V2TW

Members

  • Posts: 32

About V2TW

  • Rank: Newbie

Profile Information

  • Gender: Male
  • Location: Taiwan


  1. Wouldn't it be easier if you set the condition to "Application version" "doesn't have prefix" "6.5"? When 6.6 comes out you can either change it to 6.6 or add it as a new condition. Even if you can make your regex work, you'll still have to update it anyway once a new version comes out.
  2. There's a report called something like "Automation" - "Server tasks for the last 30 days".
  3. Try doing a Windows update and make sure all updates are applied, or install the Visual C++ 2015 redistributable (if Agent is v6.5): https://www.microsoft.com/en-US/download/details.aspx?id=48145 We once ran into this problem where the Agent service cannot start; it turns out that the Agent needs some DLLs that are available as part of certain Windows updates, or the C++ redistributable (try installing 2012 if Agent is below 6.4).
  4. Hi, one of my clients has 2 questions below regarding the latest version of Mail Security for Exchange:
     1. When mails are released from quarantine, is there any log that records who released which mail, and when?
     2. Is it possible to tell if a mail has been quarantined because of DNSBL specifically?
     Any help is appreciated, thanks!
  5. On Linux, you have to enable real-time protection (on-access protection) for the specific processes and folders you want to protect. ESET provides you with 2 options to do real-time protection. One is the Dazuko kernel module, which requires you to download the source code, compile and load the module yourself; generally speaking this is not a very good option for most people. The other is using the preload LIBC library, which doesn't require you to compile anything, but you have to specify the processes you want to protect by setting the LD_PRELOAD variable before running these processes (generally daemons).

     For instance, a typical scenario is to protect Samba (smbd) by modifying its init script (/etc/systemd/system/multi-user.targets.wants/smb.service in CentOS 7) by adding LD_PRELOAD=/opt/eset/esets/lib64/libesets_pac.so to the Environment= configuration (see attached screenshot), then restarting the service:

         systemctl daemon-reload && systemctl restart smb

     This way, when any user tries to copy infected files from the shared folder, it gets detected and cleaned.

     Likewise, if you want to protect wget, you have to set LD_PRELOAD every time you call wget, for instance using wget to download Eicar:

         LD_PRELOAD=/opt/eset/esets/lib64/libesets_pac.so wget hxxp://www.eicar.org/download/eicar.com

     Check in /var/log/messages that the eicar file is detected and quarantined.

     Besides setting the LD_PRELOAD variable, you also have to add the directories you want to monitor under [pac] ctl_intl in esets.cfg (I can see you already did it using the web interface, Agent PAC). It's not necessary to set the one in Agent DAC if you're not using the Dazuko module.

     Another option is to put LD_PRELOAD in /etc/ld.so.preload so that all processes are monitored globally on boot, but there might be a significant impact on the performance and stability of the system according to the docs. Interestingly, NOD32 for Linux Desktop uses /etc/ld.so.preload.
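The systemd step from the post above, as an added shell example that is not part of the original post: it installs the LD_PRELOAD setting as a systemd drop-in (an override directory, assumed here as an alternative to editing the unit file directly) and then verifies from /proc/<pid>/environ that a running smbd actually has the library loaded, since a service restarted without the variable is silently unprotected. The library path /opt/eset/esets/lib64/libesets_pac.so is the one given in the post; the drop-in filename and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes ESET's preload library
# lives at /opt/eset/esets/lib64/libesets_pac.so, as the post states.
ESETS_PAC="${ESETS_PAC:-/opt/eset/esets/lib64/libesets_pac.so}"

# Emit a systemd drop-in that adds LD_PRELOAD to a unit's environment.
# A drop-in under /etc/systemd/system/<unit>.d/ survives package upgrades,
# unlike edits made to the packaged unit file itself.
pac_dropin() {
    printf '[Service]\nEnvironment=LD_PRELOAD=%s\n' "$ESETS_PAC"
}

# Install the drop-in for a unit and restart it (requires root).
# Drop-in name "10-esets-pac.conf" is an assumption of this example.
pac_enable() {
    unit="$1"
    mkdir -p "/etc/systemd/system/${unit}.d"
    pac_dropin > "/etc/systemd/system/${unit}.d/10-esets-pac.conf"
    systemctl daemon-reload && systemctl restart "$unit"
}

# Return 0 if the NUL-separated environment in the given file contains an
# LD_PRELOAD entry naming libesets_pac.so. Takes a file path so it can be
# exercised on a constructed sample; real use: /proc/<pid>/environ.
pac_loaded() {
    tr '\000' '\n' < "$1" | grep -qx 'LD_PRELOAD=.*libesets_pac\.so.*'
}

# Verify every running smbd process has the library preloaded; a process
# that was started without it is a gap in on-access protection.
pac_check_smbd() {
    for pid in $(pidof smbd); do
        if pac_loaded "/proc/$pid/environ"; then
            echo "smbd $pid: protected"
        else
            echo "smbd $pid: LD_PRELOAD missing" >&2
            return 1
        fi
    done
}
```

Run `pac_enable smb.service` once as root, then `pac_check_smbd` after any Samba restart or upgrade to confirm the preload is still in effect.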
  6. Yeah, it's unlikely that the client loses that setting. But I would have the policy set just in case. For instance, if the client had to reset its settings to default or something, you only have to remember to set the ERA Server location and policies will take care of the rest.
  7. Yes. No, only new installs using that package will apply the updated configuration. Yes, in case of configuration conflicts policies will override package configuration. Package configuration is just the initial configuration, nothing more. It's better to set just the ERA Server location and update server in the package configuration and leave the rest to policies (which is more or less the standard method now in V6). Unless you have clients that won't be connecting to ERA, there's not a lot of point in using package configuration for anything other than the ERA Server location and update server.
  8. Both my ERA and clients are on 6.5 now, and it seems HIPS client logs aren't reported to the server no matter what. Basically I have set some generic HIPS rules with logging on the client, and I can see the logs on the client. But the custom HIPS report is always empty. Is there anything I'm missing here?
  9. Does it work if you either add your subnet to the trusted zone or set the network type to Work/Office? The original post was over 2 years ago; I think they already added the required default trusted zone rules in newer versions.
  10. Hi MchalJ, sorry for the side-track, but can you elaborate a little more on this? I always thought all 6.x Agents default to a 1 minute connection interval.
  11. We're facing the same issue; however, we got it working on one of the XP machines and this is the activation server IP recorded by that machine. Try putting this in the hosts file instead: edf.eset.com 13.64.235.23
  12. As titled, I have a customer saying some of their users are using the Kaspersky Small Office Security installer to uninstall their password protected ESET Endpoint Security deployment to get around access restrictions. I have tested it myself with the steps below:
      1. Set an access password for Endpoint Security, either via policy or on the Endpoint.
      2. Make sure the access password is working by trying to uninstall Endpoint via the Programs and Features applet; the password prompt should appear.
      3. Download Kaspersky Small Office Security 5: https://support.kaspersky.com/ksos5pc , run the installer, and ESET Endpoint Security gets detected and fully uninstalled without user interaction (besides clicking next).
      Tested on Endpoint Security 6.5.2094, Windows 7. There certainly seems to be some bypass that Kaspersky is using for the uninstall. Is there any way to prevent this?