Advanced filtering options

The Network attack protection section allows you to configure advanced filtering options to detect several types of attacks and vulnerabilities that can be carried out against your computer.


note

In some cases you will not receive a threat notification about blocked communications. Please consult the Logging and creating rules or exceptions from log section for instructions to view all blocked communications in the firewall log.


important

The availability of particular options in Advanced setup (F5) > Network Protection > Network attack protection may vary depending on the type or version of your ESET endpoint product and firewall module, as well as the version of your operating system. Some of them may be available only for ESET Endpoint Security.

icon_section Intrusion detection

Protocol SMB – Detects and blocks various security problems in SMB protocol, namely:

Rogue server challenge attack authentication detection – Protects against an attack that uses a rogue challenge during authentication in order to obtain user credentials.

IDS evasion during named pipe opening detection – Detection of known evasion techniques used for opening MSRPCS named pipes in SMB protocol.

CVE detections (Common Vulnerabilities and Exposures) – Implemented detection methods of various attacks, forms, security holes and exploits over SMB protocol. Please see the CVE website at cve.mitre.org to search and obtain more detailed info about CVE identifiers (CVEs).

Protocol RPC – Detects and blocks various CVEs in the remote procedure call system developed for the Distributed Computing Environment (DCE).

Protocol RDP – Detects and blocks various CVEs in the RDP protocol (see above).

Block unsafe address after attack detection – IP addresses that have been detected as sources of attacks are added to the Blacklist to prevent connection for a certain period of time.

Display notification after attack detection – Turns on the system tray notification at the bottom right corner of the screen.

Display notifications also for incoming attacks against security holes – Alerts you if attacks against security holes are detected or if an attempt is made by a threat to enter the system this way.

icon_section Packet inspection

Allow incoming connection to admin shares in SMB protocol – The administrative shares (admin shares) are the default network shares that share hard drive partitions (C$, D$, ...) in the system together with the system folder (ADMIN$). Disabling connection to admin shares should mitigate many security risks. For example, the Conficker worm performs dictionary attacks in order to connect to admin shares.

Deny old (unsupported) SMB dialects – Deny SMB sessions that use an old SMB dialect unsupported by IDS. Modern Windows operating systems support old SMB dialects due to backward compatibility with old operating systems such as Windows 95. The attacker can use an old dialect in an SMB session in order to evade traffic inspection. Deny old SMB dialects if your computer does not need to share files (or use SMB communication in general) with a computer with an old version of Windows.

Deny SMB sessions without extended security – Extended security can be used during the SMB session negotiation in order to provide a more secure authentication mechanism than LAN Manager Challenge/Response (LM) authentication. The LM scheme is considered weak and is not recommended for use.

Allow communication with the Security Account Manager service – For more information about this service see [MS-SAMR].

Allow communication with the Local Security Authority service – For more information about this service see [MS-LSAD] and [MS-LSAT].

Allow communication with the Remote Registry service – For more information about this service see [MS-RRP].

Allow communication with the Service Control Manager service – For more information about this service see [MS-SCMR].

Allow communication with the Server service – For information about this service see [MS-SRVS].

Allow communication with the other services – Other MSRPC services. MSRPC is the Microsoft implementation of the DCE RPC mechanism. Moreover, MSRPC can use named pipes carried into the SMB  (network file sharing) protocol for transport (ncacn_np transport). MSRPC services provide interfaces for accessing and managing windows systems remotely. Several security vulnerabilities have been discovered and exploited in the wild in the Windows MSRPC system (for example, Conficker worm, Sasser worm,…). Disable communication with MSRPC services that you do not need to provide to mitigate many security risks (such as remote code execution or service failure attacks).