Leaderboard

You have a very complicated program here, lots of features, menus, pull-down menus. As a user seeing the program for the first time (not really), I want to find what I want with minimum effort. For the best layout for the user (not the programmer), I stumble around a lot in trying to find what I am looking for. If I were the lead programmer, I would get a pack of 3X5 cards and lay out a system of logic, with features set up the way I would expect to see it as a User. I had to fish around quite a bit to find, for example, how to schedule a scan. For another example of what's wrong, take a look at Tools and see the three unlikely items under it -- and "More tools," hidden away so I did not see it the first four times looking for what I wanted. When I finally noticed "More tools," I saw the eleven items under. All items should be under "Tools," and I should see such subcategories as Scheduling and logs, Network issues, Cleaning (system; malware); Send to Eset; Reports, and more. A lot of research has gone into how to lay out a program for the user, see https://www.uie.com/ .

An FYI for anyone else searching - ESET ECA currently can't do this directly, but ESET UK support helpfully provided a sh script which can install the ESET remote agent silently, connecting endpoints directly to the correct ECA instance. This worked for me - Meraki can deploy the script by wrapping it into a DMG package and deploying as a custom app. ESET ECA can then install ESET sofware/licences etc, with everything being 100% remote.

You should reply them that the memory dump from a crash has been already analyzed by an AV vendor and Microsoft and both confirmed a bug in a VMWare driver which is unrelated to the mentioned exclusions. We at ESET are willing to help them and provide details about the problem. You as a customer of VMWare could provide them with a memory dump for perusal.

Dear Camilo, is there any chance to provide log files from the ESMC Server? If possible please try to replicate the situation with enabled "trace" verbosity (https://help.eset.com/esmc_admin/70/en-US/admin_server_settings.html?admin_server_settings.html) and please provide us with logs - we are curious about the "trace.log" from the ESMC Server. Logs can be collected by ESET Log Collector (https://support.eset.com/kb3466/?locale=en_US&viewlocale=en_US)

My first recommendation (just to allow the deletion) would be to uncheck the option to "automatically deactivate such seats". What you can do, is to deactivate them manually via ESET License Administrator or shorten the removal interval there. What might also help for us to check is to try manual removal of such computers from ELA. If that works, then it might be caused by network connectivity issues on your / our side. It might help us to actually see the PLID, so we can check whether ESMC server was able to contact our licensing infrastructure, to perform deactivation.

If I remember correctly, it should happen after the next service release in 1-2 months. By the way, it will be uPCU, not PCU.

What about this how you like it?

Hello, for this, you should use Client task -> Mobile -> Anti-Theft Actions -> Platform: iOS DEP -> Command: Find (Turn on Lost Mode). The device can be unlocked afterward only from ESMC Web Console with "Turn off Lost Mode " task.

Hello @ofer1954 & @Roger Nock We have experienced unexpected difficulties during upgrade of ESET Cloud Administrator backend to the newest version. As a result some instances were temporarily started with "empty DB" meaning that previous configurations and state was temporarily lost. We have re-setup the instances from the DB backup, meaning all should be back to normal and policies were restored to the original state. We are sorry for the inconvenience and issues caused. We are working with the teams involved to further optimize our internal processes to prevent such issues from happening in the future. @ofer1954 You have said that it was not a first time that problems occurred. Can you please tell us more details about the specific issues you have experienced? Thank you both for understanding. Michal

Could maybe removing the more tools part help e.g. all tools shown in tool area by default?

First, we would like to thank the user Daren for spotting and reporting this unusual communication to LiveGrid, as well as for reporting it to this forum. We can confirm that anonymized domain statistics (statistics about domain and their IP addresses performed by the client) were indeed sent to us despite the fact that this functionality had been switched off. This was due to a flaw in an update on 2019.3.25 at 10:25 CET. The user report triggered an immediate investigation by ESET, and on the afternoon of March 26th at 15:03 CET, LiveGrid servers were adjusted to no longer receive the statistics. Two hours later, with the release of update 1549.3 of the Antivirus and Anti-Spyware scanner module, the issue was fixed. We would like to apologize for the behavior of the scanner and respect the wishes and options our users make in the settings of our products. Although the statistics sent were anonymized at all times, we immediately removed any and all data that may have been collected in error. The users’ privacy was not affected.

Hello @MichalJ just make an AD synchronization and get the computers from there.

Yes, you understand it correctly.

This is a known issue with VMWare drivers which was also confirmed by Microsoft. We recommend contacting VMWare re. the issue. If necessary, we can provide more details about the issue to their programmers.

Cheers for the clarification. Never use it so wasn't sure.

You still get to set a scheduled scan or use it as on demand scanner but not as real time , indeed it does get disabled when ESET is installed in order to avoid conflicts.

