Delay with automatically resolving blocked firewall detections


NML-Harry

Hello,

When ESET IDS detects a "Security vulnerability exploitation attempt" (usually EsetIpBlacklist), it appears in our ESMC detections as "Blocked" and "Unresolved". 

After 20-60 seconds, the detection automatically changes to "Resolved" and shows as "Handled by product".

How can we fix this delay so that a blocked detection is shown as "Resolved" straight away?

The issue this causes us is that we monitor the number of unresolved detections with our monitoring system, and we have some internet-facing servers that are constantly throwing up exploit attempts from blacklisted IPs. Our monitoring system checks the current state every 15 minutes, and a lot of the time there is one of these unresolved detections. By the time we sign into ESMC to check, it's marked as resolved. The outcome is endless notifications from our monitoring system.

One possible solution is to stop logging blacklisted IP detections - but that means should there be a false positive in future we have less diagnostic capability to see it was blocked by ESET. It also doesn't provide a fix when the detection isn't related to blacklisted IPs.

Best regards,

Harry
