Jump to content

Christian Stück

  • Content Count

  • Joined

  • Last visited

Everything posted by Christian Stück

  1. Hi Forum! We use squid proxy in our dmz for remote users to talk to esmc without vpn. log files show, the service is attacked very often (no surprise opening that port in the internet). Anyone got any ideas hardening the proxy eg 1. by using a different port 2. by using the Agent-Certificate to authenticate against the proxy service? Could the not be done by just adding the CA-cert to squid? Thanks in advance! Christian
  2. Hello Forum, my AV-sceptic Colleagues brought up a Problem with ERAAgent i found on some Machines: ERAAgent opens TCP-Connections up to the OS-Limit so no more connections e.g. for DNS or other services are left. Example: ERAAgent 7.0.577.0 on Windows Server 2012 R2 Get-NetTCPConnection | Group-Object -Property State, OwningProcess | Select -Property Count, Name, @{Name="ProcessName";Expression={(Get-Process -PID ($_.Name.Split(',')[-1].Trim(' '))).Name}}, Group | Sort Count -Descending Count Name ProcessName Group ----- ---- -----
  3. Hello Forum, something everybody knows i think: Customer says Application XY runs slower since Installation of ESET... With Realtime-Scanner it was quite easy so see which files it touched. Is there a way do do something similar with hips, network protection and so on? On Example is an application that uses a webserver and local database and i want to find out what might be affected by eset. customer dreams of a report like "everything eset touched on that system today". Thanks for any ideas! Christian
  4. Hi everyone, i am doing ESETv7 Workshops withs Admins from time to time and want to show them how to troubleshoot / react to security issues. For Antivirus i use EICAR for demonstration. Are there any ways to do this for HIPS, Ransomware-Shield, Network-Protection and other v7-Features? Thanks in Advance! Christian
  5. Hello Nates, i don't want to outsmart ESET and this is a bit dirty but it worked for me once going from ESMC1 (VA) to ESMC2 (Windows) My old database crashed, so it was not a bit loss anyway. Export Certs on ESMC1 Setup ESMC2 from Scratch (with new ip / hostname) Import Certs from ESMC1 in ESMC2 Set ESMC2 to use old Server Cert from ESMC1 (in Server Settings) Resetup Policies in ESMC2 (or maybe export/import), set groups etc. Create Policy on ESMC1 with ESMC2 as Server Address Clients will connect to ESMC2
  6. Hey Forums, i am planning to migrate ERA6 to ESMC on a new Server with different ip (kb) i did similar things before but now kb says to set all clients to new ESMC first and then migrate database to new server. i have quite a big environment and would prefer to run ERA and ESMC side by side for some weeks while switching over the clients in blocks. Are there any thoughts why this could be a bad idea? Thanks in advance! Christian
  7. Hmm, i would think if you do "clean install with same ip" it should work. Of course thats more a manual move than a migration because you have to reconfigure everything like polices etc. Did this once for a customer who wanted to move from VA to Windows and ist was less effort than i thougth. By my experience its easier to keep all clients when you choose "same ip, same certs".
  8. Support helped: There seems to be a bug in ESA when the realm in radius client settings is set to anything except "Current AD Domain". When set to "current AD Domain", the radius auth is working.
  9. Hello Forum, i have two Installations with Sonicwall and ESA using Radius. One is working fine, the other Sonicwall keeps telling me "Failed to decode RADIUS reply (check the shared secret)". There is not that much you can do wrong with the Shared Secret so i'm a bit out of ideas. If i remove the Sonicwall as a client, ESA Radius logs "INFO EIP.Radius.EsaRadiusServer Invalid Auth. packet received from :" and Sonicwall gets a timeout. If i have the client, ESA Radius logs nothing. Is anyone using this or has any ideas for RADIUS? Thanks in advance.
  10. Hello Forum, after some work i got my first iPhone registered at mdm 😄 But it only connects once and i get the error "APNS service certificate validation failed" I allready checked kb for mdm troubleshooting and investigated root certs: grep Entrust /etc/pki/tls/certs/ca-bundle.crt # Entrust Root Certification Authority # Entrust Root Certification Authority - G3 # Entrust.net Certification Authority (2048) # Entrust Root Certification Authority - EC1 # Entrust Root Certification Authority - G2 i tried openssl: openssl s_client -connect gateway.push.apple.com:2195 [..
  11. i think i figured it out. i changed multiple things, so i don't know which one did it: - set server to advanced security (for ios12) - generated a new proxy-cert without a passphrase and with * as servername - works.
