Everything posted by pronto

  1. If you haven't changed anything on the network layout, I don't think that's the reason. We haven't changed anything and it was working fine until a week ago. I'm on vacation right now but I'll pass this on to my colleague to check. Thx & Bye Tom
  2. Servus Community, For a week now we have been flooded by a spam tsunami and we don't know why. The spam filter on our Exchange servers filters out spam, as we can see from the logs, but there is still a lot of spam arriving in the users' mailboxes. We have already sent over a hundred samples to ESET, but the storm continues. There are mails that should be clearly identified as spam, but the filter lets them through. At first we thought that this would fix by itself in a few days, when ESET reacts with new patterns, but now it takes so long that we have to assume that the problem is in our setup. What actions can we take to get the problem under control? The matter is getting more and more serious, we have users who get over a hundred spam mails per day and there might be serious threats among them. Thank you in advance for your attention Bye Tom
  3. I have now uninstalled ESET Endpoint Antivirus and reinstalled it with user defined settings. In the user defined settings I disabled web- and email-protection, then the proxy adapter is not installed. The actual issue has been escalated to the next instance by first level support. Thx & Bye Tom
  4. Now I have the same issue with the next Mac Mini. It works after installing ESET until I reboot the system, then the proxy adapter won't connect to whatever or whoever and the network connection is down. Not basically everything, because a ping still works or the definition update from ESET but nothing else anymore. The only Mac Mini with Big Sur that doesn't have this issue is a brand new M1 Mini, the other two, where it doesn't work, are Intel Minis with a hardware revision from 2014. The systems are compatible with Big Sur according to the compatibility matrix. I opened a support ticket the day before yesterday and got a message today that I would have to wait until next week for an answer, which wouldn't be an issue if the second Mini didn't have this issue as well. So if anyone can say anything about it, now would be a really good time to do so... 😉 Thx & Bye Tom
  5. If I follow these instructions [1], I lose the network connection. All other macOS systems do not have this problem. Another Big Sur installation has not connected this proxy adapter, but also does not have the warning that the web and email protection does not work. So either I get rid of this warning on unconnected proxy or the proxy adapter is kind enough to stop blocking my network connection. [1] https://support.eset.com/en/kb7698-web-and-email-protection-did-not-start-in-eset-products-for-mac-on-macos-big-sur Thx & Bye Tom
  6. Servus Community, with a disabled ESET proxy network adapter I don't get the warning that some features don't work away and with an enabled proxy network adapter the internet doesn't work anymore. The localhost is entered as proxy address. What am I doing wrong? Thx & Bye Tom
  7. Servus Marcos, the protection status is red but it only indicates that a restart is required. No further indication that the protection status is impaired or out of function. Anyway, since the matter is unclear, I have now restarted the system. However, your development department should take a look at this. With a regular update, this request to restart always comes and even the users do not necessarily register this alert from ESET, or simply ignore it and postpone the restart until the end of work. They are then only advised that a restart is required. In the meantime, it must be clear that the virus protection is still working, - or if not, all alarm lights should go on. A message that a restart is required is then not enough. With Windows updates, postponing the restart is also common practice. Thx & Bye Tom
  8. Servus Community, I accidentally updated the ESET engine on an Exchange server, it was already up to date. Now the server wants to have a restart and for this I would like to wait until office hours are over. Is the protection still granted until then? Thx & Bye Tom
  9. Servus Community, somehow during the installation of ESET Antivirus on macOS 11.5 I got a network interface for a proxy server installed, which probably happened accidentally. I then had no network connection on the Mac and first had to disable this interface in the network settings. How do I get rid of this proxy interface...? Thx & Bye Tom
