Posts posted by cmit (member, 92 posts)

  1. So, with EndPoint AntiVirus (not Mail Security for Exchange) installed and ESET Dynamic Threat Defense enabled, even EDTD does not have the capability to prevent this type of spam email (screenshot examples) from arriving in the Microsoft Outlook Inbox.
    I guess ESET cannot do anything in this case because this is purely related to the sender, who pretends to be someone legitimate, and as long as there's no attachment in the spam/suspicious email, ESET product(s) won't be useful in this situation?

    [two screenshots attached to the original post]

  2. We are already using EndPoint Antivirus (for workstations) and File Security (for servers).
    Currently trying ESET Dynamic Threat Defense (trial) and reading as much info about EDTD as possible.
    https://www.eset.com/ca/business/dynamic-threat-defense/
    https://support.eset.com/kb6569/#oper_1

    My understanding is that EDTD has (not limited to) these additional layers of protection:
    - Behavior-based detection
    - Machine learning
    - Zero-day threats detection
    - Cloud sandbox

    We all understand that nothing can always 100% prevent the latest threats right away, but my question is why (or why not) we really need to add EDTD.

    i.e.
    If there are new, not-yet-recognized threats (not yet in the Detection Engine and other ESET update database modules),
    without ESET Dynamic Threat Defense, does this mean EndPoint AntiVirus or File Security simply won't always detect this new threat right away until the next module update is released (usually 1 or 2+ hours later)?
    But with ESET Dynamic Threat Defense installed, at least EDTD will treat these threats as suspicious and move them to cloud-sandbox scanning asap?

    Another related question is about the Microsoft Outlook integration (not ESET Mail Security, not using MS Exchange Server).
    Without EDTD (only with EndPoint AntiVirus), does it really significantly increase the risk of Outlook not detecting threat emails asap?

  3. 5 hours ago, Matus said:

    Hi Guys,

    this thing was identified as malicious; however, it's a False Positive. We've added it to the whitelist so it does not trigger; however, we're investigating what happened, on which system, and why it was identified as malicious. The issue will be fixed properly after that investigation.

    Anyway, for the sake of argument, if that were not an FP, then to your questions:

    Was it really a threat file that got deleted thanks to EDTD? - YES
    Would ESET EndPoint Antivirus (without EDTD) still catch it? - No, it would not. Only files which Endpoint identified as clean but "interesting" for further investigation are sent to EDTD.

    - Could you explain what this deleted 'false positive' file really is and what it does? (not sure if it's even related to the blue screen of death or to Windows Updates)
    - Why did it re-appear 3 times after being deleted the first time?
    - What negative effects might happen to this computer now that this 'false positive' has already been deleted (or will it reappear again)?

    I noticed this same 'false positive' happened on two computers so far.

  4. Could ESET experts help explain what these messages mean?

    Same computer name, same infected file/message.
    The identified infection changed from 'suspicious object' to 'blocked EDTD'.

    Was it really a threat file that got deleted thanks to EDTD?
    Would the ESET EndPoint Antivirus (without EDTD) still catch it?

    My understanding is that ntoskernl.exe could be related to the BSOD, but I need confirmation.

    [two screenshots attached to the original post]

  5. 12 minutes ago, MichalJ said:

    Yes, this means that clients starting with the latest version of 7.0 will be automatically updated to 7.1 once the micro PCU is enabled on our servers and in the Endpoint settings. Previously the functionality was ready but was not enabled due to its behavior, where the "reported version" was not changed in ESMC even when the client was updated over micro PCU. This is now changed and we will be enabling it soon.

    Is there still an option to set not to automatically restart the computer after the auto-update?

  6. 5 hours ago, MichalJ said:

    With regards to the updates, I would keep it in the "default settings", meaning the endpoint client tries to download module updates every hour. That should be sufficient, as updates are actually released approx. 6 times a day. 

    May I know where the endpoint client downloads module updates from every hour under the default settings?

    Could you show me the default settings again?

     

  7. 1 hour ago, Marcos said:

    I would say that running a full disk scan on a daily basis is too much if all protection features are enabled. Files are scanned:
    - during download
    - on access and execution
    - on saving to disk
    - by the startup scan run after users log on and after each module update (memory + autorun locations + UEFI + WMI).

    Then there is also the Idle-state scan.

    It should be enough to run a full disk scan once a month or once a week at maximum.

    What about a scheduled nightly Smart Scan (i.e. 1am) when workstations are not in use?

    May I have recommendation about my 2nd question on scheduling auto-update?

    Thanks.

  8. 1. What's the best scheduler setting for a daily nightly auto-scan in ESET File Security for:
    i.e.
    - domain controller
    - file server
    - IIS server
    - SQL server
    - a server that has ERA (v6) or ESMC (v7) running?
    Which kind of servers should run In-Depth scan and which should run Smart Scan?

     

    2. What's the best scheduler setting for auto-update?
    Would this example be a good fit?
    i.e.
    1st profile: update directly from ESET's servers every 15min
    2nd profile: update via proxy pointing to internal ERA/ESMC every 15min
    Recently, every day, on a random 10+ out of our 150+ workstations (and servers), ESET sends the email notification message below:
    "3/2/2019 13:55:59 PM - During execution of Update on the computer xxx, the following event occurred: File not found on server."
    I don't think the cause of the issue is that my auto-update is too frequent, because this issue is happening to many other ESET customers.

  9. 1 minute ago, itman said:

    I am located in the U.S. - Midwest and having no problems with updates on EIS v12.0.31.0. Last update was at 11:26 AM to sig. ver. 18951.

    The issue to me is that it happened multiple times (not always) on some (not all) computers.
    Right now all our workstations are updated fine (v18951).

    I need to know why it happened. Was there a disconnection on the ESET server(s) itself, or was it because the detection engine was in the middle of a newer update while our workstations' ESET was running the auto-update scheduler?

  10. 16 hours ago, MarcFL said:

    Several different computers in different states with Eset NOD32 v12.0.31.0 are randomly reporting this error:

    During execution of Update on the computer xxx the following event occurred: File not found on server.

     

    Same issue happening since yesterday on 20+ out of our 150+ workstations as well (EndPoint Antivirus 7.0.2100.4).


    27/02/2019 20: 45:55 PM - During execution of Update on the computer   , the following warning occurred: File not found on server.
    2/27/2019 20:45:56 PM - During execution of Update on the computer   , the following warning occurred: File not found on server.
    2/27/2019 20:45:55 PM - During execution of Update on the computer   , the following warning occurred: File not found on server.
    27/02/2019 20:45:56 PM - During execution of Update on the computer   , the following warning occurred: File not found on server.
    2/27/2019 20:46:00 PM - During execution of Update on the computer   , the following warning occurred: File not found on server.
    2/27/2019 20:45:58 PM - During execution of Update on the computer   , the following warning occurred: File not found on server.
    2/27/2019 20:46:00 PM - During execution of Update on the computer   , the following warning occurred: File not found on server.

    2/28/2019 4:44:58 AM - During execution of Update on the computer   , the following warning occurred: File not found on server.
    2/28/2019 4:44:59 AM - During execution of Update on the computer   , the following warning occurred: File not found on server.
    28/02/2019 4:44:59 AM - During execution of Update on the computer   , the following event occurred: File not found on server.
    2/28/2019 4:44:58 AM - During execution of Update on the computer   , the following warning occurred: File not found on server.
    2/28/2019 4:45:00 AM - During execution of Update on the computer   , the following warning occurred: File not found on server.
    28/02/2019 4:45:00 AM - During execution of Update on the computer   , the following warning occurred: File not found on server.
    2/28/2019 4:45:05 AM - During execution of Update on the computer   , the following event occurred: File not found on server.
    28/02/2019 4:45:08 AM - During execution of Update on the computer   , the following warning occurred: File not found on server.
    2/28/2019 4:45:09 AM - During execution of Update on the computer   , the following event occurred: File not found on server.
    28/02/2019 4:45:09 AM - During execution of Update on the computer   , the following warning occurred: File not found on server.
    28/02/2019 4:45:11 AM - During execution of Update on the computer   , the following warning occurred: File not found on server.
    28/02/2019 4:45:10 AM - During execution of Update on the computer   , the following warning occurred: File not found on server.

    2/28/2019 4:48:01 AM - During execution of Update on the computer   , the following warning occurred: File not found on server.
    2/28/2019 4:48:11 AM - During execution of Update on the computer   , the following warning occurred: File not found on server.

    2/28/2019 4:50:56 AM - During execution of Update on the computer   , the following event occurred: File not found on server.

    2/28/2019 7:58:08 AM - During execution of Update on the computer   , the following warning occurred: File not found on server.
    28/02/2019 7:58:15 AM - During execution of Update on the computer   , the following event occurred: File not found on server.

    28/02/2019 8:04:56 AM - During execution of Update on the computer   , the following warning occurred: File not found on server.

    28/02/2019 8:05:09 AM - During execution of Update on the computer   , the following warning occurred: File not found on server.
    28/02/2019 8:05:09 AM - During execution of Update on the computer   , the following warning occurred: File not found on server.

    It's not easy to reproduce the same error.
    Before this issue started happening, our scheduler had always run auto-updates every 30min (instead of the default every 1hr).

    Questions:
    1. Do you guys have more than one ESET update server?
    2. From your end, are there any logs that show a disconnection of your servers since yesterday (2/27)?
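The check that separates "ESET's servers had a gap" from "our clients update too often" is correlation across machines: if notifications from many different workstations land in the same few-minute windows, the cause is upstream of the clients (ESET's update servers, a mirror or a proxy), not each client's scheduler. The script below is an added example, not ESET code and not something posted in this thread. It parses the notification lines in the format quoted above, tolerating what that output actually contains (blank host names, a mix of dd/mm/yyyy and mm/dd/yyyy date order, 24-hour times carrying a stray "PM", one line with a space inside the time) and groups them into bursts. The sample is a subset of the quoted lines plus the one line from the earlier post whose host is the placeholder `xxx`; where a date is genuinely ambiguous (both fields 12 or less) the example assumes mm/dd/yyyy, which is an assumption of this example.

```python
"""Group ESET "File not found on server" update notifications into time bursts.

Added example, not ESET code: bursts shared by many machines point at the update
source (ESET's servers, a mirror or a proxy) rather than at each client's scheduler.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the notification lines quoted above, kept as quoted
# (blank host names, mixed date order, 24-hour times with a stray "PM", one time with
# a space in it). "xxx" is the placeholder host from the earlier post.
SAMPLE_LINES = [
    "27/02/2019 20: 45:55 PM - During execution of Update on the computer   , the following warning occurred: File not found on server.",
    "2/27/2019 20:45:56 PM - During execution of Update on the computer   , the following warning occurred: File not found on server.",
    "2/27/2019 20:46:00 PM - During execution of Update on the computer   , the following warning occurred: File not found on server.",
    "2/28/2019 4:44:58 AM - During execution of Update on the computer   , the following warning occurred: File not found on server.",
    "28/02/2019 4:44:59 AM - During execution of Update on the computer   , the following event occurred: File not found on server.",
    "2/28/2019 4:45:05 AM - During execution of Update on the computer   , the following event occurred: File not found on server.",
    "28/02/2019 4:45:11 AM - During execution of Update on the computer   , the following warning occurred: File not found on server.",
    "2/28/2019 4:48:01 AM - During execution of Update on the computer   , the following warning occurred: File not found on server.",
    "2/28/2019 4:50:56 AM - During execution of Update on the computer   , the following event occurred: File not found on server.",
    "2/28/2019 7:58:08 AM - During execution of Update on the computer   , the following warning occurred: File not found on server.",
    "28/02/2019 7:58:15 AM - During execution of Update on the computer   , the following event occurred: File not found on server.",
    "28/02/2019 8:04:56 AM - During execution of Update on the computer   , the following warning occurred: File not found on server.",
    "28/02/2019 8:05:09 AM - During execution of Update on the computer   , the following warning occurred: File not found on server.",
    "3/2/2019 13:55:59 PM - During execution of Update on the computer xxx, the following event occurred: File not found on server.",
]

LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\s?\d{2}:\d{2})\s*(?P<ampm>AM|PM)?"
    r"\s*-\s*During execution of Update on the computer\s*(?P<host>[^,]*?)\s*,"
    r"\s*the following (?P<kind>event|warning) occurred:\s*(?P<msg>.+?)\.?\s*$"
)


def parse_date(text):
    """Resolve the mixed dd/mm/yyyy and mm/dd/yyyy order seen in the quoted lines."""
    a, b, year = (int(x) for x in text.split("/"))
    if a > 12:                 # first field cannot be a month: dd/mm/yyyy
        return year, b, a
    return year, a, b          # mm/dd/yyyy; also the assumed order when both fields <= 12


def parse_time(text, ampm):
    """Accept "4:44:58 AM", "20:45:55 PM" (already 24-hour) and "20: 45:55"."""
    h, m, s = (int(x) for x in text.replace(" ", "").split(":"))
    if ampm == "PM" and h < 12:
        h += 12
    elif ampm == "AM" and h == 12:
        h = 0
    return h, m, s


def parse_line(line):
    """Return {"ts", "host", "kind", "msg"} for one notification line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    year, month, day = parse_date(m["date"])
    h, mi, s = parse_time(m["time"], m["ampm"])
    return {"ts": datetime(year, month, day, h, mi, s), "host": m["host"],
            "kind": m["kind"], "msg": m["msg"]}


def cluster(events, gap):
    """Group time-sorted events whose consecutive timestamps are within `gap`."""
    bursts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if bursts and ev["ts"] - bursts[-1][-1]["ts"] <= gap:
            bursts[-1].append(ev)
        else:
            bursts.append([ev])
    return bursts


def summarize(lines, gap_minutes=5):
    """One row per burst: window, event count and the distinct hosts that reported."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    return [{"start": b[0]["ts"], "end": b[-1]["ts"], "count": len(b),
             "hosts": sorted({e["host"] for e in b if e["host"]})}
            for b in cluster(events, timedelta(minutes=gap_minutes))]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LINES):
        print(f"{row['start']} .. {row['end']}  events={row['count']}  hosts={row['hosts']}")
```

Feed it the full notification export rather than the subset, keep the gap in the low minutes (the scheduler here fires every 30 minutes, so a 5-minute window cannot merge two runs of one client), and compare the distinct hosts in each burst against the fleet size: a burst that spans 20 of 150 machines in the same minute is an upstream event, while errors scattered one host at a time are worth chasing on those hosts.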

  11. 37 minutes ago, MichalJ said:

    Hi @cmit 

    If the server has been scanned thoroughly after deploying EFSW and all protection layers are active, daily scans would be overkill. If you do not need to do them for compliance reasons, I would not recommend doing them.

    Also, what is the purpose of the server? I believe @Marcos will be able to provide more targeted advice. 

    Thanks MichalJ.
    i.e. a file server that has a shared network folder where domain users save new files daily. Or maybe I should just schedule a scan of that specific shared folder(s).

    It's like domain desktop computers (always powered on) that get a scheduled Smart scan (or In-Depth scan) every night.
    I thought servers should also have a scheduled routine scan (weekly if not daily).

  12. On 9/8/2018 at 3:46 PM, itman said:

    According to this: https://superuser.com/questions/1309249/is-firefox-really-that-insecure-for-not-having-sandbox-like-chrome , FireFox also has a sandbox.

    Since you're using Eset Endpoint, I believe it supports wildcards in file names for the HIPS. Create a HIPS ask or block rule that will monitor anything written to %LocalAppUser%\Temp\*\*.js. Note that I believe you will have to specify the full user path name. Don't know if Eset supports the %% notation in a HIPS rule. Also, if you create a block rule, make sure you specify that logging is enabled and set it to "warning." This will ensure it's written to the event log. This will at least point you to the source process that is creating the *.js script in the Temp directory.

    Sorry, a bit confused. Every time this MindSpark issue happened, it created a sub-folder within this Win7 domain user's AppData\Local\Temp\ folder. ESET handled it by deleting that subfolder (scoped_dir..........).

    Could you specify what I should put in the rule?

    I know ESET handled it every time it happens, but I need to know why only this user keeps getting this alert (on the same computer) and how to stop it from happening again?

    Example logs:


    9/20/2018 2:37:07 AM - Module Real-time file system protection - Threat Alert triggered on computer 701D08:  C:\Users\701user4\AppData\Local\Temp\scoped_dir1784_9512\CRX_INSTALL\js\PartnerId.js contains JS/Mindspark.G potentially unwanted application.

    9/19/2018 21:31:33 PM - Module Real-time file system protection - Threat Alert triggered on computer 701D08:  C:\Users\701user4\AppData\Local\Temp\scoped_dir1784_29990\CRX_INSTALL\js\PartnerId.js contains JS/Mindspark.G potentially unwanted application.

    9/19/2018 16:07:56 PM - Module Real-time file system protection - Threat Alert triggered on computer 701D08:  C:\Users\701user4\AppData\Local\Temp\scoped_dir1784_29116\CRX_INSTALL\js\PartnerId.js contains JS/Mindspark.G potentially unwanted application.
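As an added example (not ESET's code and not posted by anyone in the thread), the script below turns the three alert lines quoted above into the facts the "why only this user on this computer" question turns on: which host and user, what the path looks like once the per-instance numbers are stripped, and whether the alerts came from one process or several. Chromium names its scratch directories `scoped_dir<pid>_<random>`; the example assumes the first number is the PID of the process that created the directory, which the alert line itself does not state. One PID across alerts spread over ten hours means the same long-lived process staged the file each time; different PIDs would mean each alert came from a freshly started process. The path template it produces is the plain wildcard path a file-write rule such as the HIPS rule suggested above would target, not ESET's rule syntax.

```python
"""Attribute recurring ESET real-time protection alerts to a path pattern and a process.

Added example, not ESET code. The PID reading of scoped_dir<pid>_<random> is an
assumption of this example (Chromium's scratch-directory naming), not an ESET fact.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the three alert lines quoted in the post above, as quoted.
ALERTS = [
    r"9/20/2018 2:37:07 AM - Module Real-time file system protection - Threat Alert triggered on computer 701D08:  C:\Users\701user4\AppData\Local\Temp\scoped_dir1784_9512\CRX_INSTALL\js\PartnerId.js contains JS/Mindspark.G potentially unwanted application.",
    r"9/19/2018 21:31:33 PM - Module Real-time file system protection - Threat Alert triggered on computer 701D08:  C:\Users\701user4\AppData\Local\Temp\scoped_dir1784_29990\CRX_INSTALL\js\PartnerId.js contains JS/Mindspark.G potentially unwanted application.",
    r"9/19/2018 16:07:56 PM - Module Real-time file system protection - Threat Alert triggered on computer 701D08:  C:\Users\701user4\AppData\Local\Temp\scoped_dir1784_29116\CRX_INSTALL\js\PartnerId.js contains JS/Mindspark.G potentially unwanted application.",
]

ALERT_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2}) (?P<ampm>AM|PM) - "
    r"Module (?P<module>.+?) - Threat Alert triggered on computer (?P<host>[^:\s]+):\s+"
    r"(?P<path>[A-Za-z]:\\.+?) contains (?P<detection>\S+) (?P<category>.+?)\.$"
)
# scoped_dir<pid>_<random>: the first number is read as the creating process's PID
# (assumption of this example, see the module docstring).
SCOPED_RE = re.compile(r"\\scoped_dir(?P<pid>\d+)_\d+\\", re.IGNORECASE)
USER_RE = re.compile(r"^[A-Za-z]:\\Users\\(?P<user>[^\\]+)\\", re.IGNORECASE)


def parse_alert(line):
    """Return the alert's fields, or None if the line is not a threat alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    month, day, year = (int(x) for x in m["date"].split("/"))   # this console uses m/d/yyyy
    h, mi, s = (int(x) for x in m["time"].split(":"))
    if m["ampm"] == "PM" and h < 12:    # "21:31:33 PM" is already 24-hour; left alone
        h += 12
    elif m["ampm"] == "AM" and h == 12:
        h = 0
    scoped = SCOPED_RE.search(m["path"])
    user = USER_RE.match(m["path"])
    return {
        "ts": datetime(year, month, day, h, mi, s),
        "host": m["host"],
        "user": user["user"] if user else None,
        "pid": int(scoped["pid"]) if scoped else None,
        # Collapse the per-instance numbers so repeated alerts share one key.
        "template": SCOPED_RE.sub(r"\\scoped_dir*_*\\", m["path"]),
        "detection": m["detection"],
    }


def attribute(lines):
    """Group alerts by (host, user, path template, detection) and summarise each group."""
    groups = defaultdict(list)
    for line in lines:
        alert = parse_alert(line)
        if alert:
            groups[(alert["host"], alert["user"], alert["template"], alert["detection"])].append(alert)
    report = []
    for (host, user, template, detection), items in groups.items():
        items.sort(key=lambda a: a["ts"])
        pids = sorted({a["pid"] for a in items if a["pid"] is not None})
        report.append({
            "host": host, "user": user, "template": template, "detection": detection,
            "count": len(items), "first": items[0]["ts"], "last": items[-1]["ts"],
            "pids": pids,
            # One PID for every alert: the same long-lived process staged the file each time.
            "single_process": len(pids) == 1,
        })
    return report


if __name__ == "__main__":
    for entry in attribute(ALERTS):
        print(entry)
```

On the quoted alerts this yields one group: host 701D08, user 701user4, three alerts between 16:07 on 9/19 and 02:37 on 9/20, and a single PID (1784) throughout, so the recurrence came from one process that stayed running across the whole window rather than from something relaunching; the template `...\Temp\scoped_dir*_*\CRX_INSTALL\js\PartnerId.js` is what a write-monitoring rule for this user would watch.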

     

  13. On 9/11/2018 at 9:48 PM, Marcos said:

    1, The email would be likely scanned by Web access protection. Make sure that SSL/TLS filtering is on so that https communication is scanned.
    2, Without knowing what product / version and settings you use and checking the email you received, it's impossible to tell what happened. Please provide me with the email that was not detected as well as with logs gathered by ESET Log Collector from the machine.
    To increase detection efficiency, you might want to use ESET Dynamic Threat Defense (provided as an extra service). If you use Microsoft Exchange or Lotus Domino mail server, with the new v7 mail server products you can take advantage of EDTD and have attachments run in the EDTD sandbox and evaluated by Augur, the ESET machine learning system. Based on the result of the analysis, the ESET Mail Server product can take the appropriate action. This greatly minimizes the gap between the time a new piece of malware begins to spread and the time a detection is added.
    3, Any infected attachment should be cleaned / removed.

    Marcos, Kindly reply via Messages sent to you this morning.

  14. 4 minutes ago, Marcos said:

    If you are continually getting the error, please contact your local customer care so that the case is properly diagnosed and tracked. To my best knowledge, registration to WSC should occur only once during installation or after program upgrade.

    My question is: if I'm not continually getting this error, does it prove the re-registration was a success? If yes, where in ERA can I see the proof?

  15. On 8/3/2018 at 7:41 AM, Marcos said:

    Windows Security Center was first introduced with Windows XP SP3 if I remember correctly. Module updates should not cause re-registration to WSC. If you are not continually getting an error related to WSC, I would ignore it.

    Why should it not cause re-registration to WSC?

    How can I prove the re-registration was a success if I'm not continually getting this error?

  16. We currently have ERA v6 (planning to upgrade to v7). Most of our client computers already have EndPoint Antivirus v7 (upgraded from v6 via ERA v6).
    We use email in two ways: MS Outlook and SmarterMail (web-based, https://www.smartertools.com/smartermail/business-email-server).

    Question 1: Does ESET detect a threat email (with attachment) if the user receives it via SmarterMail (a web-based email system, via i.e. Firefox or Chrome)?
    If yes, how does it work? (No records are shown about detection of threat emails on our ESET EndPoint Antivirus (client side) nor on ERA (server console side).)
    If no, does the ESET protection actually trigger only when the user actually opens that dangerous attachment? Or is there an ESET plugin for Firefox/Chrome? Or is this entirely the web-email client's responsibility (like Gmail)?

    Question 2: Two (out of many) domain computers' MS Outlook got the threat email (from the same sender), but our ESET client/server has no record (no log) of this threat on these two computers. What could all the possible reasons be? (this is VERY SERIOUS)

    Question 3: When a threat email is detected in MS Outlook, how exactly (process steps) does ESET EndPoint AntiVirus handle it?
    (i.e. Does ESET delete the threat attachment upon receipt?)
    If the threat email was not automatically handled by ESET and the user forwarded it, does the 2nd recipient also receive that attachment (like a chain reaction)?

    Thanks a lot for looking into this, and kindly let us know if there's something we're missing.

  17. 7 minutes ago, Marcos said:

    Please refer to https://support.eset.com/kb6551/. It is important to disable syncing of extensions to stop PUA extensions from being synced and detected again.

    I checked manually and found out that one of our domain computers (Win 7 x64) does not have Google Chrome or Firefox installed, only Internet Explorer as the web browser.
    This 'disable syncing' "solution" does not apply if Chrome is not installed, right?

  18. We still have this issue even with ESET v7 on multiple domain computers. We can't waste time checking Chrome one by one on the affected domain computers.
    I already checked this thread (https://forum.eset.com/topic/13073-jsmindsparke/), but could ESET experts kindly help ESET customers talk to Google about how to properly resolve this?

    Also, is it always only from Google Chrome, or could it also be from somewhere else?