  12. Hello ESET, i have an issue with MDM and peer certificates (not https): Agent on MDM (based on VA) is replicating to ESMC-Server. MDMCore is not replicating, gets "SSL Error" MDMCore is using a proxy certificate provided by ESMC-Server. At first i should say that i created a new CA and server/agent-certificates after installation of ESMC and configured the new server-cert in server-settings. Everything is running fine except MDM. While installing MDM with webconsole-connection it got a proxy-certificate from old CA. I tried to change this (unneccessarily while hunting othe
  13. Hi Marcos, hi Michalj, do you have any news on this? Thanks! Christian
  14. Any Agent not reporting to ESMC any more could be defeated by some malware .... but maybe thats paranoid ? Actually i am thinking of events and triggers to tell it-support if any action is required (besides any outbreaks): 0% red Computers less than 10% yellow computers no Computers that were seen > 4 weeks ago (you can not just delete them, you have to investigate.) 0% of computers that where never seen
  15. Hi Kieran, wow, good work! My most common Problems are: computer replaced but not deactivated, user on vacation, laptop offline. We have multiple admin-teams on multiple locations and not all are devoted to ESET the same amount ? Good to hear, that it IS possible to get 100% Regards, Christian
  16. Hello Forum, when managing some of our clients (and talking to new ones) i'm thinking a lot about coverage: How many of the PCs in a domain are actually green in your ERA an how close did you ever get to a 100% coverage of all Clients and Servers with up-to-date AV? Okay, the first interesting question is: How many is 100%? Are all in the AD, are all old accounts deactiviated and so on. I would like to exchange real-life-experience about managing clients - if anyone's up to that i would be happy. Greetz from Germany, Christian
  17. Hello Forum, the manual says, there should be a client task to upgrade ERA to ESMC. In my VA i can't select a reference server other than 6.5. Will there be in-place-upgrades for ERA-VAs and, if yes, does anybody know about a timetable? A read somwhere, there is a testing-repository? At another post i read, it might be impossible to upgrade the VA because of outdated CentOS-base? Thanks in advance, i need something to tell my customers ? Christian
  18. My problem is, changed policy order in one group is not saved. After Close and re-open policies are in old sort order again (sorted by creation time).
  19. Thanks Marcos, "prepend" will help! for now i add all policy to one group to get the customer happy. The actual problem they have is: we can't change policy order. I mark a policy and klick "apply later" but after closing and reopening it is at the old position again. From some testing i would say, the policies for a group are automatically ordered by date or id: Every new policy i add is always applied last and i cant' change that. I don't see this behaviour at another era-server. Is there a general setting for policy order i am missing? Both Servers run as applia
  20. Hi Forum, i‘m trying to build a modular device control whitelist: allow stick 123 for user abc allow devices from vendor xyz in group hij block all other I was trying to append the „block all“ last rule by policy order, but its really hard to keep the rule last - when i add another rule in a child group this ist added later (of course). is there any way to default-block (or default-warn) everything not explictily allowed? One idea would be, to throw all usb-rules in one policy, but that would get quite long. Thanks in advance! christian
  21. problem disappears by upgrading usb-drivers on pc. Still strange why EEA reads wrong serial and usbdeview doesn't - different way to talk to usb-devices? Customer now is uncertain if they should roll-out devcontrol to all pcs :-(
  22. I just upgraded to 6.6.2068.1 and retested: 2 of my 8 Optiplex 7010 with Windows7 read wrong serials - in EEA only. usbdeview shows correct serial:
  23. Hi qwerty, i tested it by setting up an "warn" rule for any usb-storage-device. When plugged in EEA shows the device info. On most PCs i saw the correct serial, on at least one i got a too short serial. The problem occured at a customer site and i will go there for further testing on wednesday. Before that i wanted to ask here for any known-problems. I will also have a look a the "populate" button, maybe it just shows different infos. Thanks for your help!
  24. Hi all, i'm testing DeviceControl for the first time at a bigger site and we tried to whitelist a bunch of usb-sticks. The Problem was: The same stick gets different Serial-Numbers on two similar computers. On one of them sees about half the length than on the other. We had Sandisk-Sticks that work well on my Laptop. Any ideas? Thanks in Advance!
  • Create New...