detection in an email scanned by ESET for MS Exchange.

I'd recommend putting the Exchange server behind a firewall and creating rules so that only the desired communication is allowed and brute-force attacks are blocked by the firewall.


Thank you for the advice. The Exchange server is behind a firewall, a ZyWALL. The attacks happen on ports essential for Exchange traffic: 25, 80 and 443.

As far as the email scanner goes, is it just an informative message that ESET is doing its job? Do I do anything with that?


  • Most Valued Members
6 minutes ago, durimrkva said:

Thank you for the advice. The Exchange server is behind a firewall, a ZyWALL. The attacks happen on ports essential for Exchange traffic: 25, 80 and 443.

As far as the email scanner goes, is it just an informative message that ESET is doing its job? Do I do anything with that?

As per the screenshots, the second one says that the email has been filtered and the threat removed, so you don't need to take any action.

And for the ports, if you can't filter them out then you need to do something else, like hardening the server so intruders won't get in somehow someday: a very good password, keeping the server updated for vulnerabilities, etc.

I believe there are some hardening guides for Exchange in Google that could help with this situation.


  • Administrators

You can block the IP addresses from which the attack attempts originated on the firewall; however, there can be further attack attempts from other IP addresses in the future. ESET will continue to block these attempts, but if there are too many of them the network protection log may grow quickly.


That's what I attempted to do, but didn't find a reasonable way to keep adding these IP addresses into a group on the ZyWALL that would have an automatic rule to block the connection. I need to look into the ZyWALL manual.
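An added example, not from this thread or from ESET, of the automation asked about above: it aggregates exported network protection log entries into a list of external sources that keep retrying, so a single blocked probe never lands in a permanent firewall address group. The column names and sample rows are constructed assumptions, not ESET's real export format, and the ZyWALL import step itself is not shown.

```python
import csv
import ipaddress
from datetime import datetime, timedelta

# Constructed sample of an exported network protection log. The column
# names and row layout are an assumption, not ESET's actual export format.
SAMPLE_LOG = """time,source,target,rule
2020-03-23 14:01:10,203.0.113.10:51234,10.0.0.5:25,Brute-force attack (SMTP)
2020-03-23 14:01:12,203.0.113.10:51235,10.0.0.5:25,Brute-force attack (SMTP)
2020-03-23 14:02:40,203.0.113.10:51240,10.0.0.5:443,Brute-force attack (HTTPS)
2020-03-23 14:05:00,198.51.100.7:40000,10.0.0.5:443,Brute-force attack (HTTPS)
2020-03-23 14:09:00,10.0.0.20:50000,10.0.0.5:443,Brute-force attack (HTTPS)
2020-03-23 14:30:00,192.0.2.55:1025,10.0.0.5:80,Brute-force attack (HTTP)
2020-03-23 14:31:00,192.0.2.55:1026,10.0.0.5:80,Brute-force attack (HTTP)
2020-03-23 14:32:00,192.0.2.55:1027,10.0.0.5:80,Brute-force attack (HTTP)
"""

def parse_events(text):
    """Yield (timestamp, source IP) for each brute-force row (IPv4 'ip:port')."""
    for row in csv.DictReader(text.splitlines()):
        if "Brute-force" not in row["rule"]:
            continue
        ts = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        yield ts, ipaddress.ip_address(row["source"].rsplit(":", 1)[0])

def build_blocklist(text, threshold=3, window=timedelta(minutes=10),
                    exclude=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
    """Return sorted source IPs that produced at least `threshold` blocked
    attempts within any `window`. Internal ranges are skipped so a
    misconfigured LAN host can never be pushed into the firewall block group."""
    excluded = [ipaddress.ip_network(n) for n in exclude]
    hits = {}
    for ts, ip in parse_events(text):
        if any(ip in net for net in excluded):
            continue
        hits.setdefault(ip, []).append(ts)
    blocked = []
    for ip, times in hits.items():
        times.sort()
        # Sliding window: hit i and hit i+threshold-1 must fall within `window`.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                blocked.append(str(ip))
                break
    return sorted(blocked)

if __name__ == "__main__":
    print("\n".join(build_blocklist(SAMPLE_LOG)))
```

The output is one address per line, which is the form most firewall address-group objects accept; raising `threshold` or shrinking `window` makes the list more conservative.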
