Mikespo, Posted July 23, 2015

We just got ESET ERA 6 up and going, and we have 2 virtual servers that run Spiceworks tools to inventory and monitor the network. However, our Threat log on ERA is now full of 'Detected covert channel exploit in ICMP packet' [see attached]. Is there any way to prevent this from being detected, or exclude the machines? How do I erase these from the Threat window as well?

Marcos (Administrators), Posted July 24, 2015

Probably you have an application installed that utilizes ICMP protocol for its own communication. It's possible to exclude specific IP addresses or subnet from a specific attack detection.

Mikespo (Author), Posted July 24, 2015

> Probably you have an application installed that utilizes ICMP protocol for its own communication. It's possible to exclude specific IP addresses or subnet from a specific attack detection.

The application is Spiceworks, which, like I said, inventories the entire network by way of ICMP etc. I tried making a Policy for 'ESET Security Product for Windows' with Personal Firewall -> IDS Exceptions -> Any Alert / Spiceworks / IP / No / No / No but I'm still getting flooooooded by these alerts. Is there another way to go about this?

Marcos (Administrators), Posted July 24, 2015

If these are older reports, select them and click Mute (this will be renamed to Resolve as of ERA 6.2).

Mikespo (Author), Posted July 24, 2015

> If these are older reports, select them and click Mute (this will be renamed to Resolve as of ERA 6.2).

That helps for the previous detections, but the policy isn't doing anything; I'm still getting these threat reports.

Marcos (Administrators), Posted July 24, 2015

Maybe you didn't enter a full path to the executable that triggers the detection and thus the exception is not applied. Try creating an exclusion for this particular detection but with no application or other parameters specified.

Mikespo (Author), Posted July 24, 2015 (edited July 24, 2015 by Mikespo)

> Maybe you didn't enter a full path to the executable that triggers the detection and thus the exception is not applied. Try creating an exclusion for this particular detection but with no application or other parameters specified.

This is the full readout of the threat log; there are hundreds of these now, and more coming every few minutes.

This is what the Firewall threat generated report shows.

These 2 are from the Policies and what I set up. This policy is applied to ALL machines in active directory.

Any help appreciated.

Marcos (Administrators), Posted July 25, 2015

As I assumed, you don't have a full path to Spiceworks entered in the Application field. For now leave it empty so that the exception is applied regardless of the application and see if that helps.