About V2TW

  1. As titled, I have a customer saying some of their users are using the Kaspersky Small Office Security installer to uninstall their password-protected ESET Endpoint Security deployment to get around access restrictions. I have tested it myself with the steps below:
     Steps:
     1. Set an access password for Endpoint Security, either via policy or on the Endpoint.
     2. Make sure the access password is working by trying to uninstall Endpoint via the Programs and Features applet; a password prompt should appear.
     3. Download Kaspersky Small Office Security 5: https://support.kaspersky.com/ksos5pc , run the installer; ESET Endpoint Security gets detected and fully uninstalled without user interaction (besides clicking next).
     Tested on Endpoint Security 6.5.2094, Windows 7.
     There certainly seems to be some bypass that Kaspersky is using for the uninstall. Is there any way to prevent this?
  2. Quick and dirty way: hxxp://<proxy server>:3128/index.html. If something shows up (default Apache index pages showing "It Works") or you get a 404 error, then the Apache proxy is working.
  3. Hi Michal, I have a dynamic group template with no rules, and all clients do show up in the group. Is it necessary to have at least 1 rule for this to work?
  4. Hi Michal, Thanks for the response. Then I guess the only current alternative is to schedule a report which lists all computers under "Lost & Found" and send it to the admin at regular intervals. The goal is to remind admins to move these PCs to appropriate groups; this isn't perfect but good enough. I'd still like to know why my previous Notification template doesn't work, though. It sounds like it's comparing the number of clients in the dynamic group every 5 minutes, and the notification should be sent if it has added 1 or more clients compared to 5 minutes ago. Is it a bug that it's not working, or have I misunderstood how it works?
  5. Hi, Is it possible to create a notification so that whenever any new clients are added to the Lost & Found group, the admin gets notified? I tried to do it like below but it didn't work:
     1. Create a dynamic group under Lost & Found with a template that basically matches any clients.
     2. Create a notification with the settings as shown in the attached images.
     I've checked the email settings; other notifications are working fine, so it's definitely not an SMTP server or email typo issue. Anything I'm overlooking here?
  6. Hi There, I noticed something strange when setting the new 6.5 Endpoint policy "Also evaluate rules from Windows Firewall": it cannot be set. Just create a new Endpoint policy with this setting set to "Apply" or "Force" and save the policy. Open the policy again and the setting is unset. Please check if this is a bug.
     Module versions:
     ESET Remote Administrator (Server), Version 6.5 (6.5.417.0)
     ESET Remote Administrator (Web Console), Version 6.5 (6.5.388.0)
     Update module 1069 (20161122)
     Translation support module 1592 (20170315)
     Configuration module 1461.10 (20170214)
     SysInspector module 1266 (20161222)
  7. Hi There, I have a customer with the Linux version of ERA Agent and File Security for Linux installed. However, for some reason the agent will not connect to the ERA server. Upon closer inspection, it looks like in the agent trace.log the ERAAgent process is constantly crashing when trying to start NetworkModule with "Host not found":
     2017-03-27 07:22:33 Information: SchedulerModule [Thread 7f6f161fc700]: Received message: RegisterSleepEvent
     2017-03-27 07:22:33 Information: Kernel [Thread 7f6f27874700]: Started module SchedulerModule (used 164 KB)
     2017-03-27 07:22:33 Information: Kernel [Thread 7f6f27874700]: Starting module NetworkModule
     2017-03-27 07:22:33 Information: CAgentSecurityModule [Thread 7f6f16bfd700]: Agent peer certificate with subject 'CN=Agent at *, OU=IT, O=Gorilla, L=Taipei, S=Taiwan, C=TW' issued by 'CN=Server Certification Authority, OU=IT, O=Gorilla, L=Taipei, S=Taiwan, C=TW' with serial number '012681d76c305440bf9d1d16ff0f4dfc5801' is and will be valid in 30 days
     2017-03-27 07:23:09 Information: NetworkModule [Thread 7f6f27874700]: CContainer stopping statusLogGenerator
     2017-03-27 07:23:09 Error: Service [Thread 7f6f27874700]: Kernel start: Last starting module failed with: resolve: Host not found (non-authoritative), try again later
     2017-03-27 07:23:09 Information: Service [Thread 7f6f27874700]: Preparing to stop
     2017-03-27 07:23:09 Information: Kernel [Thread 7f6f27874700]: Used memory before modules shutdown is 45448 KB
     The server has no connectivity to the internet, and the ERA server is specified as an IP address, with no firewall in between. The server is being used as an internal nameserver. Logs from the info_get command are attached. We tried re-installing but it's not helping; please help to check.
