Network protection


NOTE

On Windows Server 2008 SP2, Windows Server 2008 R2 SP1, Small Business Server 2008 SP2 and Small Business Server 2011, installation of the Network protection component is disabled by default. If you want this feature to be installed, choose the Custom installation type. If you have ESET File Security already installed, you can run the installer again to modify your existing installation adding Network protection component.

Enable Network attack protection (IDS)

Allows you to configure access to some of the services running on your computer from the Trusted zone and enable/disable detection of several types of attacks and exploits that might be used to harm your computer.

Enable Botnet protection

Detects and blocks communication with malicious command and control servers based on typical patterns when the computer is infected and a bot is attempting to communicate

IDS exceptions

You can think of Intrusion Detection System (IDS) exceptions as network protection rules. Click edit to define IDS exceptions.

 

Intrusion detection:

Protocol SMB - Detects and blocks various security problems in SMB protocol

Protocol RPC - Detects and blocks various CVEs in the remote procedure call system developed for the Distributed Computing Environment (DCE).

Protocol RDP - Detects and blocks various CVEs in the RDP protocol (see above).

Block unsafe address after attack detection - IP addresses that have been detected as sources of attacks are added to the Blacklist to prevent connection for a certain period of time.

Display notification after attack detection - Turns on the system tray notification at the bottom right corner of the screen.

Display notifications also for incoming attacks against security holes - Alerts you if attacks against security holes are detected or if an attempt is made by a threat to enter the system this way.

 

Packet inspection:

Allow incoming connection to admin shares in SMB protocol - The administrative shares (admin shares) are the default network shares that share hard drive partitions (C$, D$, ...) in the system together with the system folder (ADMIN$). Disabling connection to admin shares should mitigate many security risks. For example, the Conficker worm performs dictionary attacks in order to connect to admin shares.

Deny old (unsupported) SMB dialects - Deny SMB sessions that use an old SMB dialect unsupported by IDS. Modern Windows operating systems support old SMB dialects due to backward compatibility with old operating systems such as Windows 95. The attacker can use an old dialect in an SMB session in order to evade traffic inspection. Deny old SMB dialects if your computer does not need to share files (or use SMB communication in general) with a computer with an old version of Windows.

Deny SMB sessions without extended security - Extended security can be used during the SMB session negotiation in order to provide a more secure authentication mechanism than LAN Manager Challenge/Response (LM) authentication. The LM scheme is considered weak and is not recommended for use.

Allow communication with the Security Account Manager service - For more information about this service see [MS-SAMR] exlink.

Allow communication with the Local Security Authority service - For more information about this service see [MS-LSAD] exlink and [MS-LSAT] exlink.

Allow communication with the Remote Registry service - For more information about this service see [MS-RRP] exlink.

Allow communication with the Service Control Manager service - For more information about this service see [MS-SCMR] exlink.

Allow communication with the Server service - For information about this service see [MS-SRVS] exlink.

Allow communication with the other services - Other MSRPC services.