j-gray (thread author), posted August 20:
Had an infected Windows system running the latest versions of agent, AV and EI Connector. Ran the 'Isolate Network' task which completed successfully. However, I'm still able to ping, RDP, psexec, access the remote admin share, connect remotely to Computer Management, etc. In other words, it doesn't appear very isolated. Both EP and EI console at least think it's isolated, as the only task option now is to end Network Isolation. I don't find much in the documentation; what are the prerequisites for this to function, what is expected as far as access, and how can one tell if it was successfully implemented regardless of the task reporting successful?
itman, posted August 20:
Quoting j-gray: "However, I'm still able to ping, RDP, psexec, access the remote admin share, connect remotely to Computer Management, etc. In other words, it doesn't appear very isolated."
According to this: https://help.eset.com/protect_cloud/en-US/ct_isolate_computer.html , this shouldn't be happening.
Marcos (Administrator), posted August 21:
Do you actually see "Network access blocked" in the protection status pane?
j-gray (thread author), posted August 21:
@Marcos I tested on another Windows workstation with latest versions of all components. As you can see, the GUI shows 'Network access blocked', but I can ping the client and RDP into it to get this screenshot. You can see that the blocked client can ping Google's DNS server, as well as browse the web. I can't find documented what the prerequisites are for this functionality. What ESET component actually does the blocking and how is it effected?
j-gray (thread author), posted August 21:
Quoting itman: "According to this: https://help.eset.com/protect_cloud/en-US/ct_isolate_computer.html , this shouldn't be happening."
Thanks. Yes, this is the document I was working from, but it's quite vague. For example, what exactly is allowed for "login to domain"? We assume that DNS, NTP, LDAPS, etc. will have to work at the very least. SMB for group policy, etc. And there's no indication of what component is leveraged. I'm starting to believe it must rely on the ESET firewall.
itman, posted August 21:
I reviewed a couple of other forum postings on this Network Isolation feature. Awaiting comment from Eset, my opinion is the feature's purpose is to isolate the device from the other devices on the local subnet. The equivalent of setting the device's Eset network connection to Public. The isolated device itself still has full Internet connectivity.
j-gray (thread author), posted August 21:
@itman Thanks for the reply and for checking. This doesn't appear to be the case either, though. I hopped on another Windows workstation on the same subnet and can still ping, remote manage, RDP, etc. to the 'isolated' workstation. From the 'isolated' workstation I can browse UNC shares on file servers, printers, etc. on other subnets. My network drive maps when logged in. I can ping other systems on the same subnet. So it seems like it's really not blocking anything as far as I can tell, inbound or outbound either one.
itman, posted August 21:
Quoting j-gray: "From the 'isolated' workstation I can browse UNC shares on file servers, printers, etc. on other subnets. My network drive maps when logged in. I can ping other systems on the same subnet."
Definitely not good!
Marcos (Administrator), posted August 22:
I've tested it with ESET Endpoint Antivirus 11.1 and RDP, SMB and ICMP communication was blocked. Please provide logs collected with ESET Log Collector from the machine to start off.
j-gray (thread author), posted August 22:
@Marcos Are you able to confirm what component(s) this functionality relies upon? My suspicion is that the ESET firewall would be responsible for network isolation but I can't find anything documented.
Marcos (Administrator), posted August 23:
The functionality is in the EpfwWfp.sys driver which is used by all ESET products on Windows.
j-gray (thread author), posted August 27:
@Marcos I opened a support case with collected logs and screenshot (00811157 and 00811158) in case you're interested. Not sure how/why I got two cases and expect one will be closed. FWIW, Network Isolation appears to be working across our Server platforms, just not Win10/11.
Marcos (Administrator), posted August 27:
It appears that ESET Endpoint Antivirus was installed without the Network protection component.
Standard EEA drivers installed:
Yours:
itman, posted August 27:
Quoting Marcos: "It appears that ESET Endpoint Antivirus was installed without the Network protection component."
What's missing are the firewall drivers. Now for the $64,000 question. Does EEA support Network Isolation since it doesn't include a firewall component as EES does?
Marcos (Administrator), posted August 27:
Endpoint Antivirus contains Network protection so it's capable of isolating the network as long as the network protection component and its drivers are installed.
j-gray (thread author), posted August 27 (edited August 27):
Quoting Marcos: "It appears that ESET Endpoint Antivirus was installed without the Network protection component."
We use the standard EP Console provided install task, so I'm not sure how any components would be omitted. I'm guessing a specific policy needs to be enabled, then? Though again I'm finding no prerequisites documented.
itman, posted August 27 (edited August 27):
Here's what I don't understand. When you open the EEA GUI on a device, you should be receiving a red display that Network Protection is disabled.
j-gray (thread author), posted August 27:
Quoting itman: "Here's what I don't understand. When you open the EEA GUI on a device, you should be receiving a red display that Network Protection is disabled."
Probably getting at the root here; we don't enable IDS nor Botnet protection on Win10/11 clients.
Marcos (Administrator), posted August 28 (marked as Solution):
Yes, in case of a security product without the firewall, IDS must be enabled for network isolation to work. We track it as a bug now; maybe the wording of the warning will be adjusted or we'll come up with a more convenient solution, if programmatically possible. P_EESW-11780
itman, posted August 28 (edited August 28):
Quoting j-gray: "Probably getting at the root here; we don't enable IDS nor Botnet protection on Win10/11 clients."
Note that with Network Protection disabled, not only is IDS protection disabled, but Eset Brute Force RDP logon protection is disabled as well.
j-gray (thread author), posted August 28:
Quoting Marcos: "Yes, in case of a security product without the firewall, IDS must be enabled for network isolation to work. We track it as a bug now; maybe the wording of the warning will be adjusted or we'll come up with a more convenient solution, if programmatically possible. P_EESW-11780"
Awesome - thank you! This would be super helpful to have documented here.
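A way to check isolation independently of the task status, covering both j-gray's opening question (how to tell whether isolation actually took effect) and Marcos's answers that the EpfwWfp.sys driver does the enforcement and that RDP, SMB and ICMP are blocked on a correctly installed endpoint. This is an added example, not code from the thread or from ESET; the Win32_SystemDriver name pattern, the port list and the hostname are assumptions.

```powershell
# Added example, not from the thread or ESET. Two checks a defender can run instead of
# trusting the console's "task completed" status.
# Assumptions: EpfwWfp.sys is the driver file Marcos named; the Win32_SystemDriver
# name pattern 'epfwwfp%' and the port list are assumed, not documented by ESET.

# Run ON the endpoint: is the WFP driver that enforces isolation installed and running?
# A missing file or a stopped driver matches the thread's symptom: the console reports
# "isolated" while nothing is enforced (Network protection / IDS not installed or disabled).
function Test-EsetIsolationDriver {
    $file = Join-Path $env:SystemRoot 'System32\drivers\EpfwWfp.sys'
    $drv  = Get-CimInstance Win32_SystemDriver -Filter "Name LIKE 'epfwwfp%'" `
            -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DriverFilePresent = Test-Path -LiteralPath $file
        DriverState       = if ($drv) { $drv.State } else { 'not registered' }
    }
}

# Run FROM a peer on the same subnet: can the supposedly isolated host still be reached?
# Marcos reported RDP, SMB and ICMP blocked on a working install, so every row should
# show Reachable = False once isolation is actually in force.
function Test-IsolationFromPeer {
    param(
        [Parameter(Mandatory)] [string]$IsolatedHost,
        # RPC 135 covers remote Computer Management / psexec-style access from the thread.
        [hashtable]$Ports = @{ RDP = 3389; SMB = 445; RPC = 135 }
    )
    $results = @()
    $results += [pscustomobject]@{
        Check     = 'ICMP ping'
        Reachable = Test-Connection -ComputerName $IsolatedHost -Count 1 -Quiet
    }
    foreach ($name in $Ports.Keys) {
        $results += [pscustomobject]@{
            Check     = "TCP $($Ports[$name]) ($name)"
            Reachable = Test-NetConnection -ComputerName $IsolatedHost -Port $Ports[$name] `
                            -InformationLevel Quiet -WarningAction SilentlyContinue
        }
    }
    $results
}

# Example usage (hostname is a placeholder):
# Test-EsetIsolationDriver | Format-List
# Test-IsolationFromPeer -IsolatedHost 'WS-ISOLATED-01' | Format-Table -AutoSize
# Any row with Reachable = True means isolation is not enforced, whatever the task reports.
```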