Posted

Servus Community,

currently, we are evaluating a Vulnerability Scanner and have noticed that a significant number of connections originating from the scanner's IP are being blocked on a Windows Server test system. Even though we have whitelisted the scanner's IP in the "SECURITY Sensor Settings" under network access protection (Exclude from IDS), this policy does not appear to be effective. Is there another option for configuring this?

Thanks & Bye Tom

  • Administrators
Posted

The vulnerability scanner uses a local module with data to determine if vulnerable software is installed. However, in order to patch found vulnerabilities, it connects to particular vendors' websites to download fixed versions of products.

Posted

No, the scanner does not search for fixes nor does it patch vulnerabilities automatically. What I am looking for is a setting within ESET that prevents connections from the scanner's IP address from being blocked by default. The message in ESET reads: "Attempt to exploit a vulnerability".

Posted

Is there anything else I can do? The (remote) scanner does not use a local module, but authenticates itself with an admin user on the system. What else has been changed is that remote access to the registry has been allowed for this user.

  • Administrators
Posted

Do you expect those detections to be false positives?

Posted

In principle, these were false positives. We had initially configured the IDS of the client policy by mistake; now we have the server security policy and the false detections are gone. Thank you.

  • Administrators
Posted

I don't think there would be that many false positives; maybe a network vulnerability scan was run which triggered the detections. If you would like to verify the detections, please reproduce them and create an advanced network protection log for perusal.

Posted

Hi Marcos,

what's wrong with you? Aren't you usually spot on? I already wrote in my first post that we are testing a vulnerability scanner. All the answers were somehow off-topic. What can I do better to avoid such misunderstandings? I'm worried...

Bye Pronto

  • Administrators
Posted

These detections come from the Network attack protection, not from Vulnerability & Patch Management. Please clarify. Are you testing a 3rd party vulnerability scanner which has nothing to do with ESET Vulnerability & Patch Management?

Posted

Yes, we are testing the OpenVAS scanner from Greenbone and I thought that was obvious as we tried to whitelist the IP of the scanner but without success.

https://www.openvas.org/

  • Administrators
Posted

An IDS exception like this with the IP address of the machine on which the vulnerability scanner runs in the Remote IP address field should work:

image.png

If not, please carry on as follows:

  1. Enable advanced logging under Help and support -> Technical support
  2. Run a vulnerability scan to reproduce the detection
  3. Stop logging
  4. Collect logs with ESET Log Collector and upload the generated archive here.

 