     customer_info (002).zip
  8. Hi, This is listed under new features for v6.5: Added: Ability to enable / disable protection features from the command line by running “Run Command” task from ESET Remote Administrator (for example, to allow “advanced CMD commands” such as command line export / import of configuration) How is this done? I don't see any command-line references anywhere for ecmd.exe.
  9. Do you still have the default proxy policies applied to the All group in ERA? If so, then the server-side policies will still override the policies you selected in the All-In-One installer after connecting to the server. So what may have happened is that the client did connect to ERA Proxy initially, but after policy replication the Proxy Server setting gets overwritten by server-side policies. I reckon it's better to think of the all-in-one installer policy selection as a temporary configuration used before connecting to ERA.
  10. Hi There, I noticed that whenever I initiate an on-demand scan from ERA to my Linux servers, a /var/log/esets/ndlXXXXXX.dat log file gets created. However, the log files are taking up a huge amount of disk space (something like 3GB each, taking up a total of 20GB). I can see that it's probably because these scans log all scanned files regardless of whether the files are infected, but is there any way to avoid logging everything and log just the infected files to reduce the log file size?
  11. Hi Marcos, I have the same issue with some of my Endpoints; all of them already have Translation Support module 1583.1 installed. Any ideas?
  12. Hi, I've successfully deployed EVS for NSX in my lab environment; however, I ran into some problems:
      1. For some reason, the EVS appliance (the one that does the actual scan) would stop working at some point, and all protected guest VMs become frozen, i.e. the mouse cursor can still move but applications cannot run; it looks like filesystem activity is entirely blocked. The only way to fix this is to force restart the EVS appliance. I checked /var/log/messages and see a huge number of entries like this:
         Mar 3 01:09:07 evs-appliance evs_sva[12722]: [WARNING] (EPSEC) [0x3278] Exceeded maximum concurrent events for /vmfs/volumes/57687926-b4eb627e-80fe-1c98ec284388/XXX.vmx
         The full log is attached. This happened twice already and I've only deployed it for 2 days. Is there anything I've mis-configured here? Please help.
         evs_log_messages.zip
      2. How to deal with quarantined files in case of a false positive? I've tried the Upload Quarantine task on a protected VM and it fails with the message "Ignoring invalid task for VAgentHost".
      3. Is a Linux guest supported? I tried installing the guest introspection driver on a Linux guest and it gets picked up by VAgentHost as a protected VM, but it doesn't seem there's any protection; I can download and read the Eicar file without it getting detected.
  13. I had some success using the method below to deploy EEA 6.4 silently to clients with a license; you're welcome to try. Create an "install.ini" file with the following content and put it in the same folder as the EEA 6.4 MSI:
      [Property]
      INSTALLED_BY_ERA=1
      ACTIVATION_DATA=key:<your 20 letter license key>
      Then use your standard MSI installation scripts to do the installation; install.ini will get picked up by the installer as long as they're in the same folder. Keep in mind that this is an undocumented feature so results may vary; also, obviously this requires a connection to ESET servers in order for activation to work.
  14. On a side note, it seems that in the 6.4 appliance the htcacheclean service isn't properly enabled regardless of whether ENABLE HTTP PROXY is selected during initial setup. I had to run the following 2 commands to properly enable it:
      mkdir -p /etc/systemd/system/httpd.service.requires
      ln -s /usr/lib/systemd/system/htcacheclean.service /etc/systemd/system/httpd.service.requires
  15. Anything strange in /var/log/eset/RemoteAdministrator/Server/trace.log ?