
False Positive detections by Anti-Phishing Protection


rduckie


Hello all,

 

I resell Eset licensing as a partner and I've received multiple reports that users are unable to access certain legitimate websites.

 

So far I've had reports that Wells Fargo's login page, Microsoft's Office 365 login page, and Yahoo mail login page were all being blocked by the Anti-Phishing protection within Eset. Each page was reported by a different user from three completely different network environments. Two were using Eset Endpoint Antivirus and the third was using Endpoint Security.

 

So far the fastest way to resolve the issue was to temporarily disable the Anti-Phishing protection module. Has anyone else reported this issue, and is there a way to permanently resolve it?


  • Administrators

This FP was fixed shortly after you reported it yesterday. We responded quickly to it by pausing updates and releasing a fixed module.


> This FP was fixed shortly after you reported it yesterday. We responded quickly to it by pausing updates and releasing a fixed module.

More importantly, how is this being corrected for the future?  This is the second time in two weeks that a bad definition file has been released and has caused significant issues.


  • Administrators

 

> > This FP was fixed shortly after you reported it yesterday. We responded quickly to it by pausing updates and releasing a fixed module.
>
> More importantly, how is this being corrected for the future? This is the second time in two weeks that a bad definition file has been released and has caused significant issues.

 

 

In this case, users had an option to click a button to continue to the desired web page. Usually issues are not caused by a single failure and it's a chain of events that causes an issue in the end.

While the former FP was caused by changes in an internal tool for pre-processing URLs, this time it was a false positive of a phishing database provider that some other vendors also use, but it made it into the update in error. We have taken measures to prevent FPs like that on popular domains.



 

 

 

> > > This FP was fixed shortly after you reported it yesterday. We responded quickly to it by pausing updates and releasing a fixed module.
> >
> > More importantly, how is this being corrected for the future? This is the second time in two weeks that a bad definition file has been released and has caused significant issues.
>
> In this case, users had an option to click a button to continue to the desired web page. Usually issues are not caused by a single failure and it's a chain of events that cause an issue in the end.
>
> While the former FP was caused by changes in an internal tool for pre-processing URLs, this time it was a false positive of a phishing database provider that also some other vendors use but made it to the update in error. We have taken measures to prevent FPs like that on popular domains.

 

Well, actually this was not the case. This false positive blocking https://login.microsoftonline.com prevented the proper use of our Microsoft Skype for Business client, as it continuously prompted for a username and password and rejected any entry. Since this was not presented in a web browser, there was no option for the end user to override. The only workaround was to disable protection or roll back updates.


This topic is now closed to further replies.