Settings to deny ESET EndPoint updates from client PCs
Hi all,
I'm looking to set up a way to prevent client PCs' antivirus from updating from the online ESET servers on the Internet (we want them to update from the local ESET SMC server instead).
The following has been configured on the client side network:
HTTP-proxy action
URL Paths > If match: Deny for all IP or domains listed from ESET
HTTP Proxy Exception > confirm no ESET's listed domains
HTTP WebBlocker Exception > Deny action for pattern match .eset.com/
HTTPS-proxy action
HTTPS WebBlocker Exception > Deny action for pattern match .eset.com/
With the above configuration, the PCs are unable to visit eset.com via web browser (even when I added eset.com:80 from the address bar); however, the antivirus app still finds its way to perform updates from eset.com.
When I check HostWatch from WSM, I can see client PCs are able to establish a connection with *.eset.com via 80/tcp.
Is there something I'm missing there?
Many thanks!
Comments
What is the domain name which is being accessed from the PCs?
Hi Bruce,
Below is the exhaustive list of domain names from ESET, all of which we added to the "URL Path > deny list" and "WebBlocker Exception > deny action for pattern match" for both the HTTP and HTTPS proxy actions.
https://support.eset.com/en/kb332-ports-and-addresses-required-to-use-your-eset-product-with-a-third-party-firewall.
As said, the browser won't reach these addresses, but the AV app still finds its way to reach them via 80/tcp.
Many thanks!
HostWatch does a reverse DNS lookup - IP to DNS name.
Is the IP addr shown in HostWatch in your block list?
Hi Bruce,
Thanks for the response!
Yes, on HostWatch, for instance, I can see one of the IPs, 91.228.167.25, has an established HTTP connection.
I did a reverse lookup showing this DNS name is h3-repository02-v.eset.com; this is one of the IPs listed on ESET's website above.
I really have no clue what I missed as I added deny action for pattern match for *.eset.com.
Grateful for your advice.
Many thanks!
Could be that the firewall did not see a DNS lookup for this domain name or any domain name which resolves to the IP addr.
For example, a hard coded IP addr, or a remembered DNS resolution on a PC or internal DNS server from some while back could be the cause.
From the docs:
Domain mappings are not saved when you reboot your Firebox. You must flush the local DNS cache of your clients and your internal DNS server to make sure domain/IP mappings are refreshed.
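The behaviour Bruce describes, modelled as a small constructed example (this is added illustration code, not WatchGuard's or ESET's implementation): an FQDN deny rule can only act on IPs the firewall has learned from DNS answers it observed, HostWatch's name comes from its own reverse lookup rather than from that learned table, and the table empties on a reboot. The class and function names, the PTR table and the scenario values are assumptions; the IP and hostname are the ones quoted in the thread.

```python
# Constructed model of DNS-snooping FQDN enforcement (added example; not
# WatchGuard's or ESET's code). Names, table contents and flow are assumptions.
import fnmatch
from dataclasses import dataclass, field


@dataclass
class FqdnDenyPolicy:
    """Deny by domain pattern, but only for IPs learned from DNS answers the
    firewall actually saw pass through it (the model of 'policies by FQDN')."""
    deny_patterns: list[str]
    # learned IP -> FQDNs that resolved to it; filled only by observed DNS answers
    learned: dict[str, set[str]] = field(default_factory=dict)

    def observe_dns_answer(self, fqdn: str, ips: list[str]) -> None:
        """Called when a DNS response transits the firewall."""
        for ip in ips:
            self.learned.setdefault(ip, set()).add(fqdn.lower().rstrip("."))

    def pattern_matches(self, fqdn: str) -> bool:
        fqdn = fqdn.lower()
        for pat in self.deny_patterns:
            pat = pat.lower()
            # "*.eset.com" should cover the apex as well as every subdomain
            if fnmatch.fnmatchcase(fqdn, pat) or fqdn == pat.lstrip("*."):
                return True
        return False

    def decide(self, dst_ip: str) -> str:
        """Verdict for a new connection to dst_ip: 'deny' or 'allow'."""
        names = self.learned.get(dst_ip, set())
        return "deny" if any(self.pattern_matches(n) for n in names) else "allow"

    def flush(self) -> None:
        """Mappings are volatile: a firewall reboot empties them."""
        self.learned.clear()


# Constructed PTR table standing in for what HostWatch's reverse lookup returns.
PTR_TABLE = {"91.228.167.25": "h3-repository02-v.eset.com"}


def hostwatch_name(ip: str) -> str:
    """HostWatch labels an IP via reverse DNS, independent of the policy's table."""
    return PTR_TABLE.get(ip, ip)


def scenario() -> dict:
    policy = FqdnDenyPolicy(deny_patterns=["*.eset.com"])
    ip = "91.228.167.25"
    # 1. The client asks the internal DNS server, which answers from its own
    #    cache (or the client uses a remembered or hard-coded address). No DNS
    #    response crosses the firewall, so nothing is learned: the connection
    #    falls through to 'allow' even though the name is on the deny list.
    before = policy.decide(ip)
    # 2. HostWatch still shows the eset.com name, because it ran its own
    #    reverse lookup, not because the policy knew the mapping.
    shown = hostwatch_name(ip)
    # 3. After the client and internal DNS caches are flushed, the next lookup
    #    transits the firewall, the mapping is learned and the deny applies.
    policy.observe_dns_answer("h3-repository02-v.eset.com", [ip])
    after = policy.decide(ip)
    # 4. A firewall reboot discards the learned mappings again.
    policy.flush()
    after_reboot = policy.decide(ip)
    return {
        "before_dns_seen": before,
        "hostwatch_shows": shown,
        "after_dns_seen": after,
        "after_reboot": after_reboot,
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The takeaway the model makes visible is that the pattern itself is fine; the gap is that the firewall never learned which IPs carry the pattern, which is exactly what flushing the client and internal DNS caches (or pointing the firewall at the DNS path it can see) fixes.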
Hi Bruce,
Thank you, I confirm we do have an internal DNS and client PCs are using it for resolving external domains. In such case, what can we do? Does it mean we can't use WebBlocker for such purpose at all?
Many thanks!
See the "Internal DNS on Local Network" section here:
About Policies by Domain Name (FQDN)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/fqdn_about_c.html