Jump to content


  • Posts

  • Joined

  • Last visited

Posts posted by V2TW

  1. On Linux, you have to enable real-time protection(on-access protection) for specific processes and folder you want to protect. ESET provides you with 2 options to do real-time protection, one is Dazuko kernel module which requires you to download the source code, compile and load the module yourself, generally speaking this is not a very good option for most people. Another one is using preload LIBC library, which doesn't require you to compile anything but you have to specify the processes you want to protect by setting LD_PRELOAD variable before running these processes(generally daemons)

    For instance, a typical scenario is to protect Samba (smbd) by modifying its init script (/etc/systemd/system/multi-user.targets.wants/smb.service in CENTOS7) by adding 


    to Environment= configuration(see attached screenshot), then restarting the service:

    systemctl daemon-reload && systemctl restart smb

    This way when any user tries to copy infected files from shared folder, it gets detected and cleaned.

    Likewise, if you want to protect wget, you have to set LD_PRELOAD everytime you call wget, for instance using wget to download Eicar:

    LD_PRELOAD=/opt/eset/esets/lib64/libesets_pac.so wget hxxp://www.eicar.org/download/eicar.com

    Check in /var/log/messages that eicar file is detected and quarantined.

    Besides setting LD_PRELOAD variable, you also have to add the directories you want to monitor under [pac] ctl_intl in esets.cfg (I can see you already did it using the web interface Agent PAC). It's not necessary to set the one in Agent DAC if you're not using the Dazuko module.

    Another option is to put LD_PRELOAD in /etc/ld.so.preload so that all processes are monitored globally on boot, but there might be a significant impact on performance and stability of the system according to the docs. Interestingly NOD32 for Linux Desktop uses /etc/ld.so.preload.


  2. 1 hour ago, leviu said:

    Thanks V2TW for confirming my assumptions =).

    Would there by any point in placing the same update  server configuration in the policy? Not sure how would I client loose that though...

    Yea it's unlikely that client loses that setting. But I would have the policy set just in case. For instance if the client had to reset it's settings to default or something, you only have to remember to set the ERA Server location and policies will take care of the rest.  

  3. Quote

    1. The package configuration gets deployed initially with the package and never again?



    2. If I update the configuration of the installation package does it propagate to all of the clients that used this package?

    No, only new installs using that package will apply the updated configuration.


    3. Does policy override any package configuration after installation?

    Yes, in case of configuration conflicts policies will override package configuration.


    Package configuration is just initial configuration, nothing more. It's better to set just ERA Server location and update server in package configuration and leave the rest to policies(which is more or less now the standard method in V6). Unless you have clients that won't be connecting to ERA there's not a lot of point in using package configuration for anything else other than ERA server location and update server.

  4. On 2017-3-24 at 11:35 PM, MichalJ said:

    You can create report for HIPS events, using the reporting framework in ERA V6.

    Basically create a new report, with "HIPS" symbols (symbol = mapped database column, created from a particular log column on the computer). In the report, you will be able to see, particular HIPS rule hits. It is not collected by default (as HIPS could create excessive loads of data), but it is possible to collect it as of now.  You can play with the columns per your need.

    Concerning the firewall, only high severity firewall events, are collected. Not the "custom rule" triggered ones. This is planned to be adjusted into ERA V7. ERA V7 release date is not scheduled, but won´t happen sooner than by Q4/2017 (but this is preliminary information, and is still a subject of a possible change).


    Both of my ERA and clients are on 6.5 now, it seems HIPS client logs aren't reported to the server no matter what. Basically I have set some generic HIPS rules with logging on the client, and I can see the logs on the client. But the custom HIPS report is always empty. Is there anything I'm missing here? 

  5. 15 hours ago, dennyx said:


    Please, could anyone help me with this issue to solve it? I don't want to set my endpoints in learning mode and rules would help me as much as you can imagine. :-) 

    Thank you.

    Does it work if you either add your subnet to trusted zone or set netowork type to Work/Office? The original post was over 2 years ago, I think they already added the required default trusted zone rules in newer versions.

  6. 7 hours ago, MartinK said:

    If I recall correctly, AGENTS v. 6.1 defaulted to 20 minutes -> this interval has been changed as a part of "modules" update and that is why even those old AGENTs should be now connecting in minute interval in case they are updating from ESET servers and interval is not explicitly specified by configuration policy.

    Thanks for the clarification.

  7. As titled I have a customer saying some of their users are using Kaspersky Small Office Security installer to uninstall their password protected ESET Endpoint Security deployed to get around access restrictions. I have tested myself steps below:


    1. Set an access password for Endpoint Security, either via policy or on the Endpoint.

    2. Make sure access password is working by trying to uninstall Endpoint via Programs and Features applet, password prompt should appear.

    3, Download Kaspersky Small Office Security 5: https://support.kaspersky.com/ksos5pc , run the installer, ESET Endpoint Security gets detected and fully uninstalled without user interaction(besides clicking next).

