
Nono

Everything posted by Nono

  1. Hi Marcos, I'm aware that we can't use "*", but "nothing" works on the majority of our endpoints! Only some aren't working anymore (they used to work before the agent/security upgrade).
  2. Hi there, I'm using ESMC / ESET Endpoint Security, versions: ESET Security Management Center (Server), Version 7.0 (7.0.451.0); ESET Security Management Center (Web Console), Version 7.0 (7.0.413.0); ESET Management Agent 7.0.577.0; ESET Endpoint Security 7.1.2045.5. When I configure some HIPS rules, I have a strange behavior depending on the endpoint (on the same version of both ESET and Windows 10): Some "generic" rules like C:\Users\\AppData\app.exe work on the majority of computers (note the empty folder to replace any user), but some don't and need the specific user account entered (e.g. C:\Users\dummyUser\AppData\app.exe). Is there a way to debug/understand why such behavior?
  3. I'm just adding a conclusion to that particular issue. So indeed, the original issue was caused by the agent version, and the new version solves the issue (tasks are executed ASAP). Concerning my 2nd issue, in order to upgrade my client + agent I have to: 1) Use the ESET Uninstaller tool (and remove everything) 2) Install the new agent 3) Install the new client
  4. It turns out that I still had the "prerelease" link as repository server (due to early access ESMC). Changing it to "AUTOSELECT" in Server settings + Agent Policy settings shows me that I should be able to update my version, which should solve the issue. I currently have an issue updating both client + agent remotely (aka from ESMC), but I guess I'll have to contact my ESET Representative for that. Current behavior: Updating remotely removes the AGENT and leaves (only) the client out-dated.
  5. @MartinK I usually use the "ESMCAgentInstaller.bat" to install the agent on my endpoints. By editing the script, I've noticed this part: set url=hxxp://repository.eset.com/xxx/v7/7.0.553.0/agent_x64.msi set checksum=yyyyyy if defined IsArch_x86 ( set url=hxxp://repository.eset.com/xxx/v7/7.0.553.0/agent_x86.msi set checksum=yyyyy ) If you could provide me the URL + checksum for version 7.0.577.0, I could probably reuse the script with the credentials/cert/IP I already have, couldn't I?
  6. I tried to install it (this one: https://download.eset.com/com/eset/apps/business/era/agent/latest/agent_x64.msi ) but got: I can send you the install log (via private message only), but it doesn't contain the IP of my ESMC server (even though I ticked 'keep the current info' during the installation).
  7. I currently have an issue with a Client task which isn't executed on computers that haven't been restarted for a few days. What I want to achieve: Execute a batch script every week day at 10AM on our endpoints, and execute the script ASAP if the endpoint wasn't reachable/on at 10AM. My issue: Endpoints which aren't restarted don't get the batch script executed. How I set up (probably wrongly?) the task: This seems to NOT work when the computer goes into hibernation/sleep mode (no matter if the computer is on at 10 AM, or later). Would this be a bug or a configuration issue? Many thanks for your help!
  8. Dear community, Unless I'm missing something, it was, until a few months back, possible to whitelist ranges of IPs from Microsoft servers in order to allow the activation of our Office products (Excel for example). My rule was looking like this: as the rule was activated only during an activation, it was somehow okay. Nowadays, Microsoft doesn't provide a list of IPs/ranges anymore but only URLs under the following KB: hxxp://support.microsoft.com/kb/921471 My question is the following: Is there a way to allow a specific software (ideally, a group of Microsoft Office applications) to access these URLs which are blocked by our firewall rule (and not web protection rules)?
  9. A restart of the appliance resolved my issue... Probably a network issue.
  10. The issue seems the same as this topic: However, even uninstalling the agent (which most of the time failed) or reinstalling a new one on top of the "all in one" setup exe doesn't solve the issue. The Trace.log shows (as error/warning):
      2018-10-31 13:51:25 Information: Kernel [Thread 608]: Initializing module ERAG1ClientConnector
      2018-10-31 13:51:25 Information: ERAG1ClientConnector [Thread 608]: <CONNECTOR_MODULE> exception class Era::Connectors::G1ClientConnector::no_installed_product occurred at ProductOfflineConfiguration\WindowsProducts.cpp:56. Product not installed.
      2018-10-31 13:51:25 Error: ERAG1ClientConnector [Thread 608]: <CONNECTOR_MODULE> No module is subscribed for message StatusLog_APPLIEDPOLICYPRODUCTS_STATUS (10405)
      2018-10-31 13:51:26 Error: ERAG1ClientConnector [Thread 608]: <CONNECTOR_MODULE> Publish msg of type StatusLog_APPLIEDPOLICYPRODUCTS_STATUS failed
      2018-10-31 13:51:26 Information: ERAG1ClientConnector [Thread 608]: Connector was deactivated. No tasks will be processed and no logs will be produced.
      2018-10-31 13:51:26 Information: Kernel [Thread 608]: Initialized module ERAG1ClientConnector (used 0 KB)
      [...]
      2018-10-31 13:51:43 Information: Kernel [Thread 608]: Stopping module: AuthenticationModule
      2018-10-31 13:51:43 Information: Kernel [Thread 608]: Stop was not possible: AuthenticationModule
      2018-10-31 13:51:43 Information: Kernel [Thread 608]: Checking system bus content.
      2018-10-31 13:51:43 Information: Kernel [Thread 608]: Bus is not empty. Unprocessed messages from each subscriber: [AuthenticationModule:DeviceFingerprintResponse,DeviceFingerprintResponse]
      2018-10-31 13:51:43 Information: Service [Thread 608]: Waiting for modules to finish work
      2018-10-31 13:51:44 Information: Kernel [Thread 608]: Stopping module: AuthenticationModule
      2018-10-31 13:51:44 Information: Kernel [Thread 608]: Stop was not possible: AuthenticationModule
      2018-10-31 13:51:44 Information: Kernel [Thread 608]: Checking system bus content.
      2018-10-31 13:51:44 Information: Kernel [Thread 608]: Bus is not empty. Unprocessed messages from each subscriber: [AuthenticationModule:DeviceFingerprintResponse,DeviceFingerprintResponse]
      2018-10-31 13:51:44 Information: Service [Thread 608]: Waiting for modules to finish work
      [...]
      2018-10-31 13:51:48 Information: Kernel [Thread 608]: Forcefully stopping module: AuthenticationModule
      2018-10-31 13:51:55 Error: AuthenticationModule [Thread b80]: DeviceEnrollmentCommand execution failed with: Request: Era.Common.Services.Authentication.RPCEnrollmentRequest on connection: host: "x.x.x.x" port: 2222 with proxy set as: Proxy: Connection: :3128, Credentials: Name: , Password: ******, Enabled:0, EnabledFallback:1, failed with error code: 14, error message: Endpoint read failed, and error details:
      2018-10-31 13:51:55 Information: AuthenticationModule [Thread b80]: DeviceEnrollmentCommand: execution end... execution result state=[FAILED]
      2018-10-31 13:51:55 Error: AuthenticationModule [Thread b80]: There were 2 messages left unprocessed in a queue
      2018-10-31 13:51:55 Warning: CReplicationModule [Thread 3c4]: GetAuthenticationSessionToken: Received failure status response: TEMPORARILY_UNAVAILABLE (Error description: session token temporarily unavailable, device is not enrolled yet)
      [...]
      2018-10-31 13:53:25 Error: CReplicationModule [Thread e58]: InitializeConnection: Initiating replication connection to 'host: "x.x.x.x" port: 2222' failed with: Response for request of type DeviceSessionTokenRequest (request id: 17) was not received in time
      2018-10-31 13:53:25 Warning: CReplicationModule [Thread e58]: InitializeConnection: Not possible to establish any connection (Attempts: 1)
      2018-10-31 13:53:25 Error: CReplicationModule [Thread e58]: InitializeFailOverScenario: Skipping fail-over scenario (missing last success replication link data)
      2018-10-31 13:53:25 Error: CReplicationModule [Thread e58]: CAgentReplicationManager: Replication finished unsuccessfully with message: InitializeConnection: Initiating replication connection to 'host: "x.x.x.x" port: 2222' failed with: Response for request of type DeviceSessionTokenRequest (request id: 17) was not received in time Replication details: [Task: CReplicationConsistencyTask, Scenario: Automatic replication (OUT_OF_ORDER), Connection: x.x.x.x:2222, Connection established: false, Replication inconsistency detected: false, Server busy state detected: false, Realm change detected: false, Realm uuid: 00000000-0000-0000-0000-000000000000, Sent logs: 0, Cached static objects: 0, Cached static object groups: 0, Static objects to save: 0, Static objects to delete: 0, Modified static objects: 0]
      2018-10-31 13:54:31 Error: CReplicationModule [Thread e58]: InitializeConnection: Initiating replication connection to 'host: "x.x.x.x" port: 2222' failed with: Response for request of type DeviceSessionTokenRequest (request id: 21) was not received in time
      2018-10-31 13:54:31 Warning: CReplicationModule [Thread e58]: InitializeConnection: Not possible to establish any connection (Attempts: 1)
      The status.html shows:
      Last authentication 2018-Oct-31 14:52:21 Enrollment failed with error: Request: Era.Common.Services.Authentication.RPCEnrollmentRequest on connection: host: "x.x.x.x" port: 2222 with proxy set as: Proxy: Connection: :3128, Credentials: Name: , Password: ******, Enabled:0, EnabledFallback:1, failed with error code: 4, error message: Deadline Exceeded, and error details:
      Last replication 2018-Oct-31 15:10:12 ERROR: InitializeConnection: Initiating replication connection to 'host: "x.x.x.x" port: 2222' failed with: Response for request of type DeviceSessionTokenRequest (request id: 171) was not received in time Replication details: [Task: CReplicationConsistencyTask, Scenario: Automatic replication (REGULAR), Connection: x.x.x.x:2222, Connection established: false, Replication inconsistency detected: false, Server busy state detected: false, Realm change detected: false, Realm uuid: 00000000-0000-0000-0000-000000000000, Sent logs: 0, Cached static objects: 0, Cached static object groups: 0, Static objects to save: 0, Static objects to delete: 0, Modified static objects: 0]
      All replication attempts: 71
  11. Hi There, I do not want to hijack this thread, but my case sounds similar: I'd also be interested to know where the settings for these features are. In my case, I'm more interested in the "weak wifi protection" popup and especially the trigger.
  12. Hi, Not sure I have the right amount of comments yet, but I would also like to participate in the ESMC testing phase.
  13. Yeah, that's right. Actually, on the endpoint, in the log files "Event" section, I was able to see that the errors are coming from the HIPS rules (I wasn't even sure, as the popup didn't specify it).
  14. Description: Having more detail about the "invalid data". Detail: Currently, when we apply some "invalid" rules, despite them working partially (I guess the "good rules" are working, but not the "invalid" ones), we get the notification popup "User rules file contains invalid data". It's not really helpful to locate which entry may be faulty and which ones are not. Would it be possible to get a log file stating which rule (name?) is faulty and, even better, why? It would also help to locate which "data" it's referring to. For instance, "User rules" could lead to several subsections in the rules admin panel (Antivirus, Update, Firewall, etc ...)
  15. Thanks Marcos, I managed to make it work... somehow... and without having the issue, but it's not really nice, especially for a multi-language computer park (for instance, C:\Users\ can become C:\Utilisateurs\ or C:\Benutzer\ depending on the system language). I used this format: C:\Users\\AppData\Local\Apps.exe => Notice the \\ after Users\ (I basically just removed the *). But as "%LOCALAPPDATA%" is indeed a system variable, do you know why it doesn't work at all? (the rule isn't triggered AND there is no error). Same question: why doesn't the 1st rule work, as it included both variables available on https://help.eset.com/ees/6.6/en-US/index.html?idh_exclude_format.htm ? As you may understand, wildcards are very common for files as well as registry. Do you know when it would work or how to check if a system variable will work on ESET or not (the %localappdata% would be very much appreciated).
  16. Dear Community, I can't find anywhere a clear explanation about the environment variables we may use in HIPS rules to specify the path of an application. According to https://help.eset.com/ees/6.6/en-US/index.html?idh_exclude_format.htm it seems that this list of variables should work: %ALLUSERSPROFILE% %COMMONPROGRAMFILES% %COMMONPROGRAMFILES(X86)% %COMSPEC% %HOMEDRIVE% %HOMEPATH% %PROGRAMFILES% %PROGRAMFILES(X86)% %SystemDrive% %SystemRoot% %WINDIR% %PUBLIC% Then, according to https://help.eset.com/ees/6.6/en-US/index.html?idh_hips_editor_single_rule.htm it seems that we should be able to use wildcards like this: "For example HKEY_USERS\*\software can mean HKEY_USER\.default\software" <= I guess the missing "S" in HKEY_USER is a typo? "but not HKEY_USERS\S-1-2-21-2928335913-73762274-491795397-7895\.default\software." What I want to achieve is to specify this application path (knowing that the username may change among my devices): C:\Users\user22\AppData\Local\Apps.exe Here are the generic paths I tried to use (but they don't work, and give me the warning "User rules file contains invalid data" without any deeper explanation): %HOMEDRIVE%%HOMEPATH%\AppData\Local\Apps.exe C:%HOMEPATH%\AppData\Local\Apps.exe C:\Users\*\AppData\Local\Apps.exe Ideally, I would like to be able to use (any) environment (user OR system) variables like %LOCALAPPDATA%, but it also failed. Any suggestion would be very much appreciated! Thanks in advance for your time.
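As an added example (not from the poster, the thread or ESET), a small Python linter for the HIPS rule paths discussed in posts 15 and 16 above: it checks every %VAR% in a rule path against the variable list quoted from the ESET help page and flags the constructs the thread reports as problematic (a `*` wildcard, the empty `\\` component, a hard-coded user profile folder, and undocumented variables such as %LOCALAPPDATA%). The documented-variable set and the sample rules are taken from the post; the regexes and finding texts are the example's own.

```python
import re

# Variables the ESET help page quoted in the post lists as usable in paths.
# Copied from the post; this script only checks against the documented list,
# it cannot tell whether a given build actually honours each variable.
DOCUMENTED_VARS = {
    "ALLUSERSPROFILE", "COMMONPROGRAMFILES", "COMMONPROGRAMFILES(X86)",
    "COMSPEC", "HOMEDRIVE", "HOMEPATH", "PROGRAMFILES", "PROGRAMFILES(X86)",
    "SYSTEMDRIVE", "SYSTEMROOT", "WINDIR", "PUBLIC",
}

VAR_RE = re.compile(r"%([^%]+)%")
# Drive letter, \Users\, then one literal (non-wildcard, non-empty) profile folder.
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\*]+\\", re.IGNORECASE)


def lint_hips_path(path: str) -> list[str]:
    """Return findings for one HIPS rule path; an empty list means nothing was flagged."""
    findings = []
    for name in VAR_RE.findall(path):
        if name.upper() not in DOCUMENTED_VARS:
            findings.append(f"undocumented variable %{name}%")
    if "*" in path:
        findings.append("wildcard '*' in a path component")
    if "\\\\" in path:
        findings.append("empty path component (\\\\)")
    if USER_PROFILE_RE.match(path):
        findings.append("hard-coded user profile folder")
    return findings


def lint_rules(paths: list[str]) -> dict[str, list[str]]:
    """Lint a whole rule set at once and map each path to its findings."""
    return {p: lint_hips_path(p) for p in paths}


# Constructed sample: the paths tried in the thread above.
SAMPLE_RULES = [
    r"C:\Users\user22\AppData\Local\Apps.exe",
    r"%HOMEDRIVE%%HOMEPATH%\AppData\Local\Apps.exe",
    r"C:%HOMEPATH%\AppData\Local\Apps.exe",
    r"C:\Users\*\AppData\Local\Apps.exe",
    r"C:\Users\\AppData\Local\Apps.exe",
    r"%LOCALAPPDATA%\Apps.exe",
]

if __name__ == "__main__":
    for path, findings in lint_rules(SAMPLE_RULES).items():
        print(path, "->", "; ".join(findings) or "no findings")
```

A clean result only means the path uses documented constructs; the thread itself reports that %HOMEDRIVE%%HOMEPATH% is still rejected, so the lint is a pre-check for a policy before it is pushed, not a guarantee that the product will accept the rule.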