874 EsetIPBlacklist.A on Users Work From Home Computer


mtellefson
Solved by Marcos

One of our users normally works in the office but has a computer to work from home. In the last 5 days, there have been 874 EsetIPBlacklist.A warnings from several different IP addresses trying to hit several different ports. Outside of scanning the computer for viruses and vulnerabilities, what can I do to kill these attacks?


Based on prior forum postings on this topic, one possibility is that vulnerable software exists on the device and these detections are attempts to exploit those vulnerabilities.

Review of the Eset logs on the device should yield details on the source of these detections.

Edited by itman

Time;Application;Operation;Target;Action;Rule;Additional information
10/13/2023 8:47:06 AM;C:\Windows\System32\csrss.exe;Get access to another application;C:\Program Files\ESET\ESET Security\egui.exe;Blocked;Self-Defense: Protect ekrn and egui processes;Unknown operation

Time;Application;Operation;Target;Action;Rule;Additional information
10/13/2023 8:46:29 AM;C:\Program Files\Huntress\HuntressAgent.exe;Get access to another application;C:\Program Files\ESET\ESET Security\eguiProxy.exe;Blocked;Self-Defense: Protect ekrn and egui processes;Unknown operation,Unknown operation,Unknown operation,Unknown operation,Unknown operation


Time;Application;Operation;Target;Action;Rule;Additional information
10/13/2023 8:42:10 AM;C:\Windows\System32\svchost.exe;Attempt to lock the file;C:\Program Files\ESET\ESET Security\SecurityProductInformation.ini;Blocked;Self-Defense: Protect ESET files;


Those are records from the HIPS log. Make sure to turn off this setting which serves only for troubleshooting HIPS-related issues:


Please provide the appropriate records pertaining to the EsetIPBlacklist.A block from the Network protection log.


Yes, Huntress is installed as part of a detection package through our MSP.

I will check with our ESET provider about turning off the HIPS setting. It is locked in the policy.

Where can I get the Network Protection Log? Or do you just want a copy of the information from the Detections screen?


Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application path;Application;Hash;User;Signer;Package name;Service
10/13/2023 9:46:00 AM;Security vulnerability exploitation attempt;Blocked;107.170.254.8:42639;140.186.96.15:2096;TCP;EsetIpBlacklist.A;;;;;;;

Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application path;Application;Hash;User;Signer;Package name;Service
10/13/2023 9:08:41 AM;Security vulnerability exploitation attempt;Blocked;58.65.153.246:53410;140.186.96.15:445;TCP;EsetIpBlacklist.A;System;System;;;;;

23 hours ago, mtellefson said:

They did just get a new modem from the ISP which may have given them a new IP address.

Have them check if the ISP router has a firewall and it's enabled.

Most ISP-provided routers these days have a NAT firewall. Also, they are stateful. This means they won't allow unsolicited inbound TCP traffic; i.e. inbound traffic not in response to a prior outbound request. If all the above apply, I would stand by my previous statement that unpatched vulnerable OS or app software exists on the device and an external hacker is trying to exploit it.

Also, per the posted Eset log entries, the target IP address is 140.186.96.15, which is associated with Midcontinent Communications in Fargo, ND. That is a public IP address and not a private IP address, which is what should be associated with the device. As such, something is definitely not right here.

-EDIT-

Let's say Midcontinent Communications, i.e. Midco, is the user's ISP. He requested and received a static IP address from them, i.e. 140.186.96.15. Note the security issue with static IP assignment:

Quote

Security

Static IP addresses are seen as less secure. Because static IP addresses don't change, data may be easier to locate and to gain access to by a hacker; the static IP addresses' unchanging nature also leaves them more likely to be hit by follow-up attacks. Static IP addresses are also easier to track.

https://www.techtarget.com/whatis/definition/static-IP-address

Edited by itman
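The Network protection records posted earlier in this thread and the point made above (the target address should be a private LAN address, not a public one) can be checked mechanically. This is an added example, not code from ESET or from anyone in the thread: it parses a constructed export in the same semicolon-delimited layout, tallies the blocked sources and targeted ports for the EsetIpBlacklist.A rule, and flags any target address outside RFC1918 space.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample export (not a real log) in the semicolon-delimited layout
# of the Network protection records quoted in the thread. Source and target
# addresses are documentation ranges; one target is a LAN address for contrast.
SAMPLE_LOG = """\
Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application path;Application;Hash;User;Signer;Package name;Service
10/13/2023 9:46:00 AM;Security vulnerability exploitation attempt;Blocked;198.51.100.7:42639;203.0.113.15:2096;TCP;EsetIpBlacklist.A;;;;;;;
10/13/2023 9:08:41 AM;Security vulnerability exploitation attempt;Blocked;198.51.100.9:53410;203.0.113.15:445;TCP;EsetIpBlacklist.A;System;System;;;;;
10/13/2023 9:10:12 AM;Security vulnerability exploitation attempt;Blocked;198.51.100.7:51000;203.0.113.15:445;TCP;EsetIpBlacklist.A;System;System;;;;;
10/13/2023 9:12:30 AM;Security vulnerability exploitation attempt;Blocked;198.51.100.23:40022;192.168.1.20:445;TCP;EsetIpBlacklist.A;System;System;;;;;
10/13/2023 9:13:00 AM;Security vulnerability exploitation attempt;Blocked;198.51.100.30:40100;192.168.1.20:3389;TCP;SomeOtherRule;;;;;;;
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    """True for private LAN addresses; a NAT router normally hands the PC one."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def split_endpoint(endpoint):
    """Split the log's 'ip:port' field into (ip, port or None)."""
    host, sep, port = endpoint.rpartition(":")
    return (host, int(port)) if sep else (endpoint, None)

def summarize(log_text, rule="EsetIpBlacklist.A"):
    """Tally blocked sources and targeted ports for one rule and collect any
    target that is not an RFC1918 address. In the thread, a public target
    address was the clue that the PC was plugged straight into the modem,
    outside the router's NAT, so every inbound probe reached it directly."""
    reader = csv.DictReader(io.StringIO(log_text), delimiter=";")
    sources, ports, public_targets = Counter(), Counter(), set()
    for row in reader:
        if row["Rule/worm name"] != rule or row["Action"] != "Blocked":
            continue
        src_ip, _ = split_endpoint(row["Source"])
        dst_ip, dst_port = split_endpoint(row["Target"])
        sources[src_ip] += 1
        ports[dst_port] += 1
        if not is_rfc1918(dst_ip):
            public_targets.add(dst_ip)
    return {"events": sum(sources.values()), "sources": sources,
            "ports": ports, "public_targets": sorted(public_targets)}
```

Run `summarize()` over a real export by reading the file into `log_text`; a non-empty `public_targets` list means the machine is exposed on a public address rather than behind NAT.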

Found out when he hooked up the new modem, he plugged his computer directly into the modem instead of the router. He is also buying a new router since his is about 8 years old.


On 10/14/2023 at 11:51 AM, mtellefson said:

Found out when he hooked up the new modem, he plugged his computer directly into the modem instead of the router.

That explains why an ISP address was being displayed in the Eset log entries. Also, he must be using a cable-based ISP, since they usually only issue modems versus the modem/router combo units issued by DSL/fiber providers.
