
How to see the threat found on a blocked website in PROTECT dashboard?


Decker2124


In ESET PROTECT dashboard, I received a detection about a website being blocked. I was curious because the reason indicates I set up/enabled some kind of blacklist: "Blocked by internal blacklist".

Visiting the website for investigation purposes makes ESET throw a notification about "HTML/ScrInject.B" on my computer, which is fine because it got detected, but why can't I see the actual reason for detection on the dashboard?

The current reason is... wrong. It detected a malware, it wasn't blocked due to some kind of blacklist.

 

(Since I don't want to ruin the reputation of a maybe-legitimate website that is now infected, I blurred the domain name)

 


 

Thanks for your assistance! :)

  • Administrators

Unfortunately the URL was blurred so we can't check why it was blacklisted. The HTML/ScrInject detection might be triggered if the URL was added on the URL allowlist in the Web access protection URL management setup. Please provide the URL that was blocked.

Hey @Marcos, here is the URL: https://www.cliniqueantiaging.com

To my knowledge, nobody added the link to a whitelist.

 

Where I checked:

Protect dashboard > Computers > Right-click on the computer > Details > Configuration > Applied Exclusions

 

Since the user saw an alert about a threat, I was expecting I could see the same alert/threat on the console.


Good morning, and thanks for your (very fast!) reply.

I have multiple policies, but none use this feature. I'm wondering if there is a central place to see the settings applied by all the policies. If the end user themselves allowed the URL, where would I find it?

Note that on my computer, I receive the same alert and the console shows the same message, and I did not whitelist that domain on my computer (it is hard to accidentally whitelist a domain: the Linux ESET interface is very bare-bones, and I would need to create a policy to whitelist the domain).

Also, it wouldn't make sense for the console to show "Blocked by internal blacklist" if the domain is whitelisted somewhere, and still show the Trojan alert on the end user's computer. The console should still display the Trojan threat no matter what.

Edited by Decker2124

6 hours ago, Marcos said:

Please provide logs collected with ESET Log Collector from the machine where the detection HTML/ScrInject.B occurred.

Does the zip file contain any PII or contain information that can be a potential breach of privacy?

  • In the VM, I did get the blocked webpage and I had to turn off "Web access protection" to get the threat alert.
  • After 20-30 minutes, the PROTECT dashboard finally showed the name of the threat found 🎉
    • I can assume then that I might have confused the alert "blacklisted" with "trojan" because of the "up to 30 minutes delay between infection and dashboard report" and the multiple reports for that website showing on the console.
    • I can also assume the end user didn't recall the events as they were, because testing on Linux with web access protection off obviously shows the threat blocked notification. (It's broken on Fedora, but I'll have to test it again.)
  • Since the VM and the end user's PC have the same policies, I assume that if somehow "Web access protection" is turned off on the end user's machine, I would receive an alert inside the PROTECT dashboard?

(Forum logged me out while writing the reply and testing on the VM, I had to redo it, hopefully I'm not forgetting something 😅)

