roga
  1. That sounds a good idea, as far as the services, I have just set anything obviously related to ESMC to "disabled" regards Roga
  2. I have just uninstalled esmc from a windows 2012r2 server (from "appwiz.cpl"), however it appears that some components are left behind, e.g. sql server and winpcap. (BTW is there a different way to uninstall ESMC which gets rid of the sql instance and things like winpcap?)

     I have other services on this machine, some of which use their own instance of sql server. (Actually just one other service, which is a cloud backup service.) I can see in my list of services "SQL Server (ERASQL)".

     So how do I delete the sql server(s) associated with ESMC\ERA, and leave my other services alone?

     This server used to have ERA, then ESMC. I think different versions of the sql server were installed at different times by eset. This is my list of sql and associated files:

       • Sql Server Customer Experience Improvement Program 10.53.6000.34
       • Microsoft SQL Server 2008 R2 Native Client 10.53.6560.0
       • Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 9.0.30729.4148
       • Microsoft SQL Server 2008 R2 RsFx Driver 10.53.6000.34
       • Sql Server Customer Experience Improvement Program 12.3.6024.0
       • Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 10.0.40219
       • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 10.0.40219
       • Microsoft SQL Server 2014 Setup (English) 12.3.6329.1
       • SQL Server 2008 R2 SP2 Database Engine Services 10.53.6000.34
       • SQL Server 2008 R2 SP2 Database Engine Services 10.53.6000.34
       • SQL Server 2014 Database Engine Services 12.3.6024.0
       • Microsoft SQL Server 2008 Setup Support Files 10.1.2731.0
       • Microsoft SQL Server 2008 Setup Support Files 10.3.5500.0
       • SQL Server 2014 Common Files 12.3.6024.0
       • Microsoft VSS Writer for SQL Server 2014 12.3.6024.0
       • Microsoft Command Line Utilities 11 for SQL Server 11.0.2270.0
       • SQL Server Browser for SQL Server 2014 12.3.6024.0
       • SQL Server 2008 R2 SP2 Common Files 10.53.6000.34
       • Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 9.0.30729.6161
       • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 9.0.30729.6161
       • Microsoft SQL Server 2012 Native Client 11.4.7462.6
       • SQL Server 2014 Database Engine Shared 12.3.6024.0
       • SQL Server 2008 R2 SP2 Common Files 10.53.6000.34
       • SQL Server 2014 Database Engine Shared 12.3.6024.0
       • Microsoft SQL Server 2008 R2 Setup (English) 10.53.6560.0
       • Microsoft ODBC Driver 11 for SQL Server 12.3.6329.1
       • SQL Server 2014 Common Files 12.3.6024.0
       • SQL Server 2008 R2 SP2 Database Engine Shared 10.53.6000.34
       • SQL Server 2008 R2 SP2 Database Engine Shared 10.53.6000.34
       • Microsoft SQL Server 2014 RsFx Driver 12.3.6329.1
       • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 9.0.30729
       • SQL Server 2014 Database Engine Services 12.3.6024.0
       • Microsoft SQL Server 2014 Transact-SQL ScriptDom 12.3.6329.1

     regards Roger
  3. Sorry @Michalj if I wasn't clear. I do have agents installed on the clients. I thought perhaps that I might need to roll out an updated agent, but from what I understand from what you have said I can introduce password both on agent and client software by policy, without needing to do anything else. Thanks
  4. Thanks @MichalJ I had already guessed that, so I guess I should clarify my question: I have esmc, all of the clients are managed (windows servers and workstations). In the above scenario, what is the easiest (least work) way to deploy the agent? Is this something that can be done as a client task, or do I need to run that agentinstall bat file?
  5. So back to original question - what is easiest way to roll out password protection of agent on a managed system?
  6. Hi @MichalJ Thanks for the quick response. I am trying to mitigate the system following a ransomware infection which managed to disable eea and efs, will password protection from policy prevent disabling of protection? - it was my understanding that we also need to protect agent to stop it being disabled
  7. My understanding is that to password protect eset products on a managed system (esmc) the agent needs to be password protected. 1) Am I correct that this is the way to password protect? 2) What is the easiest way to do this for a managed network? regards Roga
  8. Thanks @Marcos that's helpful. Only thing I hadn't done with ESET is to set a password to protect settings. A couple of other things I might do in future: 1) Rename the domain admin account 2) Disable local admin accounts on servers and workstations Also noted remark from @itman re limiting amount of logons before lock out All of these disasters are a learning experience Roga
  9. Hi @Marcos Eset wasn't "deactivated by an attacker" as such in my case, EEA appears to have been deactivated by the malware, i.e. it is not as though a person paused protection and then the computer was attacked. BTW HIPS and "enable detection of potentially unsafe application" was on and everything else up to date. So can I ask when you say "ESET had recognized the ransomware", in theory should ESET have recognised the malware attempting to disable EEA? (Perhaps my variant of the worm hadn't been recognised yet)
  10. I have a small domain managed by ERA with up to date versions and definitions @Marcos said: " The detection was added on June 24. " However I had a win10 machine, which was not open to the internet, running win10 and ESET Endpoint Antivirus, which got infected on Monday 5th Aug. So I'm not sure how that happened?
  11. That appears to have worked, but I ended up having a stale record (I guess linked to the original agent) which I have since deleted, and now all looks OK.
  12. Only way to restart service is to restart the machine, which I have done, but no change. WMI is fine, I can query and get info. So since yesterday, I have rebooted the server, but no change in status
  13. Thanks MichalJ, the "one click" is a helpful idea, will be even better if we can schedule.
  14. That only makes sense if there is a delay in "start ASAP" Yes there is a new task created, but by the time you get to it, might already have started. So, do you know if there is a delay with the default for tasks created this way? How long is that delay for? Most of the software upgrades need a reboot, this is not something that you want to happen on many machines during the working day so wouldn't it be better to be able to select a scheduled time when using context menu? The reason why I use the context menu is to save time (as targets automatically selected), please ESET can you add an option to schedule from here. regards Roga
  15. ??? When you click on the context menu from dashboard, it does create a new client task, but is set to run ASAP. My question is "is it possible to set a scheduled time from the context menu". When using context menu there are a number of options to click to accept, but time of schedule is not one of them. btw my mistake, is not "right click", here is what I mean: