
Mauricio Osorio

Members
  • Posts: 107
Everything posted by Mauricio Osorio

  1. Hi guys, My client has lost his access to the eba.eset.com portal and when we try to regain access to that portal, the portal eba.eset.com does not send us the email for the change, although it is the same email that appears registered in the licensing. We have asked for local assistance but they haven't answered us for 7 days and the customer is very upset. How can you help us? Please for things like these, which are very simple but very important, you can lose a customer.
  2. Hi guys, On this occasion I would like you to clarify this case for me. We have a customer who has an Oracle Linux server and has a problem with this malware. We have performed the installation of ESET File Security and we have these results after the system scan: Here they are in text in case you want to copy it:

       14 de octubre de 2021 10:02 file:///u01/Oracle/Middleware/Oracle_Home/coherence/plugins/maven/com/oracle/coherence/coherence-work/o84www Linux/CoinMiner.RT troyano Eliminado 0FE31D4AAA7C108C62532F68BC18DC8427F053A8
       14 de octubre de 2021 10:00 file:///home/oracle/c3pool/xmrig Linux/CoinMiner.BK aplicación potencialmente no deseada Desinfectado por eliminación 04FCE56E89D790C3EDAA808E29BDDCE0147962D3
       14 de octubre de 2021 10:00 file:///home/oracle/c3pool/config_background.json Win64/CoinMiner.RO aplicación potencialmente no deseada Desinfectado por eliminación 25135CEB79CA61F723029CFA430B3965B91FE1F4
       14 de octubre de 2021 10:00 file:///home/oracle/c3pool/config.json Win64/CoinMiner.RO aplicación potencialmente no deseada Desinfectado por eliminación DDBDF28407927F39C16A4E0EB0F731E87C50A408

