Everything posted by pronto

  1. Servus Marcos, so I found the task scheduler now, but only in the GUI of the client itself, not in the policy in the Protect console. They are also all activated and really only took the blink of an eye. Another thing I noticed is that the long Smart Scan only becomes active when I open the Smart Scan dialog in the client GUI. Maybe it only starts when I open the dialog. At least only then does the circling radar bar in the ESET icon become visible. By the way, you can start this scan several times, which actually makes no sense (see screenshot). At this point I suspect a bug, and it is possible that it runs in the background, but if it does not, it is probably not the cause of our issue. Anyway, I have now uninstalled the virus scanner on the acutely affected client and asked the colleague to work without the virus scanner for a day to find out whether the system can then be used normally again. This will at least tell me whether it was the virus scanner at all, or whether another issue is responsible for the poor performance. Basically, all users with Big Sur on the Minis with hardware revision 2014 have issues with performance, but not to the level discussed here. This Mac was no longer usable. Thx & Bye Tom
  2. Servus Community, I am experiencing annoying performance issues when switching our Mac Minis to Big Sur and I believe the virus scanner is responsible. On the last machine the issues were so significant that I uninstalled the virus scanner, and since then the system has been running quite stably and fast. Users report that this slowly disappears after a while and the system can be used halfway normally. But until then they are quite frustrated. I looked at the whole issue for a while and noticed that the virus scanner runs a system smart scan after every startup, which can take up to two hours. In the policy I have not found the place where we can disable it, and I do not know this from older versions, at least not with Windows. The question now would be, on the one hand, where I can turn off this daily check of the system files and, on the other hand, whether there are other tweaks to increase the system performance? I can't really leave it like this, and going completely without a virus scanner is not advisable either. Thx & Bye Tom
  3. I've taken a closer look at this issue with my colleague now and we have some answers but also a few questions. We have two Exchange servers (MTA-1 and MTA-2) and only one (MTA-1) accepts mail from external senders. While analyzing the ESET logfiles we noticed that the second server (MTA-2) has had an empty logfile for over a week. Obviously, nothing was filtered here, which didn't worry us at first, because everything has to pass through the filter of the first server (MTA-1). Furthermore, we took a closer look at the spam mails that were passed through and noticed that there are no ESET X-tags in the headers of these e-mails. This worried us, because it is obvious that some mails did not pass through the filter at all. Days ago we restarted the ESET services on both servers, and today we restarted both servers. Now the filters on both servers are working again, and since then no spam mail has arrived, at least in my mailbox. However, in that time, five to ten unrecognized spam mails would have been expected. This is a good sign. This would also answer the question of why some spam mails were filtered and others not: because the filter on only one server was working. But the question that arises now is, why is the filter on the second server necessary at all, if everything should go through the filter of the other server first? Is there any documentation on how the ESET filters work in an Exchange DAG, or a short explanation that does not go beyond the scope of this post? After all, this final question is on the edge of being off topic, but the answer would help us at least to understand the issue... Thx & Bye Tom
  4. If you haven't changed anything on the network layout, I don't think that's the reason. We haven't changed anything and it was working fine until a week ago. I'm on vacation right now but I'll pass this on to my colleague to check. Thx & Bye Tom
  5. Servus Community, For a week now we have been flooded by a spam tsunami and we don't know why. The spam filter on our Exchange servers filters out spam, as we can see from the logs, but there is still a lot of spam arriving in the users' mailboxes. We have already sent over a hundred samples to ESET, but the storm continues. There are mails that should be clearly identified as spam, but the filter lets them through. At first we thought that this would fix itself in a few days, when ESET reacts with new patterns, but now it is taking so long that we have to assume that the problem is in our setup. What actions can we take to get the problem under control? The matter is getting more and more serious; we have users who get over a hundred spam mails per day and there might be serious threats among them. Thank you in advance for your attention Bye Tom
  6. I have now uninstalled ESET Endpoint Antivirus and reinstalled it with user-defined settings. In the user-defined settings I disabled web and email protection, so the proxy adapter is not installed. The actual issue has been escalated to the next instance by first level support. Thx & Bye Tom
  7. Now I have the same issue with the next Mac Mini. It works after installing ESET until I reboot the system, then the proxy adapter won't connect to whatever or whoever and the network connection is down. Not everything, strictly speaking, because a ping still works, as does the definition update from ESET, but nothing else anymore. The only Mac Mini with Big Sur that doesn't have this issue is a brand new M1 Mini; the other two, where it doesn't work, are Intel Minis with a hardware revision from 2014. The systems are compatible with Big Sur according to the compatibility matrix. I opened a support ticket the day before yesterday and got a message today that I would have to wait until next week for an answer, which wouldn't be an issue if the second Mini didn't have this issue as well. So if anyone can say anything about it, now would be a really good time to do so... 😉 Thx & Bye Tom
