karsayor, posted July 14, 2020: Hello. I noticed that some servers report that a CVE has been blocked, and others that it was allowed. What does it exactly mean, and why does it block on some servers and not on others? If someone could tell me how this works, that would be nice. Thanks.
Marcos (Administrator), posted July 14, 2020: Security vulnerability detections are blocked unless you have an IDS exception created. Please check IDS exceptions on the machine where the action was allowed.
karsayor (author), posted July 14, 2020: OK, indeed you are correct, it's about an exception I did not make... Thanks!
karsayor (author), posted July 30, 2020: Is there anything we can do to exclude the detection of these? As soon as I have confirmed the server is not vulnerable to CVE-2015-1635, it should be possible to exclude detection of this event, but "Create Exclusion" is greyed out for these detections.
itman, posted July 30, 2020 (edited): Eset IDS exceptions are created per workstation as follows: https://support.eset.com/en/kb7052-create-ids-exclusions-on-client-workstations-in-your-eset-endpoint-product-6x For ESET Security Management Center, refer to this to create IDS exclusions for client workstations: https://support.eset.com/en/kb7054-create-ids-exclusions-for-client-workstations-in-eset-security-management-center-7x For Eset Remote Administrator, refer to this: https://support.eset.com/en/kb6624-create-ids-exclusions-in-eset-remote-administrator-6x Edited July 30, 2020 by itman
karsayor (author), posted July 31, 2020: OK, thanks, I was looking in the wrong place. What's the difference between Notify and Log in the Action section? I want to remove alerts for CVE-2015-1635 from ESMC because the server is not vulnerable and they are blocked, so I don't need them to appear but still want them blocked.
Marcos (Administrator), posted July 31, 2020: Change Log to No and that's all. However, rather than creating exceptions, I'd suggest putting the machine behind a firewall and allowing only the desired communication on the firewall. Otherwise the server will keep being attacked, and one day attackers may succeed and get into your network.
karsayor (author), posted July 31, 2020: That's what we did; it's an IIS server that has to be online on the internet (443), but it sometimes detects those attacks, which it's not vulnerable to. It's good that ESET blocks those attacks, but if the server is not vulnerable to them, I don't need them to appear.