Jump to content

ESET Network protection module unexpected behavior

Go to solution Solved by Marcos,

Recommended Posts

We are investigating an incident with suspicious network scanning on one of our servers. This server has an external IP and Windows firewall configured.

On this server, there is also ESET Server Security 10.0.12012.0 (this product has network protection module but doesn’t have firewall).


Now question: 

Is it expected that with Windows firewall enabled on the server and a couple of ports open, we still see lots of network attacks blocked on thousands of ports by ESET network protection? 

We expect that this server gets scanned since it has an external IP, however, we are seeing network attacks on the closed ports as well.


Could it be that ESET investigates network traffic before Windows firewall? Meaning – inbound traffic goes to ESET network protection module first, gets filtered there, then traffic goes to Windows firewall, which also filters and blocks it.


Please see the scheme below:

Inbound traffic > (ESET network protection) > (Windows firewall) > Server applications


We need this information to understand if this is specific case of ESET Network protection module + Windows firewall working together OR we have misconfigured something on our Windows firewall.


Attaching the ESET Network protections module logs from this server. Looking forward to any suggestions.

ESET network protection attacks - Drill Down.zip

Link to comment
Share on other sites

  • Administrators
  • Solution

Could it be that ESET investigates network traffic before Windows firewall?

That's correct. You'd need to filter the communication on a perimeter firewall before it reaches the server to avoid the attack detections.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...