Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 3 replies
  • Answers 1 answer
  • Subscribers 27 subscribers
  • Views 5458 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ESET Updates blocked by IPS

RaymondPalms

Hi There,

SFOS 17.1.2 MR-2

 

Have been trying for the last few hours to allow my ESET Internet Security client to update but not getting anywhere even after creating rules to allow traffic to the "eset.com" domains and allow traffic to/from the Eset update servers to skip IPS, the only  way I managed to get it to work is by adding an allow packet for "1180501012 FILE-OTHER 7-Zip RAR CVE-2018-10115 Solid Compression Remote Code Execution"  to the "generalpolicy" IPS Policy however I'm not comfortable turning off one of the signatures for the whole network.

 

How can I simply allow communication with either "*.eset.com" or a list of IP addresses (IP Host > Creat a new a IP List with all Eset update server IP's) to skip IPS ?

 

Thanks



This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to LuCar Toni

    Thanks for the reply.

     

    I tried to create a firewall with an exception for the *.eset.com FQDN with no IPS but that did not help, the issue is the data being flagged on the return by IP address, so when I look at the IPS log is shows "

    Signatures
    Drop
    		  
    91.228.167.21
    192.168.X.X
    1180501012
    FILE-OTHER 7-Zip RAR CVE-2018-10115 Solid Compression Remote Code Execution
    Application and Software
    BSD,Linux,Mac,Other,Solaris,Unix,Windows
  • 0 in reply to LuCar Toni

    Think I figured it out now, I didn't want to add an allow for that Signature network wide, so I did the following which works now.

     

    Hosts and Services > IP Host  > Create new IP Host with type "IP List" and add all ESET Update IP Addresses in that list.

    Intrusion Prevention > IPS Policies > Add a new Policy, then add a new rule within that policy with only that signature selected and Action is "Allow Packet"

    Firewall > Create a new Firewall rule with the following settings:

     

    I beleive this now allows that Signature through when the destination/source is one of the ESET update servers.