
Matus

Former ESET Employees
Posts posted by Matus

  1. Hi J-Gray,

    I'm very sorry, it's a bug. We're tracking it and plan to fix it in version 7.1 (available most likely in May).

    Until that time you have two options which come to my mind:

    - reboot the computer so the system popup will appear (or run "sudo launchctl stop com.eset.protection" and then "sudo launchctl start com.eset.protection"), Allow the Proxy configuration, and you can keep it disabled.

    - or you'll have to approve it via MDM (Jamf): https://help.eset.com/eea_mac/7/en-US/installation.html?install_remote_pre-installation.html > part "Web access protection", and keep it disabled in settings.

    Please accept my apology for the inconvenience.

  2. Hi J,

    thanks for the reply.

    This Security Alert in the GUI, "Web and email protection is not configured.", should be fixable by adjusting the v7 policy: User Interface > Application statuses, please disable "Network content filtering integration warnings" (left checkbox).


    Please can you confirm it works?

    "not report web and email status to server" - is the right checkbox in the picture above unchecked?

    Enterprise Inspector supports ESET Endpoint AV for macOS 7+ from version 1.7, released a week ago. I think that you still have version 1.6 installed, which has no support for Endpoint for macOS v7+. In such a case, such a message is present. Can you please confirm?

    Thank you


  3. Hi J-gray,

    thank you for contacting us. Please find below the root causes, for understanding, and some solutions/workarounds for your issues.

    1. Users are prompted because integration into the system happens during installation. If you're using JAMF and have the configuration from v6, then this has to be changed; please see here: https://help.eset.com/eea_mac/7/en-US/installation.html?install_remote_pre-installation.html . It seems that you don't want WAP at all. Unfortunately, right now it's not possible to install the product without the WAP component, therefore it always tries to integrate into the system. We're planning to add the possibility to "exclude" components from installation later this year.

    2. The new generation of the product requires a new configuration. As Michalj mentioned, you'll need to apply the new policy tree. It now works differently than in v6, which makes more sense. If the GUI is opened, then an icon in the dock is present. If the GUI is closed, the icon in the dock disappears. You can also disallow users from opening the GUI, or disable showing the menubar icon.

    3. Within the policy > User Interface > Application statuses, please disable "Network content filtering integration warnings". That will "solve" the problem.

    Regarding "Disable by policy"... In ESET, Disable means something like "don't use it/pause using it", not "don't integrate into the system". When you disable it, it still stays integrated, so when you enable it again, it just works. That's why, even though you've disabled it, it's screaming that it's not configured: it's not integrated into the system (the user probably clicked Deny or manually erased the integrated component (ESET Web&Email) in the Network Preferences of macOS).

    However, if you're not using JAMF, it's recommended that this component is allowed; and if you're using it, then please allow it via JAMF (see the guide above) and then feel free to disable it via policy. I'm also afraid that you'll possibly need to reinstall the application.

  4. On 1/3/2022 at 1:07 PM, Bob van der Woude said:

    Description: Documents with macros to ESET Dynamic Threat Defense

    Detail: I would like to send documents with macros to ESET Dynamic Threat Defense and not send other documents. Now documents with macros are not sent if I choose not to send documents.

    Hi Bob,

    By default, we're sending to EDTD only documents with active content (e.g. macros), not standard documents.

    However, it's possible that e.g. an ordinary document would be sent to the ESET LiveGrid Feedback system (not EDTD) for further inspection in case this document was downloaded from a URL/domain which is considered dangerous based on historic data (this should not normally happen).

    That means the probability of sending to ESET an ordinary document with sensitive data which you receive e.g. from a customer is close to zero.

  5. Hi Kostadin,

    If you set a policy via Protect, you can't change that locally.

    Password-protected settings are meant for the case when you're not managed or some settings are not managed... If you set every setting like that (even defaults) from Protect, the user can't change them.

    On Mac, ESET Agent password protection is not present. To limit/protect against uninstallation, ensure that users are not administrators (root access) of the machine. In the UNIX world, root can do everything.

  6. Hi, you can create a "remote installation" .pkg and install script file where you're able to choose which components should be installed, exactly the same as in the "custom installation". With this I think you can achieve the leaner agent you want. You can install it using ssh, Apple tools or any other way...

  7. Hi,

    OK, I really got it now (I think :D)... Yes, it works in a way that the Disable policy is applied after the product works fine... Disable has the meaning of "Pause". So everything has to work and be integrated, and then it can be "Paused" via policy (so you can enable/disable as you wish)...

    What you want to do is to not even install it and integrate it with the system. This is possible, and it has to be done via "custom installation": https://help.eset.com/ees_mac/6.10/en-US/?ud_install_custom.html

    where you can choose which components should not be installed - disabled for eternity... Please note that you have to uninstall the product and then install it to see those options, not just execute the installation on top of the currently installed product.

    Now it'll not even try to integrate into the system. However, you then can't "enable" them. They're not installed.

    Is that what you're looking for? If you're looking for some hybrid where disabling = un-integrating from the system and enabling = integrating, this is not possible and not even on the roadmap, as integrating on Big Sur is quite a complicated process...

  8. @Matus If I understand correctly, the only way to allow system extensions and full disk access is via MDM? It's not possible via ssh/terminal? -

    Yes, that's how Apple designed it. You need https://support.apple.com/en-us/HT204142 and then use it with some MDM (JAMF, SimpleMDM...) to control things remotely. As far as I know, it's not possible via ssh/terminal.

    I got it. It's normal that the user sees error messages. It's a warning that protection which SHOULD be enabled is disabled and is a risk for security. If you do not want to show those messages, you have to also disable showing of application statuses:

    ESET application preferences > Alerts and notifications > Protection statuses,

    or in the ESET management console.

  9. Accepting of SEXT is possible (learn more or here), but so far we haven't figured out how to approve "Proxy Configuration".


    We contacted Apple about 1-2 months ago and received information that it's not possible to do remotely... But we're still looking into a way to do it (so far without any results)...

    "Of course, we do not enable these two components..." - could you please elaborate a little more? Which components, and how did you not enable them? I'm not sure what goal you're trying to achieve by not enabling them.

    Thank you

  10. Hi J-Gray,

    Thank you for contacting us. Unfortunately, this message is most likely caused by a bug producing an error message in ESMC even though there is no actual problem. This will be fixed in the upcoming version available in March. To verify that, please check directly in Endpoint (in the Endpoint GUI) whether there is any error message or it's green. If it's green, then it's the mentioned bug.

    You can also check via the terminal command "systemextensionsctl list", and you should see:

    * * <somenumber> com.eset.network (6.10.800/6.10.800) ESET Web and Email Protection [activated enabled]

    You can also verify the WEP module by visiting an http phishing site, ideally in some testing environment as it's a real phishing site (do not enter or click on anything), e.g. http://<.>gilbaneco-validate<.>com/ (first you'll probably get the browser anti-phishing message; if you proceed, then you get the ESET blocking message).

    If you however see something wrong with WEP in the GUI or in the terminal command output, please check if:

    SEXT was approved: System Preferences > Security & Privacy > General

    Network Proxy was allowed: https://help.eset.com/ees_mac/6.10/en-US/?ud_install_typical.html, Big Sur part, point 3. You can see it running in System Preferences > Network (see attachment)

    Screen Shot 2021-03-12 at 16.26.07.png
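    A check for the system-extension state described in the post above, as an added example that is not Matus's or ESET's code: it parses `systemextensionsctl list` output and reports whether com.eset.network is `[activated enabled]`. The sample outputs are constructed; the real team identifier is replaced by the `<somenumber>` placeholder used in the post, and the pending-approval state string is an assumption.

```shell
#!/bin/sh
# Added example (not ESET's code): read the state of the ESET Web and Email
# Protection system extension out of `systemextensionsctl list` output.

# Constructed sample: the healthy line quoted in the post, with the
# `<somenumber>` placeholder standing in for the real team identifier.
SAMPLE_SEXT_ENABLED='1 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
* * <somenumber> com.eset.network (6.10.800/6.10.800) ESET Web and Email Protection [activated enabled]'

# Constructed sample: extension loaded but not yet approved by the user.
# The state string is an assumed example of a pending approval, not from the post.
SAMPLE_SEXT_PENDING='1 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
  * <somenumber> com.eset.network (6.10.800/6.10.800) ESET Web and Email Protection [activated waiting for user]'

# eset_sext_state OUTPUT
# Prints the bracketed state of com.eset.network, or "missing" if no such line.
eset_sext_state() {
    printf '%s\n' "$1" | awk '
        /com\.eset\.network/ && match($0, /\[[a-z ]*\]$/) {
            print substr($0, RSTART, RLENGTH); found = 1
        }
        END { if (!found) print "missing" }'
}

# eset_sext_ok OUTPUT
# Succeeds only when the extension is both activated and enabled, the state
# the post describes for a working WEP installation.
eset_sext_ok() {
    [ "$(eset_sext_state "$1")" = "[activated enabled]" ]
}

# Live use on a Mac: eset_sext_ok "$(systemextensionsctl list)" && echo "WEP ok"
```

    Run against real output (for example over ssh, as post 6 mentions), a non-zero exit from eset_sext_ok points at the SEXT approval or Network Proxy checks listed in the post.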

  11. Hi fascik,

    there was a problematic update of a module, which was fixed within a few hours. However, it seems that some EVS machines did not recover from that.

    From Installation and Upgrade > Service Deployment, if you erase EVS and then re-add it, it'll work. I'm not sure right now if there is some less intrusive way of fixing it :(

    However, thanks to vCenter it'll redeploy within minutes and will work fine after that.

  12. @khalis711, I'd kindly ask you to elaborate more regarding the following problem: "this setup also slows down my internet connection speed during download by huge margins."

    Can you please, for example, do a speed test on https://www.speedtest.net/ with the Proxy disconnected and with it connected and paste screenshots here? Or any other way we can understand those huge margins?

    We do scan http network traffic for malware. As you explicitly allowed us as a Proxy, we can discuss whether it's unknowingly or not. This is, however, the way every anti-malware solution has to work on Big Sur if it wants to scan network traffic for malware. Of course, you can disable Web Access Protection in settings and disable the Proxy to feel safer. We can assure you, we have no other interest than keeping you safe by looking for malware. We do not sell personal information or gather private details about our users other than what is necessary to protect you in a better way.

  13. Hi Guys,

    we're working on adding support for RHEL 8 and SUSE Linux Enterprise Desktop (SLED) 15.

    What it means is that we're actively testing our product on those distributions and we're fixing bugs that occur on those systems. It might happen that the product will work on another distribution, but it'll not be officially tested, and in case of bugs specific to that system, a fix is not guaranteed. There are just too many distributions and we're not capable of supporting everything.

    Thank you for understanding.

  14. Hello,

    Listed below are the package dependencies. However, each of those dependencies can have its own dependencies on a particular distro. Unfortunately, we don't have such a list of the real master dependencies (dependencies of our dependencies).

    I'm sorry. Also, the list of officially supported distributions is not that big. Therefore, if you have a really diverse environment outside of the supported list, you may experience issues which we may not fix.

    RPM:

    • /bin/sh
    • /etc/cron.d
    • /usr/bin/crontab
    • gcc
    • kernel-devel
    • make
    • perl
    • rpmlib(CompressedFileNames) <= 3.0.4-1
    • rpmlib(PayloadFilesHavePrefix) <= 4.0-1

    DEB:

    • Depends: gcc, make, perl, linux-headers-generic | linux-headers-amd64, libelf-dev | libelf-devel | elfutils-libelf-devel, libudev1, cron | cronie | systemd-cron

  15. Hello KPS,

    hashes of malicious files are shared via the LiveGrid Reputation System or other mechanisms mentioned above, as Marcos wrote. Please don't forget that if you're the first with a new malware, and you would not upload anything to ESET, and none of the detection layers on the endpoint itself would detect it, you get infected. That's why EDTD works only when files are sent. Otherwise it's almost the same as LiveGrid...

    Also, an EDTD analysis can result in a file being suspicious or highly suspicious... for Endpoint, it looks clean so far. For LiveGrid it looks clean as well. However, with EDTD, you can set a sensitivity to also block files with such a result.

  16. Hi guys,

    to question no. 1, which is probably solved anyway, here is guidance:

    https://help.eset.com/efs/7/en-US/realtime-protection-cannot-start.html?zoom_highlightsub=headers

    To question about CLI:

    1. To receive module updates, the product has to be activated (CLI, ESMC, WebGUI).
    2. When you initiate an update, you get a message that the product is not activated (if it's not activated):

       server:~$ sudo /opt/eset/efs/bin/upd -u
       Product is not activated.

    Otherwise you get the following:

       server:~$ sudo /opt/eset/efs/bin/upd -u
       Update is not necessary - the installed modules are current.

    But yes, this could be solved better via some direct command in the lic utility. We'll add that into the product.

  17. Hi Guys,

    this thing was identified as malicious; however, it's a False Positive. We've added it to the whitelist so it doesn't trigger; however, we're investigating what happened, on which system, and why it was identified as malicious. The issue will be fixed properly after that investigation.

    Anyway, for imagination, if that were not an FP, then to your questions:

    Was it really a threat file that got deleted thanks to EDTD? - YES
    Would ESET Endpoint Antivirus (without EDTD) still catch it? - No, it would not. Only files which Endpoint identified as clean but "interesting" for further investigation are sent to EDTD.

  18. On 3/7/2019 at 6:18 PM, hawkunsh said:

    I'd expect you to give a plausible explanation for the circumstances described in my earlier posts. Your answers don't explain a) why only 1 out of 8 servers is affected and b) why the error suddenly goes away after a while.

    Hi Hawkunsh,

    it's quite hard to say just like that via the forum, as we don't have any logs or other info, but in case you have an EDTD license and ESMC proxy, then:

    a, due to different replication times of servers to the proxy, and it seems that at that exact time the proxy wasn't available

    b, because there are healing methods during the module update period

    -------

    A & B will be improved in the next module update. If you however don't have an EDTD license, such things should not happen, and in such case I'd ask you to contact support via the official channel so they can troubleshoot it properly.

    Thank you very much
