Everything posted by tmuster2k

  1. Getting this detection on all endpoints:

     Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application;SHA1;User
     10/15/2020 4:36:11 PM;ARP Cache Poisoning attack;Blocked;10.4.2.1 [00:09:0f:97:54:78];10.4.2.1 [00:16:6c:9a:0d:25];ARP;;;0000000000000000000000000000000000000000;

     Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application;SHA1;User
     10/12/2020 11:58:26 AM;Duplicate IP addresses on network;Blocked;10.4.2.1 [00:09:0f:97:54:78];10.4.2.1 [00:16:6c:9a:0d:25];ARP;;;0000000000000000000000000000000000000000;

     NOTE: 10.4.2.1 is the IP address of the router. Is this likely a false detection coming from the ESET IDS? The router has the latest firmware. Is it possible the router's firmware has been compromised?
  2. I did not see a specific category for ESET Secure Authentication, so I am posting here. Using the ESA management server and RDP on a Windows Terminal Server. The customer connects multiple RDP sessions to this server using a Microsoft Client Access License (CAL) that allows 25 machines to connect to the server. https://support.hostway.com/hc/en-us/articles/360002191484-Microsoft-RDS-Client-Access-Licenses-CALs-#:~:text=A client access license (CAL,an RDS CAL is needed. With ESA installed, only 2 machines max can connect to this server using ESA 2FA. If the ESA core service is stopped, then more machines can connect to the server. Is there any limitation on using 2FA with a terminal server?
  3. I was wondering if ESET is planning on changing the way upgrades are handled for ENDPOINT AND FILE Security products for Windows. Is it possible to make an upgrade over the top without the restart? I have many customers who bypass the REBOOT option via upgrade tasks in ESMC. Some of them forget about the restart and then have many machines in the pending reboot status with modules in NON-Functional status. Question: in this pending reboot status, are the machines vulnerable to malware? I tested one of the machines in this non-functional status after upgrade and it was not picking up the EICAR test file. Is there any technical explanation as to why reboots are needed to finalize the upgrade of ESET products from an older version to a new one?
  4. When using Web Control, GROUP 1 has the category "Not Categorized" checked by default. One of my customers who used this recently was then blocked from just accessing his internal vSphere console. When you hit the drop-down on this it just says "Not categorized", whereas other categories give you details and items you can trim down. The question is: what does this very generic category block, and why are there no details on it when you hit the drop-down for it? What purpose does this category offer?
  5. I have noticed that with ESMC the Show Details >> Users section is hit or miss when showing users. Even when I have confirmed the user is logged in (tried domain admin login and standard user) and rebooted the machine multiple times, the result is the same. Did multiple wake-up calls and it still does not show. Not sure why some computers will show and some do not.
  6. The ESET alert is coming up on any web site that is visited by end users, not just this one, which is not even a web site. Seems to be some kind of test of the PROXY server maybe. When I am testing the ESET Proxy while troubleshooting, one of the tests is, for example, hxxp://esmcserver:3128/index.html, and it comes up with "IT WORKS" when the PROXY is enabled and working.
  7. A customer of ours is getting "Untrusted Certificate" for ssp.meba.kr. I looked it up on DigiCert and the output is found below. If you go to that server it reports back "IT WORKS". Is this possibly coming from an ADD-ON in Internet Explorer? This just started happening today.

     TLS Certificate has not been revoked
     OCSP Staple: Not Enabled
     OCSP Origin: Good
     CRL Status: Good
     TLS Certificate expiration
     The certificate expires September 19, 2021 (417 days from today)
  8. When doing an upgrade to a newer version of existing ENDPOINT AV machines in the dashboard, it is choosing all the machines regardless of the unchecking of machines. I have reproduced the issue on multiple environments using multiple web browsers.

     1. From ESMC go to Dashboard >> ESET APPLICATIONS >> Outdated Applications.
     2. In my environment I had 25 machines that had 7.0 of EEA, so I went to that group and "update installed Eset products".
     3. I typically like to test an upgrade on a few machines first, so I did the "click here to see list" and unchecked all of them but 2 machines.
     4. If you click on "click here to see the list" again, it has all of them selected, where before it would only show you the ones you left checked.
     5. I went ahead and unchecked all again and selected my two machines and then checked the box to finalize the upgrade.
     6. It pushed out to all 25 machines with reboots.

