Everything posted by ludolf

  1. I mean, I requested the actual policy in ESMC and I saw it differs from what was configured for that client by policy. Today's issue: EES 7.0.2073.1, ESMC components upgraded, and on the client I got this error in Chrome: "Your internet access is blocked. etc. ERR_NETWORK_ACCESS_DENIED". The issue went away after some minutes without changing anything in the policy.
  2. Similar issue today: client: EES 6.6.2052. Policy fixed (Not categorized -> custom category group), and the client didn't apply the policy correctly. When I requested the current configuration, it showed the "Not categorized" category instead of the custom one. Tried to:
     - switch off the rule. It was switched off on the client
     - create a new rule with the custom category group. The client received this new rule, but still with the "Not categorized" group
     - create a new custom category group, nothing
     - update security components on the client, nothing
     Finally upgraded the security product to EES 7, and it works fine. Until now only one client was affected.
  3. Description: don't send notifications to all configured recipients. Detail: we have 3 static groups: group1, group2, group3. All of them are maintained by different admin teams. For this reason we configured 3 notifications:
     Access group: group1 -> "threat notification" -> send email to group1@domain.com
     Access group: group2 -> "threat notification" -> send email to group2@domain.com
     Access group: group3 -> "threat notification" -> send email to group3@domain.com
     If an alert is triggered in a group, all 3 groups receive an email about it. Only the affected group should receive the email.
  4. Hello. Before the upgrade:
     - ERA 6.5
     - web control is enabled in two policies
     - created category group: "Torrent", selected some predefined URL groups
     - created rule: "Torrent (block)", type category based. URL/category: "Torrent" (as above)
     After the upgrade to ESMC 7 the URL/Category value changed to "Not categorized" and blocked some internal websites. This happened after the upgrade; the policies haven't been changed by us, and this occurred in two policies; the symptoms are the same. Unfortunately I couldn't reproduce this; maybe somebody could confirm. BR, Vilmos
  5. MichalJ, thanks for the answer. Audit log filter: for example, somebody changed a server setting and broke a feature by doing this. I know what has been changed, but currently I cannot filter on it. If I could filter, I would know who changed it, and ask him why he did it.
  6. Description: possibility to export web control/URL groups/addresses. Detail: possibility to export web control/URL groups/addresses. Usage example: ERA/ESMC used for several groups (several admin teams), with similar policies, and a group needs an existing URL group in a separate policy. Export/import would be the elegant way to migrate URL addresses.
  7. Description: more details in the audit log. Detail: Reports/Audit log. If somebody modifies a policy, only one event is added to the audit log: "Modifying policy xxx". It would be nice to know more: what settings have been modified, and the before and after values.
  8. Description: more granular audit log filter. Detail: Reports/Audit log. If I would like to search for a specific setting ("who changed it"), I have to scroll down from page to page, or use CTRL-F. Please add the possibility to filter by string in the "Action detail" column.
  9. Hello. ESET Endpoint Security for Mac (latest version) is installed, which is managed by Remote Administrator. The user has root privileges. How would you protect the agent+product from being uninstalled? Thanks, Vilmos
  10. Exactly. If somebody changes the product accidentally and saves the policy, the settings are lost. This shouldn't happen. If the admin selects a product within a policy and changes any setting, the product selection list should be disabled. After this, if the admin would like to point the settings to another product, he should create a new policy. IMHO
  11. Hello. Description: disable the possibility to change the product after any settings have been configured in a policy. Detail: imagine the following:
      - create a policy
      - change some setting
      - change the product within this policy
      - save the policy
      In this case all of the previous settings are gone.
  12. Description: notify about completed task execution. Detail: it would be nice to have a setting on the new task creation page to send an email to the task creator when the task is finished. The email could contain only a link to the task execution results, and maybe a summary about completion success or a successful/unsuccessful percentage. Maybe if ERA is waiting for computers to be online, it could send reports repeatedly, containing the partial result, for example every 8 hours (or customizable intervals).
      Description: SysInspector log viewer lists. Detail: in ERA 5 we could view the process list when we clicked "Running processes", and we could do some sorting, for example by company, to see unusual entries at first sight. In ERA 6 we only see the list of processes when we open the "Running processes" tree. The same applies to "File Details". It would be nice if we could see the items below these "subkeys" and could sort them. Example situation: check processes/file details running from outside the windows\programfiles folders.
  13. Hello. Description: modify links in the threat notification to be unclickable. Detail: the admin/itsec receives a plain text threat notification. He copies it to another program, or forwards it as HTML. The receiver can accidentally click on the link (for example, when he tries to copy only the link).
      Computer name;Severity;Time of occurrence;Threat type;Threat name;Threat flags;Scanner;Scan log reference;Object type;Object URI;Action performed;Action error;Threat handled;Restart required;User;Process name;Circumstances;Virus signature database;Hash of detected file
      COMPNAME;3;2018-02-17 16:35:10;trojan;JS/Tivso.Gen;;HTTP filter;virlog.dat;file;hxxp://maliciouslink.com/?width=640&height=360;connection terminated;;1;0;USERNAME;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;;16920 (20180217);A7F533A141F411DBDBBC376F3F348E7B59925E11
      Replace the bolded part with something like this: hxxp://maliciouslink.com/?width=640&height=360 (the forum engine already replaces it correctly :))
  14. Hello. How could we generate a daily audit log without the synchronize events? We are triggering a sync every 2 minutes, so it floods the audit log, hiding the more valuable "configuration change" or "login attempt" type events. It would be nice if we could filter at least on those columns which appear in the audit log (most important: Action, Action detail, Result). Thanks, Vilmos
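Posts 5, 8 and 14 ask for the same thing from two sides: drop the scheduled synchronization noise from a daily audit export, and search the "Action detail" column for "who changed it". The script below is an added example, not ESET code. It assumes a semicolon-separated audit log export with the columns Time of occurrence, User, Action, Action detail and Result (only the last three are named in the posts; the others, the sample rows and the wording "Static group synchronization" are constructed for the example):

```python
"""Trim an exported ERA/ESMC audit log to a daily report and search it.
Added example, not ESET code.  Column names other than Action, Action
detail and Result, and every sample row, are assumptions."""
import csv
import io
from collections import Counter

# Constructed sample export (semicolon-separated, like the threat notification).
SAMPLE_AUDIT = """\
Time of occurrence;User;Action;Action detail;Result
2018-02-20 05:00:01;Administrator;Executing task;Static group synchronization: AD-Sync;Success
2018-02-20 05:02:01;Administrator;Executing task;Static group synchronization: AD-Sync;Success
2018-02-20 08:14:33;vilmos;Modifying policy;Policy: Webcontrol - Torrent (block);Success
2018-02-20 08:15:02;jdoe;Logging in;Native user login;Failure
2018-02-20 05:04:01;Administrator;Executing task;Static group synchronization: AD-Sync;Success
2018-02-21 05:00:01;Administrator;Executing task;Static group synchronization: AD-Sync;Success
2018-02-21 09:30:10;vilmos;Modifying server settings;Server settings: SMTP server;Success
"""

# Action-detail prefixes treated as noise (assumed wording of the sync task event).
NOISE = ("Static group synchronization",)


def read_audit(text):
    """Parse the export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))


def daily_audit(text, day, drop_prefixes=NOISE):
    """Keep only rows from `day` (YYYY-MM-DD) whose Action detail does not
    start with a noise prefix.  Returns (kept_rows, dropped_count) so the
    report can state how much was filtered out."""
    kept, dropped = [], 0
    for row in read_audit(text):
        if not row["Time of occurrence"].startswith(day):
            continue
        if any(row["Action detail"].startswith(p) for p in drop_prefixes):
            dropped += 1
            continue
        kept.append(row)
    return kept, dropped


def summarize(rows):
    """Count events by (Action, Result); failed logins stand out here."""
    return Counter((r["Action"], r["Result"]) for r in rows)


def who_changed(text, needle):
    """The 'filter Action detail by string' request from post 8: return
    (time, user, action detail) for rows whose detail contains `needle`."""
    needle = needle.lower()
    return [
        (r["Time of occurrence"], r["User"], r["Action detail"])
        for r in read_audit(text)
        if needle in r["Action detail"].lower()
    ]


if __name__ == "__main__":
    kept, dropped = daily_audit(SAMPLE_AUDIT, "2018-02-20")
    print(f"{len(kept)} events kept, {dropped} sync events dropped")
    for r in kept:
        print(r["Time of occurrence"], r["User"], r["Action"], r["Action detail"], r["Result"])
    print(summarize(kept))
    print(who_changed(SAMPLE_AUDIT, "smtp"))
```

Run against a real export, the noise prefix list is the only thing to adjust; everything else is driven by the column names. Because the filter keys on "Action detail" rather than on the user, a sync task run manually by an admin is dropped too, which is what a daily "what changed" report wants.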
  15. Hello. We are using ERA 6.5.522.0. As I noted, static group synchronization can only happen once per day per task. If we would like to sync more frequently, we have to create more tasks (task 1: sync at 5:00, task 2: sync at 6:00, etc.). This limitation is a bit painful, because if we install new computers, we have to wait for the next scheduled sync, or initiate a manual sync, in order for the new computers to appear in the admin console. Could you please add an option to create more frequent sync tasks? Or provide an alternative solution to the issue described above. Thanks, Vilmos
  16. Found it: it makes an LDAP query for msRTCSIP-Backendserver in the configuration partition. This stores the SQL instance for the xds database. Then it tries to connect to this SQL instance. The xds database contains the information about the Lync topology. Probably ekrn tries to get the path of the Lync file share from xds, in order to exclude the path from scanning.
  17. Hello. We are using EFS 6.5.0.12010 and Skype for Business 2015 Server. We have installed EFS on several servers (Server 2016). It seems that if SQL Server components are installed on the server and "Microsoft Lync/Skype for Business Server file share"* is enabled, ekrn.exe tries to connect to the "xds" database on the Lync server, and this error message is recorded in the Lync SQL errorlog:
      2018-01-10 12:10:05.49 Logon Login failed for user 'NAME-OF-THE-SERVER-WITH-EFS$"'. Reason: Failed to open the explicitly specified database 'xds'. [CLIENT: IP-OF-THE-SERVER-WITH-EFS]
      Is this normal? Thanks, Vilmos
      edit: * "Automatic exclusions to generate -> Microsoft Lync/Skype for Business Server file share"
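The errorlog line quoted in post 17 is the only evidence the admin has of which hosts are probing the xds database, and on a busy SQL Server the line is buried among unrelated login failures. The parser below is an added example, not ESET's or Microsoft's code: it picks the SQL Server "Login failed for user" events out of an errorlog, extracts the database named in the reason and the client IP, and groups the failures against one database by client. The sample lines are constructed in the format quoted in the post; host names and IPs are placeholders.

```python
"""Extract SQL Server errorlog login failures against a given database and
group them by client.  Added example, not ESET or Microsoft code."""
import re
from collections import defaultdict

# Constructed sample errorlog excerpt; only the format follows the post's line.
SAMPLE_ERRORLOG = """\
2018-01-10 12:10:05.49 Logon       Login failed for user 'CORP\\FILESRV01$'. Reason: Failed to open the explicitly specified database 'xds'. [CLIENT: 10.1.2.31]
2018-01-10 12:10:05.50 Logon       Error: 18456, Severity: 14, State: 38.
2018-01-10 12:12:07.12 Logon       Login failed for user 'CORP\\FILESRV02$'. Reason: Failed to open the explicitly specified database 'xds'. [CLIENT: 10.1.2.32]
2018-01-10 12:15:40.01 Logon       Login failed for user 'svc_report'. Reason: Password did not match that for the login provided. [CLIENT: 10.1.9.7]
2018-01-10 12:20:05.49 Logon       Login failed for user 'CORP\\FILESRV01$'. Reason: Failed to open the explicitly specified database 'xds'. [CLIENT: 10.1.2.31]
2018-01-10 12:21:00.00 spid55      Starting up database 'xds'.
"""

# timestamp, source column "Logon", user, free-text reason, optional client IP
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\. Reason: (?P<reason>.*?)"
    r"(?: \[CLIENT: (?P<client>[^\]]+)\])?$"
)
# the database name is only present in the reason text, when it is present at all
DB_IN_REASON = re.compile(r"database '(?P<db>[^']+)'")


def parse_login_failures(text):
    """Return one dict per 'Login failed' line: ts, user, reason, client,
    database (None if the reason names no database) and machine_account
    (True for computer accounts, which end in '$' like the one in the post)."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILED.match(line)
        if not m:
            continue
        ev = m.groupdict()
        dbm = DB_IN_REASON.search(ev["reason"])
        ev["database"] = dbm.group("db") if dbm else None
        ev["machine_account"] = ev["user"].endswith("$")
        events.append(ev)
    return events


def failures_by_client(events, database):
    """Count failures against `database`, keyed by client IP, with the set of
    accounts seen from that client, so the probing hosts can be listed."""
    counts = defaultdict(lambda: {"count": 0, "users": set()})
    for ev in events:
        if ev["database"] != database:
            continue
        entry = counts[ev["client"]]
        entry["count"] += 1
        entry["users"].add(ev["user"])
    return dict(counts)


if __name__ == "__main__":
    events = parse_login_failures(SAMPLE_ERRORLOG)
    for client, info in sorted(failures_by_client(events, "xds").items()):
        print(client, info["count"], sorted(info["users"]))
```

Machine accounts (the trailing `$`) against a database that the host has no business in are the pattern described in the post; the same grouping also surfaces the unrelated password failures if the database filter is dropped.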
  18. Hello. We are using EES 6.6.2052 and ERA 6.5.522, and we are in GMT+1. Threat notification is enabled to send to email and syslog. The timestamp used in them is in GMT, but if I check the events locally in EES (Tools/Logs), it shows GMT+1. The time zone used is not included in the timestamp in any of them (email, syslog, local). Is there any configuration to include it? If not, could you please add time zone information to the timestamps, or change the timestamps in email/syslog to the current one? Thanks, Vilmos
  19. Hello. To install this update, a compatible antivirus has to be installed on the computers. https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892
      "Due to an issue with some versions of Anti-Virus software, this fix is only being made applicable to the machines where the Anti virus ISV has updated the ALLOW REGKEY. Contact your Anti-Virus AV to confirm that their software is compatible and have set the following REGKEY on the machine Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value Name="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD" Data="0x00000000""
      Where can we find the list of compatible products? I only found information regarding NOD32 Antivirus. Thanks, Vilmos
  20. We have two permission sets (perm1, perm2) with "static group access" corresponding to group1, group2. perm1, perm2 are mapped to adgroup1, adgroup2 ("mapped domain security groups"). Admin / Notifications, duplicate a notification, click on one of them, Access group, Move. It doesn't look like it. I have a test user from both AD groups. When I log in with them, I only see the one group that they should see (this is OK). However, each threat notification email is sent out two times, with different recipients.
  21. Hello. I have multiple static groups, for example group1 and group2. I duplicated the "Threat detection notification" default notification and assigned the original copy to group1, and the duplicated copy to the group2 group. I configured email sending distribution for both notifications, and used different recipient addresses in them (recipients1 and recipients2). Currently, if we have a threat on a computer in group1 or group2, recipients1 _and_ recipients2 will receive an email. How can we set up the notifications so that events that occurred in a group trigger only the notifications assigned to that group? Thanks, Vilmos