roga

Members
  • Posts: 98
Everything posted by roga

  1. I have just uninstalled ESMC from a Windows 2012r2 server (from "appwiz.cpl"), however it appears that some components are left behind, e.g. SQL Server and WinPcap. (BTW, is there a different way to uninstall ESMC which gets rid of the SQL instance and things like WinPcap?)

     I have other services on this machine, some of which use their own instance of SQL Server. (Actually just one other service, which is a cloud backup service.) I can see in my list of services "SQL Server (ERASQL)".

     So how do I delete the SQL server(s) associated with ESMC\ERA, and leave my other services alone?

     This server used to have ERA, then ESMC. I think different versions of the SQL server were installed at different times by ESET. This is my list of SQL and associated files:

       Sql Server Customer Experience Improvement Program 10.53.6000.34
       Microsoft SQL Server 2008 R2 Native Client 10.53.6560.0
       Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 9.0.30729.4148
       Microsoft SQL Server 2008 R2 RsFx Driver 10.53.6000.34
       Sql Server Customer Experience Improvement Program 12.3.6024.0
       Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 10.0.40219
       Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 10.0.40219
       Microsoft SQL Server 2014 Setup (English) 12.3.6329.1
       SQL Server 2008 R2 SP2 Database Engine Services 10.53.6000.34
       SQL Server 2008 R2 SP2 Database Engine Services 10.53.6000.34
       SQL Server 2014 Database Engine Services 12.3.6024.0
       Microsoft SQL Server 2008 Setup Support Files 10.1.2731.0
       Microsoft SQL Server 2008 Setup Support Files 10.3.5500.0
       SQL Server 2014 Common Files 12.3.6024.0
       Microsoft VSS Writer for SQL Server 2014 12.3.6024.0
       Microsoft Command Line Utilities 11 for SQL Server 11.0.2270.0
       SQL Server Browser for SQL Server 2014 12.3.6024.0
       SQL Server 2008 R2 SP2 Common Files 10.53.6000.34
       Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 9.0.30729.6161
       Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 9.0.30729.6161
       Microsoft SQL Server 2012 Native Client 11.4.7462.6
       SQL Server 2014 Database Engine Shared 12.3.6024.0
       SQL Server 2008 R2 SP2 Common Files 10.53.6000.34
       SQL Server 2014 Database Engine Shared 12.3.6024.0
       Microsoft SQL Server 2008 R2 Setup (English) 10.53.6560.0
       Microsoft ODBC Driver 11 for SQL Server 12.3.6329.1
       SQL Server 2014 Common Files 12.3.6024.0
       SQL Server 2008 R2 SP2 Database Engine Shared 10.53.6000.34
       SQL Server 2008 R2 SP2 Database Engine Shared 10.53.6000.34
       Microsoft SQL Server 2014 RsFx Driver 12.3.6329.1
       Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 9.0.30729
       SQL Server 2014 Database Engine Services 12.3.6024.0
       Microsoft SQL Server 2014 Transact-SQL ScriptDom 12.3.6329.1

     regards Roger
  2. Sorry @Michalj if I wasn't clear. I do have agents installed on the clients. I thought perhaps that I might need to roll out an updated agent, but from what I understand from what you have said, I can introduce a password both on agent and client software by policy, without needing to do anything else. Thanks
  3. Thanks @MichalJ I had already guessed that, so I guess I should clarify my question: I have esmc, all of the clients are managed (windows servers and workstations). In the above scenario, what is the easiest (least work) way to deploy the agent? Is this something that can be done as a client task, or do I need to run that agentinstall bat file?
  4. So back to original question - what is easiest way to roll out password protection of agent on a managed system?
  5. Hi @MichalJ, thanks for the quick response. I am trying to mitigate the system following a ransomware infection which managed to disable EEA and EFS. Will password protection from policy prevent disabling of protection? It was my understanding that we also need to protect the agent to stop it being disabled.
  6. My understanding is that to password protect eset products on a managed system (esmc) the agent needs to be password protected. 1) Am I correct that this is the way to password protect? 2) What is the easiest way to do this for a managed network? regards Roga
  7. Thanks @Marcos, that's helpful. The only thing I hadn't done with ESET is to set a password to protect settings. A couple of other things I might do in future: 1) Rename the domain admin account 2) Disable local admin accounts on servers and workstations. Also noted the remark from @itman re limiting the number of logons before lockout. All of these disasters are a learning experience. Roga
  8. Hi @Marcos, ESET wasn't "deactivated by an attacker" as such in my case; EEA appears to have been deactivated by the malware, i.e. it is not as though a person paused protection and then the computer was attacked. BTW, HIPS and "enable detection of potentially unsafe application" were on and everything else was up to date. So can I ask, when you say "ESET had recognized the ransomware", in theory should ESET have recognised the malware attempting to disable EEA? (Perhaps my variant of the worm hadn't been recognised yet.)
  9. I have a small domain managed by ERA with up to date versions and definitions @Marcos said: " The detection was added on June 24. " However I had a win10 machine, which was not open to the internet, running win10 and ESET Endpoint Antivirus, which got infected on Monday 5th Aug. So I'm not sure how that happened?
  10. That appears to have worked, but I ended up having a stale record (I guess linked to the original agent) which I have since deleted, and now all looks OK.
  11. Only way to restart service is to restart the machine, which I have done, but no change. WMI is fine, I can query and get info. So since yesterday, I have rebooted the server, but no change in status
  12. Thanks MichalJ, the "one click" is a helpful idea, will be even better if we can schedule.
  13. That only makes sense if there is a delay in "start ASAP". Yes, there is a new task created, but by the time you get to it, it might already have started. So, do you know if there is a delay with the default for tasks created this way? How long is that delay? Most of the software upgrades need a reboot; this is not something that you want to happen on many machines during the working day, so wouldn't it be better to be able to select a scheduled time when using the context menu? The reason why I use the context menu is to save time (as targets are automatically selected). Please, ESET, can you add an option to schedule from here? regards Roga
  14. ??? When you click on the context menu from the dashboard, it does create a new client task, but it is set to run ASAP. My question is "is it possible to set a scheduled time from the context menu". When using the context menu there are a number of options to click to accept, but time of schedule is not one of them. BTW, my mistake, it is not "right click"; here is what I mean:
  15. Yes I do have some logs, this from trace.log:

