Everything posted by carmik

  1. I have a Win 10 system on which for some reason Windows Defender is still fully active, even though endpoint security 8.1 (centrally managed by eset protect) is installed and running correctly. Is this a known issue? This is the 2nd time I'm noticing something like that. The first time I uninstalled and re-installed ES and that took care of disabling defender. This time though I'd appreciate if there is something on powershell or script I could push to a system to take the least time needed to do that. Plus, target all my systems at the same time.
  2. I'm sorry, I can't really suggest something here. I've not looked into dedicated/paid solutions in the past 3-4 years (my experience with fortiguard is before that time, using a small UTM for the purpose). Shalla is available at hxxp://www.shallalist.de/faq.html although obviously one should look for the terms and conditions. It has a quite grained categorization and includes not only domains but URL regexps as well. It does the job much, much better than the current ESET filtering. Like I said, I'm certain that this job can be performed better. It's not only me that is interested in eset being a better product; it's mainly the eset company by itself!
  3. Thank you for tackling this faster than a bullet. I was under the impression that this sort of categorization is community-driven in a way. That is, users might upload specific sites to specific categories, or tag them in multiple categories. Which can be subjective. Now, as for the test cases discussed, I might agree with you about boro.gr. But I do disagree about daniilidisbio.gr. This is a site that offers plants for biological farming. Food refers to something you can eat, and this is not what this site is about. The farm owner basically ridiculed us today because his site was not accessible to our government agency. The fact that the site contains a small number of references to fruits does not imply that this is about selling food. You did not mention the iatronet.gr site, which contains medical related information. It does contain some news, but it is not the site's core function. Therefore if your AI thinks it is, then perhaps you should try to do something here. I have three "solutions":
     (1) either block only pornographic sites, downloads/warez and basically red-flagging sites, avoiding blocking categories that will effectively carpet bomb sites not belonging there
     (2) or do a whitelisting of everything ending in *.gr (allowing bad material from *.gr to creep in), followed by blocking whatever we are blocking right now...
     (3) get rid of ESET web control which does not work as it should and tender for something that can accomplish the task better (see my notes below)
     I can not really offer a huge technical help on how you should go about reducing the site false positives. You might believe that your product works well and does its job properly. My own experience with our users on classification as performed by other products (Fortigate comes to mind, as well as the community-as-a-service driven Shalla squidguard URL lists) makes me feel that eset web control is unusable for broad business application here.
     Will most likely go with (2) above for the time being, that is if ESET allows a top level domain (.gr) to be whitelisted.
  4. Sure, I've just communicated to ESET Greece the following links: https://boro.gr/31192/sxizofreneia-ta-prwta-symptwmata-kai-oi-kindynoi/ https://www.iatronet.gr/ygeia/psyxiki-ygeia/article/27098/sxizofreneia-poia-symptwmata-prepei-na-mas-anisyxoyn.html The latter site contains medical information, the former get-well/fitness related information. Both links were categorized as "news". ESET Greece changed these to "health"/"magazine". An example logged just some minutes ago: https://www.daniilidisbio.gr/ This is the site about farming: plants and varieties. This was logged under "food and restaurants". The case open with the local ESET distributor is 64499, hope that helps.
  5. Hello, we are using endpoint security 8.x to control our users' access to the net. Specifically, one of the major categories blocked is news. We are running into a major problem though here: the number of false positives in this category is so large (we are talking about Greek sites) that we are considering enabling this category, just to mitigate the more serious issue of no access to non-news-related sites flagged as news-ones. Is this a problem with international links in general? I am trying to figure out whether eset has knowledge of the issue or not. As it is, eset filtering of news sites (possibly other categories as well) is not only useless, but damaging to our daily operation so we will have to consider an alternative product for url filtering... Just for the record, we've been running a squid proxy with squidguard utilizing the Shalla public domain url blocklist for more than 10 years and we definitely did not run into the same issues. I feel extremely disappointed with the web filtering performance of this product...
  6. Seems this has changed at some point. Details to include the category: https://help.eset.com/ees/8/en-US/idh_config_parental_message_customize.html
  7. (bump) Anyone from ESET care to comment? I have been having users query why "normal" sites are blocked and I am clueless on how to debug this. I definitely need to know the ESET category that a blocked URL belongs to, in order to take corrective action!
  8. I'm using ESET Protect to manage our 8.x ES clients. I'm also utilizing the embedded URL category filtering. A couple of years ago, when our fleet was still at version 6.5, when a URL was blocked it was possible to view the specific category the URL belonged in. If the URL should not have been blocked, then the URL could obviously be white-listed. In more than one case I had to white-list the entire ES URL category. Knowing the URL block category was pretty useful, I could just modify my policies accordingly. I am not able to find this functionality in 8.x clients. The ESET block message that appears does not include the category. Therefore, I can not white-list the category this URL belongs to. How can one find which category a blocked URL belongs to?
