Posts posted by speakerbox

  1. Hi,

    We have a bit of a weird one with our ESET Protect Windows server and Apache. We use a custom port 8879 for the web console rather than the default 2223.

    Our web console intermittently breaks and will not load. When I check the Windows server the Apache Tomcat service is stopped; once started, the console loads but we can't log in, with the error "not connected". I've discovered that the web console port within erawebserverconfig.properties appears to revert to the default port 2223. Once I change this back to 8879 and restart Apache, it works fine as normal.

    I've not yet found a pattern: sometimes it's 2-3 days between breaking, and on today's occasion it was 2 weeks. We also had this issue on ESMC and recently upgraded to ESET Protect hoping this would fix it. We have also installed the latest version of Apache manually but still have the same problem.

    Has anyone seen this before or any ideas why this would happen? 

    Thanks

  2. Hi,

    We've just had a spate of alerts via ESMC on the below file being detected as PUA which is our installer for ScreenConnect (Remote Control).

    Name: Win32/RemoteAdmin.ConnectWiseControl.A
    Uniform Resource Identifier (URI): file:///C:/Windows/Temp/ScreenConnect/20.11.1622.7619/ScreenConnect.ClientSetup.exe
    Detection engine version: 22982 (20210317)
    Current engine version: 22982 (20210317)

    This is legitimate software with no evidence to suggest it is malicious, so I'm not sure if it's a bad module update? I do have that exact module and software on my own machine but ESET doesn't detect it. This was detected by idle-state scanning on our client and so far has flagged up on about 20 machines in the past 1-2 hours.

  3. Hi,

    We've around 100 servers using versions 7.0 and 7.1, these are all now displaying the below warning:

    According to the End of Life page, there's nothing to suggest 7.0 or 7.1 on Server 2012+ will no longer function after 15th April? https://support.eset.com/en/kb3592-is-my-eset-product-supported-eset-end-of-life-policy-business-products

    7.0 + 7.1 in limited support until v8.

    Struggling to find real detail for this, but is this due to cross-certificate expiration? The closest thing I can find is this page, which says mitigated?

    https://support-eol.eset.com/en/trending_cross_certificate.html

    100 server upgrades in 5-6 weeks is going to be a real struggle.

  4. Hi,

    We currently have an overused RDS server which we're working with the client to split into 2 servers / increase CPU/MEM, but it's becoming difficult. The server resources are struggling and we've found that every time a user disconnects and reconnects, the automatic scheduled task within ESET File Security runs for the startup file check - https://help.eset.com/efsw/7.1/en-US/idh_startup_app.html

    This appears to spike the CPU and memory temporarily high, causing performance issues.

    We're going to disable these 2 tasks until the client increases resources with a new server, but are there any additional security risks caused by this?

    My thought is that anything running at startup or user logon should be caught by Real Time protection, so maybe it's duplication and something we can avoid for performance reasons.

    Thanks

  5. Hi,

    We're currently reviewing our server protection, we have around 150 on a mix of ESET File Security 7.0 and 7.1 (Windows only) which according to the EOL page is in support (Limited for 7.0, Full for 7.1). 

    With ESET Endpoint AV V8 being released for clients is there any rough estimated date/quarter/year on when the next major version for File Security will be released?

    I've noticed 7.3 was released for ESET File Security last month (EOL page not updated to show that?) but we're reviewing whether we should upgrade all our 7.0/7.1 servers to 7.3 or wait for V8. It'd be months of work to go to 7.3 only for V8 to be released and have to do it all again, so it'd be good to know!

    Thanks

  6. Hi,

    We're having some trouble removing an old XP agent that was retired but recently checked back into our ESMC console (V7). We have no physical access or remote access to the machine other than what we can do via the ESMC console.

    When we use the "Stop Managing" task, this fails (Task failed, try to uninstall software manually.) so the agent continues checking in. I've tried via the "Software Uninstall" button via installed applications but this fails with the same error.

    Is there anything we can do to stop this old retired agent from checking into our ESMC console?

    Thanks

  7. Sorry, that was just a random URL; we've been using various URLs. For example:

    https://gallery.technet.microsoft.com/Turn-off-screen-4d173e0a/file/147696/1/Turn off Screen.bat

    I think I've managed to identify the problem, however. Completely bizarre, but on my test PC the HTTPS URL was only blocked after I cleared cache and cookies in Edge (I did this after testing InPrivate browsing, which worked and blocked immediately).

    So I think ESET or Edge must have cached my test URLs (which I visited before adding the URL blocks) in some form, and the act of clearing cache in Edge resolved it immediately. We confirmed this on another PC which had successfully visited the URLs before I added the file extension: clearing cache then allowed the block to work immediately.

  8. Yes the link we're testing ends in bat:

    hxxp://www.cyberessentials.guru/guest/testfiles/hello2.bat

    This is where we see the problem between HTTP, which blocks fine, and HTTPS, which only blocks in IE, which is strange. On the same browser on the PC, if we change the above link to HTTPS it doesn't block on Chrome or Edge.

  9. Hi,

    We've applied a policy setting to block batch files from being downloaded using URL address management. Policy set as per:

    https://help.eset.com/eea/7/en-US/idh_config_epfw_scan_http_address_list.html

    I've added "*/*.bat" to list of blocked addresses.

    Now this seems to work fine on all browsers when the URL is HTTP but if the URL is HTTPS, it only seems to be blocked/working on IE. Chrome and Edge at least are not blocked and the user is able to browse the link ending .bat.

    SSL/TLS protocol filtering is enabled.

    Any idea why HTTPS URL blocking doesn't appear to work on Chrome and Edge?

    Thanks

  10. These are for ports on the client's firewall (which we don't manage) that are open, e.g. 443 & 80, to internal resources that have ESET AV installed. We've spent a year+ advising them they need to close the ports or at least lock them down via IP/country but they refuse to do so. We've advised we will no longer monitor for network vulnerabilities on these specific PCs and had sign-off from the client despite the risks they've agreed to.

    We have the default network vulnerability notification set up to email our support team; we would like to have it NOT email for these specific PCs, so if PC00001 detects this, we don't want to be emailed.

    The alerts are like below:

    Network Vulnerability Alert on COMPUTERNAME

    Computer Name: COMPUTERNAME
    Username: 
    Timestamp: 10/30/20, 12:27:45 PM UTC
    Severity: Warning
    Threat Name: Incoming.Attack.Generic
    Process Name: System
    Protocol: TCP
    Inbound Communication: yes
    Source Address: 193.27.229.26
    Source Port: 43,880
    Target Address: internal LAN IP REMOVED
    Target Port: 80

    I think I'll be able to filter based on Target Address but ideally would be able to filter based on computer name?

    So essentially we just want it to stop emailing us for these specific agents when it comes to network vulnerabilities - the client knows the risk.
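    One way to do this filtering outside the console, as an added example that is not part of the original post: parse the alert body in the format quoted above and silence only the host/port pairs the client has signed off on, so the same IP at another client, or another port on the same host, still notifies. The alert text, the computer name PC00001 and the target address 10.0.0.5 are constructed placeholders.

    ```python
    import re

    # Constructed sample alert in the format quoted in the post above; the
    # computer name and target address are made-up placeholders.
    SAMPLE_ALERT = """Network Vulnerability Alert on PC00001

    Computer Name: PC00001
    Username:
    Timestamp: 10/30/20, 12:27:45 PM UTC
    Severity: Warning
    Threat Name: Incoming.Attack.Generic
    Process Name: System
    Protocol: TCP
    Inbound Communication: yes
    Source Address: 193.27.229.26
    Source Port: 43,880
    Target Address: 10.0.0.5
    Target Port: 80
    """

    # Accepted-risk exclusions (assumed list): hostname -> target ports the
    # client signed off on. Only these host/port pairs are silenced; another
    # port on the same host, or the same IP at another client, still alerts.
    ACCEPTED_RISK = {"PC00001": {80, 443}}

    FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")


    def parse_alert(text):
        """Turn the 'Key: Value' body into a dict; port fields become ints."""
        fields = {}
        for line in text.splitlines():
            m = FIELD_RE.match(line.strip())
            if not m:
                continue  # title line and blank lines carry no field
            key, value = m.group(1).strip(), m.group(2).strip()
            if key.endswith("Port") and value:
                value = int(value.replace(",", ""))  # "43,880" -> 43880
            fields[key] = value
        return fields


    def should_notify(alert, accepted_risk=ACCEPTED_RISK):
        """False only when this exact host/port pair is on the accepted-risk list."""
        host = alert.get("Computer Name", "").upper()
        allowed = {h.upper(): p for h, p in accepted_risk.items()}.get(host, set())
        return alert.get("Target Port") not in allowed


    if __name__ == "__main__":
        parsed = parse_alert(SAMPLE_ALERT)
        print(parsed["Computer Name"], parsed["Target Port"], should_notify(parsed))
    ```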

  11. Hi

    We get hundreds of alerts for one of our clients who, despite us bombarding them with advice that they need to geo-lock or close the port to a specific PC, have refused to do so. We now have sign-off from the directors of said company to no longer monitor the specific PCs and are happy for us to exclude the PC from the "Network Vulnerability Alert" notification.

    Looking at this, I can't see any easy way other than using the target IP address of the machines in question to exclude; you can't seem to exclude a specific agent using hostname?

    Are you aware of any way to do this? We could use target IP address, I believe, but then if another agent with the same IP address at another client has a problem we won't be notified?

    Thanks

  12. Hi,

    Most of our clients are using ESET V7.2 and with the Windows 10 update warning we will now need to push out the 7.3 update ASAP to 1700+ clients.

    https://support-eol.eset.com/en/trending_win_10.html

    We've started receiving some calls and emails from our clients concerned about this message. Are you able to confirm the default behaviour of this warning? I.e. does it visibly open, forcing the user to read and close the message/ESET window, or will the user only see this if they manually open the ESET Endpoint AV client?

    On my own personal machine, I've not had it visibly prompt; I need to open the client to see any message. We don't have any policy to disable notifications, so we're trying to confirm if we'll get another 1000+ calls and tickets if users can see this!

    Thanks

  13. We are getting lots of these alerts for various NAT rules we have. RD Web (443 internally) and SFTP (22 internally) - we use obscure ports externally but these still get hit.

    It's not entirely clear what Botnet.C&C.Generic is? Is this a known list of IPs that ESET blacklists, or a known list of specific botnets bundled into the "Generic" tag/list? Can we have access to this list for blocking?

    It would be good to have more information here so we can make an informed decision on what to do at our perimeter firewall. We can't close these ports externally but can secure ports based on things such as location, which we've been doing.

    Can anyone at ESET support give us a bit of technical explanation here? Given it's the number 1 top worldwide threat on virus radar I think this would help us all a bit.

  14. Hi Jim,

    We actually just had that on our ESMC console, was able to access CDN via hxxp://repository.eset.com/v1/info.meta all ok so didn't point to a firewall issue.

    Rebooted our ESMC server, then this worked as normal and the packages were back.

    Same versions as you so may be similar and just require a reboot:

    ESET Security Management Center (Server), Version 7.0 (7.0.577.0)
    ESET Security Management Center (Web Console), Version 7.0 (7.0.429.0)

    Thanks
