
'Detected covert channel exploit in ICMP packet'



We just got ESET ERA 6 up and going, and we have 2 virtual servers that run Spiceworks tools to inventory and monitor the network. However, our Threat log on ERA is now full of 'Detected covert channel exploit in ICMP packet' [see attached]. Is there any way to prevent this from being detected, or to exclude the machines? How do I erase these from the Threat window as well?

[attachment: screenshot of the Threat log]


  • Administrators

Probably you have an application installed that utilizes the ICMP protocol for its own communication. It's possible to exclude specific IP addresses or a subnet from a specific attack detection.

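One way to scope the per-IP or per-subnet exclusion suggested above, as an added example that is not from this thread or from ESET: a Python triage over constructed threat-log lines (the line layout, the scanner addresses and the 10.0.5.0/24 placement are assumptions) that separates known inventory hosts from sources that still need review and proposes the smallest network covering only the known ones.

```python
# Added example (not from the forum thread or ESET): triage constructed
# firewall threat-log lines and propose the narrowest IP/subnet exclusion
# for known inventory hosts, so a noisy detection can be excluded per
# source instead of muted globally.
import ipaddress
import re
from collections import Counter

# Constructed sample lines loosely modelled on the thread's screenshots;
# the field layout is an assumption, not ESET's real export format.
SAMPLE_LOG = """\
2015-07-23 10:01:02 Detected covert channel exploit in ICMP packet 10.0.5.21 ICMP
2015-07-23 10:01:09 Detected covert channel exploit in ICMP packet 10.0.5.21 ICMP
2015-07-23 10:02:15 Detected covert channel exploit in ICMP packet 10.0.5.22 ICMP
2015-07-23 10:03:40 Detected covert channel exploit in ICMP packet 203.0.113.7 ICMP
2015-07-23 10:04:01 Detected covert channel exploit in ICMP packet 10.0.5.21 ICMP
"""

# Hosts the defender knows legitimately sweep the network (assumption:
# the two Spiceworks servers from the thread live in 10.0.5.0/24).
KNOWN_SCANNERS = {ipaddress.ip_address("10.0.5.21"), ipaddress.ip_address("10.0.5.22")}

LINE_RE = re.compile(r"^(\S+ \S+) (Detected covert channel exploit in ICMP packet) (\S+) (\S+)$")

def parse_log(text):
    """Return a list of (timestamp, detection, source_ip, protocol) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m.group(1), m.group(2), ipaddress.ip_address(m.group(3)), m.group(4)))
    return events

def triage(events, known_scanners):
    """Split sources into 'expected' (known scanners) and 'review' (everything else)."""
    counts = Counter(ev[2] for ev in events)
    expected = {ip: n for ip, n in counts.items() if ip in known_scanners}
    review = {ip: n for ip, n in counts.items() if ip not in known_scanners}
    return expected, review

def proposed_exclusion(expected):
    """Smallest single network covering all expected sources, or None."""
    if not expected:
        return None
    nets = [ipaddress.ip_network(str(ip)) for ip in expected]
    net = nets[0]
    # Widen one prefix bit at a time until every expected host fits.
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return net
```

Sources left in the review bucket (here 203.0.113.7) should not be excluded; they are the reason the detection is worth keeping enabled.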

Probably you have an application installed that utilizes the ICMP protocol for its own communication. It's possible to exclude specific IP addresses or a subnet from a specific attack detection.

 

The application is Spiceworks, which, like I said, inventories the entire network, by way of ICMP etc.

I tried making a Policy for 'ESET Security Product for Windows' with Personal Firewall -> IDS Exceptions -> Any Alert / Spiceworks / IP / No / No / No,

but I'm still getting flooded by these alerts. Is there another way to go about this?


  • Administrators

If these are older reports, select them and click Mute (this will be renamed to Resolve as of ERA 6.2).


If these are older reports, select them and click Mute (this will be renamed to Resolve as of ERA 6.2).

 

That helps for the previous detections, but the policy isn't doing anything, I'm still getting these threat reports.


  • Administrators

Maybe you didn't enter a full path to the executable that triggers the detection and thus the exception is not applied. Try creating an exclusion for this particular detection but with no application or other parameters specified.


Maybe you didn't enter a full path to the executable that triggers the detection and thus the exception is not applied. Try creating an exclusion for this particular detection but with no application or other parameters specified.

 

[attachment: screenshot of the Threat log]
This is the full readout of the threat log; there are hundreds of these now, and more coming every few minutes.
 
[attachment: screenshot of the firewall threat report]
This is what the Firewall threat generated report shows.
 
[attachments: two screenshots of the policy settings]
These 2 are from the Policies and what I set up. This policy is applied to ALL machines in Active Directory.
 
Any help appreciated.
Edited by Mikespo

  • Administrators

As I assumed, you don't have a full path to Spiceworks entered in the Application field. For now leave it empty so that the exception is applied regardless of the application and see if that helps.
