ESET Network protection module unexpected behavior


Go to solution Solved by Marcos,

We are investigating an incident with suspicious network scanning on one of our servers. This server has an external IP and Windows firewall configured.

On this server, there is also ESET Server Security 10.0.12012.0 (this product has a network protection module but doesn’t have a firewall).

Now the question:

Is it expected that with Windows firewall enabled on the server and a couple of ports open, we still see lots of network attacks blocked on thousands of ports by ESET network protection? 

We expect that this server gets scanned since it has an external IP, however, we are seeing network attacks on the closed ports as well.

Could it be that ESET investigates network traffic before Windows firewall? Meaning – inbound traffic goes to ESET network protection module first, gets filtered there, then traffic goes to Windows firewall, which also filters and blocks it.

Please see the scheme below:

Inbound traffic > (ESET network protection) > (Windows firewall) > Server applications

We need this information to understand if this is a specific case of the ESET Network protection module + Windows firewall working together OR we have misconfigured something on our Windows firewall.

Attaching the ESET Network protection module logs from this server. Looking forward to any suggestions.

ESET network protection attacks - Drill Down.zip


  • Administrators
  • Solution
Quote

Could it be that ESET investigates network traffic before Windows firewall?

That's correct. You'd need to filter the communication on a perimeter firewall before it reaches the server to avoid the attack detections.
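
Added example, not part of the original thread or of ESET's tooling: since ESET inspects inbound traffic before Windows firewall, one way to triage the detections is to split them by whether the targeted port is actually allowed inbound. The log rows, column names and allowed-port set below are constructed assumptions; adapt them to the real log export and to the server's firewall rules.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows; the column names are hypothetical, not ESET's export format.
SAMPLE_LOG = """time,source_ip,target_port,protocol
2024-01-10T02:11:04,198.51.100.7,445,TCP
2024-01-10T02:11:05,198.51.100.7,3389,TCP
2024-01-10T02:11:05,198.51.100.7,1433,TCP
2024-01-10T02:11:06,198.51.100.7,443,TCP
2024-01-10T02:14:40,203.0.113.22,443,TCP
2024-01-10T02:15:02,203.0.113.22,443,TCP
"""

# Assumption: the ports Windows firewall allows inbound on this server.
ALLOWED_INBOUND = {("TCP", 443), ("TCP", 80)}


def classify(log_text, allowed):
    """Split detections into those aimed at open ports and those aimed at closed ports."""
    open_hits, closed_hits = [], []
    for row in csv.DictReader(io.StringIO(log_text)):
        key = (row["protocol"].upper(), int(row["target_port"]))
        (open_hits if key in allowed else closed_hits).append(row)
    return open_hits, closed_hits


def scanners(rows, min_ports=3):
    """Sources that touched at least min_ports distinct ports (scan-like fan-out)."""
    ports = defaultdict(set)
    for row in rows:
        ports[row["source_ip"]].add(int(row["target_port"]))
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


def report(log_text=SAMPLE_LOG, allowed=ALLOWED_INBOUND):
    """Summarize detections: closed-port hits were seen by ESET before the firewall stage."""
    open_hits, closed_hits = classify(log_text, allowed)
    return {
        "open_port_detections": len(open_hits),
        "closed_port_detections": len(closed_hits),
        "scanning_sources": scanners(open_hits + closed_hits),
    }


if __name__ == "__main__":
    print(report())
```

Detections on closed ports are consistent with the ordering confirmed above and do not by themselves indicate a firewall misconfiguration; detections on allowed ports are the ones that could reach a server application.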
