Lockbits

Members
  • Posts

    137
  • Joined

  • Days Won

    1

Everything posted by Lockbits

  1. Hello guys, Thank you for the help. Customer is updating to the latest version of EEA and EEI and moving their computers to ECA in order to have maximum visibility. They also know that they need to install updates ASAP.
  2. Hello guys, We've a case where a server is working normally but one shared resource was encrypted by ransomware. We think it was another computer that was infected because the server doesn't have encrypted local data. In order to detect which computer was the culprit, we deleted all the network and local user permissions over this shared resource and copied some files. As the data remained intact, we started adding network users one by one in order to see which is the culprit, and so far so good. Our surprise was that when we added the local administrator user to the shared resource, the content was encrypted again. I looked at ESET Log Collector and I can't find anything malicious on this server. Can you help me? Thanks. ESVC_CHL-APP1P_20201109092218.zip efsw_logs.zip
  3. Hi Mirek, I sent you a private message. Thank you.
  4. Hi Peter, In case we need to modify or change the certificate, is it necessary to enroll all devices again? Or can the certificate be changed without affecting the connection to current smartphones?
  5. Hello guys, We have a customer with the following issue. There are two Android devices that were updated to EESA version 2.9.4.0 and these two devices are reporting the following alert to ESMC: I realized that version 2.9.4.0 has the following change: Improved: Certificate security - insecure certificate warning during enrollment + certificate hostname verification (a warning displayed during update or enrollment) How can we fix this certificate issue? The MDM was installed using the standard procedure. Thanks.
  6. Hello, In Chile we changed the hour from winter to summer time and that caused EEI to stop cleaning the MySQL DB correctly: 2020-10-23 00:00:00 03b64 Info: Database cleanup starting... 2020-10-23 00:00:00 03b64 Error: Database cleanup failed on the following SQL error: Sql error 1292. 22007 Incorrect datetime value: '2020-09-06 00:00:00' for column 'l_purge_events_until_upper_border' at row 1. Failing statement: 'CALL procOnRotateEvent( UTC_TIMESTAMP(), ?, ?, ?, ?, ?)' As the DB is full, no computer is able to connect to EEI anymore: 2020-10-23 14:17:23 00b00 Error: The disk usage or memory limit reached. Can't accept more data. We're using EEI 1.4 and MySQL 5.7. Do you know which command, query or whatever we can use in order to fix this issue? Thank you.
  7. Hello guys, Our customer that is using the MDM with ESMC is having the following issue. In the graphic of the dashboard where you can see the devices that are updated and not, in the Endpoint bar the ESMC is considering not only endpoints but also mobile phones. Is this by design or is it a bug? Because there's a graphic bar for mobile phones. Regarding this same graphic, is there any way to limit the information to a certain range of devices and not all devices? In this case it's because the customer wants to know the devices that are outdated but that are being used (home office) and not computers that will not be updated nor connected until we can return to the office (systems from meeting rooms, for example). Thanks.
  8. Hello guys, We've a customer that is using the MDM and when we send the task to update to a newer version of ESET Endpoint Security for Android the task fails hours later. How can we update this program remotely? Thanks.
  9. Hello guys, We've a customer where we installed the MDM with a public IP address. The device is enrolled correctly and reporting to the console; however, some hours later the Android device stops reporting back to the console. If we open ESET for Android on the mobile, it immediately reports back again, but some hours later the same problem occurs again. It's like something in Android is restricting the connection to the console when ESET is idle in the background. Re-enrolling the device doesn't work because it says it's already connected. How can we avoid this behavior? Thank you.
  10. Hi MartinK, Apparently the problem is because the old agent configuration was password protected. We are trying to make a custom bat for deployment but for the moment it's not working. I password protected my agent with the same password so I can test the bat without going to the customer, but no luck. I tried to put the password with and without " and it's not working. If I look at the .ini created by the bat I can see that the password is within the file but the agent is not reinstalled with the new configuration. ESMCAgentInstaller2.1.rar
  11. Hi Martin, I double checked and indeed it's the problematic computer. We didn't find the ra-agent-install.log. We searched all the disk with an administrator account. As you suggested, we created a live installer (the .bat) and ran it on the problematic computer. The result was the same: the PC doesn't connect and old settings and certificates are preserved. I deployed the agent using the server task to computers where no agent was installed before and those computers connected right away. Unfortunately this problem persists in 7.1 as configuration and certificates are not overwritten with the new ones. What other options do we have other than uninstalling and installing the agent manually per computer? Thank you.
  12. Hi guys, The problem is within the certificate and that agent installation using server task is not overwriting the agent and configuration. For example, in task I specified the host name and not the IP and if I see the log I realized that even that parameter wasn't changed. I'm going to try with GPO. Logs.rar
  13. Hello guys, We've a customer that was using an instance of ESMC 7.1 along with 7.1 agents. The server got damaged so we've installed a new instance of ESMC 7.1. The server has the same hostname and IP address but computers are not connecting as the certificate is different (we don't have a backup of the original certificate). We tried to deploy the agent using a server task and although the task finished successfully, the computers are not connecting to the new instance. Which parameter can we use so the agent is reconfigured with the new certificate? If we deploy the agent using GPO, will the installed agent get updated with the new certificate? Thank you.
  14. Hello guys, Is there any plan to add an SSO feature for EFDE like EEE has? In our experience most companies want to use the same AD credentials for pre-boot so users don't need to use more than one set of credentials. Thanks.
  15. Hello guys, We've a customer with ECA and some computers can't connect to the console. The customer tried to create a new all-in-one but the issue persists even when installing the latest versions of agents and EES. In the agent you can read this: ERROR: InitializeConnection: Initiating replication connection to 'host: "XXXXXX.a.ecaserver.eset.com" port: 443' failed with: Response for request of type DeviceSessionTokenRequest (request id: 169) was not received in time. What does this mean?
  16. Hello, We've a customer whose VP had experienced this error: Later the problem resolved and the product is updating again; however, he wants to know why this message can appear. It's difficult to get an ESET Log Collector and we tried from ESMC and it gives us an error when trying to get the log from the ESMC server. Thank you.
  17. Hello guys, Another customer wants to build a new template based on some hardware parameters they need. The problem is similar to the one reported in this thread: They want to combine computer name, serial number, processor, RAM, OS and HDD in the same report; however, if you create a new template it's not possible to add those combinations as some limit the others. Thank you.
  18. Hello guys, Thank you for the input. The last question I have is about the possibility of creating a new template for a Dynamic Group and assigning there the computers that have some type of activity that triggered certain rules, and assigning a policy to block all traffic from ESET's firewall. Is this a viable approach? I only found the possibility to sort and group computers that have some type of functionality error or issue in EEI's agent. Thank you.
  19. Hello guys, We're in the final stage with this customer and EEI. They like the software but have the following questions: 1) They want to know if it's possible to automatically block certain malicious actions like Filecoder behavior or any behavior that EEI considers critical (the rules that are marked as critical in red color). The others not, because they can generate a lot of FPs. They ask this because if an attack occurs at night and nobody is looking at the alerts in the console or via email, no action will be taken at the right time. They prefer to have some FPs than an attack that was not stopped because at that time nobody realized it happened. 2) We know that we can kill and also add an MD5 to a blacklist in order to avoid the spread of the attack. Is it possible to do this automatically? For example, if a critical rule is triggered, the process is killed automatically and the MD5 blacklisted without user interaction. If these features are not available, will those functions be implemented in the next versions? When? We appreciate all the arguments you can give us in order to close the deal with the customer. Thank you.
  20. Hello guys, We're trying to create a new template for a report (only a table without a graphic). We need to include the following information: user name, IP address, serial number, RAM capacity and HDD capacity in the same report. The problem is that when you select user name, all other items disappear so you can't add serial number, RAM and so on. We can replicate this issue in three different installations including on-premise and cloud. This also happens if you select other items. Is this a bug or is it by design? Please see this screenshot. If we select user name, then no HW inventory items are available:
  21. Hi Lubomir, Thanks for your reply. We’ll follow your indications. Best regards.
  22. Hi Marcos, Unfortunately in this case there is no link involved in the alert.
  23. Hi Marcos, That text was inserted by ESET and not by an image editor. That text was added using this policy: I realized that it's the problem, not an ESET bug. Thanks.
  24. Hi Marcos, Yes, it's not technically an FP. But I'm asking here if the alert I show is legit or malicious. I think it's legit. Do you know if Office creates .com files or is it a malicious symptom? Thank you.
  25. Hello guys, We've seen that sometimes EES shows a message (for example when the DB is updated) or an alert (when a PUA is detected) and EES mixes the alert/message with the message that the product should show when a pendrive or USB is inserted. We've seen this on our internal computers and also on a customer's systems. Please see this as an example: In the screenshot above you can see that EES is showing an alert regarding a PUA but it's also including a customized text that our customer added for when a pendrive is inserted. Is this a known cosmetic bug that will be fixed? Thank you.