     The problem is that the process that led us to discover that it is a CoinMiner does not disappear and if we stop it it reappears again. Here is a screenshot of the process: As you can see, the entire processor is consumed by this process. We suspect that they may be tasks left by the miner but we don't know how to identify and remove them from the system. Shouldn't the antivirus remove them? I attach the logs taken after the removal of the malware with the ESET File Security antivirus. (customer_info.zip) What should I do in this case? customer_info.zip
  3. Hi @MartinK thanks for your answer, This is the current proxy configuration in the agent policy: And this: It is unconfigured. I don't know how good an idea it is to configure the use of the http proxy in the agent because, as you saw above, the client has published the EP console with a public IP, but if that solves the problem we could do it. I will try to find another computer that has the problem with the connection, to enable full verbosity, because this one that we reviewed already connects well after restarting the eraserver service from SSH.
  4. Here are the logs on the client side. I hope you can review them @MartinK ELC_logs.zip
  5. I have been working with ESET products for a decade and I think it is one of the best options at the level of cybersecurity products and I would like to open this space so that we can share from day-to-day practice those security recommendations that we can make to our customers, but based on the findings of security solutions such as ESET Endpoint Security and then reported in the ESET Protect management console. Why? Because it is not usually very clear what I should do with those discoveries or reports that ESET Protect generates. I wish we could answer the following questions in this space: How can I reduce the number of incidents reported in the ESET Protect (EP) console?: Based on the request of a client who belongs to the public health system of my country and who is alarmed because his network registers more than 2500 security incidents per month in the threats tab. Now my recommendation was to further limit users' internet access, block the use of USB storage devices and generic security recommendations, but I felt that we were wasting precisely all the information collected in EP and that the recommendations should, rather than be generic, be based on the findings that are recorded in EP. At what time or scenario can I recommend to a customer that they should use ESET Dynamic Threat Defense or ESET Enterprise Inspector?: In addition to the interest of cross-selling, how can I justify to my client that it is time to strengthen their network with any of these tools? Is there any non-generic factor that can justify making this recommendation? Example: We have detected that you have a large number of detections that come from emails and we think it would be a good idea for you to have sandboxing in the cloud at this time. And perhaps many other questions that you could contribute from your experience.
     As a purpose, what I would like is to take advantage of the information EP gives me and how I can make this information an added value for my clients. Welcome everyone!
  6. Hi @MartinK Those logs are from EP, not from the problematic device. I'm going to get you the logs of the problematic device as soon as possible. Regards.
  7. Hi guys, I would like your help with this case. A customer uses OVA ESET Protect, but computers usually give this error when connecting to the console: And we have found a way to solve it and it is by restarting the eraserver service from the SSH connection. This is obviously not a solution for the client because it is annoying to do this every time. If it is helpful I attach the logs of the OVA server. Regards! customer_info.rar
  8. Ok @Peter Randziak I'll let you know what the result is. Regards.
  9. Hi guys I have a problem with a client's cloud console, because the console suddenly closes and shows this: How can I fix this? Regards.
  10. Sorry I did not read your comment in full. If the problem is not the WMI on the computer then what would it be? Regards.
  11. Hi @MartinK This is how that DG is configured: And this solves my main problem! Now, is there a way to solve the WMI issue? Thanks a lot!
  12. Hi @Marcos thanks for your answer, as you say we are using this DG: The result of the DG for the computers that correctly report the installed software (we have enabled the detection of third-party software in the agent configuration) is positive. But as you can see in the following image, this computer reports the antivirus to EP: To achieve the result we want, which is that we can detect the computers that have an agent but do not have antivirus installed, should we use a different DG? Now obviously there is a problem with detecting installed software, which may be a WMI problem, as you say. Can I fix this so that the installed software can be detected again? Because right now it is not detected on that computer: Best regards.
  13. I have this case where an agent, no matter how many times I reinstall it, does not report correctly to the console. We show this case because we have an automatic installation task through a dynamic group that identifies the computers that do not have antivirus installed. But this computer always executed the installation task even when it had antivirus installed, that is why we realized that the agent is not reporting correctly in the console. Here you can see an image of the computer with your antivirus: And this is how the same computer looks on ESET Protect Server: As you can see highlighted, it does not report antivirus, or agent. I think it may be an operating system problem, but I would like you to help me find the problem, since I have 2 other computers with the same problem. How can I fix it? Thanks a lot! You can download a Log Collector from here:
  14. Hello Gonzalo, I am writing to you in Spanish since I see that you are from Uruguay. Thank you very much for your answer. I have already suggested that to my client, but my interest is to verify if it can be done from the policies. Thanks for your answer. Regards.
  15. Hi @Nightowl Thanks for your answer, yes, it has a password but that does not prevent it. The second option you propose could be my solution, but I would like not to have to do it if it is necessary. I would like to know if I can do it from politics.
  16. How can I prevent a user from canceling a scan? Some of them cancel the first scan and I wanted to prevent this. Is there an option in the policy that allows me to block that option for the user? Best Regards.
  17. Hi guys, I want to make some dashboards in Power BI, any ideas how to make this work? Regards.
  18. Hi Marcos, Thank you for your response, we have indeed overcome the incident thanks to your indication. Best regards.
  19. Hi guys, In the company we have a general device control policy, which we apply from ESET Protect, at this time it is applied to 300 computers, that is, all of them have by default the use of disk storage devices blocked. When a user does the necessary procedure to enable a storage device, we go to the computer and verify the data of that device in the antivirus log (supplier, model and serial number) and then we create a rule with which we allow the device to be used; this has worked fine except with one device. The device for which the rule does not work is an external hard disk that reports all the data (supplier, model and serial number) but when the rule is created it continues to block it. The only thing that seems strange to me is that the serial number of the device in the log appears with empty spaces, I don't know if this has any effect on the problem: We have tried the rule with and without empty spaces but it still doesn't work. Can someone help me with this? Regards.
  20. Hi Kieran, thanks for your answer, I will try that solution you give me. Regards.
  21. In my company we have many commercials that rotate continuously and it is annoying to have to decrypt a computer every time they leave and re-encrypt it with the new user. Is it possible to inherit this encryption? We have the last version of EEE in our network. Best regards
  22. Hi @kurco Thanks for your answer, with this finding we could solve the issue. Thanks a lot!
  23. Hi guys I have tried to install EFS on UBUNTU server but it fails. This is the Ubuntu version: This is the error: How can I solve this problem? Regards. efs_logs.rar
  24. Hi @Mirek S. Thanks for your answer, it's pretty helpful to understand why this is happening. Do you have any procedure we can use to solve the issue? Because I created a new certificate but the error persists. Best Regards.