Exclusion for vulnerability scanner


pronto

Servus Community,

currently, we are evaluating a Vulnerability Scanner and have noticed that a significant number of connections originating from the scanner's IP are being blocked on a Windows Server test system. Even though we have whitelisted the scanner's IP in the "SECURITY Sensor Settings" under network access protection (Exclude from IDS), this policy does not appear to be effective. Is there another option for configuring this?

Thanks & Bye Tom

  • Administrators

The vulnerability scanner uses a local module with data to determine if vulnerable software is installed. However, in order to patch found vulnerabilities, it connects to particular vendors' websites to download fixed versions of products.

No, the scanner does not search for fixes nor does it patch vulnerabilities automatically. What I am looking for is a setting within ESET that prevents connections from the scanner's IP address from being blocked by default. The message in ESET reads: "Attempt to exploit a vulnerability".

Bildschirmfoto 2024-02-13 um 14.44.00.png

Is there anything else I can do? The (remote) scanner does not use a local module, but authenticates itself with an admin user on the system. What else has been changed is that remote access to the registry has been allowed for this user.

In principle, these were false positives. We had initially configured the IDS of the client policy by mistake; now we have the server security policy and the false detections are gone. Thank you.

  • Administrators

I don't think there would be that many false positives; maybe a network vulnerability scan was run which triggered the detections. If you would like to verify the detections, please reproduce it and create an advanced network protection log for perusal.

Hi Marcos,

what's wrong with you? Aren't you usually spot on? I already wrote in my first post that we are testing a vulnerability scanner. All the answers were somehow off-topic. What can I do better to avoid such misunderstandings? I'm worried...

Bye Pronto

  • Administrators

These detections come from the Network attack protection, not from Vulnerability & Patch Management. Please clarify. Are you testing a 3rd party vulnerability scanner which has nothing to do with ESET Vulnerability & Patch Management?

image.png

  • Administrators

An IDS exception like this with the IP address of the machine on which the vulnerability scanner runs in the Remote IP address field should work:

image.png

If not, please carry on as follows:

  1. Enable advanced logging under Help and support -> Technical support
  2. Run a vulnerability scan to reproduce the detection
  3. Stop logging
  4. Collect logs with ESET Log Collector and upload the generated archive here.

 
