roga
Members, 98 posts

Posts posted by roga

  1. I have just uninstalled esmc from a windows 2012r2 server (from "appwiz.cpl"), however it appears that some components are left behind. e.g. sql server and winpcap. (BTW is there a different way to uninstall ESMC which gets rid of the sql instance and things like winpcap?)

    I have other services on this machine, some of which use their own instance of sql server. (Actually just one other service, which is a cloud backup service)

    I can see in my list of services "SQL Server (ERASQL)"

    So how do I delete the sql server(s) associated with ESMC\ERA, and leave my other services alone?

    This server used to have ERA, then ESMC. I think different versions of the sql server were installed at different times by eset.

    This is my list of sql and associated files.

    Sql Server Customer Experience Improvement Program              10.53.6000.34
    Microsoft SQL Server 2008 R2 Native Client                      10.53.6560.0
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148  9.0.30729.4148
    Microsoft SQL Server 2008 R2 RsFx Driver                        10.53.6000.34
    Sql Server Customer Experience Improvement Program              12.3.6024.0
    Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219     10.0.40219
    Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219     10.0.40219
    Microsoft SQL Server 2014 Setup (English)                       12.3.6329.1
    SQL Server 2008 R2 SP2 Database Engine Services                 10.53.6000.34
    SQL Server 2008 R2 SP2 Database Engine Services                 10.53.6000.34
    SQL Server 2014 Database Engine Services                        12.3.6024.0
    Microsoft SQL Server 2008 Setup Support Files                   10.1.2731.0
    Microsoft SQL Server 2008 Setup Support Files                   10.3.5500.0
    SQL Server 2014 Common Files                                    12.3.6024.0
    Microsoft VSS Writer for SQL Server 2014                        12.3.6024.0
    Microsoft Command Line Utilities 11 for SQL Server              11.0.2270.0
    SQL Server Browser for SQL Server 2014                          12.3.6024.0
    SQL Server 2008 R2 SP2 Common Files                             10.53.6000.34
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161  9.0.30729.6161
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161  9.0.30729.6161
    Microsoft SQL Server 2012 Native Client                         11.4.7462.6
    SQL Server 2014 Database Engine Shared                          12.3.6024.0
    SQL Server 2008 R2 SP2 Common Files                             10.53.6000.34
    SQL Server 2014 Database Engine Shared                          12.3.6024.0
    Microsoft SQL Server 2008 R2 Setup (English)                    10.53.6560.0
    Microsoft ODBC Driver 11 for SQL Server                         12.3.6329.1
    SQL Server 2014 Common Files                                    12.3.6024.0
    SQL Server 2008 R2 SP2 Database Engine Shared                   10.53.6000.34
    SQL Server 2008 R2 SP2 Database Engine Shared                   10.53.6000.34
    Microsoft SQL Server 2014 RsFx Driver                           12.3.6329.1
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17    9.0.30729
    SQL Server 2014 Database Engine Services                        12.3.6024.0
    Microsoft SQL Server 2014 Transact-SQL ScriptDom                12.3.6329.1

    regards

    Roger
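As an added example for the question above (not from roga's post and not an ESET tool), a read-only PowerShell listing that maps every SQL Server instance on the host to its service and setup details and flags the ERASQL instance, so the ESET-owned instance can be removed through its own SQL Server entry in Programs and Features while the backup service's instance is left untouched. The registry paths are SQL Server's standard ones; the function name is made up for this example.

```powershell
# Added example: identify which SQL Server instance belongs to ESMC/ERA (ERASQL)
# before removing anything. Purely read-only: it queries the registry and the
# service list, it does not uninstall or stop anything.
function Get-SqlInstanceOwnership {
    param(
        # Instance name shown as "SQL Server (ERASQL)" in services.msc
        [string]$EsetInstance = 'ERASQL'
    )

    # Standard SQL Server key: value name = instance name, value data = instance ID
    # (for example MSSQL12.ERASQL for a SQL Server 2014 instance named ERASQL).
    $instanceKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    $names = Get-Item -Path $instanceKey -ErrorAction Stop

    foreach ($name in $names.GetValueNames()) {
        $instanceId = $names.GetValue($name)
        $setupKey   = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\Setup"
        $setup      = Get-ItemProperty -Path $setupKey -ErrorAction SilentlyContinue

        # The default instance runs as MSSQLSERVER; named instances as MSSQL$<name>.
        $svcName = if ($name -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { "MSSQL`$$name" }
        $svc     = Get-Service -Name $svcName -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Instance   = $name
            InstanceId = $instanceId
            Version    = $setup.Version      # e.g. 12.3.6024.0 (2014) or 10.53.6000.34 (2008 R2)
            Edition    = $setup.Edition
            DataRoot   = $setup.SQLDataRoot  # where the instance's databases live
            Service    = $svcName
            State      = if ($svc) { $svc.Status } else { 'service missing' }
            EsetOwned  = ($name -eq $EsetInstance)
        }
    }
}

# Show all instances; the EsetOwned column tells you which one to remove.
Get-SqlInstanceOwnership | Format-Table -AutoSize
```

Run the SQL Server uninstaller only for the row marked EsetOwned (its Version tells you which "SQL Server 20xx" entry in Programs and Features to pick), and the remaining rows are the instances other services depend on.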

  2. 14 minutes ago, MichalJ said:
    1. Deploy agent
    2. Configure the password protection policy for it (for agent)
    3. Configure the password protection policy for all of the security products deployed 

    Thanks @MichalJ

    I had already guessed that, so I guess I should clarify my question:
I have esmc, all of the clients are managed (windows servers and workstations).
    In the above scenario, what is the easiest (least work) way to deploy the agent? Is this something that can be done as a client task, or do I need to run that agentinstall bat file?

  3. 26 minutes ago, Marcos said:

    This is a proof that just having a security software installed is not enough; firstly RDP must be secured. Secondly, all critical operating system updates must be installed. Fourthly, ESET must be protected with a password and detection of potentially unsafe applications enabled to prevent protection from being tampered by unauthorized persons.

    Thanks @Marcos that's helpful. Only thing I hadn't done with ESET is to set a password to protect settings.

    A couple of other things I might do in future:
    1) Rename the domain admin account
    2) Disable local admin accounts on servers and workstations

Also noted the remark from @itman re limiting the number of logons before lock out

    All of these disasters are a learning experience

    Roga

  4. 1 hour ago, Marcos said:

    ESET didn't fail to protect the user. This is proved by the fact that ESET had recognized the ransomware for a long time before the user got infected which means that ESET must have been paused or otherwise deactivated by an attacker.

    Hi @Marcos

Eset wasn't "deactivated by an attacker" as such in my case, EEA appears to have been deactivated by the malware, i.e. it is not as though a person paused protection and then the computer was attacked. BTW HIPS and "enable detection of potentially unsafe applications" were on and everything else up to date.

    So can I ask when you say "ESET had recognized the ransomware", in theory should ESET have recognised the malware attempting to disable EEA? (Perhaps my variant of the worm hadn't been recognised yet)

  5. I have a small domain managed by ERA with up to date versions and definitions

@Marcos said: "The detection was added on June 24."

    However I had a win10 machine, which was not open to the internet, running win10 and ESET Endpoint Antivirus, which got infected on Monday 5th Aug.

    So I'm not sure how that happened?

  6. 13 hours ago, MartinK said:

I would recommend restarting the ESMC Agent service if possible (might be a problem in case an ESET product is also installed). There seems to be some problem with fetching the so called "HW fingerprint", either there is some problem with a system interface or something is stuck. Could you also verify the status of WMI on this machine? Especially whether it is functional.

    Only way to restart service is to restart the machine, which I have done, but no change.
    WMI is fine, I can query and get info.
    So since yesterday, I have rebooted the server, but no change in status

  7. 13 minutes ago, MichalJ said:

@roga This is actually not possible as of now. The "one click" upgrade triggers the task right away, with the ASAP trigger. ASAP trigger means the task is started as soon as it reaches the client / computer (after a successful replication attempt). We can create an improvement request to add a "fork" in the journey, to "upgrade right away" & "schedule for later". I have to say that I really like the IDEA, so thanks for reporting.

    Internal reference: P_ESMC-19442

    Thanks MichalJ, the "one click" is a helpful idea, will be even better if we can schedule.

  8. 5 minutes ago, Rami said:

Try to go to Client Tasks on your left hand, make a new task and see if there is a time for execution

    That only makes sense if there is a delay in "start ASAP"

    Yes there is a new task created, but by the time you get to it, might already have started.

    So, do you know if there is a delay with the default for tasks created this way? How long is that delay for?

Most of the software upgrades need a reboot; this is not something that you want to happen on many machines during the working day, so wouldn't it be better to be able to select a scheduled time when using the context menu?

    The reason why I use the context menu is to save time (as targets automatically selected), please ESET can you add an option to schedule from here.

    regards

    Roga

  9. 18 minutes ago, Rami said:

I believe you could set a time for the tasks to run in the Client Tasks, where you just make a new client task and assign it to software installation and assign the software you want, and I believe there you have somewhere an option to put a time when you could update.

    ???
When you click on the context menu from the dashboard, it does create a new client task, but it is set to run ASAP.

    My question is "is it possible to set a scheduled time from the context menu". When using context menu there are a number of options to click to accept, but time of schedule is not one of them.

btw my mistake, it is not "right click", here is what I mean:

context.png

  10. Yes I do have some logs, this from trace.log:

    2019-07-13 16:59:49 Error: CReplicationModule [Thread a64]: InitializeFailOverScenario: Skipping fail-over scenario (stored replication link is the same as current)
    2019-07-13 16:59:49 Error: CReplicationModule [Thread a64]: CAgentReplicationManager: Replication finished unsuccessfully with message: InitializeConnection: Initiating replication connection to 'host: "foo.bar" port: 2222' failed with: GetAuthenticationSessionToken: Failed to fetch device session token in timeReplication details: [Task: CReplicationConsistencyTask, Scenario: Automatic replication (REGULAR), Connection: foo.bar:2222, Connection established: false, Replication inconsistency detected: false, Server busy state detected: false, Realm change detected: false, Realm uuid: 8b516388-61e4-4298-b909-c8b9c8477811, Sent logs: 0, Cached static objects: 0, Cached static object groups: 0, Static objects to save: 0, Static objects to delete: 0, Modified static objects: 0]
    2019-07-13 17:03:47 Warning: CReplicationModule [Thread a64]: GetAuthenticationSessionToken: Received failure status response: TEMPORARILY_UNAVAILABLE (Error description: session token temporarily unavailable, device is not enrolled yet)
    2019-07-13 17:04:49 Warning: CReplicationModule [Thread a64]: GetAuthenticationSessionToken: Received failure status response: TEMPORARILY_UNAVAILABLE (Error description: session token temporarily unavailable, device is not enrolled yet)
    2019-07-13 17:04:49 Error: CReplicationModule [Thread a64]: InitializeConnection: Initiating replication connection to 'host: "foo.bar" port: 2222' failed with: GetAuthenticationSessionToken: Failed to fetch device session token in time
    2019-07-13 17:04:49 Warning: CReplicationModule [Thread a64]: InitializeConnection: Not possible to establish any connection (Attempts: 1)

    This from status:

    Status log

    Scope Time Text
    Last authentication 2019-Jul-25 09:52:08 Enrollment OK
    Last replication 2019-Jul-25 09:48:10 ERROR: InitializeConnection: Initiating replication connection to 'host: "foo.bar" port: 2222' failed with: GetAuthenticationSessionToken: Failed to fetch device session token in time
    • Replication details: [Task: CReplicationConsistencyTask, Scenario: Automatic replication (REGULAR), Connection: foo.bar:2222, Connection established: false, Replication inconsistency detected: false, Server busy state detected: false, Realm change detected: false, Realm uuid: ***, Sent logs: 0, Cached static objects: 0, Cached static object groups: 0, Static objects to save: 0, Static objects to delete: 0, Modified static objects: 0]
    • All replication attempts: 10
    Peer certificate 2019-Jul-25 09:14:48 OK
    • Agent peer certificate with subject 'CN=Agent at *, OU=foo, O=bar, S=london, C=GB' issued by 'CN=Server Certification Authority, OU=foo, O=bar, S=london, C=GB' with serial number "***" is and will be valid in 30 days
    Product 2019-Jul-25 09:14:33 Product install configuration:
    • Product type: Agent
    • Product version: 7.0.577.0
    • Product locale: en_US
    Replication security 2019-Jul-25 09:18:21 OK
    • Remote host:foo.bar
    • Remote product: Server

  11. 36 minutes ago, roga said:

    "The import failed because the store was read-only, the store was full, or the store did not open correctly."

    I am unable to import security certificate in internet explorer. I have checked registry and file permissions and all seem OK

    Looks like it wasn't anything to do with ESMC, I deleted the user profile I was using, then logged in again with new profile, and import was OK.
    Also link has to read "localhost" rather than "machine_name".
    All working fine now.
    R

Have just upgraded from era 6.5 to esmc 7 on a windows 2012r2 server. When running the shortcut I get a warning in the browser that the site is not trusted. When I try to import, I get the message: "The import failed because the store was read-only, the store was full, or the store did not open correctly."

    I am unable to import security certificate in internet explorer. I have checked registry and file permissions and all seem OK

    Any ideas?

    regards

    Roga