
Christian Stück

Everything posted by Christian Stück

  1. Hello Forum, my AV-sceptic colleagues brought up a problem with ERAAgent that I found on some machines: ERAAgent opens TCP connections up to the OS limit, so no more connections are left, e.g. for DNS or other services.

     Example: ERAAgent 7.0.577.0 on Windows Server 2012 R2

         Get-NetTCPConnection | Group-Object -Property State, OwningProcess | Select -Property Count, Name, @{Name="ProcessName";Expression={(Get-Process -PID ($_.Name.Split(',')[-1].Trim(' '))).Name}}, Group | Sort Count -Descending

         Count Name               ProcessName       Group
         ----- ----               -----------       -----
         16374 Bound, 2404        ERAAgent          {MSFT_NetTCPConnection (InstanceID = "::??65535??::??0"), MSFT_NetTCPConnection (InstanceID = "::??65534??::?...
             8 Listen, 3520       vmms              {MSFT_NetTCPConnection (InstanceID = "fe80::c5e5:78b5:ee3c:3191%15??6600??::?...), MSFT_NetTCPConnection (Ins...
             6 Established, 3440  dsm_om_connsvc64  {MSFT_NetTCPConnection (InstanceID = "127.0.0.1??49683??127.0.0.1??49682"), MSFT_NetTCPConnection (InstanceID...
             5 Listen, 4          System            {MSFT_NetTCPConnection (InstanceID = "::??47001??::??0"), MSFT_NetTCPConnection (InstanceID = "::??5985??::??...
             4 Listen, 1732       lsass             {MSFT_NetTCPConnection (InstanceID = "::??49670??::??0"), MSFT_NetTCPConnection (InstanceID = "::??49667??::?...
             3 Bound, 3440        dsm_om_connsvc64  {MSFT_NetTCPConnection (InstanceID = "::??49683??::??0"), MSFT_NetTCPConnection (InstanceID = "::??49681??::?...
             2 Listen, 1864       svchost           {MSFT_NetTCPConnection (InstanceID = "::??3389??::??0"), MSFT_NetTCPConnection (InstanceID = "0.0.0.0??3389??...
             2 Listen, 1904       svchost           {MSFT_NetTCPConnection (InstanceID = "::??135??::??0"), MSFT_NetTCPConnection (InstanceID = "0.0.0.0??135??0....
             2 Listen, 1808       svchost           {MSFT_NetTCPConnection (InstanceID = "::??49666??::??0"), MSFT_NetTCPConnection (InstanceID = "0.0.0.0??49666...
             2 Listen, 1724       services          {MSFT_NetTCPConnection (InstanceID =

     Any ideas what ERAAgent is doing or how I could stop it? Thanks in advance!
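The one-liner in the post above groups TCP endpoints by state and owning process. The script below is an added example (not from the post, not ESET code) that reproduces that grouping as a reusable function and then compares the top consumer against the host's dynamic (ephemeral) port range, which is the resource that actually runs out when a process keeps binding sockets without closing them. The function names, the 80% warning threshold and the fallback to the Windows default range (49152-65535, 16384 ports) are assumptions; it uses only `Get-NetTCPConnection`, `Get-Process` and `netsh`, so it needs the NetTCPIP module (Windows 8 / Server 2012 and later) and should be run elevated so every PID resolves to a name.

```powershell
# Added example, not from the forum post: count TCP endpoints per owning
# process and compare the worst offender against the dynamic port range.
# Requires the NetTCPIP module (Windows 8 / Server 2012 and later).

function Get-DynamicPortRange {
    # Parses "netsh int ipv4 show dynamicport tcp". Falls back to the Windows
    # default range (49152-65535, 16384 ports) if the output does not match.
    $text  = (netsh int ipv4 show dynamicport tcp) -join "`n"
    $start = 49152
    $count = 16384
    if ($text -match 'Start Port\s*:\s*(\d+)')      { $start = [int]$Matches[1] }
    if ($text -match 'Number of Ports\s*:\s*(\d+)') { $count = [int]$Matches[1] }
    [pscustomobject]@{ Start = $start; Count = $count; End = $start + $count - 1 }
}

function Get-TcpEndpointsByProcess {
    # One row per PID, with the endpoint count broken down by TCP state.
    # A large Bound count next to few Listen/Established entries is the
    # pattern in the post: sockets bound to local ports but never connected.
    param([int]$Top = 10)

    Get-NetTCPConnection |
        Group-Object -Property OwningProcess |
        ForEach-Object {
            $procId = [int]$_.Name
            $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
            [pscustomobject]@{
                ProcessId   = $procId
                ProcessName = if ($proc) { $proc.ProcessName } else { '<unknown>' }
                Total       = $_.Count
                Bound       = @($_.Group | Where-Object State -eq 'Bound').Count
                Listen      = @($_.Group | Where-Object State -eq 'Listen').Count
                Established = @($_.Group | Where-Object State -eq 'Established').Count
                TimeWait    = @($_.Group | Where-Object State -eq 'TimeWait').Count
            }
        } |
        Sort-Object Total -Descending |
        Select-Object -First $Top
}

function Test-EphemeralPortPressure {
    # Distinct dynamic-range local ports held by one PID, absolute and as a
    # percentage of the configured range. WarnPercent is an assumed threshold.
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        [int]$WarnPercent = 80
    )
    $range = Get-DynamicPortRange
    $ports = Get-NetTCPConnection -OwningProcess $ProcessId -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -ge $range.Start -and $_.LocalPort -le $range.End } |
        Select-Object -ExpandProperty LocalPort -Unique
    $used = @($ports).Count
    $pct  = if ($range.Count -gt 0) { [math]::Round(100 * $used / $range.Count, 1) } else { 0 }
    [pscustomobject]@{
        ProcessId   = $ProcessId
        RangeStart  = $range.Start
        RangeEnd    = $range.End
        RangeSize   = $range.Count
        PortsInUse  = $used
        PercentUsed = $pct
        Exhausting  = ($pct -ge $WarnPercent)
    }
}

# Usage: list the top consumers, then check the worst one against the range.
$top = Get-TcpEndpointsByProcess -Top 10
$top | Format-Table -AutoSize

$worst    = $top | Select-Object -First 1
$pressure = Test-EphemeralPortPressure -ProcessId $worst.ProcessId
$pressure | Format-List

if ($pressure.Exhausting) {
    Write-Warning ("{0} (PID {1}) holds {2} of {3} dynamic ports ({4}%); other processes will soon fail to bind or connect." -f `
        $worst.ProcessName, $worst.ProcessId, $pressure.PortsInUse, $pressure.RangeSize, $pressure.PercentUsed)
}
```

On a host like the one in the post, 16374 Bound endpoints against the default range of 16384 dynamic ports would report close to 100% and trigger the warning; the practical consequence is that any other process calling bind() or connect() gets a WSAEADDRINUSE/WSAENOBUFS-style failure, which is why DNS and other services stop working. Running the script twice a few minutes apart and comparing PortsInUse tells you whether the count is still growing (a leak) or has plateaued.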
  2. Hello Forum, something everybody knows, I think: the customer says application XY runs slower since the installation of ESET... With the real-time scanner it was quite easy to see which files it touched. Is there a way to do something similar with HIPS, network protection and so on? One example is an application that uses a web server and a local database, and I want to find out what might be affected by ESET. The customer dreams of a report like "everything ESET touched on that system today". Thanks for any ideas! Christian
  3. Hi everyone, I am doing ESET v7 workshops with admins from time to time and want to show them how to troubleshoot / react to security issues. For antivirus I use EICAR for demonstration. Are there any ways to do this for HIPS, Ransomware Shield, Network Protection and other v7 features? Thanks in advance! Christian
  4. Hello Nates, I don't want to outsmart ESET and this is a bit dirty, but it worked for me once going from ESMC1 (VA) to ESMC2 (Windows). My old database crashed, so it was not a big loss anyway.

     - Export certs on ESMC1
     - Set up ESMC2 from scratch (with new IP / hostname)
     - Import certs from ESMC1 into ESMC2
     - Set ESMC2 to use the old server cert from ESMC1 (in Server Settings)
     - Set up policies again in ESMC2 (or maybe export/import), set groups etc.
     - Create a policy on ESMC1 with ESMC2 as server address
     - Clients will connect to ESMC2
     - When all clients know ESMC2, shut down ESMC1
     - Create a client policy to use the new agent cert (created at installation)
     - Set the server to use the new cert from ESMC2 (created at installation)

     For some reason it works with both certs crossed for some time (as long as everybody knows both CAs?).

     I even tried once to set up ESMC2 with the old IP:

     - Export certs on ESMC1
     - Shut down ESMC1
     - Set up ESMC2 from scratch (with old IP / hostname)
     - Import certs from ESMC1 into ESMC2
     - Set ESMC2 to use the old server cert from ESMC1 (in Server Settings)
     - Set up policies again in ESMC2 (or maybe export/import), set groups etc.
     - Clients will connect to ESMC2
     - Create a client policy to use the new agent cert (created at installation)
     - Set the server to use the new cert from ESMC2 (created at installation)
  5. Hey Forum, I am planning to migrate ERA6 to ESMC on a new server with a different IP (KB). I did similar things before, but now the KB says to point all clients to the new ESMC first and then migrate the database to the new server. I have quite a big environment and would prefer to run ERA and ESMC side by side for some weeks while switching over the clients in blocks. Are there any thoughts on why this could be a bad idea? Thanks in advance! Christian
  6. Hmm, I would think if you do a "clean install with same IP" it should work. Of course that's more a manual move than a migration, because you have to reconfigure everything like policies etc. Did this once for a customer who wanted to move from VA to Windows and it was less effort than I thought. In my experience it's easier to keep all clients when you choose "same IP, same certs".