tmuster2k (Members; 372 posts; Days Won: 1)

Everything posted by tmuster2k

  1. Basically, what I would like to do is lock down the system as much as possible so that if an attack does occur, I have layers of security for the attacker to break through. In other words, I would like to whitelist individual applications to use system resources instead of blacklisting, which seems to be ESET's default approach. The firewall is the easiest to work with in that regard. If I were using iptables, my rules might look like:

         :INPUT DROP [2:80]
         :FORWARD DROP [0:0]
         :OUTPUT DROP [8:903]
         -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
         -A INPUT -i lo -j ACCEPT
         -A OUTPUT -m owner --uid-owner 0 -j ACCEPT

     The difference between those iptables chains and what I would want to implement is the OUTPUT whitelist being application-specific rather than user-specific. This would require an attacker to migrate to (or exploit) a network-allowed process before being able to gain a shell into my system. Therefore, the next step is to lock down process migration. I would like to apply a similar whitelist policy to HIPS rules, allowing only programs that need access to specific resources to have them. If that can be done, even if someone runs a backdoor executable on my system, they won't be able to migrate to a process necessary to carry out the rest of the attack. That covers most defenses. What would be left would be vulnerabilities in ESET, physical attacks, vulnerabilities in allowed applications, phishing, etc.

     There is a problem with this approach in that all OS processes would need to be manually whitelisted so as to avoid breaking the OS. However, this does allow restricting things like Cortana from working, which might be desirable.

     How would I implement a system like this in ESET's policies for Windows and Linux? The Windows Firewall settings make sense enough. However, the HIPS rules are missing the same up and down arrows that are present on the firewall UI. The same applies to the Linux Firewall Profile Rules as well.

     Below are screenshots showing the missing buttons. Also, if there is any online documentation that anyone can suggest, that would be most helpful as well.
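The following is an added example, not part of the post above and not ESET's or the poster's code. It takes the iptables sketch from the post (default DROP on every chain, accept loopback and established traffic, whitelist OUTPUT by socket owner) and turns it into a small POSIX sh generator that emits an iptables-restore ruleset. Netfilter has no match on executable path, so the usual Linux approximation of "per-application egress" is to run each network-facing program under its own dedicated service account and match it with -m owner --uid-owner; the UID/label pairs, the file name egress.sh and the helper names gen_rules and count_allowed are all constructed for this example. It uses the conntrack match rather than the deprecated state match the post shows; the semantics are the same.

```shell
#!/bin/sh
# Added example (not from the forum post or from ESET): emit a default-deny
# iptables ruleset in iptables-restore format. Netfilter cannot match on the
# executable path, so per-application egress is approximated by running each
# network-facing program under its own dedicated UID and matching the socket
# owner with -m owner --uid-owner. Anything else leaving the host is logged
# and then dropped by the OUTPUT chain policy.
#
# gen_rules "UID:label UID:label ..."   (UIDs and labels here are placeholders)
gen_rules() {
    allowed="$1"
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT DROP [0:0]'
    # Loopback both ways, replies to connections this host opened, and nothing
    # that conntrack cannot classify.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # One OUTPUT accept per whitelisted UID. Only locally generated packets
    # carry a socket owner, so the owner match is meaningful in OUTPUT only.
    for entry in $allowed; do
        uid=${entry%%:*}
        label=${entry#*:}
        printf '%s\n' "-A OUTPUT -m owner --uid-owner $uid -m comment --comment \"$label\" -j ACCEPT"
    done
    # Rate-limited log of what the whitelist rejects, before the policy drops it.
    printf '%s\n' '-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-denied: "'
    printf '%s\n' 'COMMIT'
}

# Count the per-UID accept rules in a generated ruleset; a sanity check before
# applying (it should equal the number of whitelisted accounts).
count_allowed() {
    printf '%s\n' "$1" | grep -c -e '--uid-owner'
}

# Two placeholder service accounts: one for a browser, one for an updater.
# Apply with:  sh egress.sh | iptables-restore --test   (parse only)
#              sh egress.sh | iptables-restore          (commit)
gen_rules "1001:browser 1002:updater"
```

Two caveats a practitioner will hit immediately. Name resolution happens in whichever process performs the lookup (or in a local stub resolver running under its own account), so that UID needs an entry as well or everything whitelisted will fail to resolve. And note that, unlike the post's ruleset, UID 0 is deliberately not whitelisted here: an "--uid-owner 0 ACCEPT" rule keeps package managers working but also gives any root-level foothold free egress, which is exactly the layer the post is trying to add.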
  2. You can use your policy for your Windows desktops as your global policy, and in your static group test this will be your child policy. As long as your global policy's ICMP rule is not set to "Force" or "Apply", then on your child policy you can "Force" or "Apply" and this will override global for this ICMP setting. hxxp://help.eset.com/era_admin/65/en-US/admin_pol_how_policies_are_applied.htm
  3. Need to figure out how to block Remote Desktop Connection for everyone except one computer, meaning the tech's computer should be the only one that can remote desktop into any computer on the network. No other computers on the network should be able to remote desktop into any computer. We want to retain the network address in the Trusted Zone on the global policy for endpoints using EES. I created a firewall rule on the global policy to deny port 3389 and the application c:\windows\system32\mstsc.exe, and a similar rule to allow it on the one tech computer. After confirming the policy took effect, I can still connect to every computer via RDP. The only way I can prevent remote desktop is to take out the network address in the Trusted Zone. Is there any other recommended way to configure this policy for remote desktop?
  4. Customer has the master EFS policy set to disable "Protocol filtering" and "Web access protection". They have had this implemented for some time. With EFS 6.5, after these two items were disabled in policy there would be no red alerts in ERA/ESMC and nothing locally on the server. Since the upgrade to EFS 7.x there are always alerts in ERA/ESMC and locally. In the policy under User interface >> Statuses there is no category for these two items (only anti-phishing). Is this by design? I informed the customer it's very important to leave this enabled, but they do not want it and have never used it on servers. Also, when you go locally on the server to Programs and Features for EFS and choose Modify, there is no longer an option to take out Web access protection. Is this also by design with the new version?
  5. We have a good number of customers who buy ESET Endpoint Security but may not want to use the firewall, so they can still take advantage of Botnet Protection, IDS and Web Control. So the firewall is disabled in the ESMC company base policy. Confirmed that the policy was created before EES was even pushed out to clients, and these are all fresh installs of the latest EES 7. Confirmed the policy was applied correctly in global fashion; confirmed that locally on the endpoint as well. On EES 7 deployments the Windows Defender Action Center is now reporting "Actions needed in ESET Firewall - Open ESET Firewall". Opening it just goes to the GUI, which reports "You are protected". Windows 7 machines with this same policy implementation do not report anything wrong with the firewall. Confirmed that the Windows Firewall is enabled on the Windows 10 1803 systems. I was also able to reproduce this on a VM.
  6. It does not specify anything about authentication, just that the test failed. We mirrored the same settings on this phone, so we know the authentication part is correct.
  7. So my question is still: do the ERA 6.5 SMTP Server settings fully support email configurations for Office 365 or GoDaddy? I had the customer mirror the settings on his phone, which was set for Office 365, and it still won't work in ERA 6.5. The test email always fails. Confirmed the settings are correct. Do you have to be hosting your own mail server for this to work?
  8. Can't do GPO because the domain has a mix of ESET and Sophos and the customer does not want the agent on those non-ESET AV computers. Tried using the deployment tool, but after it says "success", like the ERA 6.5 deployment status, nothing happens on the endpoint. Even when I bring up Task Manager there is no ERA_x64 process like I see with a successful deployment of the all-in-one or agent when using the deployment tool.
  9. Just got ERA 6.5 installed. When pushing the agent it will say it completed successfully, but the agent never gets installed. I was RDP'd into the test machine after the push, and you do see the ESET Remote Admin Push background process for a brief second before it disappears. After it disappears, the ESET Agent Server task shows "task completed successfully", but no agent is installed. This happened on two different machines running Windows 10. Tried a local install using the agent live installer, and after doing the Windows 10 >> More info >> Continue anyway step there is no DOS screen or subsequent Windows Installer icon. Customer does not want to do local installs of the agent using the MSI.
  10. Working with a customer on getting notifications sent out from ERA 6.5, and when putting in his settings for Office 365 the test fails in red and nothing gets sent. We also tried a GoDaddy email with the same result. Do they have to be hosting their own email server like Exchange for this to work?
  11. Most of my testing shows that in-place upgrades are good from 6.4 and up to the latest version. If you do install over the top from these older versions to 6.6, there is a likelihood, as you described, that security modules will be in a non-functional state. I would recommend just pushing out an uninstall task + reboot and then pushing out the latest build to that same system(s). This process will ensure that "You are protected" should display on the Protection Status. Going further, you can just do install over the top + reboot as long as you do not fall too many versions behind.
  12. After you get ESET Remote Administrator version 6.x installed and the agent pushed out to a version 5.x endpoint, you can "request configuration" and "convert to policy" to bring over policies for version 5.x. If you were just using the defaults in ERA 5.x, you can just use the default version 6.x Endpoint for Windows policy. In the ERA 6.5 console you will create a client uninstall task to remove V5 Endpoints and 4.5 File Security. I highly recommend unhooking self-defense on 4.5 EFS before uninstall, as some uninstalls have been known to hang and self-defense was causing it. After you have pushed the uninstall and rebooted (the client install task of the V6 product will fail if you don't reboot first), then do a client install task and push 6.6 out to endpoints. I have not heard of any issue with the current build causing slow file access. If all endpoints are protected you may want to turn off network scanning for real-time file system protection.
  13. I have a customer using DES on Amazon AWS and we cannot start DESlockHTTP. With it not started we cannot get into DES. I have tried rebooting the server and setting the log on to domain admin, but it still fails. Any suggested troubleshooting? We have one system that is totally locked out and need to reset the FDE password.
  14. Thanks, itman. That makes a lot of sense based on the detection in the logs.
  15. Herm01, I currently cannot test with my customer, but have you tried installing another build of EFS to see if it also fails? I will PM you a link for EFS 6.3, which is the only build I have available right now. See if that one installs so maybe we can confirm it has to do with the current build. I will test as well when I get access back to the server.
  16. Working with a customer who notices an ESET detection of the IBM BigFix agent called "BESClient.exe". According to the screenshot of the logs, which you can view here >> https://eset.sharefile.com/d-s891c2ae71ee47c89, it appears that this agent is trying to do something with ESET or do some kind of reporting on ESET and send it back to their console. ESET is just reporting that Self-Defense blocked this type of communication, which is what Self-Defense should do. The customer understands this but wants to know if there is a way to have ESET not log anything to do with BESClient.exe regarding HIPS. Real-time exclusions were set per >> https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli+Endpoint+Manager/page/Real+Time+AV+Exclusions, but I do not see anything there regarding HIPS, and ESET HIPS is not interfering with the IBM BigFix program; it is working fine. Any suggestions? TY.
  17. After installing EFS 6.5.12014.1 I get "c:\Program Files\eset\eset file security\egui >> Windows cannot access the specified device, path or file. You may not have appropriate permissions to access the item". The activation window never comes up after install and EGUI does not show alongside ekrn in Task Manager. I get this error when trying to manually launch EGUI by going into that path. This is a Windows Server 2008 64-bit with plenty of resources. The customer previously had a working EFS 4.5 running. EFS 4.5 was removed and the computer rebooted before the install of EFS 6.5. I did another uninstall of the broken 6.5 and manually confirmed no remnants in system32\drivers or in the registry after reboot. Installed again and same issue. Currently having the customer run sfc /scannow. Any suggestions going further?
  18. Not sure I have run across this. Did you temporarily disable protection and see if the issue is reproduced or not? Real-time and web access protection, if running EEA.
  19. EES is firewall and AV protection, which does not include encryption. There is ESET Endpoint Encryption, but I'm not 100% sure if you can force auto-encryption once a device is inserted into the machine.
  20. Override mode only has a 4-hour maximum, plus you have to set a user-defined password or know the domain admin password.
  21. Is your date and time accurate? If so, then uncheck SSL scanning in the advanced options for ESET and reboot the machine. Go back into the ESET advanced options and re-enable SSL scanning.
  22. You can always remove ESET using the removal tool in safe mode >> https://support.eset.com/kb2289/
  23. If it's a one-off with only this one computer, then uninstall ESET to see if the issue is reproduced. If not, then install the latest build back on the system.