
Archived

This topic is now archived and is closed to further replies.

Mikespo

'Detected covert channel exploit in ICMP packet'


We just got ESET ERA 6 up and going, and we have 2 virtual servers that run Spiceworks tools to inventory and monitor the network. However, our Threat log on ERA is now full of 'Detected covert channel exploit in ICMP packet' [see attached]. Is there any way to prevent this from being detected, or exclude the machines? How do I erase these from the Threat window as well?

post-8085-0-95745200-1437674432_thumb.png


Probably you have an application installed that utilizes the ICMP protocol for its own communication. It's possible to exclude specific IP addresses or a subnet from a specific attack detection.


The application is Spiceworks, which, like I said, inventories the entire network by way of ICMP etc.

I tried making a Policy for 'ESET Security Product for Windows' with Personal Firewall -> IDS Exceptions -> Any Alert / Spiceworks / IP / No / No / No,

but I'm still getting flooooooded by these alerts. Is there another way to go about this?


If these are older reports, select them and click Mute (this will be renamed to Resolve as of ERA 6.2).


That helps for the previous detections, but the policy isn't doing anything; I'm still getting these threat reports.


Maybe you didn't enter a full path to the executable that triggers the detection and thus the exception is not applied. Try creating an exclusion for this particular detection but with no application or other parameters specified.


post-8085-0-09293700-1437762300_thumb.png
This is the full readout of the threat log. There are hundreds of these now, and more coming every few minutes.

post-8085-0-70375200-1437762300_thumb.png
This is what the Firewall threat generated report shows.

post-8085-0-32444700-1437762301_thumb.png
post-8085-0-98704300-1437762300_thumb.png
These 2 are from the Policies and what I set up. This policy is applied to ALL machines in Active Directory.

Any help appreciated.


As I assumed, you don't have a full path to Spiceworks entered in the Application field. For now leave it empty so that the exception is applied regardless of the application and see if that helps.
