durimrkva

ESMC threats guidance
Hi. I am a newbie here with ESMC and Eset. I have eset installed on MS Exchange and lately I have been getting messages about incoming attack. My question is, what do I do when it has been detected. What do you recommend as a general practice? The messages I have been getting are attached in screenshots. Thank you in advance for any guidance. 


Screen Shot 2020-03-23 at 2.09.33 PM.png

Screen Shot 2020-03-23 at 2.17.20 PM.png


The two screen shots are unrelated. While the upper one shows bruteforce attacks against the server which were blocked, the other screen shot shows a threat detection in an email scanned by ESET for MS Exchange.

I'd recommend putting the Exchange server behind a firewall and creating rules so that only the desired communication is allowed and bruteforce attacks are blocked by the firewall.


Thank you for the advice. The Exchange is behind a firewall, Zywall. The attacks happen on ports essential for Exchange traffic: 25, 80, 443.

As far as the email scanner goes... is it just an informative message that ESET is doing its job? Do I do anything with that?

6 minutes ago, durimrkva said:

> Thank you for the advice. The Exchange is behind a firewall, Zywall. The attacks happen on ports essential for Exchange traffic: 25, 80, 443.
>
> As far as the email scanner goes... is it just an informative message that ESET is doing its job? Do I do anything with that?

As per the screenshots, the second one says that the email has been filtered and the threat removed, so you don't need to take any action.

And for the ports, if you can't filter them out then you need to do something else, like hardening the server so intruders won't get in somehow someday: a very good password, keeping the server updated for vulnerabilities, etc.

I believe there are some hardening guides for Exchange in Google that could help with this situation.


You can block the IP addresses from which the attack attempts originated on the firewall, however, there can be further attack attempts from other IP addresses in the future. ESET will continue to block these attempts, however, if there are too many of them the network protection log may grow quickly.


That's what I attempted to do, but didn't find a reasonable way to keep adding these IP addresses into a group on Zywall that would have an automatic rule to block connection. I need to look into the Zywall manual.

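As an added example (not from this thread, and not ESET's or Zyxel's code): a small Python script that reads a log export of blocked attempts, counts attempts per source IP inside a sliding time window, and proposes only persistently repeating sources for a firewall block group, skipping addresses already in it. The "time;event;source;target" line layout and the sample entries are constructed for this example and are an assumption, not ESET's real network protection log format; adjust the regex to your export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines. The layout below is an assumption for this example,
# not ESET's actual network protection log export format.
SAMPLE_LOG = """\
2020-03-23 14:05:11;Brute-force attack attempt blocked;203.0.113.7:51022;10.0.0.5:443
2020-03-23 14:05:13;Brute-force attack attempt blocked;203.0.113.7:51023;10.0.0.5:443
2020-03-23 14:05:15;Brute-force attack attempt blocked;203.0.113.7:51024;10.0.0.5:443
2020-03-23 14:05:40;Brute-force attack attempt blocked;198.51.100.12:40001;10.0.0.5:25
2020-03-23 14:06:02;Brute-force attack attempt blocked;203.0.113.7:51025;10.0.0.5:80
2020-03-23 14:09:30;Brute-force attack attempt blocked;192.0.2.44:33000;10.0.0.5:25
2020-03-23 14:20:00;Brute-force attack attempt blocked;192.0.2.44:33001;10.0.0.5:25
2020-03-23 14:21:00;Brute-force attack attempt blocked;192.0.2.44:33002;10.0.0.5:25
2020-03-23 14:22:00;Brute-force attack attempt blocked;192.0.2.44:33003;10.0.0.5:25
"""

LINE_RE = re.compile(r"^(?P<ts>[\d-]+ [\d:]+);(?P<event>[^;]+);"
                     r"(?P<src>[\d.]+):\d+;(?P<dst>[\d.]+):(?P<port>\d+)$")

def parse_log(text):
    """Return (timestamp, source_ip, destination_port) for each blocked-attempt line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and "blocked" in m.group("event").lower():
            entries.append((datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                            m.group("src"), int(m.group("port"))))
    return entries

def block_candidates(entries, threshold=3, window=timedelta(minutes=5), already_blocked=()):
    """Sources with >= threshold blocked attempts inside any sliding window,
    excluding addresses already present in the firewall block group."""
    by_src = defaultdict(list)
    for ts, src, _port in entries:
        by_src[src].append(ts)
    hits = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                hits.add(src)
                break
    return sorted(src for src in hits if src not in set(already_blocked))

if __name__ == "__main__":
    print(block_candidates(parse_log(SAMPLE_LOG)))
```

Single-shot sources such as 198.51.100.12 are left out on purpose: blocking every address that ever appears bloats the group while, as noted above, further attempts keep arriving from new addresses anyway.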
