Jump to content

Question over Eset Updates via proxy and Port 80


Recommended Posts

Hi,
Currently we have ESET Server Security Setup on multiple servers within a PCI Environment
As part of the Setup we're using ESET Management Agent / Web UI and Apache Proxy to handle the updates
So that the Eset client on each box connects to the Apache Proxy (that eset installs) to do the updates to the outside world.

One thing we've noticed is that if we block port 80 (which is an unsecure port) to the outside world
This seems to interfere with Eset updates.
Do you know if there's a way to avoid this while at the same time avoiding the use of port 80 for access to the internet (just 443 for Https)

Many Thanks
 

Link to comment
Share on other sites

  • Administrators

Do you use Apache HTTP proxy with default settings? Asking cause only access to ESET's servers is permitted by default and connections on port 80 are safe, meaning it's not possible to trick ESET products to download and install compromised modules.

If you must download update files via https due to a strict company policy for instance, you can use a custom update server with the path:
https://update.eset.com/eset_upd/ep9

Link to comment
Share on other sites

15 hours ago, RichardW said:

Do you know if there's a way to avoid this while at the same time avoiding the use of port 80 for access to the internet (just 443 for Https)

Short answer: No, there is no way.

Lang answer:

Eset Updates are digitally signed. This is how Eset verifies the integrity of downloaded files, even when they are transferred over an insecure connection. So in this specific scenario, there is no additional risk in using unencrypted http.

The benefit of downloading updates over unencrypted connection is caching on your apache proxy. In an end-to-end encrypted download (https) the proxy would not be able cache any of the downloaded updates, since it sees only garbled ciphertext. It can only cache files from unencrypted connections. Blocking these unencrypted connections would defeat the whole point of using a caching proxy.

Link to comment
Share on other sites

The 2nd message is actually what I was looking for if it works.

Our use of the Apache Proxy isn't really for caching, instead it's for making sure machines within a L1 environment don't have direct access to the internet. Since the environment is PCI based and makes using port 80 very difficult.

Link to comment
Share on other sites

On 5/3/2022 at 5:12 PM, Marcos said:

Do you use Apache HTTP proxy with default settings? Asking cause only access to ESET's servers is permitted by default and connections on port 80 are safe, meaning it's not possible to trick ESET products to download and install compromised modules.

If you must download update files via https due to a strict company policy for instance, you can use a custom update server with the path:
https://update.eset.com/eset_upd/ep9

Ok so this nearly works, although that url is asking for a username password
This currently prevents eset from downloading module updates from that url
is there a specific thing I should be using for the username / password for that url?

Link to comment
Share on other sites

  • Administrators

Activated clients authenticate with a username and password against the update servers.

Link to comment
Share on other sites

Posted (edited)

From the looks of things if you try and set the Update URL Manually to a https link by turning "Choose Autmatically" here
then it also requires manual input of the username / password

It mentions it here - Modules Update | ESET PROTECT | ESET Online Help

image.png.3d117f3e52ec444ab7f6c8a1018a850a.png

I've been able to determine my username / EAV-number using Ctrl-U on the eset window
But since the licence is activated online I'm not sure how to get the password to use

Unless I have to do an offline activation or something.

Tried having a look on the Eset Business Account site where the licences are listed but I couldn't see anything there

Edited by RichardW
Link to comment
Share on other sites

Ok found it

Inside the Business Account Login
Licences -> Select Licence (show details) -> Products -> Select Product
Select Download Legacy Licence File

and it shows up there

Link to comment
Share on other sites

  • Administrators

I've discussed this with developers and we've agreed on using credentials received during activation for updates from update.eset.com even when server auto-selection is disabled. That said, you will not need to enter a U/P in future versions if updating via https.

Link to comment
Share on other sites

Thanks very much for looking into this with the developers. I admit the use case is kind of unusual in that I'm not using apache for caching. But unfortunately the PCI auditors tend to be quite strict over what is allowed when it comes to non SSL ports.
Typically allowing port 80 requires a lot of paperwork is part of the reason, even though the proxy limits access to certain hosts and the updates are signed.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...