jdashn

Members
  • Posts: 109
  • Days Won: 1

Kudos

  1. Upvote
    jdashn received kudos from Pancakedinner in Dynamic Group Template for No Users logged in   
    Ahh, when I was looking at the DB previously I had noticed that it didn't log logouts, so I had figured that ERA wouldn't be able to see if no one was logged in, because the DB only recorded 'who had logged in'... at least that's how it appeared!
    Regardless, it's awesome that the test dynamic group I had set up is now working. Once I get the other issues I've got with installing 6.5 cleared up this should really help for deployments!
    Jdashn
  2. Upvote
    jdashn received kudos from Pancakedinner in Dynamic Group Template for No Users logged in   
    Thanks for the reply. I know I've tried something similar a few times using Regex. I have not tried using 'Has Mask'. I've set up a group and a template and it's applied. I've got a few test machines I have set up to report back to ERA every min so I should see some computers populate shortly (that and it's getting to be pretty late on a Friday for everyone to still be in the office lol).
     
    I will let you know if I see any machines there within an hour!
     
    Thanks,
     
    Jdashn
  3. Upvote
    jdashn received kudos from Pancakedinner in Dynamic Group Template for No Users logged in   
    Good morning/afternoon/evening!
     
    I've heard some of the ESET staff here talk about setting up a dynamic group based on who is logged into a computer. It would be nice to set up a dynamic group of computers where no user is logged into the machine. This would be very helpful as that is one of the major deciding factors that go into whether we can start to perform a software update on a client machine. We obviously don't want to restart a user's machine while they're using it. Is there a way to set up a dynamic group that contains computers with no users logged into them? How often does ESET check this information (the same time it reports to ERA, or?)?
     
    Thanks 
     
    Jdashn
  4. Upvote
    jdashn gave kudos to Marcos in Lets Encrypt Internal Blacklist block   
    The FP should be already resolved. You can enforce update of the blacklist by rebooting the machine.
  5. Upvote
    jdashn received kudos from aparker in Lets Encrypt Internal Blacklist block   
    Awesome!! thanks a ton to both of you for your quick replies!
  6. Upvote
    jdashn received kudos from aparker in Lets Encrypt Internal Blacklist block   
    As of this morning I'm getting a lot of alerts across the organization for:
    hxxp://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR+5mrncpqz/PiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7/Oo7KECEgRY8NzrWAjZ4J4grl19QqsePQ=
    For each alert the last bit of the address changes, but this part is the same:
    hxxp://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR+5mrncpqz/PiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7/Oo7KECEg
    They all also have a target address of:
    104.91.166.211
    Just wondering if there is more information on this, what might be causing it, if this is an indicator of a primary infection, etc.
     
    Thank you!!
    Jdashn
     
  7. Upvote
    jdashn received kudos from AnnaJuist in Eset Blocking Chromecast   
    I am guessing there are parts of what is in pre-release that are more complex to test, and could have further reaching impact than the exclusion of a port for scanning. Which would be why they've not released this 'fix' as it's a part of a larger update package, that is still being tested.
    I wonder, though, if this piece could be released to the general codebase, before the testing on the rest of the 'update' is completed. I would guess that you're just going to be doing the exclusion of the ports for scanning on the back end, so pretty simple to test and know is working. 
    Is this maybe one of those cases where Dev and Testing don't know that this part of the update is turning away home use customers, and causing a lot of consternation among the client base (likely a TON more than what you see here, we all know in support you only ever get 1% of complaints via forums, or email -- easier to buy a new product than complain). Heck maybe if Dev and Testing knew they'd be able to put this available for release, but I can't see that with a fully functional forum like this that the moderators here aren't regularly working with dev/test and letting them know of the daily buzz on the forums (heck a few might even have accounts and read?).
    I'd imagine that releasing a portion of an Update is relatively simple, seeing as how everything has been made more modular with ESET, but honestly I don't know how development works here, could be that to uncouple this update from others would mean far more work and delays in other areas. Could be that a large enterprise customer is asking for a feature, and that has been fast-tracked, and other projects have to wait.
     
    I guess really what I'm saying is that who knows why it's taking so long, yes it could be that they're waiting to click that button for no 'good reason' aside from 'that's how we do it'... or it's a lot more complex than the minimal information that we get via the forums would lead us to believe.
     
     
  8. Upvote
    jdashn gave kudos to TomFace in User monitoring   
    Peter, stay on top of it. State clear expectations "formally" (and again DOCUMENT it).
    Do not dance around, if you do, nothing will change (and your position will then be on the line).
    Build your case carefully, but make it expedient as it's not a matter of if something bad will happen, but how soon will something bad happen. It WILL happen.
    It sounds like a small business, but if there is any Union organization there and you have a working relationship, after talking with HR (or the owner), you might consider involving them to gain some leverage and buy-in.
    I've been there and done that dozens of times.
    It's never easy, but sometimes you have no choice.
    Good luck,
    Tom
     
  9. Upvote
    jdashn received kudos from TomFace in User monitoring   
    There is some good free software out there for viewing browser history logs and USB access logs.
    I'd just make sure that keeping browser history is enforced via GPO (if you can). Then they can't delete out the logs after each use, keeping you blind to their activities. While you're at it with the GPO, lock down the browsers so they can't install extensions/add-ins.
    You could also lock down (via ESET Device Control) exactly which USB keys (down to serial number, but as broad as make or model) they're allowed to use. I'd also look to disable booting from USB via the BIOS, and lock the BIOS with a PW (if you can boot to USB you can run Tails or some such with no IT visibility).
    And like Tom said... document, document, document... Talk to your boss, make sure you're in the clear for the 'watching'.
    Is this user an Admin on the computer in question?