  10. I think it's time to seriously consider a reverse proxy server. We used to have one when Microsoft had a TMG server in their portfolio, but after that was discontinued, our Exchange servers are connected directly to the Internet. Not having one was already not an advantage with the Hafnium exploit issue a few months ago. We had to reinstall all the Exchange servers at this time. Btw: Our Exchangers are not fully patched. We have installed the CU20, but there were three security updates that are still missing. At least Microsoft states that CU20 is sufficient, there was no mention of security patches. A technician from our service provider also said that CU20 should be sufficient and Thor may have only registered the HTTP request. Tomorrow I will install the last security patch and in two weeks the current CU21. In the meantime I'll get busy looking for signs of a successful exploit but to do that I need to know what to be looking for first. Until then, I hope ESET keeps its eyes open and I still don't get any negative feedback. If anyone has any concrete leads on what to be looking for already, that information would be helpful. Thx & Bye Tom
  11. This happens all the time, day in and day out. What should I do with this information? But if it should be brute force attempts, then it probably does not concern the security vulnerability mentioned here. The question is also whether ESET detects this at all or only becomes active when dangerous files are installed on the system. The backdoor of the Hafnium exploit was found by ESET but only a few hours later. Whether ESET would have detected the exploit at a later time, even before the backdoor was installed, I don't know. Unfortunately, I know too little about the impact of this vulnerability. Thx & Bye Tom
  12. It doesn't really say anything useful. The really important information, e.g. which security vulnerability is being tried to be exploited, is unfortunately missing. Translated it says: Thx & Bye Tom
  13. Servus Community, a Thor scan has detected anomalies on one of our Exchange servers tonight (see screenshot). Apparently it is a vulnerability in the Autodiscover protocol of the Exchange server. Heise (a major IT magazine in Germany) notes several attack vectors regarding Autodiscover (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) [1/de], which Microsoft should have fixed with the patches KB5001779 [2] and KB5003435 [3]. According to Microsoft, both patches should already be included in CU20. This is installed on our servers. Why Thor recognizes this attack as successful, I can not yet estimate. ESET actually continuously logs the blocking of an attempt to exploit a vulnerability on the server, but does not go into further detail about which vulnerability it is. Is there any way to find out which vulnerabilities these are specifically, and can we find out if ESET has a matching pattern for the above vulnerabilities, and especially since when? Is anything known in this context in your offices? [1] https://www.heise.de/news/Exchange-Server-jetzt-patchen-Angreifer-suchen-aktiv-nach-neuer-Luecke-6158190.html [2] https://support.microsoft.com/en-us/topic/description-of-...-kb5001779 [3] https://support.microsoft.com/en-us/topic/description-of-...-kb5003435 Thx & Bye Tom
  14. Servus Martin, sorry for my late reply. It works as you describe above without uninstalling the ESET products from the client. Only removing and deactivating in the Protect console was necessary... Thank you very much & Bye Tom
  15. Servus Martin, there is a misunderstanding, I primarily plan to reinstall the systems. The new operating system no longer supports 32 bit applications, so after an upgrade I will be left with some legacy applications, which I would like to avoid. So keeping the agent is not an option. However, I could get comfortable with not necessarily uninstalling the ESET applications on the clients, because the system will be reinstalled anyway, but I definitely need to get them out of the database in a clean and supported way, with releasing the license afterwards. Since I have a lot of work to do with the migration anyway, I'm primarily interested in the cleanest solution, not necessarily the fastest. There is no need for a quick and dirty solution... Thanks for your attention & Bye Tom
  16. Servus Community, I need to upgrade all Mac OSX clients to a newer operating system version and prefer a clean reinstallation in most cases. In order to remove the ESET clients from the server console and release the license, I wanted to create an uninstall task according to this guide [1]. But now this task only allows either a security product or an agent version as the product to be removed. This means that with this strategy I need two tasks per client and then one task for each version used. I am not primarily concerned with a clean uninstall on the clients, but rather a clean removal in the server database and the release of the license. Can this be made easier? Note: On the newly installed systems, ESET should be installed again, but with the latest versions. The name of the workstation will also change, only the IP address will remain mostly the same. So I have not much hope that the newly installed client will reconnect with the old license and database record afterwards. [1] https://support.eset.com/en/kb7724-push-uninstall-to-client-workstations-using-eset-protect-8x ESET PROTECT (Server), Version 8.0 (8.0.1258.0) ESET PROTECT (Web Console), Version 8.0 ( Thx & Bye Tom
