Everything posted by tmuster2k

  1. For testing purposes I need to unhook the current Master policy that is assigned to the GROUP called ALL. This is for the ENDPOINT SECURITY program. I want to unhook this one computer from the policy so it's in a standalone environment and I can make changes locally to EES. When I go to details >> Client Configuration >> I see the policy but cannot un-assign this one machine. If I have a policy where just individual computers are assigned as opposed to the GROUP then I can un-assign for testing. Do I have to uninstall the agent for now to accomplish this?
  2. I have seen this on ENDPOINT AV, which is rather confusing being that it does not have a firewall. I would suggest first, on one machine only, doing a push install task to install EEA 6.4 over the top of the V5 Endpoint. After the upgrade you need to reboot (Reboot automatically check box). If after the reboot, you go local to that machine and it is still showing the same status, then I would suggest using a push uninstall task >> hxxp://help.eset.com/era_admin/62/en-US/?client_tasks_software_uninstall.htm to uninstall the broken V5 version and then reboot. After reboot, use your same push install task for 6.4 and install. This should resolve your issue. BTW, were these Windows 10 machines?
  3. I know there is a dynamic Group called "computers with outdated virus signature database". How can I create a report that shows me the systems from this group?
  4. Scheduled scan is part of that policy you are currently configuring. You cannot have a task in one policy and apply that to a different group. Child policy works though.
  5. Do you give normal users admin rights? In almost every instance of ransomware I have seen that has got past an AV program, almost 99% of them had this one thing in common.
  6. I believe you are referencing Version 5.x. In my test environment I have one SERVER POLICY which is my master policy and I also created a CHILD policy called "Accounting". In my SERVER POLICY I have all the computers in this group that are not part of the ACCOUNTING GROUP. I created a scheduled scan (not a task) policy in the SERVER POLICY for scans to run at 4am (before clients come to work) and in my CHILD policy for the ACCOUNTING group I created another scheduled scan policy to run at 12AM (after they leave for the day). Both scans ran at their scheduled time. You need to confirm from the CLIENTS tab that computers pertaining to your other group do have the Child Policy applied to them (ACTUAL POLICY). If this is V6 you are running, you create a separate POLICY and then just force the Scheduled SCAN item for this other group so their scan does not start at the same time as your MASTER scan.
  7. How would a report for device control be created using ERA 5?
  8. Regarding Internal Web Proxy. Does it have to be set in Admin >> server settings or can it just be applied in the Policy under Update section >> HTTP PROXY >> Custom Proxy Server? If it's set in server settings does that apply it in any policy going forward?
  9. Is there a straightforward way to find out what end user clicked on the Phishing email to let the ransomware in? I know on a smaller network it might be easy to look through emails but on a much larger scale network this may not work. I know I can look at the properties of a shared drive that was encrypted but this is not totally accurate since a lot of different users can be accessing this share.
  10. Install over the top gives you the option to keep existing settings. It's checked by default. The push through ERA will also keep existing settings, which means your license information. Even if this information was lost the agent should be able to recognize and pull your license back to the endpoint.
  11. The no conflicts switch will bypass the look for Norton remnants. You only run this once you have confirmed that the bigger pieces of Norton have been removed. Ex- services and drivers
  12. I would recommend going locally to that machine and logging in with a domain admin or local admin account. Remove all remnants of ESET if it dropped any during install. >> Registry >> HKEY_CURRENT_USER >> Software and HKEY_LOCAL_MACHINE >> Software and make sure ESET is out of here. Also check Program Files and confirm ESET is not present. Go into Services and confirm that the Windows Installer service is not greyed out when you try to set the default startup method or try to start or stop it. If these items are greyed out then you will need to run sfc /scannow from an elevated command prompt. You can also re-register the Windows Installer service if it's not greyed out in Services. >> Method 1: Unregister and re-register the Windows Installer. Click Start, click Run, type MSIEXEC /UNREGISTER, and then click OK. Even if you do this correctly, it may look like nothing occurs. Click Start, click Run, type MSIEXEC /REGSERVER, and then click OK. Reboot the system. Log back into the domain admin or local user account and try the install again from the local machine. Save the MSI locally to the machine in question and then open a command prompt. CD into the directory where you saved the MSI. Type the first couple of letters of the MSI and then TAB. Use the no conflict switch >> example: ees_nt_64_enu.msi ignore_conflicts=1 Hopefully this works for you.
  13. It doesn't matter if you have the home or biz product of ENDPOINT AV or NOD32, there is no client integration for SPAM. This would only be true for ENDPOINT SECURITY AND ESET SMART SECURITY. The integration into EEA or NOD32 is only for scanning of individual EML files. EMAIL Scanning running real time is at the forefront of the email protection however.
  14. Customer just recently installed ESET ENDPOINT AV 6.4 and after install, Internet Explorer spikes at around 800-900 MB when just opening 1 page. If we disable HIPS it's normal. If we enable Pre Release updates and get to HIPS support module 1241 we are good. Will this update be applied to normal updates soon so customer can go back to normal update? Windows 7 machines affected running IE 11. Does not happen with other browsers.
  15. The proxy does not have anything to do with sites being blocked. Are you blocking via just URL or categories? Are the sites you are trying to block HTTPS? If so then SSL scanning would need to be enabled which unfortunately can lead to other issues.
  16. I don't believe Live Grid traffic can pass through a Mirror. Can Marcos confirm? If so I would highly recommend using the Apache Caching Proxy.
  17. Where would this be applied in a policy? I went to TOOLS >> Scheduler in the policy for ERA 6.3 and when creating my on-demand scheduled Smart Scan there is no option to have computers be shut down after scan.
  18. 1. Open ESET RA console and go to ADMIN >> POLICIES and edit your Master policy. 2. Go to Antivirus >> On demand computer scan 3. Expand Threatsense Parameters 4. Scroll down to cleaning and put on "Strict cleaning" 5. Force this policy and finish.
  19. Okay... so the "strict cleaning" won't help probably? Can someone from ESET confirm this please, that this is a known issue, and no resolution found, yet. Thank you. And thank you for your help. Strict cleaning run from ERA will remove the threats showing in the list but not the NUMBER on the left hand side.
  20. Yes. This is a known issue as far as the number showing on the left hand side. I have seen this reported multiple times and there appears to be no resolution. ERA 6.x can act as a Threat Hoarder. Hopefully 6.4 will fix this.
  21. The In-depth scan profile alone will not resolve your issue. Follow below: Strict cleaning has to be applied to ANTIVIRUS >> On DEMAND SCAN POLICY 1. Open ESET RA console and go to ADMIN >> POLICIES and edit your Master policy. 2. Go to Antivirus >> On demand computer scan 3. Expand Threatsense Parameters 4. Scroll down to cleaning and put on "Strict cleaning" 5. Force this policy and finish. NOW - on-demand scans will do strict cleaning from task or Scheduled task
  22. There is no ETA on this product as of now.