karsayor

Security vulnerability exploitation actions


Hello

I noticed that some servers report that a CVE has been blocked, while some others report it as allowed. What exactly does it mean, and why is it blocked on some servers and not on others?

If someone could tell me how this works? :) Would be nice.

Thanks


Security vulnerability detections are blocked unless you have an IDS exception created. Please check IDS exceptions on the machine where the action was allowed.


OK, indeed you are correct, that's about an exception I did not make...

Thanks!


Is there anything we can do to exclude the detection of these? As soon as I have confirmed the server is not vulnerable to CVE-2015-1635, it should be possible to exclude detection of this event, but the "Create Exclusion" option is greyed out for these detections.


ESET IDS exceptions are created per workstation as follows: https://support.eset.com/en/kb7052-create-ids-exclusions-on-client-workstations-in-your-eset-endpoint-product-6x

For ESET Security Management Center, refer to this to create IDS exclusions for client workstations: https://support.eset.com/en/kb7054-create-ids-exclusions-for-client-workstations-in-eset-security-management-center-7x

For ESET Remote Administrator, refer to this: https://support.eset.com/en/kb6624-create-ids-exclusions-in-eset-remote-administrator-6x

Edited by itman


OK thanks, I was looking at the wrong place. What's the difference between Notify and Log in the Action section?

I want to remove alerts of CVE-2015-1635 from ESMC because the server is not vulnerable and they are blocked so I don't need them to appear but still have them blocked.


Change Log to No and that's all. However, rather than creating exceptions, I'd suggest putting the machine behind a firewall and allowing only the desired communication on the firewall. Otherwise the server will keep being attacked, and one day attackers may succeed and get into your network.


That's what we did. It's an IIS server that has to be online on the internet (443), but it sometimes detects those attacks, which it's not vulnerable to. It's good that ESET blocks those attacks, but if the server is not vulnerable to them, I don't need them to appear.