  9. Please excuse my ignorance here: is this public license id the same as the license key he needs to activate?
  10. Hello Marcos, I'm afraid he did not use a license mail address. Can he extract the key from the other installations?
  11. Hello, a friend had bought a multi user/1 year subscription for internet security. The product was activated on all systems. Since a new machine was purchased to replace one of the existing ones, eset was uninstalled on the old rig. Upon installation on the new one the friend realized that he had lost the license key to activate eset on the new system. What can be done in this case?
  12. Thanks for (yet another) speedy reply! I've been using this facility to "tell" eset that our own network is a trusted one. The question is whether this policy would work not in the case that a system had a second NIC, but in the case of a single NIC that has two different networks assigned to it. Can you please confirm whether or not this is feasible?
  13. We have a scenario in which we have a number of endpoint security 8.x clients managed by ESET Protect, that should connect to a 2nd network (different gateway/subnet etc), which resides outside our security perimeter in order to run a single Windows application. Network considerations apart, one would go about it with a single network card by a) first configuring the network card in Windows to have an additional ip address/subnet mask b) configuring static routes to connect to the second network appropriately c) and finally connecting the "foreign" router to our LAN. I know, not a great idea but it's for an interim period and the other network is from a "fellow" agency. Now the deal is that our own network is configured in ESET Protect to be a safe network. This is done by setting a policy that sets up Settings -> Network Protection -> Firewall -> Known networks to include our own/safe network. My question is: is this setting applied NIC-wide (i.e. with a single network card, the connection could be either public, or home/private) or is it IP-wide (in which case we could have a policy that sets our own network as safe -home/private- and another policy that sets the 2nd network as public)? If the former applies (settings are applied NIC-wide) could someone offer perhaps an idea to solve this problem? PS: We've also toyed with the idea of creating a virtualbox Windows VM and have its vNIC associated with a VLAN to keep traffic fully separated. However, this requires a lot of administrative effort for initial configuration and deployment. Plus there are hassles like configuring Virtualbox on each pc to pass through USB devices like barcode hand scanners to the VM...
  14. Apologies for my late reply. I have tried from home to connect with a browser to one of these systems over https. It failed (I presumed something needed was missing to establish a successful connection) when I tried this at home. I still think that eset should provide a utility to easily identify what is/isn't reachable from the ESET infrastructure. It will help both detection and isolation of the problem, as well as help whoever performs corrective actions to verify that things have worked. I have raised an issue with the WAN admins, but lack of a utility like this means that they will not be able to actually tell whether things have been fixed or not (at least on their side). 10.xx.xx.17 is the eset protect server, which hosts the apache module for caching traffic (updates etc): so nothing special there. One other question: why is the client trying to resolve things via Google DNS? Is this a fallback mechanism?
  15. Apologies for my late reply. I will raise an issue with my provider. However: 1) Regarding http fallback to 91.228.166.42, I tried to open https://91.228.166.42 from my home connection as well as from another place and that failed. How can I (or the ISP sysadmins) easily tell that https access to these systems works? Asking here because from the looks of it, it is impossible to connect "normally" regardless of your (network) location (home/business). 2) Why is Google DNS used at all? This is a centralized and controlled environment. As such, your client should not try to connect to any DNS, apart from the provisioned one.
  16. 1) Some tool I can check connectivity to these addresses over 53535/udp? 2) What should I look for on my local DNS?
  17. Marcos, I've found out that we've run into a similar situation that we had about a month ago: some proxy perhaps in our infrastructure is blocking queries to resolve/categorize links and sites. I've reproduced this issue on another site, not administered by me. Is there some sort of eset tool that checks availability of services provided by the eset infrastructure and presents them in an easily translatable form (for example works/does not work)? Which servers/protocols are used to query URL categories?
  18. ESET Protect 8 (latest) and endpoint security 8 (latest) running on Windows 20H2 boxes happily, till yesterday. At that moment we discovered that social networking was not blocked for example. We have a general URL allow rule (whitelisted domains/URLs) followed by a category block rule that included various categories. Digging further it seems that all domains get characterized as not resolved ones. Indeed, by selecting to block only this category, everything (except our whitelisted domains) gets blocked. Has something changed in the infrastructure, is this a known issue?
  19. Seems like a bug after all: I've whitelisted miscellaneous (as a category) before the blacklisted categories, but URLs categorized as "no content found" are still blocked. I'll open a support ticket.
  20. Hello, on my server I've got a web access policy for Endpoint security products that (a) first allows certain URLs and then (b) blocks certain categories. What would happen when a user tries to access a site that is not listed in (a) or in the categories of (b)? That is, is it allowed or somehow default-blocked? Specifically we are receiving blocks from the content filter, for pages categorized as "No content found" (included in Miscellaneous), even though the entire Miscellaneous category is not listed under the categories in (b).