Posts posted by Markwd

  1. Hello,

     

    Just a quick (global) question:

     

    We have a webserver containing an instance of Apache Tomcat version 9 (not fully up-to-date).

    The server also has ESET Server Security version 9 on it.

    Once in a while ESET Server Security detects an attempt to exploit HTTP/Exploit.CVE-2021-41773 on the Tomcat.exe process.

    The exploit is bound to a vulnerability in Apache HTTPD instead of Tomcat.

     

    Would that be an attempt of the attacker to try whether the webserver accidentally has a vulnerable httpd version on it, which is triggering ESET to detect the exploit attempt? Could it be a FP, because Tomcat.exe is not vulnerable to this exploit, or could something else be the reason ESS is triggered?

     

    Thanks!

  2. Thanks!

    So both the Online Help and the KB suggest to disable the GUI entirely and not warn the users when they open malicious content? In my opinion you would want the user to be informed immediately as they open malicious content to create a certain level of awareness. But you do not want the users to mess around in the GUI itself. As I see it, only the option to set the GUI to Minimal (the way Endpoint Protection has) would solve that?

  3. Hello @foneil,

    I was referring to this kb:

    https://help.eset.com/efsw/8.0/en-US/work_ui_disable_gui.html

    The title "Disable GUI on Terminal Server" and the text "This is usually undesirable on Terminal Servers" imply to me that it is advised to turn off the GUI on Terminal Servers.

    Also the term "Terminal" mode for the setting of the GUI implies that you want to set this mode for Terminal Servers.
    I would still prefer the modes for Server Security to be the same as being used in the Endpoint software for Workstations (Full, Minimal, Manual, Silent).
     

  4. Hello,

    As advised in your KB, we have disabled the GUI (set to Terminal) on all of our Terminal Servers.

    This means that the users on the Terminal Servers will not receive a (popup) notification when they open malicious e-mails, websites, or executables. Because of this, the awareness amongst the users of these dangers will not grow, because they are not notified when they click on, for example, a malicious link.

    What would be the consequence if the GUI were enabled? Would this have an impact on the performance of the terminal server?

    Also, I noticed that the Endpoint Antivirus and Security also have an option to set the GUI to:

    Minimal ( The graphical user interface is running, but only notifications are displayed to the user)
    Manual (Graphical user interface is not started automatically on logon. Any user may start it manually.)
    Silent (No notifications or alerts will be displayed. Graphical user interface can only be started by the Administrator.)

    What is the reason that ESET Server Security does not have these options for the GUI?

     

  5. Hello,

     

    I'm not sure if this forum is the right place for feature requests, but I have 2 feature requests regarding this product:

     

    1) It would be nice if the preboot password and the Recovery Password screens could have a countdown option that displays the remaining attempts for entering your (Recovery) password.

     

    2) Sometimes a user manages to disable the EFDE login and also the Password Recovery login. The only way to recover this (as far as I know) is to use the Data Recovery option to fully decrypt the disk(s) and then re-encrypt the disk(s), which can be a time-consuming action (and all you want is to restore the EFDE login). It would be nice if there was a possibility to bypass the login screen or change the login password with the help of the USB Recovery media.

  6. So you're saying that major releases will also be installed by MicroPCU, but the difference is that the major releases will require a restart whereas Hotfixes will not?

    And if so, will the RTS be disabled until the restart has been done if this major update has been provided through MicroPCU, or will the driver be replaced after restarting the server?

     

    In other words: Would it be possible / advised to enable MicroPCU on servers and let it do the version updates all the way (including major versions) and have a reboot through a different maintenance window provide the restart of the server (in some cases) days later?

  7. Hello,

     

    ESET Server and Mail Security (v8) have been officially released now with the MicroPCU function built in. I was going through the knowledgebase to find more information about this function, and noticed the following kb: 

    Program component update | ESET Endpoint Security | ESET Online Help

     

    It advises to set the PCU setting in the policies to Never for ESET server installations.

     

    Furthermore, looking at the official statement about the best way ESET advises to do upgrades (Upgrading to a newer version | ESET Server Security | ESET Online Help):

    It advises us to fully uninstall the currently installed version, then restart the server and then install the new version. Also I noticed the IMPORTANT section stating that you need to have no pending Windows Updates or Restarts prior to installing the upgrades of ESET Server products.

     

    I have tested the upgrade to the new version 8 on several test servers and noticed that both the server product as well as ESET Protect state that a Restart is required, but do not mention that the Realtime Scanner is non-functional anymore.

     

    Our local ESET Support channel also states that the MicroPCU function only works for minor upgrades, so upgrading from version 8.0 to 8.1 will not work through MicroPCU. In those cases you still need to re-install the product.

     

    From upgrading from version 7.2 upwards, every single upgrade on every server disables the Realtime scanner engine until the restart has been done. Before that, the products just kept working on the older drivers until the server was restarted.

     

    I would really like to know what ESET officially advises for keeping their server products up-to-date without major interference or security risks on servers of different classes that mostly require high availability.