     To summarize, the upgrade option via the dashboard now only works for all machines, even though you have deselected them.
  9. Figured out it had to do with the user being in a "HelpDesk" role, so after modification it was working.
  10. Once I am logged into ESET ENDPOINT Encryption Server and double-click on a computer to get more details, I get a "JavaScript Error. URL hxxp://wp1mgmt01/dlpes/js/en-US/dlpes_core.js?3.1.0 . Message >> Uncaught TypeError: cannot read property "add" of undefined". This only happens on one computer, using IE and Firefox. The console works fine on other computers, but not this Junior Admin's laptop. Does Java need to be reinstalled, or is there some other issue?
  11. I notice on all installs of ESMC that the message in Status Overview always comes up in RED: "Notifications containing in accessible objects." with a number. This is referencing the Notifications which do not have an email address added to the notification. Why is this the default, especially if the customer is not using SMTP server settings to send out notifications? It throws off reporting. Is there any way to resolve this outside of adding an email address to every single notification, which I usually highly recommend not doing as it creates too much noise for the customer getting the notifications?
  12. What about the DNS Poisoning attack detection? Is there a specific reason this is not turned on by default for the IDS?
  13. I noticed that in the default setting for the ENDPOINT FOR WINDOWS POLICY in ESMC, in the IDS section, the items called "Display notifications also for incoming attacks against security holes" and "DNS Poisoning attack detection" are unchecked. I have a customer who is wanting details on why these two items are turned off and whether turning them on would cause possible false detections. I have seen notices in ESMC about security exploits when it comes to things like SMB exploits and thought that referenced "Display notifications also for incoming attacks against security holes". Can anyone provide information on why these two items are not selected by default in the policy?
  14. MichalJ, it does not have to do with adjusting columns. The option to resolve threats is not available unless the group is set to "ALL" for the specific permission set.
  15. Yes. When creating the Permission set there is nothing related to malware cleaning. Can we add this as a feature request? I was also able to reproduce the issue in my own environment, and you can do the same by doing the following >> Create a Test static group, create a Test permission set (Grant all functionality), create a test USER and assign it to the permission set. Run as a test https://www.amtso.org/feature-settings-check-potentially-unwanted-applications/. Go to "Detections" when logged into this new user account, and "RESOLVE" is not available when checking the box(es). Log out of the test user account and log back in with the Administrator native account. Edit the Test permission group and set it to GROUP "ALL" instead of TEST GROUP, then log out and back in with the TEST user account. Resolve is now available.
  16. I created a permission set and assigned it to an ESMC login for only certain Static Groups. After logging into this new account, the option to mark threats as resolved is greyed out. If I set this permission set to the group "ALL", then I am able to mark threats as resolved. Is it like this by design, and can threats only be marked as resolved when the permission set is set to GROUP "ALL"?
  17. Thanks for the information, guys. I will pass this along to the customer. @Michalj - The customer said he was doing a compliance form and one of the questions was asking if the security solution they used was EDR compliant or not. So I assume from Marcos' response that, based on the fact that they are not using EEI, they are not EDR compliant. Would that be correct?
  18. I have a customer who is doing compliance and they need to see if they are EDR compliant using our ESET products. They have ENDPOINT AV + File Security. I googled EDR and ESET and it comes up mentioning ESET Enterprise Inspector. To be fully EDR compliant, do you have to have this specific product called ENTERPRISE Inspector, or does the ENDPOINT AV provide this protection?
  19. Trying to figure out the correct process on how to migrate an MSP from his Windows 10 box to the ESET ESMC Virtual appliance. The machines that are currently connecting in are connecting to a static WAN IP address. The MSP wants to migrate them over to his fully registered domain name. I imported the CA and Server cert into the OVA and restarted the box. Created a migration policy and tested one workstation to move to the new hostname (FQDN), but the machine would still connect to the old ESMC on the Windows 10 machine. I assumed that ports would need to be changed, so on the OVA I went into server settings and changed to 3333 and 3334 for agent and web console and restarted the appliance. After restart of the appliance I am not able to log back into the web console and am getting "State not connected". Is there any config file we need to modify to change to 3333 and 3334?
  20. I have a customer who installed ESET products using the CLOUD installer file. He did not specify the static group, so he has many random machines showing under Lost and Found. Based on computer name he is not sure what company they belong to. Is there any report / RUN Task that can be sent out to a machine to get the WAN IP address to better identify these machines?
  21. Instead of manually adding a URL into "List of Known Certificates" on my ESMC policy, I had to put the system into override mode and then request the config and turn it into a child policy. How come the ESMC policy only has the option to add a file for this section?