Decker2124, posted September 19
In ESET PROTECT dashboard, I received a detection about a website being blocked. I was curious because the reason indicates I set up/enabled some kind of blacklist: "Blocked by internal blacklist".
Visiting the website for investigation purposes makes ESET throw a notification about "HTML/ScrInject.B" on my computer, which is fine because it got detected, but why can't I see the actual reason for detection on the dashboard? The current reason is... wrong. It detected a malware, it wasn't blocked due to some kind of blacklist.
(Since I don't want to ruin the reputation of a maybe-legitimate website now infected, I blurred the domain name.)
Thanks for your assistance!

Marcos (Administrators), posted September 19
Unfortunately the URL was blurred so we can't check why it was blacklisted. The HTML/ScrInject detection might be triggered if the URL was added on the URL allowlist in the Web access protection URL management setup. Please provide the URL that was blocked.

Decker2124 (Author), posted September 19
Hey @Marcos, here is the URL: https://www.cliniqueantiaging.com
To my knowledge, nobody added the link to a whitelist. Where I checked: Protect dashboard > Computers > Right-click on the computer > Details > Configuration > Applied Exclusions
Since the user saw an alert about a threat, I was expecting I could see the same alert/threat on the console.

Marcos (Administrators), posted September 19
I meant this URL allowlist:

Decker2124 (Author), posted September 19
Good morning, and thanks for your (very fast!) reply.
I have multiple policies, but none use this feature. I'm wondering if there is a central place to see the settings applied by all the policies. If the end user themselves allowed the URL, where would I find it?
Note that on my computer, I receive the same alert and the console shows the same message, and I did not whitelist such a domain on my computer (hard to accidentally whitelist a domain, the Linux ESET interface is very bare-bones, and I would need to create a policy to whitelist the domain).
Also, it wouldn't make sense for the console to show "Blocked by internal blacklist" if the domain is whitelisted somewhere, and still show the Trojan alert on the end user's computer. The console should still display the Trojan threat no matter what.
Edited September 19 by Decker2124

Marcos (Administrators), posted September 19
Please provide logs collected with ESET Log Collector from the machine where the detection HTML/ScrInject.B occurred.

Decker2124 (Author), posted September 19
6 hours ago, Marcos said: "Please provide logs collected with ESET Log Collector from the machine where the detection HTML/ScrInject.B occurred."
Does the zip file contain any PII or contain information that can be a potential breach of privacy?
In the VM, I did get the blocked webpage and I had to turn off "Web access protection" to get the threat alert. After 20-30 minutes, the PROTECT dashboard finally showed the name of the threat found 🎉
I can assume then that I might have confused the alert "blacklisted" with "trojan" because of the "up to 30 minutes delay between infection and dashboard report" and the multiple reports for that website showing on the console. I can also assume the end user didn't recall the events as they were, because testing on Linux with web access protection off obviously shows the threat blocked notification. (It's broken on Fedora, but I'll have to test it again.)
Since the VM and the end user's PC have the same policies, I assume that if somehow "Web access protection" is turned off on the end user's machine, I would receive an alert inside the PROTECT dashboard?
(Forum logged me out while writing the reply and testing on the VM, I had to redo it, hopefully I'm not forgetting something 😅)

Marcos (Administrators), posted September 20, marked as Solution
ELC collects ESET logs as well as Windows logs. As for ESET logs, the scope of collected information is listed in the Privacy policy: https://help.eset.com/esi/1/en-US/?privacy_policy.html.
Quote: "I assume that if somehow "Web access protection" is turned off on the enduser machine, I would receive an alert inside the PROTECT dashboard ?"
Yes, you should see the appropriate application status in the PROTECT console unless the particular app status is disabled via a policy: