Jump to content


  • Content Count

  • Joined

  • Last visited

  • Days Won


Everything posted by pronto

  1. I attached a Zip-File with some sample emails. There is now only one email with an invitation but a few others that somehow have to do with it, because the name of the sender is the same everywhere. The password for the zip file is infected. I'm still sending the files following the instructions you posted above. Thanks for your attention SPAM.zip
  2. Servus Community, we currently receive very frequent e-mails with calendar invitations, which are not recognized as spam. Since the sender address is different, it is difficult for me to create a filter for it myself. Can I send a few of these emails to samples[at]eset.com with a request to review them for inclusion in a spam pattern or is this email address only for malware? Is there another way to send an email to Eset for review? Thx & Bye Tom
  3. Okay, thanks for the effort. The setting is not a matter of life or death but as a nice to have it would be great... Thx & Bye Tom
  4. I am not sure if this is the right place. It reads that way but as soon as I edit this notification it ends up asking me if I want an email, use a syslog server or send an SNMP trap. Actually, none of them. I was only referring to the colored background in the 'Last Connected' column in the Protect console and that doesn't seem to be what I'm looking for. But it would be close.... Thx & Bye Tom
  5. Servus Community, is it possible to change the time period for triggering a warning of the last connection date? We have it set to around three to four days, which causes quite a number of warning messages, especially after the weekend. Since we have quite a few part-time employees, the majority of the computers are constantly displayed with a warning. To me, one week as a warning and four weeks as an error would be more suitable. I have not found a corresponding setting in the policy. Can someone tell me where to set this? Thx & Bye Tom
  6. Hi Community, is there a possibility to determine which file in which email produces the following alert? Thx & Bye Tom
  7. Servus Marcos, I already don't have half of the paths on my system that were excluded in the other thread. I could only add the /System/Application path. But I noticed something else, I wrote the path to the Time Machine volume with a wildcard character but I didn't define any files with it ( -> /Volumes/Time* ) I have now rewritten the path as shown in the screenshot. Probably that alone was the reason. If this works will take a while to find out, the detections came very irregularly. i'll watch this now for a few days and then give feedback at the end of the week. Thx &
  8. Servus Community, I created a path exclusion for the volume belonging to the local Time Machine backup but I get many of detections on this volume on my personal Mac (10.15). ESET is apparently unable to delete the files it finds, which is why it repeatedly issues a plenty of Popus warnings at irregular intervals. I created the exclusion with a wildcard character (/Volumes/Time*) but according to the manual this should work. Can anyone see an error in the configuration? Thx in advance & Bye Tom
  9. Hi Marcos, the audit log says that the task was modified on 26.03 in the afternoon. On this day we have reinstalled our two Exchange servers with a service provider. Afterwards, we could not activate the two mail security instances, but this was simply due to the fact that the mail security license was not checked in the activation task. Probably the task was modified by mistake while searching for the problem. When installing system updates, the server was restarted and the problem took its course... Thx & Bye Tom
  10. I have now contacted the ESET hotline about this issue. The reason for the disappearance of the clients was an unplanned execution of the Static Group Synchronization server task. This task moved all AD clients into the AD Organisation Unit folder structure. Why this task was executed is unclear. I then had to manually move the clients back into the groups created for them, now hopefully everything is back in the place where it is supposed to be. Summary: In principle no software error, so also magically no fix available. Thx & Bye Tom
  11. Hi Community, today all the static groups we created are suddenly empty. Except for two groups, the Apple macOS devices are apparently still there and two Windows devices are still there but all others are not displayed in the ESET Protect console. I still see all computers in the dynamic group where all machines are and when I look at the properties of my workstation for example, none of our policies are applied. What happened? Thx & Bye Tom
  12. In my opinion, they tried to attach importance to their cloud products, but probably underestimated the dynamics of the situation. It seems like they have lost control in the meantime. With the implementation of Windows 10 and their Windows as a Service update strategy, one update after another is blowing up. Either they came too early or too late. The customer has not been the king anymore, rather they are being forced towards in the direction where Microsoft wants them to go. The other global players like Apple and Google are no exception. If Google decides that any standard is no longer us