You can create even more install tasks that you will assign to different dynamic groups for instance. A license (seat) is consumed only after activation which will be performed on clients just once so it won't depend on the number of install tasks.

With regards to what Marcos said, let me add that we are currently discussing an option to block new files before the result from EDTD is obtained. Main advantage of EDTD is the additional sensitivity threshold and the quicker speed. Via LG we block 100% confirmed malware, via EDTD you can block also highly suspicious / suspicious files, based on the sandbox result automatically without waiting for the LG / detection engine update.

Hello Maneet, version 7.1 is newer compared to 7.0. Under normal conditions you can find the “latest available version” in the “installed applications” dashboard, in table “outdated applications”. You can setup notification or follow the ESET news RSS feed when release news are published.

Thank you for the replies!! Indeed i contacted support and they were very helpful. I managed to solve my problem and improve my security!

I would suggest raising a support ticket for customer care since further logs will be needed and to have the case properly handled and tracked.

Check the logs in your server and the logs for ESCM

Hi Guys, this thing was identified as malicious, however, it's False Positive. We've added that to whitelist not to trigger, however, we're investigating what has happened, which system and why it was identified that as malicious. The issue will be fixed properly after that investigation. Anyway, for imagination if that would not be FP, then to your questions: Was it really a threat file that got deleted thanks to EDTD? - YES Would the ESET EndPoint Antivirus (without EDTD) still catch it? - No, it would not. Into EDTD are sent only files which Endpoint identified as clean, but "interesting" to further investigation

From the link TomFace posted 23. Why is there no ESET product available for Windows Phone and Apple iOS (iPhone, iPad, iPod Touch)? Windows Phone and Apple iOS are proprietary operating systems with their own application stores. The only way to install software on your device is through these stores. Publishers verify each application and guarantee it is malware free. The applications from these stores cannot be run in the background, nor can they scan and delete other programs. Additionally, each application runs in its own segment– a sandbox–so that even if there is any malware bundled in with an application, it cannot be installed and spread to other programs.

Choose smart mode which is a kind of interactive mode with minimum interactions.

Glad it worked. No idea why you Un-Chk it one time, Close/Re-Open, Re-chk the box, and it keeps working (so far). Bookmark this Thread for future needs.

same problem here. Same observation with disabling automatic exclusions. No update on this post?

Hope all is okay

I am also starting to lean toward Port 0 usage by Microsoft as the possible culprit. This would not be the first instance I had in that regard using Eset. I believe in ver. 11, Eset changed something in this regard. My ISP for reasons beyond me does ICMPv6 pinging against my router; probably for connectivity purposes. My Win firewall event log was expanding a phenomenal rate from block activity related to this. That plus Eset's firewall wizard showed the same phenomenal counts. I resolved this one by just creating firewall rules to allow the activity for the IPv6 IP addresses involved.

I just checked and was updated to this version. It has fixed my issue (minor irritation really) of the main gui window popping up when doing non-gui things such as checking file reputation of a file from explorer. Many thanks for this

Installed a new cable modem/router, no difference. It is likely ESET or Microsoft or both. Time for ESET to start collaborating and fix the issue with Network Attack Protection (IDS) and IPv6...

In general, my recommendation would be as following: Create a base image computer, with ESMC agent and not activated Endpoint Let it connect at least once to ESMC, and in the ESMC interface mark the machine as "master for cloning" (navigate to computer details, click on the button "hardware" in the footer, select option "mark as master for cloning" and choose option "create new computers") By doing this, every new computer cloned from the image will be automatically created as a new system in ESMC By default, there is a dynamic group "not activated security product". What you should do is to create a "product activation task", using your license, and setting it with two triggers on this dynamic group (click on the dynamic group, select "new task", choose "product activation" and them set a trigger: First would be "joined dynamic group trigger" - anytime a new machine is connected, it would be activated Second would be "hourly" (you can specify this by CRON expression, guidance is in the product documentation). Therefore, if a client fails to activate on the first attempt it will repeat again every hour. If the client is activated, task won´t be executed.. Set a server task "rename computers" for the group, where the VDI machines will be created. Therefore, once the machine is renamed, correct name will be updated in ESMC automatically. Please note, that you can specify target group directly in the installer of the agent, each cloned instance would then respect this setting.

Msg.exe is run to display the message: Display message task uses native API of the operating system. On the Windows OS, it will trigger a native Microsoft Windows dialog box. On Linux and macOS, it will write the notification only into terminal.

Thank itman for all the advice and information. But I have more then one ip address to block. I'm not very computer savvy so I turned my wifi back on and wait to see if this gets corrected by Eset.

Disabling Network Attack Protections (IDS) on the PC being accessed has addressed the issue of accessing the fileshare quickly and allowing access to the app hosting machine (screenshot reflects my PC which has IDS still enabled, but is initiating the access). I need guidance what disabling the IDS affects and what is my risk if I leave it disabled.

