IDS exceptions

In some situations the Intrusion Detection Service (IDS) may detect communication between routers or other internal networking devices as a potential attack. In such cases, you can add the known safe address to the Addresses excluded from IDS zone so that the IDS is bypassed for that address.

Illustrated instructions

The following ESET Knowledgebase articles may only be available in English:

Create IDS exclusions on client workstations in ESET Endpoint Antivirus

Create IDS exclusions for client workstations in ESET Security Management Center

Columns

Alert – Type of alert.

Application – Select the file path of an excepted application by clicking ... (for example C:\Program Files\Firefox\Firefox.exe). Do NOT enter the name of the application.

Remote IP – A list of remote IPv4 or IPv6 addresses, ranges or subnets. Multiple addresses must be separated by a comma.

Block – Each system process has its own default behavior and assigned action (block or allow). To override the default behavior for ESET Endpoint Antivirus, you can choose to block or allow it using the drop-down menu.

Notify – Select Yes to display Desktop notifications on your computer. Select No if you do not want desktop notifications. The available values are Default/Yes/No.

Log – Select Yes to log events to ESET Endpoint Antivirus log files. Select No if you do not want to log events. The available values are Default/Yes/No.

Managing IDS exceptions

Add – Click to create a new IDS exception.

Edit – Click to edit an existing IDS exception.

Delete – Select and click if you want to remove an existing exception from the list of IDS exceptions.

Top/Up/Down/Bottom – Allows you to adjust the priority level of exceptions (exceptions are evaluated from top to bottom).

Example

You want to display a notification and collect a log each time the event occurs:

1. Click Add to add a new IDS exception.

2. Select a particular alert from the Alert drop-down menu.

3. Click ... and select the file path of the application to which you want to apply the notification.

4. Leave Default in the Block drop-down menu. This will inherit the default action applied by ESET Endpoint Antivirus.

5. Set both the Notify and Log drop-down menus to Yes.

6. Click OK to save this notification.

Example

You want to remove recurring notifications for a type of alert you do not consider to be a threat:

1. Click Add to add a new IDS exception.

2. Select a particular alert from the Alert drop-down menu, for example SMB session without security extensions.

3. Select In from the direction drop-down menu if the alert comes from inbound communication.

4. Set the Notify drop-down menu to No.

5. Set the Log drop-down menu to Yes.

6. Leave Application blank.

7. If the communication is not coming from a particular IP address, leave Remote IP addresses blank.

8. Click OK to save this notification.
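An exception scoped by Remote IP is only as narrow as the addresses typed into that column, and a blank value (step 7 above) does not limit it to any particular address. The following pre-check for a Remote IP value is an added example, not ESET code: the `start-end` range form, the `address/mask` or CIDR subnet form, the 256-address review threshold and all function names are assumptions made for illustration.

```python
import ipaddress

MAX_ADDRESSES = 256  # assumed review threshold, not an ESET limit


def parse_entry(entry):
    """Return (first, last) address covered by one Remote IP entry."""
    entry = entry.strip()
    if "-" in entry:  # assumed range form: start-end
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError("range bounds mismatched or reversed")
        return lo, hi
    if "/" in entry:  # assumed subnet form: address/prefix or address/mask
        net = ipaddress.ip_network(entry, strict=False)
        return net[0], net[-1]
    addr = ipaddress.ip_address(entry)
    return addr, addr


def review_remote_ip(field):
    """Return (entry, finding) pairs for a comma-separated Remote IP value."""
    if not field.strip():
        return [("", "blank: not limited to a particular remote address")]
    findings = []
    for entry in field.split(","):
        entry = entry.strip()
        try:
            lo, hi = parse_entry(entry)
        except ValueError as exc:
            findings.append((entry, f"invalid: {exc}"))
            continue
        size = int(hi) - int(lo) + 1
        if size > MAX_ADDRESSES:
            findings.append((entry, f"broad: covers {size} addresses"))
        elif not (lo.is_private and hi.is_private):
            findings.append((entry, "external: not a private/internal address"))
        else:
            findings.append((entry, "ok"))
    return findings


if __name__ == "__main__":
    # Constructed sample value, not taken from a real configuration.
    sample = "10.0.0.5-10.0.0.9, 192.168.1.0/255.255.255.0, 10.0.0.0/8, 8.8.8.8"
    for entry, finding in review_remote_ip(sample):
        print(f"{entry:32} {finding}")
```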