    Tested on Endpoint Security 6.5.2094, Wndows 7

    There certainly seems to be some bypass that Kaspersky is using for the uninstall. Is there any way to prevent this?

  8. Hi Michal,

    Thanks for the response. Then I guess the current only alternative is to schedule a report which lists all computers under "Lost & Found" and send to admin at regular intervals. The goal is to remind admins to move these PCs to appropriate groups, this isn't perfect but good enough.

    I'd still like to know why doesn't my previous Notification template work though. It sounds like it's comparing the number of clients in the dynamic group every 5 minutes, and the notification should send if it has added 1 or more clients compared to 5 minutes ago. Is this a bug that it's not working or I misunderstood how it works?

  9. Hi,


    Is it possible to create a notification that whenever any new clients are added to the Lost & Found group, the admin gets notified? I tried to do it like below but didn't work:

    1. Create a dynamic group under Lost & Found with a template that basically matches any clients

    2. Create a notification with setting as shown in the attached images.

    I've checked the email settings, other notifications are working fine so definitely not SMTP server or email typo issue. Anything I'm overlooking here?




  10. Hi There,

    I noticed something strange regarding when setting the new 6.5 Endpoint policy: "Also evaluate rules from Windows Firewall", it cannot be set. Just create a new Endpoint policy with this setting set to "Apply" or "Force", save policy. Open the policy again the setting is unset.

    Please check if this is a bug. Module versions:


    ESET Remote Administrator (Server), Version 6.5 (6.5.417.0)
    ESET Remote Administrator (Web Console), Version 6.5 (6.5.388.0)


    Update module 1069 (20161122)
    Translation support module 1592 (20170315)
    Configuration module 1461.10 (20170214)
    SysInspector module 1266 (20161222)
  11. Hi There,

    I have a customer with Linux version of ERA Agent and File Security for Linux installed. However for some reason agent will not connect to ERA server. Upon closer inspection it looks like in agent trace.log ERAAgent process is constantly crashing when trying to start NetworkModule with "Host not found":

    2017-03-27 07:22:33 Information: SchedulerModule [Thread 7f6f161fc700]: Received message: RegisterSleepEvent
    2017-03-27 07:22:33 Information: Kernel [Thread 7f6f27874700]: Started module SchedulerModule (used 164 KB)
    2017-03-27 07:22:33 Information: Kernel [Thread 7f6f27874700]: Starting module NetworkModule
    2017-03-27 07:22:33 Information: CAgentSecurityModule [Thread 7f6f16bfd700]: Agent peer certificate with subject 'CN=Agent at *, OU=IT, O=Gorilla, L=Taipei, S=Taiwan, C=TW' issued by 'CN=Server Certification Authority, OU=IT, O=Gorilla, L=Taipei, S=Taiwan, C=TW' with serial number '012681d76c305440bf9d1d16ff0f4dfc5801' is and will be valid in 30 days
    2017-03-27 07:23:09 Information: NetworkModule [Thread 7f6f27874700]: CContainer stopping statusLogGenerator
    2017-03-27 07:23:09 Error: Service [Thread 7f6f27874700]: Kernel start: Last starting module failed with: resolve: Host not found (non-authoritative), try again later
    2017-03-27 07:23:09 Information: Service [Thread 7f6f27874700]: Preparing to stop
    2017-03-27 07:23:09 Information: Kernel [Thread 7f6f27874700]: Used memory before modules shutdown is 45448 KB

    The server has no connectivity to the internet, and ERA server is specified as IP address, with no firewall in between. The server is being used as an internal nameserver.

    logs from info_get command is attached, we tried re-installing but it's not helping, please help to check.

    customer_info (002).zip

  12. Hi,

    This is listed under new features for v6.5:

    • Added: Ability to enable / disable protection features from the command line by running “Run Command” task from ESET Remote Administrator (for example, to allow “advanced CMD commands” such as command line export / import of configuration)

    How is this done? I don't see any command-line references anywhere for ecmd.exe.


  13. Do you still have the default proxy policies applied to All group in ERA? If so then the server-side policies will still override the policies you selected in the All-In-One installer after connecting to the server. So what may have happeed is that the client did connect to ERA Proxy initially, but after policy replication Proxy Server setting gets overwritten by server-side policies. I reckon it's better to think of the all-in-one installer policy selection as a temporary configuration used before connecting to ERA.

  14. Hi There,

    I noticed that whenever I initiate an on-demand scan from ERA to my Linux servers, a /var/log/esets/ndlXXXXXX.dat log file gets created. However the log files are taking up huge amount of disk space (something like 3GB each, taking up total of 20GB). I can see that it's probably because these scans log all scanned files regardless of whether files are infected, but is there anyway to avoid logging everything but just the infected files to reduce the log file size? 

  • Create New...