RichardW, posted May 3, 2022:

Hi,

Currently we have ESET Server Security set up on multiple servers within a PCI environment. As part of the setup we're using ESET Management Agent / Web UI and Apache Proxy to handle the updates, so that the ESET client on each box connects to the Apache Proxy (that ESET installs) to do the updates to the outside world.

One thing we've noticed is that if we block port 80 (which is an unsecure port) to the outside world, this seems to interfere with ESET updates. Do you know if there's a way to avoid this while at the same time avoiding the use of port 80 for access to the internet (just 443 for HTTPS)?

Many thanks

Marcos (Administrators), posted May 3, 2022:

Do you use Apache HTTP proxy with default settings? Asking because only access to ESET's servers is permitted by default and connections on port 80 are safe, meaning it's not possible to trick ESET products into downloading and installing compromised modules.

If you must download update files via https, due to a strict company policy for instance, you can use a custom update server with the path: https://update.eset.com/eset_upd/ep9

Sec-C, posted May 4, 2022:

15 hours ago, RichardW said: "Do you know if there's a way to avoid this while at the same time avoiding the use of port 80 for access to the internet (just 443 for HTTPS)"

Short answer: No, there is no way.

Long answer: ESET updates are digitally signed. This is how ESET verifies the integrity of downloaded files, even when they are transferred over an insecure connection. So in this specific scenario, there is no additional risk in using unencrypted http.

The benefit of downloading updates over an unencrypted connection is caching on your Apache proxy. In an end-to-end encrypted download (https) the proxy would not be able to cache any of the downloaded updates, since it sees only garbled ciphertext. It can only cache files from unencrypted connections. Blocking these unencrypted connections would defeat the whole point of using a caching proxy.

RichardW, posted May 10, 2022:

The 2nd message is actually what I was looking for, if it works.

Our use of the Apache Proxy isn't really for caching; instead it's for making sure machines within a L1 environment don't have direct access to the internet, since the environment is PCI-based and makes using port 80 very difficult.

RichardW, posted May 10, 2022:

On 5/3/2022 at 5:12 PM, Marcos said: "Do you use Apache HTTP proxy with default settings? Asking because only access to ESET's servers is permitted by default and connections on port 80 are safe, meaning it's not possible to trick ESET products into downloading and installing compromised modules. If you must download update files via https, due to a strict company policy for instance, you can use a custom update server with the path: https://update.eset.com/eset_upd/ep9"

Ok, so this nearly works, although that URL is asking for a username and password. This currently prevents ESET from downloading module updates from that URL. Is there a specific thing I should be using for the username / password for that URL?

Marcos (Administrators), posted May 10, 2022:

Activated clients authenticate with a username and password against the update servers.

RichardW, posted May 10, 2022 (edited May 10, 2022 by RichardW):

From the looks of things, if you try and set the Update URL manually to a https link by turning "Choose Automatically" here, then it also requires manual input of the username / password.

It mentions it here - Modules Update | ESET PROTECT | ESET Online Help

I've been able to determine my username / EAV-number using Ctrl-U on the ESET window, but since the licence is activated online I'm not sure how to get the password to use, unless I have to do an offline activation or something.

Tried having a look on the ESET Business Account site where the licences are listed, but I couldn't see anything there.

RichardW, posted May 10, 2022:

Ok, found it.

Inside the Business Account Login:
Licences -> Select Licence (show details) -> Products -> Select Product
Select Download Legacy Licence File, and it shows up there.

Marcos (Administrators), posted May 10, 2022:

I've discussed this with developers and we've agreed on using credentials received during activation for updates from update.eset.com even when server auto-selection is disabled. That said, you will not need to enter a U/P in future versions if updating via https.

RichardW, posted May 11, 2022:

Thanks very much for looking into this with the developers.

I admit the use case is kind of unusual in that I'm not using Apache for caching. But unfortunately the PCI auditors tend to be quite strict over what is allowed when it comes to non-SSL ports. Typically, allowing port 80 requires a lot of paperwork, which is part of the reason, even though the proxy limits access to certain hosts and the updates are signed.
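
For anyone reproducing this setup, an added example (not part of the thread and not ESET's code): a Python check over the forward proxy's access log that confirms clients reach update.eset.com only through CONNECT tunnels on port 443 once the https update URL is in use. It assumes the proxy writes Apache's common/combined log format and that the allowlist holds just the host named above; the sample log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: the only destination this proxy should reach (host named in the thread).
ALLOWED_HOSTS = {"update.eset.com"}

LINE_RE = re.compile(  # client, request line and status of a common/combined log line
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')

def classify(line):
    """Return (client, host, port, status, verdict), or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        if m["method"] == "CONNECT":   # TLS tunnel: the target is host:port
            host, _, port = m["target"].rpartition(":")
            port, tunnel = int(port), True
        else:                          # absolute-URI request, relayed in the clear
            url = urlsplit(m["target"])
            host, port, tunnel = url.hostname or "", url.port or 80, False
    except ValueError:                 # missing or malformed port
        return None
    host = host.lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        verdict = "host-not-allowed"
    elif not tunnel:
        verdict = "plaintext-http"
    elif port != 443:
        verdict = "unexpected-port"
    else:
        verdict = "ok-tls-443"
    return m["client"], host, port, int(m["status"]), verdict

def audit(lines):
    """Count verdicts for requests the proxy did not refuse (status below 400)."""
    served = (c for c in map(classify, lines) if c and c[3] < 400)
    return Counter(c[4] for c in served)

SAMPLE = [  # constructed log lines, not taken from the thread
    '10.0.0.11 - - [10/May/2022:09:00:01 +0000] "CONNECT update.eset.com:443 HTTP/1.1" 200 5120',
    '10.0.0.12 - - [10/May/2022:09:00:07 +0000] "GET http://update.eset.com/eset_upd/ep9/ HTTP/1.1" 200 1024',
    '10.0.0.13 - - [10/May/2022:09:01:30 +0000] "CONNECT example.org:443 HTTP/1.1" 403 199',
    '10.0.0.13 - - [10/May/2022:09:01:31 +0000] "CONNECT update.eset.com:8443 HTTP/1.1" 200 0',
]
if __name__ == "__main__":
    print(dict(audit(SAMPLE)))
```

Any served request counted under a verdict other than `ok-tls-443` identifies a client still configured for the port 80 path or a proxy rule wider than intended.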