ludolf

Members, 52 posts

Posts posted by ludolf

  1. Similar issue today:

    client: EES 6.6.2052
    Policy fixed (Not categorized->custom category group)

    And the client didn't apply the policy correctly. When I requested the current configuration, it showed the "Not categorized" category instead of the custom one.
    Tried to:
    - switch off the rule. It has been switched off on the client
    - create new rule with the custom category group. Client received this new rule, but still with the "Not categorized" group
    - created new custom category group, nothing
    - updated security components on the client, nothing
    Finally upgraded the security product to EES 7, and it works fine.
    Until now only one client was affected.

  2. Description: don't send notifications to all configured recipients

    Detail: we have 3 static groups: group1, group2, group3

    All of them are maintained by different admin teams. For this reason we configured 3 notifications:

    Access group: group1 -> "threat notification" -> send email to group1@domain.com
    Access group: group2 -> "threat notification" -> send email to group2@domain.com
    Access group: group3 -> "threat notification" -> send email to group3@domain.com

    If an alert is triggered in a group, all 3 groups receive an email about it.
    Only the affected group should receive the email.

  3. Hello

    Before the upgrade:

    - ERA 6.5
    - webcontrol is enabled in two policies
    - created category group: "Torrent", selected some predefined urlgroup
    - created rule: "Torrent (block)", type category based. URL/category: "Torrent" (as above)

    Did the upgrade to ESMC 7

    The URL/Category value changed to "Not categorized" and blocked some internal websites.

    This happened after the upgrade; the policies haven't been changed by us, and this occurred in two policies, the symptoms are the same.

    Unfortunately I couldn't reproduce this, maybe somebody could confirm.

    BR,
    Vilmos

  4. Description: possibility to export webcontrol/url groups/addresses

    Detail: possibility to export webcontrol/url groups/addresses. Usage example: ERA/ESMC used for more groups (more admin teams), with similar policies, and a group needs an existing url group in a separate policy. Export/import would be the elegant way to migrate url addresses.

  5. Exactly. If somebody changes the product accidentally and saves the policy, the settings are lost. This shouldn't happen. If the admin selects a product within a policy and changes any setting, the product selection list should be disabled. After this, if the admin would like to point the settings to another product, he should create a new policy. IMHO

  6. Description: Notify about completed task execution
    Detail: It would be nice to have a setting on the new task creation page to send an email to the task creator user when the task is finished.
    The email could contain only a link to the task execution results, and maybe a summary about completion success or a successful/unsuccessful percentage.
    Maybe if ERA is waiting for computers to be online, it could send reports repeatedly, containing the partial result, for example every 8 hours (or customizable intervals).

    Description: Sysinspector log viewer lists
    Detail: In ERA5 we could view the process list when we clicked "Running process". And we could do some sorting, for example by company, to see non-usual entries at first sight.
    In ERA6 we only see the list of processes when we open the "Running processes" tree.
    The same applies to "File Details". It would be nice if we could see the items below these "subkeys" and could sort them.
    Example situation: check processes/file details running from outside the windows\programfiles folders.

  7. Hello

    Description: modify links in threat notifications to be unclickable

    Detail: the admin/itsec receives a plain text threat notification. He copies it to another program, or forwards it as HTML. The receiver can accidentally click on the link (for example, when he tries to copy only the link).

    Computer name;Severity;Time of occurrence;Threat type;Threat name;Threat flags;Scanner;Scan log reference;Object type;Object URI;Action performed;Action error;Threat handled;Restart required;User;Process name;Circumstances;Virus signature database;Hash of detected file
    COMPNAME;3;2018-02-17 16:35:10;trojan;JS/Tivso.Gen;;HTTP filter;virlog.dat;file;hxxp://maliciouslink.com/?width=640&height=360;connection terminated;;1;0;USERNAME;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;;16920 (20180217);A7F533A141F411DBDBBC376F3F348E7B59925E11

    replace the bolded part with something like this: hxxp://maliciouslink.com/?width=640&height=360

    (the forum engine replaces it correctly :))
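
The post above shows the semicolon-separated threat notification and asks for the URL to be made unclickable before the text is forwarded. The Python below is an added example, not ESET's code or the poster's: it parses that layout using the header row from the post, rewrites the "Object URI" column to hxxp:// and, going one step beyond the post's suggestion, brackets the dots in the host name as well, then emits the report in the same column layout. The sample record is constructed from the post; the assumption that only "Object URI" carries URLs is mine.

```python
import csv
import io
import re

# Constructed sample in the layout the post shows: header row, then one
# semicolon-separated record with a live (clickable) URL in "Object URI".
SAMPLE = (
    "Computer name;Severity;Time of occurrence;Threat type;Threat name;"
    "Threat flags;Scanner;Scan log reference;Object type;Object URI;"
    "Action performed;Action error;Threat handled;Restart required;User;"
    "Process name;Circumstances;Virus signature database;Hash of detected file\n"
    "COMPNAME;3;2018-02-17 16:35:10;trojan;JS/Tivso.Gen;;HTTP filter;"
    "virlog.dat;file;http://maliciouslink.com/?width=640&height=360;"
    "connection terminated;;1;0;USERNAME;"
    "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe;;"
    "16920 (20180217);A7F533A141F411DBDBBC376F3F348E7B59925E11\n"
)

URL_RE = re.compile(r"(?i)^(https?)://([^/?#]*)(.*)$")
FIELDS_TO_DEFANG = ("Object URI",)  # assumption: only this column holds URLs


def defang_url(value: str) -> str:
    """http://bad.com/x -> hxxp://bad[.]com/x; non-URL values pass through."""
    m = URL_RE.match(value)
    if not m:
        return value
    scheme, host, rest = m.groups()
    scheme = scheme[0] + "xx" + scheme[3:]  # http -> hxxp, https -> hxxps
    return f"{scheme}://{host.replace('.', '[.]')}{rest}"


def defang_notification(text: str) -> str:
    """Return the report with URL-bearing fields rewritten, same column layout."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    rows = list(reader)
    for row in rows:
        for field in FIELDS_TO_DEFANG:
            if field in row:
                row[field] = defang_url(row[field])
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames or [],
                            delimiter=";", lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(defang_notification(SAMPLE))
```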


  8. Hello

    How could we generate a daily audit log without the synchronize events?
    We are triggering sync every 2 minutes, so it floods the audit log, hiding the more valuable "configuration change" or "login attempt" type events.
    It would be nice if we could filter at least for those columns which appear in the audit log (most important: Action, Action detail, Result).

    thanks,
    Vilmos

  9. Hello

    We are using ERA 6.5.522.0.

    As I noted, static group synchronization can only happen once per day per task.

    If we would like to sync more frequently, we have to create more tasks (1. task: sync at 5:00, 2. task: sync at 6:00, etc.)

    This limitation is a bit painful, because if we install new computers, we have to wait for the next scheduled sync, or initiate a manual sync in order for the new computers to appear in the admin.

    Could you please add an option to create more frequent sync tasks? Or provide an alternate solution to the issue described above.

    thanks,
    Vilmos

  10. Found it:

    It makes an LDAP query for msRTCSIP-Backendserver in the configuration partition. This stores the SQL instance for the xds database.

    Then it tries to connect to this SQL instance.

    The xds database contains the information about the Lync topology. Probably ekrn tries to get the path of the Lync file share from xds, in order to exclude the path from scanning.

    (attachments: 1ldap.PNG, 3procmon.PNG)

  11. Hello

    We are using EFS 6.5.0.12010 and Skype for Business 2015 Server.

    We have installed EFS on several servers (Server 2016).

    It seems that if SQL server components are installed on the server and "Microsoft Lync/Skype for Business Server file share"* is enabled, ekrn.exe tries to connect to the "xds" database on the Lync server, and this error message will be recorded in the lync\sql errorlog:

    2018-01-10 12:10:05.49 Logon       Login failed for user 'NAME-OF-THE-SERVER-WITH-EFS$"'. Reason: Failed to open the explicitly specified database 'xds'. [CLIENT: IP-OF-THE-SERVER-WITH-EFS]

    Is this normal?

    thanks,
    Vilmos

    edit: * "Automatic exclusions to generate->Microsoft Lync/Skype for Business Server file share"

  12. Hello

    We are using EES 6.6.2052 and ERA 6.5.522 and we are in GMT+1.
    Threat notification is enabled to send to email and syslog.
    The timestamp used in them is in GMT, but if I check the events locally in EES (tools/logs), it shows GMT+1. The used timezone is not included in the timestamp in both (email, syslog, local).
    Is there any configuration to include it?
    If not, could you please add timezone information to the timestamps, or change the timestamps in email/syslog to the current one?

    thanks,
    Vilmos


  13. Hello

    To install this update, a compatible antivirus has to be installed on the computers.

    https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892
    Due to an issue with some versions of Anti-Virus software, this fix is only being made applicable to the machines where the Anti virus ISV has updated the ALLOW REGKEY.

    Contact your Anti-Virus AV to confirm that their software is compatible and have set the following  REGKEY on the machine
    Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
    Value Name="cadca5fe-87d3-4b96-b7fb-a231484277cc"
    Type="REG_DWORD"
    Data="0x00000000"


    Where can we find the list of compatible products? I only found information regarding NOD32 antivirus.

    thanks,
    Vilmos


  14. We have two permission sets (perm1, perm2) with "static group access" corresponding to group1, group2.

    perm1, perm2 are mapped to adgroup1, adgroup2 ("mapped domain security groups").

    > so I am not sure how you configured the notification for a static group

    Admin / notifications, duplicate a notification, click on one of them, Access group, Move

    > This way the notification will report the events only for computers available to the user.

    It doesn't look like it. I have a test user from both AD groups. When I log in with them, they only see the one group that they should see (this is OK).

    However, each threat notification email is sent out two times, with different recipients.

  15. Hello

    I have multiple static groups, for example, group1 and group2.

    I duplicated the "Threat detection notification" default notification and assigned the original copy to group1, and the duplicated copy to the group2 group.

    I configured email sending distribution for both notifications, and used different recipient addresses in them (recipients1 and recipients2).

    Currently, if we have a threat on a computer in group1 or group2, recipients1 _and_ recipients2 will receive an email.

    How can we set up the notifications so that events occurring in a group trigger only the notifications assigned to that group?

    thanks,
    Vilmos
