
ESET Protect Web Access and Web Protect policy setup issues?



Hello,

I have recently been trying to set up a policy in our web protect admin portal to apply to a group of computers. My end goal is a block all web site rule for web browsing and then a whitelist for any URLs that we allow.

I have set this up how I would expect it to look, following the online guides, but so far it is not applying for some reason. If anyone can help me find what I am missing it would be appreciated. Below is my current setup:

 

web access protection enabled

web control enabled

url groups setup 

block all - set as *

allowed websites - one url included

both set to replace

rules setup with the allow url group at the top and the block group second in the list.

blocked webpage message

 

ESET PROTECT (version: 5.4.7.1)


  • Administrators

Please carry on as follows:

  1. Enable advanced logging under Help and support -> Technical support
  2. Access a site that should be blocked but isn't
  3. Stop logging
  4. Collect logs with ESET Log Collector and upload the generated archive here.

Provide the url of the site you accessed and expected ESET to block.


  • Administrators

[14:27:44.103] WARNING: Not running under administrator account.

The Endpoint configuration as well as some logs were therefore not collected. Please run ELC as an administrator and provide fresh ELC logs.


  • Administrators
59 minutes ago, Richard Wakefield said:

Please see attached logs as requested.

I was trying to access the website
https://www.premierleague.com/

This should be blocked from my block all rule but it allows me to browse fine

1, Please disable this setting:

[image]

 

2, Web Control doesn't support wildcards. You'd need to block all sites by selecting all categories.

Instead of Web Control you can use the URL management in Web access protection which supports wildcards.

Please keep in mind that websites often load certain content from other sites. In case a site loads css from a blocked site, it will not be rendered properly.


On 8/23/2024 at 4:35 PM, Marcos said:

2, Web Control doesn't support wildcards. You'd need to block all sites by selecting all categories.

Instead of Web Control you can use the URL management in Web access protection which supports wildcards.

Please keep in mind that websites often load certain content from other sites. In case a site loads css from a blocked site, it will not be rendered properly.

So my block all rule I currently have set up in the URL groups for block all is just *, will this not work?

[image]

I then have this URL group within the Rules section set as Block?

[image]

Then in my allow rule I have a website to allow as https://url.co.uk/*; my thinking was that the start of the URL would then allow anything after with the *?

 

On 8/23/2024 at 4:35 PM, Marcos said:

1, Please disable this setting:

[image]

Can I also please ask what disabling this does and why this is required to get web control block all to work?


3 hours ago, Richard Wakefield said:

Can I also please ask what disabling this does and why this is required to get web control block all to work?

In regards to this domain: https://www.premierleague.com/ you stated Eset Web filtering wasn't blocking in spite of your "*" wildcard block entry, refer to the below screen shot;

[image: Eset_SSL]

Observe that the website is using an Amazon issued certificate.

Eset in regards to SSL/TLS protocol scanning will exclude from scanning by default, select Trusted Publishers; Amazon being one of those publishers. This processing will override any custom Eset web filtering block rules; of note the global block all; i.e. "*", specification and bypass that processing. Hence the need to bypass Trusted Publisher processing by disabling the "Do not scan traffic with domains trusted by Eset" setting in Eset SSL/TLS protocol scan settings.

Edited by itman

  • Administrators
3 hours ago, Richard Wakefield said:

So my block all rule I currently have set up in the URL groups for block all is just *, will this not work?

Correct. If you want to use wildcards, don't use Web Control but URL management in the Web access protection setup.

In order for Web Control to block all websites, create a group with all categories selected and use it in a blocking rule.


10 hours ago, Marcos said:

Correct. If you want to use wildcards, don't use Web Control but URL management in the Web access protection setup.

In order for Web Control to block all websites, create a group with all categories selected and use it in a blocking rule.

Thank you, I did have a policy using web access protection and URL list management in place, working fine apart from the below two issues (if you could help please) which is why I began investigating web control;

 

  1. I wanted to create a report that displays all websites/URLs that get blocked at user level and then schedule that report daily, but upon researching I came to the conclusion this could only be achieved with web control?
  2. I find if I add a new URL to my URL list management in my allow list it does not deploy to the users upon clicking finish and I have to remove the user from the group the policy is applied and then re-add them?

Thank you everyone for all the information so far.


  • Administrators

URLs blocked by too generic blocks (e.g. *) are not sent to ESET PROTECT, otherwise it could result in sending of dozens or hundreds of MB of data multiplied by the number of computers managed by ESET PROTECT, making the server overloaded and unresponsive.

That's why it's possible to use a generic block only with diagnostic severity:

[image]

Diagnostic logging can be enabled in client details for a limited time.


13 minutes ago, Marcos said:

URLs blocked by too generic blocks (e.g. *) are not sent to ESET PROTECT, otherwise it could result in sending of dozens or hundreds of MB of data multiplied by the number of computers managed by ESET PROTECT, making the server overloaded and unresponsive.

That's why it's possible to use a generic block only with diagnostic severity:

[image]

Diagnostic logging can be enabled in client details for a limited time.

Thank you, that makes sense.

Could I also then please ask:

  1. With web control you can set a customer block message; is this not possible with URL list management and web access protection?
  2. If I was to block all categories with web control and then also have a block * on web access protection with then an allowed list in the URL list management, which would take precedence? Would this allow list bypass both block rules?
  3. If a user gets a web page blocked rule is there a location to actually get the exact URL that has been blocked?
    1. Sometimes they can see the main web page but it could be some stylesheet/script that is being blocked that the web page is pulling from; how do I see what that URL might be, as the main URL is OK?

  • Administrators

1, A custom message is possible only with Web Control.

2, I've made a test, Web Control rules were evaluated first and access to sites allowed by the URL allow list was blocked.

3, You should see blocked urls in the Filtered websites and Web Control logs.

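The precedence and subresource behaviour discussed in this thread, as an added example that is not part of any post and is not ESET code: a simplified Python model of a block-all (`*`) list with one allow mask, with Web Control evaluated first as reported in the test above. The matching semantics (shell-style masks, allow mask wins over block mask), the function names and the sample request list are assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed policy modelled on the thread: allow one site, block everything else.
ALLOW_MASKS = ["https://url.co.uk/*"]
BLOCK_MASKS = ["*"]

def url_list_verdict(url, allow=ALLOW_MASKS, block=BLOCK_MASKS):
    """Assumed URL-list model: an allow mask wins over a block mask."""
    if any(fnmatchcase(url, m) for m in allow):
        return "allow"
    if any(fnmatchcase(url, m) for m in block):
        return "block"
    return "allow"

def verdict(url, web_control_blocks_all=False, **lists):
    """Layered model: Web Control is evaluated before the URL lists."""
    if web_control_blocks_all:
        return "block"  # an all-categories block makes the allow list irrelevant
    return url_list_verdict(url, **lists)

def blocked_hosts(page_requests, **kw):
    """Group blocked requests by host so missing allow-list entries stand out."""
    hosts = {}
    for url in page_requests:
        if verdict(url, **kw) == "block":
            hosts.setdefault(urlsplit(url).hostname, []).append(url)
    return hosts

# Constructed request list for a single page load (not taken from the thread).
PAGE_REQUESTS = [
    "https://url.co.uk/",
    "https://url.co.uk/css/site.css",
    "https://cdn.example.net/lib/app.js",
    "https://fonts.example.org/css?family=Sans",
    "https://www.url.co.uk/img/logo.png",
]

if __name__ == "__main__":
    for host, urls in blocked_hosts(PAGE_REQUESTS).items():
        print(f"{host}: {len(urls)} blocked request(s)")
```

In this model the main page is allowed, while the `www.` variant and the two third-party hosts are blocked until a mask for each is added to the allow list.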

16 hours ago, Marcos said:

3, You should see blocked urls in the Filtered websites and Web Control logs.

Where do I locate these please? Are they on the local user's PC or in the admin cloud central portal?


  • Administrators

It depends on the level of logging severity. Warnings and critical records are sent to ESET PROTECT where they can be used in reports then.

They can also be viewed locally in Endpoint:

[image]


Thank you, I can see the blocked URLs on the user's PC via Endpoint fine now.

Also, I have a report set up to report any blocked URLs from web control, but for some reason I am not getting any blocks reported from my policy, only from the top level ESET blocking rule:

[image]

So on the user's PC I can see in Endpoint a successful block of https://www.ebay.co.uk at 10:13 today (27/08/2024), but on the cloud portal when I run the report I have created this URL does not get listed?

[image]

So on the user's PC I have a successful block on