  8. If I follow these instructions [1], I lose the network connection. All other macOS systems do not have this problem. Another Big Sur installation does not have this proxy adapter connected, but also does not show the warning that the web and email protection does not work. So either I get rid of this warning on the unconnected proxy or the proxy adapter is kind enough to stop blocking my network connection. [1] https://support.eset.com/en/kb7698-web-and-email-protection-did-not-start-in-eset-products-for-mac-on-macos-big-sur Thx & Bye Tom
  9. Servus Community, with a disabled ESET proxy network adapter I can't get rid of the warning that some features don't work, and with an enabled proxy network adapter the internet doesn't work anymore. localhost is entered as the proxy address. What am I doing wrong? Thx & Bye Tom
  10. Servus Marcos, the protection status is red, but it only indicates that a restart is required. No further indication that the protection status is impaired or out of function. Anyway, since the matter is unclear, I have now restarted the system. However, your development department should take a look at this. With a regular update, this request to restart always comes, and even the users do not necessarily register this alert from ESET, or simply ignore it and postpone the restart until the end of work. They are then only advised that a restart is required. In the meantime, it must be clear that the virus protection is still working, or if not, all alarm lights should go on. A message that a restart is required is then not enough. With Windows updates, postponing the restart is also common practice. Thx & Bye Tom
  11. Servus Community, I accidentally updated the ESET engine on an Exchange server; it was already up to date. Now the server wants a restart, and for this I would like to wait until office hours are over. Is protection still guaranteed until then? Thx & Bye Tom
  12. Servus Community, somehow during the installation of ESET Antivirus on macOS 11.5 I got a network interface for a proxy server installed, which probably happened accidentally. I then had no network connection on the Mac and first had to disable this interface in the network settings. How do I get rid of this proxy interface...? Thx & Bye Tom
  13. I think it's time to seriously consider a reverse proxy server. We used to have one when Microsoft had a TMG server in their portfolio, but after that was discontinued, our Exchange servers are connected directly to the Internet. Not having one was already not an advantage with the Hafnium exploit issue a few months ago. We had to reinstall all the Exchange servers at that time. Btw: Our Exchange servers are not fully patched. We have installed CU20, but there were three security updates that are still missing. At least Microsoft states that CU20 is sufficient; there was no mention of security patches. A technician from our service provider also said that CU20 should be sufficient and Thor may have only registered the HTTP request. Tomorrow I will install the last security patch and in two weeks the current CU21. In the meantime I'll get busy looking for signs of a successful exploit, but to do that I need to know what to be looking for first. Until then, I hope ESET keeps its eyes open and I still don't get any negative feedback. If anyone has any concrete leads on what to be looking for already, that information would be helpful. Thx & Bye Tom
  14. This happens all the time, day in and day out. What should I do with this information? But if these should be brute force attempts, then it probably does not concern the security vulnerability mentioned here. The question is also whether ESET detects this at all or only becomes active when dangerous files are installed on the system. The backdoor of the Hafnium exploit was found by ESET, but only a few hours later. Whether ESET would have detected the exploit at an earlier time, even before the backdoor was installed, I don't know. Unfortunately, I know too little about the impact of this vulnerability. Thx & Bye Tom
  15. It doesn't really say anything useful. The really important information, e.g. which security vulnerability is being exploited, is unfortunately missing. Translated it says: Thx & Bye Tom
  16. Servus Community, a Thor scan has detected anomalies on one of our Exchange servers tonight (see screenshot). Apparently it is a vulnerability in the Autodiscover protocol of the Exchange server. Heise (a major IT magazine in Germany) notes several attack vectors regarding Autodiscover (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) [1/de], which Microsoft should have fixed with the patches KB5001779 [2] and KB5003435 [3]. According to Microsoft, both patches should already be included in CU20. This is installed on our servers. I cannot yet estimate why Thor recognizes this attack as successful. ESET actually continuously logs the blocking of an attempt to exploit a vulnerability on the server, but does not go into further detail about which vulnerability it is. Is there any way to find out which vulnerabilities these are specifically, and can we find out if ESET has a matching pattern for the above vulnerabilities, and especially since when? Is anything known in this context in your offices? [1] https://www.heise.de/news/Exchange-Server-jetzt-patchen-Angreifer-suchen-aktiv-nach-neuer-Luecke-6158190.html [2] https://support.microsoft.com/en-us/topic/description-of-...-kb5001779 [3] https://support.microsoft.com/en-us/topic/description-of-...-kb5003435 Thx & Bye Tom
