Christian Stück

Posts posted by Christian Stück

  1. Hi Forum!

    We use a Squid proxy in our DMZ for remote users to talk to ESMC without VPN.

    Log files show the service is attacked very often (no surprise when opening that port to the internet).

    Anyone got any ideas for hardening the proxy, e.g.

    1. by using a different port

    2. by using the agent certificate to authenticate against the proxy service? Couldn't that be done by just adding the CA cert to Squid?

    Thanks in advance!

    Christian 
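    As an added example (not from the post and not an ESET-provided configuration), a squid.conf fragment that applies the two hardening ideas above in a defensive way: it moves the listener off the default port and restricts the proxy to CONNECT tunnels towards one internal host:port, so scanners that hit the exposed port get nothing but denials. The listen port 8443 and the address 203.0.113.10 are placeholders; 2222 is assumed to be the ESMC agent port.

```squid
# Listen on a non-default port (placeholder: choose an unused port in your DMZ)
http_port 8443

# The only legitimate destination for remote agents is the ESMC server on its agent port.
# 203.0.113.10 is a placeholder for the internal ESMC address; 2222 is the assumed agent port.
acl esmc_server dst 203.0.113.10/32
acl esmc_agent_port port 2222
acl CONNECT method CONNECT

# First match wins: allow only CONNECT tunnels to that single host:port, deny everything else.
http_access allow CONNECT esmc_server esmc_agent_port
http_access deny all

# Do not reveal the proxy to the upstream server in Via / X-Forwarded-For headers.
via off
forwarded_for delete
```

    Denied requests still appear in access.log, which is the feed to watch for the scanning traffic mentioned above.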

  2. Hello Forum,

    my AV-sceptic colleagues brought up a problem with ERAAgent that I found on some machines:

    ERAAgent opens TCP connections up to the OS limit, so no more connections are left, e.g. for DNS or other services.

    Example: ERAAgent 7.0.577.0 on Windows Server 2012 R2

    Get-NetTCPConnection | Group-Object -Property State, OwningProcess | Select -Property Count, Name, @{Name="ProcessName";Expression={(Get-Process -PID ($_.Name.Split(',')[-1].Trim(' '))).Name}}, Group | Sort Count -Descending
    Count Name              ProcessName                 Group
    ----- ----              -----------                 -----
    16374 Bound, 2404       ERAAgent                    {MSFT_NetTCPConnection (InstanceID = "::??65535??::??0"), MSFT_NetTCPConnection (InstanceID = "::??65534??::?...
        8 Listen, 3520      vmms                        {MSFT_NetTCPConnection (InstanceID = "fe80::c5e5:78b5:ee3c:3191%15??6600??::?...), MSFT_NetTCPConnection (Ins...
        6 Established, 3440 dsm_om_connsvc64            {MSFT_NetTCPConnection (InstanceID = "127.0.0.1??49683??127.0.0.1??49682"), MSFT_NetTCPConnection (InstanceID...
        5 Listen, 4         System                      {MSFT_NetTCPConnection (InstanceID = "::??47001??::??0"), MSFT_NetTCPConnection (InstanceID = "::??5985??::??...
        4 Listen, 1732      lsass                       {MSFT_NetTCPConnection (InstanceID = "::??49670??::??0"), MSFT_NetTCPConnection (InstanceID = "::??49667??::?...
        3 Bound, 3440       dsm_om_connsvc64            {MSFT_NetTCPConnection (InstanceID = "::??49683??::??0"), MSFT_NetTCPConnection (InstanceID = "::??49681??::?...
        2 Listen, 1864      svchost                     {MSFT_NetTCPConnection (InstanceID = "::??3389??::??0"), MSFT_NetTCPConnection (InstanceID = "0.0.0.0??3389??...
        2 Listen, 1904      svchost                     {MSFT_NetTCPConnection (InstanceID = "::??135??::??0"), MSFT_NetTCPConnection (InstanceID = "0.0.0.0??135??0....
        2 Listen, 1808      svchost                     {MSFT_NetTCPConnection (InstanceID = "::??49666??::??0"), MSFT_NetTCPConnection (InstanceID = "0.0.0.0??49666...
        2 Listen, 1724      services                    {MSFT_NetTCPConnection (InstanceID = 

    Any ideas what ERAAgent is doing or how I could stop it?

    Thanks in Advance!

  3. Hello Forum,

    something everybody knows, I think: the customer says application XY runs slower since the installation of ESET...

    With the real-time scanner it was quite easy to see which files it touched. Is there a way to do something similar with HIPS, network protection and so on? One example is an application that uses a web server and a local database, and I want to find out what might be affected by ESET.

    The customer dreams of a report like "everything ESET touched on that system today".

    Thanks for any ideas!

    Christian

  4. Hello Nates,

    I don't want to outsmart ESET, and this is a bit dirty, but it worked for me once going from ESMC1 (VA) to ESMC2 (Windows).

    My old database crashed, so it was not a big loss anyway.

    1. Export certs on ESMC1
    2. Set up ESMC2 from scratch (with new IP / hostname)
    3. Import certs from ESMC1 in ESMC2
    4. Set ESMC2 to use the old server cert from ESMC1 (in Server Settings)
    5. Re-set up policies in ESMC2 (or maybe export/import), set groups etc.
    6. Create a policy on ESMC1 with ESMC2 as server address
    7. Clients will connect to ESMC2
    8. When all clients know ESMC2, shut down ESMC1
    9. Create a client policy to use the new agent cert (created at installation)
    10. Set the server to use the new cert from ESMC2 (created at installation)
    11. For some reason it works with both certs crossed for some time (as long as anybody knows both CAs?)

    I even tried once to set up ESMC2 with the old IP:

    1. Export certs on ESMC1
    2. Shut down ESMC1
    3. Set up ESMC2 from scratch (with old IP / hostname)
    4. Import certs from ESMC1 in ESMC2
    5. Set ESMC2 to use the old server cert from ESMC1 (in Server Settings)
    6. Re-set up policies in ESMC2 (or maybe export/import), set groups etc.
    7. Clients will connect to ESMC2
    8. Create a client policy to use the new agent cert (created at installation)
    9. Set the server to use the new cert from ESMC2 (created at installation)

  5. Hey Forums,

    I am planning to migrate ERA6 to ESMC on a new server with a different IP (KB).
    I did similar things before, but now the KB says to set all clients to the new ESMC first and then migrate the database to the new server.

    I have quite a big environment and would prefer to run ERA and ESMC side by side for some weeks while switching over the clients in blocks.

    Are there any thoughts on why this could be a bad idea?

    Thanks in advance!

    Christian

  6. Hmm, I would think if you do a "clean install with same IP" it should work.

    Of course that's more a manual move than a migration, because you have to reconfigure everything like policies etc.
    Did this once for a customer who wanted to move from VA to Windows, and it was less effort than I thought.

    In my experience it's easier to keep all clients when you choose "same IP, same certs".

  7. Hello Forum,

    I have two installations with SonicWall and ESA using RADIUS.

    One is working fine, the other SonicWall keeps telling me "Failed to decode RADIUS reply (check the shared secret)". There is not that much you can do wrong with the shared secret, so I'm a bit out of ideas.
    If I remove the SonicWall as a client, ESA RADIUS logs "INFO EIP.Radius.EsaRadiusServer Invalid Auth. packet received from :" and the SonicWall gets a timeout.
    If I have the client, ESA RADIUS logs nothing.

    Is anyone using this or has any ideas for RADIUS?

    Thanks in advance.
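    Added example, not from the post and not ESA or SonicWall code: the RFC 2865 Response Authenticator check that produces a "check the shared secret" style failure on the NAS side. The server signs its reply with MD5 over code, ID, length, the request's authenticator, the attributes and the secret; the NAS recomputes it with its own copy of the secret, so any mismatch (here a single trailing space, a constructed value) makes a syntactically valid reply undecodable.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2


def attr(attr_type, value):
    # RADIUS attribute TLV: type, total length (2 + value), value
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def access_request(ident, username, req_auth=None):
    # NAS side: the Request Authenticator is 16 random bytes (RFC 2865 section 3)
    req_auth = req_auth or os.urandom(16)
    attributes = attr(1, username)  # User-Name
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attributes))
    return header + req_auth + attributes


def reply_to(request, code, secret, attributes=b""):
    # Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    ident = request[1]
    req_auth = request[4:20]
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    resp_auth = hashlib.md5(header + req_auth + attributes + secret).digest()
    return header + resp_auth + attributes


def reply_is_authentic(reply, request, secret):
    # NAS side: recompute with *its* secret and compare in constant time; a mismatch
    # means the reply is discarded, even though it parses fine.
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def demo():
    # Constructed values: one request, a server with the matching secret and one whose
    # secret differs only by a trailing space (a typical copy/paste mistake).
    request = access_request(7, b"christian")
    good = reply_to(request, ACCESS_ACCEPT, b"s3cret", attr(18, b"welcome"))
    bad = reply_to(request, ACCESS_ACCEPT, b"s3cret ", attr(18, b"welcome"))
    return reply_is_authentic(good, request, b"s3cret"), reply_is_authentic(bad, request, b"s3cret")


if __name__ == "__main__":
    print(demo())  # (True, False)
```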

  8. Hello Forum,

    after some work I got my first iPhone registered at MDM 😄

    But it only connects once and I get the error "APNS service certificate validation failed".
    I already checked the KB for MDM troubleshooting and investigated root certs:

    grep Entrust /etc/pki/tls/certs/ca-bundle.crt
    # Entrust Root Certification Authority
    # Entrust Root Certification Authority - G3
    # Entrust.net Certification Authority (2048)
    # Entrust Root Certification Authority - EC1
    # Entrust Root Certification Authority - G2

    I tried openssl:

    openssl s_client -connect gateway.push.apple.com:2195
    
    [...]
    
    SSL handshake has read 4066 bytes and written 338 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : DES-CBC3-SHA
        Session-ID:
        Session-ID-ctx:
        Master-Key: 3CE83A11424D2666E442824A8DE22C3576CB941119068687B2DD39BF337980B5F4D795D179454AC9F669437536654E7B
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        Start Time: 1544112439
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---

    I'm after this for a few hours now - maybe someone has some ideas for me?

    I was thinking about my firewall, but no outgoing traffic is blocked at all.

    Thanks in advance!

    Christian

  9. Hello ESET,

    I have an issue with MDM and peer certificates (not HTTPS):

    The Agent on MDM (based on VA) is replicating to the ESMC server.
    MDMCore is not replicating, it gets "SSL Error".
    MDMCore is using a proxy certificate provided by the ESMC server.

    At first I should say that I created a new CA and server/agent certificates after the installation of ESMC and configured the new server cert in the server settings.
    Everything is running fine except MDM. While installing MDM with the web console connection it got a proxy certificate from the old CA. I tried to change this (unnecessarily, while hunting other errors) and in the end revoked all certificates by the old CA and deleted the old CA (maybe not clever).

    I reinstalled the MDM VA with base64 certificates exported from ESMC.

    Is there any component in the ESMC that may still use a certificate provided by the old CA?
    How can I deploy a valid certificate to MDM?

    Thanks in advance!

    Christian

  10. Any agent not reporting to ESMC any more could be defeated by some malware .... but maybe that's paranoid?

    Actually I am thinking of events and triggers to tell IT support if any action is required (besides any outbreaks):

    0% red computers
    less than 10% yellow computers
    no computers that were seen > 4 weeks ago (you can not just delete them, you have to investigate.)
    0% of computers that were never seen

  11. On 9/17/2018 at 2:37 PM, Kieran Barry said:

    Hi Christian,

    I currently have 145 domain computers and all of them are covered with ESET v7, 100% of them are green and reporting no issues.

    Everything that we have in our AD is covered and is working absolutely fine.

    Regards,

    Kieran Barry

    Hi Kieran,

    wow, good work!

    My most common problems are: computer replaced but not deactivated, user on vacation, laptop offline.
    We have multiple admin teams on multiple locations and not all are devoted to ESET the same amount?

    Good to hear that it IS possible to get 100%.

    Regards,

    Christian

  12. Hello Forum,

    when managing some of our clients (and talking to new ones) I'm thinking a lot about coverage:

    How many of the PCs in a domain are actually green in your ERA, and how close did you ever get to 100% coverage of all clients and servers with up-to-date AV?

    Okay, the first interesting question is: how many is 100%? Are all in the AD, are all old accounts deactivated, and so on.

    I would like to exchange real-life experience about managing clients - if anyone's up to that I would be happy.

    Greetz from Germany,

    Christian

  13. Hello Forum,

    the manual says there should be a client task to upgrade ERA to ESMC. In my VA I can't select a reference server other than 6.5.

    Will there be in-place upgrades for ERA VAs and, if yes, does anybody know about a timetable?
    I read somewhere there is a testing repository?

    In another post I read it might be impossible to upgrade the VA because of the outdated CentOS base?

    Thanks in advance, I need something to tell my customers?

    Christian

  14. Thanks Marcos, "prepend" will help!

    For now I add all policies to one group to make the customer happy.

    The actual problem they have is: we can't change the policy order.
    I mark a policy and click "apply later", but after closing and reopening it is at the old position again.

    From some testing I would say the policies for a group are automatically ordered by date or ID: every new policy I add is always applied last and I can't change that.
    I don't see this behaviour on another ERA server.

    Is there a general setting for policy order I am missing?

    Both servers run as appliances, ERA Server version 6.5.417.

    Thanks again!

    Christian

  15. Hi Forum,

    I'm trying to build a modular device control whitelist:

    allow stick 123 for user abc

    allow devices from vendor xyz in group hij

    block all other

    I was trying to append the "block all" rule last by policy order, but it's really hard to keep the rule last - when I add another rule in a child group this is added later (of course).

    Is there any way to default-block (or default-warn) everything not explicitly allowed? One idea would be to throw all USB rules into one policy, but that would get quite long.

    Thanks in advance!

    christian

  16. Hi qwerty,

    I tested it by setting up a "warn" rule for any USB storage device. When plugged in, EEA shows the device info. On most PCs I saw the correct serial, on at least one I got a too short serial.

    The problem occurred at a customer site and I will go there for further testing on Wednesday. Before that I wanted to ask here for any known problems. I will also have a look at the "populate" button, maybe it just shows different info. Thanks for your help!

  17. Hi all,

    I'm testing Device Control for the first time at a bigger site and we tried to whitelist a bunch of USB sticks.

    The problem was: the same stick gets different serial numbers on two similar computers. One of them sees about half the length of the other. We had SanDisk sticks that work well on my laptop.

    Any ideas?

    Thanks in Advance!
