Settings to deny ESET EndPoint updates from client PCs

edited June 5 in Firebox - Proxies

Hi all,

I'm looking to set up a way to prevent client PCs' antivirus from updating from online ESET servers on the Internet (we want them to update from the local ESET SMC server instead).

The following has been configured on the client side network:

HTTP-proxy action

URL Paths > If match: Deny for all IP or domains listed from ESET

https://support.eset.com/en/kb332-ports-and-addresses-required-to-use-your-eset-product-with-a-third-party-firewall

HTTP Proxy Exception > confirm no ESET's listed domains

HTTP WebBlocker Exception > Deny action for pattern match .eset.com/

HTTPS-proxy action

HTTPS WebBlocker Exception > Deny action for pattern match .eset.com/

With the above configuration, the PCs are unable to visit eset.com via web browser (even when I added eset.com:80 in the address bar); however, the antivirus app still finds its way to perform updates from eset.com.

When I check HostWatch from WSM, I can see client PCs are able to establish connections with *.eset.com via 80/tcp.

Is there something I'm missing there?

Many thanks!

Comments

  • Options

    What is the domain name which is being accessed from the PCs?

  • Options

    Hi Bruce,

    Below is the exhaustive list of domain names from ESET; we added all of them to the "URL Path > deny list" and "WebBlocker Exception > deny action for pattern match" for both the HTTP and HTTPS proxy actions.

    https://support.eset.com/en/kb332-ports-and-addresses-required-to-use-your-eset-product-with-a-third-party-firewall.

    As said, the browser won't reach these addresses, but the AV app still finds its way to reach them via 80/tcp.

    Many thanks!

  • Options
    edited June 6

    HostWatch does a reverse DNS lookup - IP to DNS name.

    Is the IP addr shown in HostWatch in your block list?

  • Options

    Hi Bruce,

    Thanks for the response!

    Yes, on HostWatch, for instance, I can see one of the IPs, 91.228.167.25 is established with HTTP.

    I did a reverse lookup showing this DNS name is h3-repository02-v.eset.com; this is one of the IPs listed on ESET's website above.

    I really have no clue what I missed as I added deny action for pattern match for *.eset.com.

    Grateful for your advice.

    Many thanks!

  • Options

    Could be that the firewall did not see a DNS lookup for this domain name or any domain name which resolves to the IP addr.
    For example, a hard coded IP addr, or a remembered DNS resolution on a PC or internal DNS server from some while back could be the cause.

    From the docs:
    Domain mappings are not saved when you reboot your Firebox. You must flush the local DNS cache of your clients and your internal DNS server to make sure domain/IP mappings are refreshed.
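
The behaviour described in the comment above, as an added example that is not part of the original thread and not WatchGuard code: a simplified model in which a wildcard domain rule only covers IPs learned from DNS replies the firewall itself observed. The class and function names are hypothetical; the IP and host name are the ones quoted in the thread, and the scenario is constructed.

```python
import fnmatch


class FqdnDenyTable:
    """Simplified model (an assumption): IPs are tied to a wildcard
    domain rule only through DNS replies that cross the firewall."""

    def __init__(self, patterns):
        self.patterns = [p.lower() for p in patterns]
        self.learned = {}  # ip -> name taken from an observed DNS reply

    def observe_dns_reply(self, name, ips):
        """Record the answer if the queried name matches a deny pattern."""
        name = name.lower().rstrip(".")
        if any(fnmatch.fnmatch(name, p) for p in self.patterns):
            for ip in ips:
                self.learned[ip] = name

    def reboot(self):
        """Mappings live in memory only, per the documentation quote."""
        self.learned.clear()

    def verdict(self, dst_ip):
        # "allow" here means "not matched by the domain rule".
        return "deny" if dst_ip in self.learned else "allow"


def simulate():
    """Constructed scenario using the address and name from the thread."""
    ip, name = "91.228.167.25", "h3-repository02-v.eset.com"
    fw = FqdnDenyTable(["*.eset.com"])
    results = {}
    # 1. The internal DNS server answers from its cache: no query crosses
    #    the firewall, so the rule has no IP to match against.
    results["cached_answer"] = fw.verdict(ip)
    # 2. Caches flushed: the lookup now goes out through the firewall.
    fw.observe_dns_reply(name, [ip])
    results["after_flush"] = fw.verdict(ip)
    # 3. Firewall reboots while clients still hold the cached answer.
    fw.reboot()
    results["after_reboot"] = fw.verdict(ip)
    # 4. A name outside the pattern is never learned, even when observed.
    fw.observe_dns_reply("example.org", ["192.0.2.10"])
    results["unrelated"] = fw.verdict("192.0.2.10")
    return results


if __name__ == "__main__":
    for step, action in simulate().items():
        print(f"{step:15} {action}")
```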

  • Options

    Hi Bruce,

    Thank you, I confirm we do have an internal DNS server and client PCs are using it for resolving external domains. In such a case, what can we do? Does it mean we can't use WebBlocker for such a purpose at all?

    Many thanks!

  • Options

    See the "Internal DNS on Local Network" section here:

    About Policies by Domain Name (FQDN)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/fqdn_about_c.html