  17. Servus Martin, sorry for my late reply. It works as you describe above without uninstalling the ESET products from the client. Only removing and deactivating in the Protect console was necessary... Thank you very much & Bye Tom
  18. Servus Martin, there is a misunderstanding, I primarily plan to reinstall the systems. The new operating system no longer supports 32 bit applications, so after an upgrade I will be left with some legacy applications, which I would like to avoid. So keeping the agent is not an option. However, I could get comfortable with not necessarily uninstalling the ESET applications on the clients, because the system will be reinstalled anyway, but I definitely need to get them out of the database in a clean and supported way, with releasing the license afterwards. Since I have a lot of work to do with the migration anyway, I'm primarily interested in the cleanest solution, not necessarily the fastest. There is no need for a quick and dirty solution... Thanks for your attention & Bye Tom
  19. Servus Community, I need to upgrade all Mac OSX clients to a newer operating system version and prefer a clean reinstallation in most cases. In order to remove the ESET clients from the server console and release the license, I wanted to create an uninstall task according to this guide [1]. But now this task only allows either a security product or an agent version as the product to be removed. This means that with this strategy I need two tasks per client and then one task for each version used. I am not primarily concerned with a clean uninstall on the clients, but rather a clean removal in the server database and the release of the license. Can this be made easier? Note: On the newly installed systems, ESET should be installed again, but with the latest versions. The name of the workstation will also change, only the IP address will remain mostly the same. So I have not much hope that the newly installed client will reconnect with the old license and database record afterwards. [1] https://support.eset.com/en/kb7724-push-uninstall-to-client-workstations-using-eset-protect-8x ESET PROTECT (Server), Version 8.0 (8.0.1258.0) ESET PROTECT (Web Console), Version 8.0 (8.0.191.0) Thx & Bye Tom
  20. Servus Marcos, is this independent of the version displayed in the selection of the reference ESET PROTECT Server in the actual task? Here only version 8.1.1223.0 is mentioned. I find it a bit magical when a task that only offers Windows to choose from also works on Mac, and then a higher version number is processed as well. Is this all correct, and does it work as you expect? 😉 Thx & Bye Tom
  21. Servus Community, I am in the process of rolling out the latest Agent version in our infrastructure and am having some understanding issues regarding version numbers. So far I have created a Component Upgrade Task and selected a server with the highest version number. However, the server that is displayed is listed as a Windows OS. Until now, I thought this meant the Protect Server type. In this case, the highest version was version 8.1.1223.0. I ran this task across all clients, whether Mac or Windows. In an evaluation group of both operating systems, the task completed quickly and unproblematically, on both Windows and Mac. Only now the Mac shows an agent version 8.1.3215.0, which suggests a higher version than I actually specified. Where did that come from suddenly? On Windows it shows the above version, which is what I would have expected. Can anyone explain this? Thx & Bye Tom
  22. Now the task status is set to Running and does not change anymore. However, the initial situation has changed a little. I also had a few clients where the error (update not finished) was actually given. I then created a new task and selected the version to be updated to, directly in the list of available products. By the way, the task I am trying to fix had the URL to the last version selected as the product. For all clients that failed to install the last product version, I ran the task with the product I selected myself and all clients updated correctly. Now I have tested the Rerun on failed option on one of the clients but the task remains in the Running state. I have no idea why the tasks are not fully completed. I always have to use a combination of tasks when updating the whole infrastructure, once with the URL to the last version and once with the self-selected version. Is there something I am doing wrong? Thx & Bye Tom
  23. Servus Community, I have some tasks with failed executions (ESET Software Update), but not all of them have really failed. At least one of them has the newest version installed and should be displayed as finished in the task history. Furthermore, another client was updated manually by installing the current version due to the last progress description "Task failed, try to install software manually". This client also stays in a failed state. How can I manually mark failed tasks as finished? Please note that this particular task has a lot of clients running the update task and most of them are in a finished state... Thx & Bye Tom
  24. I attached a Zip-File with some sample emails. There is now only one email with an invitation but a few others that somehow have to do with it, because the name of the sender is the same everywhere. The password for the zip file is infected. I'm still sending the files following the instructions you posted above. Thanks for your attention SPAM.zip
  25. Servus Community, we currently receive very frequent e-mails with calendar invitations, which are not recognized as spam. Since the sender address is always different, it is difficult for me to create a filter for it myself. Can I send a few of these emails to samples[at]eset.com with a request to review them for inclusion in a spam pattern, or is this email address only for malware? Is there another way to send an email to ESET for review? Thx & Bye Tom