InfosecAtom, Posted April 27, 2020

I am getting these alerts from our vulnerability scanner in ESMC, despite having created an IDS exception policy to not alert or log on scans from the vulnerability scanner. Am I supposed to be creating the exception elsewhere to avoid all endpoints filling my detections log with all these events?
Marcos (Administrators), Posted April 27, 2020

Is the vulnerability CVE-2008-4250 actually patched on the machine? Please provide ELC logs from the machine that reported the attack.
InfosecAtom (Author, Solution), Posted May 6, 2020 (edited)

On 4/27/2020 at 3:16 PM, Marcos said: Is the vulnerability CVE-2008-4250 actually patched on the machine? Please provide ESET Log Collector logs from the machine that reported the attack.

It was a Windows 10 endpoint, so it would not be vulnerable. It was flagging only on the attempt. I figured out what the issue was: I falsely believed that the program name was supposed to be an IDS exception rule name. Removing all input from the program name field resolved my issue.

Edited May 6, 2020 by InfosecAtom
Marcos (Administrators), Posted May 6, 2020

I would not create any exclusions for these detections. The source machine may be running malicious code even if both machines were patched against the exploited vulnerability.