     

    Markwd

  8. Hello @Kstainton,

     

    We would like to also store the Workstation ID as a Custom Property in Solarwinds N-Central. In case the workstation has lost connection to the ESET Protect environment, we can then create a Recovery Password by looking at this Custom Property, without having to ask the customer to provide this.

     

    I noticed a tool C:\Program Files\ESET\ESET Full Disk Encryption\EFDEcmd.exe and was hoping this was a command-line utility for such commands, but until now that utility seems of no use.

     

  9. Hello MartinK,

     

    Thank you for your response.

     

    In case a user does not know their preboot password anymore, we need to identify which workstation the user is working on at that moment. As the user does not know their preboot password (for whatever reason), he/she does not have access to the Windows Operating System to provide us unique details of the workstation (such as Computer name or IP address). The only unique point of recognition I can find in the preboot login page is the Workstation ID.

    In our EEE (Deslock) environment we use this all the time to match the workstation the user is dealing with, with the device in the EEE Server environment.

     

    This is also described as part of the procedure for decrypting an FDE disk in KB7150:

    https://support.eset.com/en/kb7150-remove-eset-endpoint-encryption-from-a-workstation

    (Verify that the WorkstationID value displayed matches the Workstation ID on the client. How do I find my Workstation ID?)

    (I was almost certain at some point this was also described as part of the password recovery procedure, but I cannot find this anymore).

     

     

    Also thank you for clarifying the usage of the Encryption Recovery option under Help. From my view this was the only point for matching the Workstation ID (and then from that point on do a Password Recovery). I can see from your point of view why this has been blocked.

     

     

  10. Hello,

    I am missing some options in ESMC that would allow me to quickly find the Workstation ID of a device through the ESMC console.

    As far as I can see, the only option for this is to use Help - Encryption Recovery.

    It would be nice if you could also see the Workstation ID under Computer Details or (even maybe better) see the Workstation ID as a column row in the Computers overview in ESMC.

     

    At this moment when I log in with an account that has limited rights (on just one Static Group for example) I cannot use the Encryption Recovery option under Help, although I have set the Encryption Recovery Read and Use Rights in the Permission Set of that account.

     

    Any thoughts on this?

  11. @MichalJ For a business proposal I would say data removal and data loss prevention would be the main reason. A possibility to report the laptop as stolen (through a task in ESMC) so the person who then has the laptop cannot use it and will be notified how to contact the owner of the laptop.

    Tracking down the laptop or making screenshots and/or photos by webcam would not be a priority (and I can imagine this is violating at least the GDPR rules).

  12. Hi,

     

    Not sure if this is the right topic for this, but why does the consumer version (Smart Security) have options for anti-theft, while the business products don't offer this feature? In most cases the data on business laptops is way more valuable for users than data on consumer laptops. It would be great if Endpoint Security could have Anti-Theft which could be managed by ESMC and is also accessible for the laptop owner through https://anti-theft.eset.com

  13. Hello Martin,

     

    I have indeed tried to log in with the credentials of one of the customers (with privileges to modify both reports and server tasks), but still the trigger goes with every threat detection in every Static Group.

     

    I am thinking the Threat Event trigger is simply looking at a global threat log and ticks with every threat detection, not looking at where the threat is coming from. I wonder if that is true and, if so, whether that log also contains information about where the threat was detected. Maybe the trigger works before "seeing" the infrastructure of the ERA and therefore does not know in which Static Group the client is where the threat was detected?

     

    I have also tried to think about a way to get this managed with dynamic templates, but all my tries lead to a dead end.

     

    In my opinion, if I could work this out and could send the "technical" contacts of my customers a mail when a real threat is detected, this could help create a kind of security awareness among my customers.

  14. Hello Marcos,

     

    Thanks for your response.

     

    The filtering of the Static group under the report template only filters the content of the report. It does not filter the server report task that runs when a threat detection has been logged.

    So when I use the Static Group filtering on the report template, it generates a report on every threat detection (in every Static Group), but will only show the threats detected of that specific Static Group in the report.

  15. Hello,

    I have set up ERA (6.5) in a multi-tenancy way, so all my customers are connected through one server and every customer has its own Static Group and login into the ERA Console.

     

    Now I wanted to have ERA generate reports automatically on detection of threats and mail these reports to the customer at the moment a detection is logged. Of course the report only needs to see the clients under the customer's Static Group and the report task only needs to run when a detection is made under the Static Group of the customer itself.

     

    Creating the report was easy and that part works fine. Creating the report task, however, is not working. When I create a report task that is triggered by threat detection, I cannot have it run on detection of threats under the Static Group of the customer itself. The task runs on every threat detection of every customer (Static Group). I have tried to work around this by hanging the task under the customer's Access Group and also I tried to work around this by disabling the option "SEND EMAIL IF REPORT IS EMPTY". Still the outcome is not right.

    I specifically do not want to use the SMTP settings at the customer's site, because of the fact that I do not want to find out those specific settings every time and the fact that the reporting task has the possibility to filter out the "threats" that are not severe enough to mention.

    Is there a way to have this functional and set up within the ERA environment, so I can send threat reports per customer (Static Group)?

    Any thoughts about this would be appreciated...
