dpa

Detections not producing notifications

Hi there,

For quite some time now we have been having the issue of Detections not being delivered through email. 

Strangely, though, the EICAR test file DOES produce a notification, however if I use the amtso.org site, the phishing test will produce a Detection, however that detection does not send out the desired alert. To put it mildly, it is slowly driving me mad and our business is considering moving to a different product if we can't resolve this seemingly simple problem. 

As a last resort, I thought I would post the issue up on the forum as another set of eyes may be able to shed some light as to whether something is set incorrectly.

Given we are receiving alerts when testing with the EICAR file, there is nothing wrong with the SMTP relay.

Happy to provide whatever information is necessary to ideally diagnose and resolve this.

 

Thanks in advance, DPA

 

 

1 hour ago, Marcos said:

Do you mean that you don't get any alert when you open (...)

Do you have SSL filtering enabled?

 

 

No, he doesn't mean that!

dpa said:

"if I use the amtso.org site, the phishing test will produce a Detection, however that detection does not send out the desired alert."

So ESET will produce a detection but doesn't send it out by email.


Marcos

Local is correct

Detection shows up in the ESMC but no notification over email.

Recently I discovered that by mounting a Kali .iso image to my machine and running an "On-Demand Scan", the scanner would create close to 500 detections; see screenshot for a sample of the output.

None of these Detections created a notification despite the fact that I have an active notification which is designed to notify me when anti-virus detects these threats.

I have also attached the Notification settings I am using.

DPA

detections_no_alerts.PNG

av_config.PNG

Edited by dpa


Just to be clear, you are using ESMC notification mechanisms for this purpose? Asking because endpoints can also be configured to send notifications.

In case the issue seems to be in ESMC, please verify the SMTP configuration is still correct by sending a test email from the ESMC configuration, or possibly try to send a report to the same email address. Or is only this specific notification not working?


Just to make sure we are on the same page and to better understand your needs, do you expect a notification to be sent:
a) when access to a web page has been blocked (your first post)?
b) when threats were detected during an on-demand scan (your last post)?


Ok guys

Martin - SMTP works fine. As disclosed in the original post we receive some notifications. For example we have a daily report scheduled; we receive this on email. The relay is not the problem.

Marcos - I want a notification whenever ESET creates a detection. We are relying on ESET as an a/v solution for our managed clients. If these notifications aren’t reliable, what happens when a client has an employee that triggers a phishing email but we don’t get “notified” of this? I would expect that the notification capability is designed to keep us updated of what/any activity ESET is doing. We don’t care so much about volume; fact is we are only seeing 1-2 detections on average per day at best. But if it’s a ransomware then I need to know what’s going on.

As disclosed, I run EICAR, I get notified. Anything else, no notification.

On 6/18/2020 at 2:20 AM, dpa said:

For quite some time now we have been having the issue of Detections not being delivered through email. 

Strangely, though, the EICAR test file DOES produce a notification, however if I use the amtso.org site, the phishing test will produce a Detection, however that detection does not send out the desired alert.

I am confused by what is posted in this thread.

As far as ESET Endpoint sending detection e-mail for web based detections, I don't know if that feature even exists?

-EDIT- Yes it does. Either at Endpoint or ESMC level: https://support.eset.com/en/kb7247-configure-eset-endpoint-products-to-send-automated-detection-notifications-7x

Edited by itman


itman

Thanks for the reference - spent a good deal of time yesterday implementing a Policy-based approach to this problem.

Not only did the policy kick off a stack of notifications about failed pico updates but it didn't notify me when detections were raised.

Today, I have had success with Anti-Virus notifications. I seem to be receiving them from the real-time scanner - I will test the on-demand scanner a little later.

However, I do not get the notifications from the detections regarding blocked connections to URLs (see attached).

Our business wants these notifications - we could possibly look at delivering Syslog into Slack but that's a last resort - the preference is to have them delivered to our support team over email.

The scanner that blocks URLs is the http filter - I have attached the settings I have for this notification. Again, the detection is not producing the required notification/alert.

Would like to get some clarity here as I have spent so much time trying to get these notifications delivered to us for ALL detections.

blocked_url.PNG

http_filter.PNG

16 hours ago, dpa said:

The scanner that blocks URLs is the http filter - I have attached the settings I have for this notification. Again, the detection is not producing the required notification/alert.

The question is if ESMC has a predefined Notification for phishing detection? If not, it appears you will have to create a custom one for it.


itman

Again, thanks for the response.

So I have completely disabled the "Notifications" and have instead created an endpoint policy.

Same problem, though, I am unable to receive email notifications for "blocked by anti-phishing blacklist" warnings.

I have noticed that if I get a Desktop Notification, I will also receive the email notification although I don't think it's necessarily supposed to function that way - I just find it interesting that I don't receive the "blocked by anti-phishing blacklist" on the desktop either.

Almost there by the looks of it, just need to resolve this issue.

Thanks, DPA
