pronto, Posted February 13:

Servus Community, currently we are evaluating a Vulnerability Scanner and have noticed that a significant number of connections originating from the scanner's IP are being blocked on a Windows Server test system. Even though we have whitelisted the scanner's IP in the "SECURITY Sensor Settings" under network access protection (Exclude from IDS), this policy does not appear to be effective. Is there another option for configuring this? Thanks & Bye Tom
Marcos (Administrators), Posted February 13:

The vulnerability scanner uses a local module with data to determine if vulnerable software is installed. However, in order to patch found vulnerabilities, it connects to particular vendors' websites to download fixed versions of products.
pronto (Author), Posted February 13:

No, the scanner does not search for fixes nor does it patch vulnerabilities automatically. What I am looking for is a setting within ESET that prevents connections from the scanner's IP address from being blocked by default. The message in ESET reads: "Attempt to exploit a vulnerability".
pronto (Author), Posted February 20:

Is there anything else I can do? The (remote) scanner does not use a local module, but authenticates itself with an admin user on the system. What else has been changed is that remote access to the registry has been allowed for this user.
Marcos (Administrators), Posted February 20:

Do you expect those detections to be false positives?
pronto (Author), Posted February 20:

In principle, these were false positives. We had initially configured the IDS of the client policy by mistake; now we have the server security policy and the false detections are gone. Thank you.
Marcos (Administrators), Posted February 20:

I don't think there would be that many false positives, maybe a network vulnerability scan was run which triggered the detections. If you would like to verify the detections, please reproduce it and create an advanced network protection log for perusal.
pronto (Author), Posted February 20:

Hi Marcos, what's wrong with you? Aren't you usually spot on? I already wrote in my first post that we are testing a vulnerability scanner. All the answers were somehow off-topic. What can I do better to avoid such misunderstandings? I'm worried... Bye Pronto
Marcos (Administrators), Posted February 20:

These detections come from the Network attack protection, not from Vulnerability & Patch Management. Please clarify. Are you testing a 3rd party vulnerability scanner which has nothing to do with ESET Vulnerability & Patch Management?
pronto (Author), Posted February 20:

Yes, we are testing the OpenVAS scanner from Greenbone and I thought that was obvious as we tried to whitelist the IP of the scanner but without success. https://www.openvas.org/
Marcos (Administrators), Posted February 21:

An IDS exception like this, with the IP address of the machine on which the vulnerability scanner runs in the Remote IP address field, should work:

[screenshot of the IDS exception not preserved]

If not, please carry on as follows:

1. Enable advanced logging under Help and support -> Technical support.
2. Run a vulnerability scan to reproduce the detection.
3. Stop logging.
4. Collect logs with ESET Log Collector and upload the generated archive here.
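Before scoping an IDS exception to a scanner host, it is worth confirming from the detection log that the blocked connections really do come from that host and only during the scheduled scan, so the exception does not also hide a real attacker (or misuse of the scanner box). The script below is an added example written for this thread, not code from ESET, Greenbone or the posters; the semicolon-separated log layout, the IP addresses and the timestamps are constructed for illustration, and the scanner network and scan window are assumptions you would replace with your own.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample of network-protection detections, one per line:
#   timestamp;detection name;remote IP;local port
# This column layout is an assumption for the example, not ESET's real log format.
SAMPLE_LOG = """\
2025-02-20 09:14:02;Attempt to exploit a vulnerability;10.20.30.5;445
2025-02-20 09:14:03;Attempt to exploit a vulnerability;10.20.30.5;135
2025-02-20 09:14:09;Attempt to exploit a vulnerability;10.20.30.5;3389
2025-02-20 09:31:44;Attempt to exploit a vulnerability;192.0.2.77;445
2025-02-20 09:40:10;Port scanning attack;10.20.30.5;0
"""


def parse_detections(text):
    """Turn the semicolon-separated export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, name, remote_ip, port = line.split(";")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "detection": name,
            "remote_ip": remote_ip,
            "port": int(port),
        })
    return events


def triage(events, scanner_networks, scan_window=None):
    """Split events into those explained by the authorised scanner and those needing review.

    scanner_networks: IPs or CIDRs of the scanner host(s) that will hold the IDS exception.
    scan_window: optional ("HH:MM", "HH:MM") pair; scanner traffic outside the window is
    still flagged, because an exception should not blind you to misuse of that host.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in scanner_networks]
    window = None
    if scan_window is not None:
        window = tuple(datetime.strptime(t, "%H:%M").time() for t in scan_window)

    expected, needs_review = [], []
    for event in events:
        ip = ipaddress.ip_address(event["remote_ip"])
        from_scanner = any(ip in net for net in nets)
        in_window = window is None or (window[0] <= event["time"].time() <= window[1])
        if from_scanner and in_window:
            expected.append(event)
        else:
            needs_review.append(event)
    return expected, needs_review


def summarize(events):
    """Count detections per (remote IP, detection name) so the source of the noise is obvious."""
    return Counter((e["remote_ip"], e["detection"]) for e in events)


if __name__ == "__main__":
    evts = parse_detections(SAMPLE_LOG)
    # Assumed scanner subnet and scan window; replace with your own values.
    ok, review = triage(evts, ["10.20.30.0/24"], ("09:00", "09:30"))
    print("explained by the scanner:", dict(summarize(ok)))
    print("needs review:", dict(summarize(review)))
```

With the constructed data, three detections fall inside the scan window and come from the scanner subnet, so they are the expected noise an exception would silence; the hit from 192.0.2.77 and the scanner's own port scan at 09:40 (outside the window) land in the review bucket, which is exactly the kind of entry an over-broad exception would have hidden.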