Decker2124, posted yesterday at 12:24 AM

In ESET PROTECT dashboard, I received a detection about a website being blocked. I was curious because the reason indicates I set up/enabled some kind of blacklist: "Blocked by internal blacklist".

Visiting the website for investigation purposes makes ESET throw a notification about "HTML/ScrInject.B" on my computer, which is fine because it got detected, but why can't I see the actual reason for detection on the dashboard? The current reason is... wrong. It detected malware, it wasn't blocked due to some kind of blacklist.

(Since I don't want to ruin the reputation of a maybe-legitimate website now infected, I blurred the domain name.)

Thanks for your assistance!
Marcos (Administrators), posted yesterday at 01:42 AM

Unfortunately the url was blurred so we can't check why it was blacklisted. The HTML/ScrInject detection might be triggered if the url was added on the url allowlist in the Web access protection url management setup.

Please provide the url that was blocked.
Decker2124 (Author), posted 16 hours ago

Hey @Marcos, here is the URL: https://www.cliniqueantiaging.com

To my knowledge, nobody added the link to a whitelist. Where I checked:

Protect dashboard > Computers > Right-click on the computer > Details > Configuration > Applied Exclusions

Since the user saw an alert about a threat, I was expecting I could see the same alert/threat on the console.
Marcos (Administrators), posted 15 hours ago

I meant this url allowlist:
Decker2124 (Author), posted 15 hours ago (edited)

Good morning, and thanks for your (very fast!) reply.

I have multiple policies, but none use this feature. I'm wondering if there is a central place to see the settings applied by all the policies. If the end user themselves allowed the url, where would I find it?

Note that on my computer, I receive the same alert and the console shows the same message, and I did not whitelist such a domain on my computer (hard to accidentally whitelist a domain, the Linux ESET interface is very bare-bones, and I would need to create a policy to whitelist the domain).

Also, it wouldn't make sense for the console to show "Blocked by internal blacklist" if the domain is whitelisted somewhere, and still show the Trojan alert on the end user's computer. The console should still display the Trojan threat no matter what.
Marcos (Administrators), posted 10 hours ago

Please provide logs collected with ESET Log Collector from the machine where the detection HTML/ScrInject.B occurred.
Decker2124 (Author), posted 4 hours ago

6 hours ago, Marcos said: "Please provide logs collected with ESET Log Collector from the machine where the detection HTML/ScrInject.B occurred."

Does the zip file contain any PII or contain information that can be a potential breach of privacy?

In the VM, I did get the blocked webpage and I had to turn off "Web access protection" to get the threat alert. After 20-30 minutes, the PROTECT dashboard finally showed the name of the threat found 🎉

I can assume then that I might have confused the alert "blacklisted" with "trojan" because of the "up to 30 minutes delay between infection and dashboard report" and the multiple reports for that website showing on the console.

I can also assume the end user didn't recall the events as they were, because testing on Linux with web access protection off obviously shows the threat blocked notification. (It's broken on Fedora, but I'll have to test it again.)

Since the VM and the end user's PC have the same policies, I assume that if somehow "Web access protection" is turned off on the end user's machine, I would receive an alert inside the PROTECT dashboard?

(Forum logged me out while writing the reply and testing on the VM, I had to redo it, hopefully I'm not forgetting something 😅)