       2019-07-13 16:59:49 Error: CReplicationModule [Thread a64]: InitializeFailOverScenario: Skipping fail-over scenario (stored replication link is the same as current)
       2019-07-13 16:59:49 Error: CReplicationModule [Thread a64]: CAgentReplicationManager: Replication finished unsuccessfully with message: InitializeConnection: Initiating replication connection to 'host: "foo.bar" port: 2222' failed with: GetAuthenticationSessionToken: Failed to fetch device session token in time
       Replication details: [Task: CReplicationConsistencyTask, Scenario: Automatic replication (REGULAR), Connection: foo.bar:2222, Connection established: false, Replication inconsistency detected: false, Server busy state detected: false, Realm change detected: false, Realm uuid: 8b516388-61e4-4298-b909-c8b9c8477811, Sent logs: 0, Cached static objects: 0, Cached static object groups: 0, Static objects to save: 0, Static objects to delete: 0, Modified static objects: 0]
       2019-07-13 17:03:47 Warning: CReplicationModule [Thread a64]: GetAuthenticationSessionToken: Received failure status response: TEMPORARILY_UNAVAILABLE (Error description: session token temporarily unavailable, device is not enrolled yet)
       2019-07-13 17:04:49 Warning: CReplicationModule [Thread a64]: GetAuthenticationSessionToken: Received failure status response: TEMPORARILY_UNAVAILABLE (Error description: session token temporarily unavailable, device is not enrolled yet)
       2019-07-13 17:04:49 Error: CReplicationModule [Thread a64]: InitializeConnection: Initiating replication connection to 'host: "foo.bar" port: 2222' failed with: GetAuthenticationSessionToken: Failed to fetch device session token in time
       2019-07-13 17:04:49 Warning: CReplicationModule [Thread a64]: InitializeConnection: Not possible to establish any connection (Attempts: 1)

     This from status:

       Status log (Scope | Time | Text)
       Last authentication | 2019-Jul-25 09:52:08 | Enrollment OK
       Last replication | 2019-Jul-25 09:48:10 | ERROR: InitializeConnection: Initiating replication connection to 'host: "foo.bar" port: 2222' failed with: GetAuthenticationSessionToken: Failed to fetch device session token in time Replication details: [Task: CReplicationConsistencyTask, Scenario: Automatic replication (REGULAR), Connection: foo.bar:2222, Connection established: false, Replication inconsistency detected: false, Server busy state detected: false, Realm change detected: false, Realm uuid: ***, Sent logs: 0, Cached static objects: 0, Cached static object groups: 0, Static objects to save: 0, Static objects to delete: 0, Modified static objects: 0] All replication attempts: 10
       Peer certificate | 2019-Jul-25 09:14:48 | OK Agent peer certificate with subject 'CN=Agent at *, OU=foo, O=bar, S=london, C=GB' issued by 'CN=Server Certification Authority, OU=foo, O=bar, S=london, C=GB' with serial number "***" is and will be valid in 30 days
       Product | 2019-Jul-25 09:14:33 | Product install configuration: Product type: Agent Product version: 7.0.577.0 Product locale: en_US
       Replication security | 2019-Jul-25 09:18:21 | OK Remote host:foo.bar Remote product: Server
  16. ESMC 7.0.577.0 on a Win 2012r2 server seems to work OK, but lost communication with itself over a month ago. I had to change some Java parameters for Apache Tomcat 7, and every so often MS SQL gets updated; apart from that, no idea why the problem. See attached file. regards roga
  17. There is a very handy feature on the dashboard which allows you to right click and update out-of-date software versions. However, I would like to schedule these updates, so they take place out of office hours. Is there a way to right click and schedule for a later time? regards Roga EDIT: ESMC 7.0.577.0 on Win 2012r2
  18. Looks like it wasn't anything to do with ESMC, I deleted the user profile I was using, then logged in again with new profile, and import was OK. Also link has to read "localhost" rather than "machine_name". All working fine now. R
  19. Have just upgraded from ERA 6.5 to ESMC 7 on a Windows 2012r2 server. When running the shortcut I get a warning in the browser that the site is not trusted. When I try to import, I get the message: "The import failed because the store was read-only, the store was full, or the store did not open correctly." I am unable to import the security certificate in Internet Explorer. I have checked registry and file permissions and all seem OK. Any ideas? regards Roga
  20. That looks promising filips, how do I modify my installation?
  21. After a bit more investigation it appears that there are different options depending on the OS, see screenshots attached. 2008R2 does not have the "web and email" option, but 2012R2 does. BTW, using EFS 6.5.12010.0
  22. Recent builds of eset products (ver 6 upwards) have not allowed EAV on servers. I run a number of remote desktop machines on windows, which of course have end user applications such as MS office (outlook). Does ESET File Security for Microsoft Windows Server protect email, web and similar apps on RD servers? regards Roga
  23. Thanks for the reply. Not very impressed at misleading info in repository, particularly when other products do mention 2012 and 2016
  24. I was about to roll out EFSW 6.5.12010.0, however repository says only for 2003 & 2008. Is this not also for 2012R2?