
Question over Eset Updates via proxy and Port 80



Hi,
Currently we have ESET Server Security set up on multiple servers within a PCI environment.
As part of the setup we're using ESET Management Agent / Web UI and Apache Proxy to handle the updates, so that the ESET client on each box connects to the Apache Proxy (that ESET installs) to do the updates to the outside world.

One thing we've noticed is that if we block port 80 (which is an unsecure port) to the outside world, this seems to interfere with ESET updates.
Do you know if there's a way to avoid this while at the same time avoiding the use of port 80 for access to the internet (just 443 for HTTPS)?

Many Thanks
 


  • Administrators

Do you use Apache HTTP proxy with default settings? Asking cause only access to ESET's servers is permitted by default and connections on port 80 are safe, meaning it's not possible to trick ESET products to download and install compromised modules.

If you must download update files via https due to a strict company policy for instance, you can use a custom update server with the path:
https://update.eset.com/eset_upd/ep9


15 hours ago, RichardW said:

Do you know if there's a way to avoid this while at the same time avoiding the use of port 80 for access to the internet (just 443 for HTTPS)?

Short answer: No, there is no way.

Long answer:

Eset Updates are digitally signed. This is how Eset verifies the integrity of downloaded files, even when they are transferred over an insecure connection. So in this specific scenario, there is no additional risk in using unencrypted http.

The benefit of downloading updates over an unencrypted connection is caching on your Apache proxy. In an end-to-end encrypted download (https) the proxy would not be able to cache any of the downloaded updates, since it sees only garbled ciphertext. It can only cache files from unencrypted connections. Blocking these unencrypted connections would defeat the whole point of using a caching proxy.


The 2nd message is actually what I was looking for if it works.

Our use of the Apache Proxy isn't really for caching; instead it's for making sure machines within an L1 environment don't have direct access to the internet, since the environment is PCI based, which makes using port 80 very difficult.


On 5/3/2022 at 5:12 PM, Marcos said:

Do you use Apache HTTP proxy with default settings? Asking cause only access to ESET's servers is permitted by default and connections on port 80 are safe, meaning it's not possible to trick ESET products to download and install compromised modules.

If you must download update files via https due to a strict company policy for instance, you can use a custom update server with the path:
https://update.eset.com/eset_upd/ep9

Ok so this nearly works, although that URL is asking for a username and password.
This currently prevents ESET from downloading module updates from that URL.
Is there a specific thing I should be using for the username / password for that URL?


From the looks of things, if you try and set the Update URL manually to an https link by turning "Choose Automatically" here,
then it also requires manual input of the username / password.

It mentions it here - Modules Update | ESET PROTECT | ESET Online Help


I've been able to determine my username / EAV-number using Ctrl-U on the ESET window.
But since the licence is activated online I'm not sure how to get the password to use.

Unless I have to do an offline activation or something.

Tried having a look on the ESET Business Account site where the licences are listed but I couldn't see anything there.


Ok found it

Inside the Business Account Login
Licences -> Select Licence (show details) -> Products -> Select Product
Select Download Legacy Licence File

and it shows up there


  • Administrators

I've discussed this with developers and we've agreed on using credentials received during activation for updates from update.eset.com even when server auto-selection is disabled. That said, you will not need to enter a U/P in future versions if updating via https.


Thanks very much for looking into this with the developers. I admit the use case is kind of unusual in that I'm not using Apache for caching. But unfortunately the PCI auditors tend to be quite strict over what is allowed when it comes to non-SSL ports.
Part of the reason is that allowing port 80 typically requires a lot of paperwork, even though the proxy limits access to certain hosts and the updates are signed.


This topic is now closed to further replies.
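
An added example, not part of the thread and not ESET code: a Python audit of the forward proxy's access log that lists every request other than a CONNECT to an allowed host on port 443, which is what remains to be checked once port 80 is closed and updates go to the https URL. It assumes the proxy writes Apache's Common Log Format; the allow list contains only the host named in the thread, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only upstream host named in the thread; extend to match your proxy's allow list.
ALLOWED_HOSTS = {"update.eset.com"}

# Apache Common Log Format: client ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def target_of(method, target):
    """Return (host, port); CONNECT logs 'host:port', other methods log an absolute URL."""
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return host.lower(), int(port) if port.isdigit() else None
    try:
        parts = urlsplit(target)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:  # malformed port or bracketed host in the URL
        return "", None
    return (parts.hostname or "").lower(), port

def audit(lines):
    """Return (client, host, port, reason, forwarded) for every request outside the policy."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            findings.append((None, None, None, "unparsed", None))
            continue
        client, method, target, status = m.groups()
        host, port = target_of(method, target)
        if host not in ALLOWED_HOSTS:
            reason = "host-not-allowed"
        elif method != "CONNECT" or port != 443:
            reason = "not-tls-443"
        else:
            continue  # CONNECT to an allowed host on 443: within policy
        # A 2xx/3xx status means the proxy forwarded the request; 403 means it refused it.
        findings.append((client, host, port, reason, status[0] in "23"))
    return findings

# Constructed sample lines (not taken from a real proxy).
SAMPLE_LOG = [
    '10.0.1.21 - - [03/May/2022:17:12:01 +0000] "CONNECT update.eset.com:443 HTTP/1.1" 200 5120',
    '10.0.1.22 - - [03/May/2022:17:12:05 +0000] "GET http://update.eset.com/eset_upd/ep9/ HTTP/1.1" 200 812',
    '10.0.1.23 - - [03/May/2022:17:13:40 +0000] "CONNECT example.org:443 HTTP/1.1" 403 199',
]
```

Calling `audit(SAMPLE_LOG)` reports the plain-HTTP request as forwarded and the CONNECT to the unlisted host as refused; a finding with `forwarded` set to true is the case that needs follow-up.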