  13. This is a pretty good tool, easy to use and each warning is commented with a link to an explanation. Really very good. I'm thinking about adding something like this to our general monitoring. Only the attacked server had anomalies, but those were the things we already knew. One issue with a compromised web.conf.bak is still open but there I remember darkly that I once created a backup of the file before I made changes to it. The file extension bak is typical for me. After that the exchange server will not have been interested in this file anymore and after a few updates the content does
  14. Hm, I thought I followed the link but the site looks quite different from the ones I remember. Somewhere I took apparently a wrong turn. Thanks for bringing this up again, I'll take a closer look tomorrow. Thx & Bye Tom
  15. ESET Mail Security is installed on our Exchange servers and we found evidence of two backdoors. On 10.03, we ran Microsoft's detection tool with a service provider and found evidence of an infection. The service provider had already opened the directory where the backdoor was installed and we could see the file. We then scanned the system with Windows Defender and exact at that point, ESET's real-time protection jumped in and detected and removed the file. Not a good sign, the file had a timestamp of 05.03. There was a second incident on 06.03 according to ESET, though here the file was detect
  16. Thanks for the list of patched files and the further information. My learning curve has increased rapidly over the last few days. I could have come up with the idea of looking at the file properties in the GUI earlier. Sorry for that but having the list is more valuable. The files have a valid signature and e.g. the owaauth.dll is also shown in the list with the exact size in bytes and version number, only the timestamp is exactly 8 hours before ours, which is probably due to the time zones. Tommorow I compare the other files but that helps to fall asleep. @schuetzdentalCB Have
  17. Servus Community, I am investigating the post exploit activity of the Hafnium attack and have come across several DDLs that have a creation date a few hours after the installation of the backdoor (05/06.03.21). I uploaded some of these DDLs to Virustotal and they were found to be unsuspicious. However, the temporal context makes me wonder. The creation date is (a few days) before the time when ESET detected and removed the backdoor. However, a manual scan of the files with ESET Mail Security, is also unsuspicious. Can anyone compare these files on their system? C:\Windows\sy
  18. Hi Community, is ESET File Security in Mail Security included or do I need to install File Security additionally to protect the Exchange server operting systems? Thx & Bye Tom
  19. Hi Guys, well, the upgrade process was really straight forward. The web console took a little longer, I could still log in to the old one, which generated some error messages, but after a few minutes that was done also. Upgrading the agents also went through without a problem on about 25 clients in an evaluation group (Windows 10 and Mac OSX). The Anti Virus application on Windows (EEA) was also updated to version 8 without any problems in this group. That the EEA application on Mac is still on version 6.x is intended? Summary: As far as I can see, everything seems to work
  20. Servus Marcos, okay, thanks. Is the upgrade process straight forward or is there major work for reconfiguration to expect? Looks the Webgui almost the same or is it like Microsoft and everything is renamed and puzzeld to anywhere...? 😉 Thx & Bye Tom
  21. Servus Marcos, is ESET PROTECT a regular update for ESMC or is this an upgrade to another product? Possibly subject to a charge? Thx & Bye Tom
  22. Servus Community, I'm lost in the jungle of the thousands of different modules which ESET offers. I'm doing some updates of the ESET infrastructure, including the server components and thought that I've running the latest version of ESMC. I took the version from the the help menu in the about section. There is a version 7.2.1278.0 shown. But when I compare this with the website of ESET where the current releases are listet, the current version of ESMC there is I'm confused. My question is, if I'm lokking on the wrong place to determine the current running version or is the
  23. Servus Community, I created a new client task today to update the ESET product and it ran correctly on 12 test machines, but not on two. The task terminated there with the error: Repository package checksum verification failed While searching for the cause I came across several post that specified a different update source in the task. I tried that as well and the task terminated successfully on the other two machines as well. In the process I noticed that a latest version is specified in the URL[1]. My question would be, is this URL permanent? So I wouldn't have to create a n
  24. Servus Community, I am trying to determine the mail flow in our Exchange 2016 infrastructure. I have found a flowchart from both Microsoft and ESET, but I can't get the two together. The transport agents are resolved on the Exchange Server as follows: [PS] C:\Windows\system32>Get-TransportAgent Identity Enabled Priority -------- ------- -------- ESET Filtering Agent True 1 ESET Filtering AV Agent True 2 T
  • Create New...