I am also having this issue and now I am unable to share files on the network. This occurred after the most recent windows 10 update on 4-9-19.

Please provide ELC logs gathered from the machine with also quarantined files included.

As far as I am aware of, you can't. There is not separate user alert setting controlling the popup status alert. You can just close the popup alert by clicking on the "x" associated with it.

I can get behind the search option but not the different protection bits with the paranoid option causing more issues. People will activate it not knowing what it is just thinking it will give the best protection then will get shocked when they get asked to confirm every action. In the long run it could lead to people being unhappy about the amount of prompts, possibly blaming eset and damaging their image. As Itman has noted eset is very customisable so you can do what you want, add custom stuff etc. but users do this at their own risk and eset reccomends the default setting for average users

@Palps, Thank you for sharing this information. In my case, I already had HIPS disabled in the client policy and I had the application status disabled as well. I'm not sure why using the Security Management Center Components Upgrade task was still hit and miss. As @tmuster2k pointed out, I got all my clients updated by downloading the .msi files for EEA and ERA and then using my patch management software to deploy. At least it is working for you though and you are able to get your clients updated. Thanks again for the information!

Hello, @T3chGuy007 I had the same issue for each update of the Agent version sind the beginning of v6. Every time I have contacted the support but they couldn't help. I have figured out, that the HIPS Module is blocking the deletion/stop of the process ERAAgent.exe and the service EraAgentSVC. So as a result the agent cannot be updated. Currently I am doing the upgrade to EMA 7.0.577.0 and EEA 7.0.2100.4. For this I have changed the default policy for all clients, so that HIPS is disabled but not shown as Critical on the device itself, so that the users are not getting confused. Then I am waiting until they have rebootet and trying to do the Agent update from time to time. As soon as HIPS is disabled and a reboot has been done, the Security Management Center Components Upgrade task is working like a charm because the process and the service is not secured by the HIPS anymore. I have figured this out by myself as the support was never able to help me. Currently we are considering to switch to another AV solution. (Disabled HIPS) (Change application statuses) (Disable to show the issues on the client)

Yeah as the above mentioned there are programs you can use for logging. Does your company have a USB policy as a lot ban USBs from home and taking work ones out to avoid loss/infection. As mentioned speak to HR and warn the person that failing to comply could lead to dismissal. Remember no Antivirus solution is 100 percent and so users going to risky sites etc. could put your company in danger e.g. ransomware. For the reason mentioned above I would also make sure you have a good routine backup system in place. Also make sure to inform staff about the dangerous of things such as social engineering, getting them to sign things to cover you

There are some good free softwares out there for viewing browser history logs, and usb access logs. I'd just make sure that keeping browser history is enforced via gpo (if you can). Then they can't delete out the logs after each use, keeping you blind to their activities. While you're at it with the GPO, lock down the browsers so they can't install extensions/addins. You could also lock down (via ESET Device Control) exactly which (down to Serial number, but as broad as make, or model) usb keys' they're allowed to use. I'd also look to disable booting from USB via the bios, and lock the bios with a PW (if you can boot to usb you can run tails or some such with no IT visibility). And like tom said... document, document, document... Talk to your boss, make sure you're in the clear for the 'watching'. Is this user an Admin on the computer in question?

getting this default Mail Client Error when launching Outlook 365 64bit on a Win10 Pro machine. If I disable the ESET add-in it does not come up but we want this software protection ON. Have you guys found a fix for this?

Hi mogobjah It looks like some issue with corrupted installation or missing modules. At first check prerequisites which is GlibC: - It is needed to have instaled glibc to run 32bit applications at 64bit os yum install glibc.i686 - check if all modules are present, if some of them are missing it could be the issue. Anyway if they are present some of them can be corrupted somehow and therefore: - Login as root - Stop esets service - create backup folder - Move em00*_32.dat files from /var/opt/eset/esets/lib to backup folder - Run update all modules will be re-created again /opt/eset/esets/sbin/esets_update --verbose - Check content of /var/opt/eset/esets/lib if all modules are present Try to start service and check if issue is fixed or not.

This is very confusing to me, if it is dangerous why ESET gets it out of the blacklist?

You can refer to the FAQ section at the right-hand side of this forum:

In that case gui is supposed to pop up so that you can see the scan results.

Hello Howard, We are indeed in the process of switching from 32-bit modules to 64-bit modules. The 64-bit module are being tested and will be released via an update soon, so currently the app runs 32-bit modules, but there is full compatibility and full protection even on 64-bit systems and thus nothing to worry about. Now why you saw "64-bit" in the about screen earlier - this was simply a bug, which instead of the modules showed the bit-ness of the system. We fixed the bug in the latest release and now it correctly shows the bit-ness of the modules. Regards, Tomas

Thanks for the heads-up. We've been tracking this as a bug.