  17. Servus Marcos, is this independent of the version displayed in the selection of the Referendare ESET PROTECT Server in the actual task? Here only version 8.1.1223.0 is mentioned. I find it a bit magic when a task that only has Windows to choose also works on Mac and then also a higher version number is processed. This is all so correct and it works as you expect it? 😉 Thx & Bye Tom
  18. Servus Community, I am in the process of rolling out the latest Agent version in our infrastructure and am having some understanding issues regarding version numbers. So far I have created a Component Upgrade Task and selected a server with the highest version number. However, the server that is displayed is listed as a Windows OS. Until now, I thought this meant the Protect Server type. In this case, the highest version was version 8.1.1223.0. I ran this task across all clients, whether Mac or Windows. In an evaluation group of both operating systems, the task completed quickly and unproblematically, on both Windows and Mac. Only now the Mac shows an agent version 8.1.3215.0, which suggests a higher version than I actually specified. Where did that come from suddenly? On Windows it shows the above version, which is what I would have expected. Can anyone explain this? Thx & Bye Tom
  19. Now the task status is set to Running and does not change anymore. However, the initial situation has changed a little. I also had a few clients where the error (update not finished) was actually given. I then created a new task and selected the version to be updated to, directly in the list of available products. By the way, the task I am trying to fix had the URL to the last version selected as the product. For all clients that failed to install the last product version, I ran the task with the product I selected myself and all clients updated correctly. Now I have tested the Rerun on failed option on one of the clients but the task remains in the Running state. I have no idea why the tasks are not fully completed. I always have to use a combination of tasks when updating the whole infrastructure, once with the URL to the last version and once with the self-selected version. Is there something I am doing wrong? Thx & Bye Tom
  20. Servus Community, I've some tasks with failed executions (ESET Software Update) but not all of them are really failed. At least one of them has the newest version installed and should be displayed as finished in the task history. Further another client was updated manually by installing the current version due to the last progress description "Task failed, try to install software manually". This client also stays in a failed state. How can I manually mark failed tasks as finished? Please note that this particular task has a lot of clients for running the update task and most of them are in a finished state... Thx & Bye Tom
  21. I attached a Zip-File with some sample emails. There is now only one email with an invitation but a few others that somehow have to do with it, because the name of the sender is the same everywhere. The password for the zip file is infected. I'm still sending the files following the instructions you posted above. Thanks for your attention SPAM.zip
  22. Servus Community, we currently receive very frequent e-mails with calendar invitations, which are not recognized as spam. Since the sender address is different, it is difficult for me to create a filter for it myself. Can I send a few of these emails to samples[at]eset.com with a request to review them for inclusion in a spam pattern or is this email address only for malware? Is there another way to send an email to ESET for review? Thx & Bye Tom
  23. Okay, thanks for the effort. The setting is not a matter of life or death but as a nice to have it would be great... Thx & Bye Tom
  24. I am not sure if this is the right place. It reads that way but as soon as I edit this notification it ends up asking me if I want an email, use a syslog server or send an SNMP trap. Actually, none of them. I was only referring to the colored background in the 'Last Connected' column in the Protect console and that doesn't seem to be what I'm looking for. But it would be close.... Thx & Bye Tom
  25. Servus Community, is it possible to change the time period for triggering a warning of the last connection date? We have it set to around three to four days, which causes quite a number of warning messages, especially after the weekend. Since we have quite a few part-time employees, the majority of the computers are constantly displayed with a warning. To me, one week as a warning and four weeks as an error would be more suitable. I have not found a corresponding setting in the policy. Can someone tell me where to set this? Thx & Bye Tom