Everything posted by ILoveESET
-
Hello, As the title of this thread suggests, what configurations may result in a bypass of the blocking of hashes set in EEI? I was able to successfully execute ransomware without triggering the antivirus, through configuration of detection name exclusions. I could see the alarms coming into the EEI. I then configured blocking of that ransomware hash, and tried to execute it on another machine. The execution was not blocked. And the best part is that the "Blocked Hashes" entries under "Admin" still show that it was blocked, based on the timestamp displayed in the "Blocked on" column. This is confusing because the administrator will think it is blocked, but on the user side it was not. Could there be functions in ESMC/EEI that supersede the blocking of hashes? How can I verify if the blocking of hashes was indeed sent to the endpoints?
-
Hello, I was trying to create a rule which detects registry changes made by PowerShell that was generated from Excel. Below is my rule set; it passed the syntax check. The activity was reproduced by creating the registry key HKCU:\Software\myEEIEx on endpoints with the EEI agent installed. Detecting the registry key change worked, but when adding the logic for detecting process changes, it doesn't seem to trigger...

    <definition>
      <process>
        <operator type="OR">
          <condition component="FileItem" condition="is" property="FileNameWithoutExtension" value="powershell" />
          <condition component="FileItem" condition="is" property="FileNameWithoutExtension" value="cscript" />
          <condition component="FileItem" condition="is" property="FileNameWithoutExtension" value="wscript" />
          <condition component="FileItem" condition="is" property="FileNameWithoutExtension" value="cmd" />
        </operator>
      </process>
      <operations>
        <operation type="RegSetValue">
          <operator type="OR">
            <condition component="RegistryItem" condition="starts" property="Key" value="HKCU:\Software\myEEIEx" />
          </operator>
        </operation>
      </operations>
    </definition>
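An added example (not from the post and not ESET's code) that models the intent of this rule offline in Python: it reproduces the posted FileNameWithoutExtension and "starts" conditions over constructed RegSetValue events, adds a hypothetical Excel-parent check that the posted rule does not yet express, and evaluates each condition separately, which is a quick way to see why a combined rule stays silent while the registry-only rule fires. The event fields are assumptions, not EEI's actual event schema.

```python
from dataclasses import dataclass
from ntpath import basename, splitext

# Script hosts listed in the posted rule (FileNameWithoutExtension values).
SCRIPT_HOSTS = {"powershell", "cscript", "wscript", "cmd"}
# Registry prefix the posted rule matches with condition="starts" (compared case-insensitively).
WATCHED_KEY_PREFIX = "hkcu:\\software\\myeeiex"
# Hypothetical extra condition for "PowerShell generated from Excel" (not in the posted rule).
OFFICE_PARENTS = {"excel"}


@dataclass
class RegSetValueEvent:
    """Constructed stand-in for an EEI RegSetValue event; the field names are assumptions."""
    process_path: str
    parent_path: str
    key: str


def name_without_extension(path: str) -> str:
    # Mirrors FileItem.FileNameWithoutExtension; Windows file names are case-insensitive.
    return splitext(basename(path))[0].lower()


def evaluate(event: RegSetValueEvent) -> dict:
    """Evaluate every condition on its own so a silent rule can be attributed to one of them."""
    return {
        "process": name_without_extension(event.process_path) in SCRIPT_HOSTS,
        "parent_is_excel": name_without_extension(event.parent_path) in OFFICE_PARENTS,
        "registry": event.key.lower().startswith(WATCHED_KEY_PREFIX),
    }


def triggers(event: RegSetValueEvent, require_office_parent: bool = False) -> bool:
    """True when the posted rule (optionally plus the Excel-parent check) would fire."""
    result = evaluate(event)
    if require_office_parent and not result["parent_is_excel"]:
        return False
    return result["process"] and result["registry"]


# Constructed samples: Excel -> PowerShell, a regedit write to the same key, interactive PowerShell.
SAMPLE_EVENTS = [
    RegSetValueEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.EXE",
                     r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                     r"HKCU:\Software\myEEIEx\Run"),
    RegSetValueEvent(r"C:\Windows\regedit.exe", r"C:\Windows\explorer.exe", r"HKCU:\Software\myEEIEx"),
    RegSetValueEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     r"C:\Windows\explorer.exe", r"HKCU:\Software\myEEIEx\Run"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(name_without_extension(ev.process_path), evaluate(ev), triggers(ev, True))
```

The second sample shows the symptom from the post: the registry condition alone matches, but the writer is not one of the listed script hosts, so the combined rule does not fire.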
-
Understanding EEI Dashboard
ILoveESET replied to ILoveESET's topic in ESET Inspect On-prem (Detection and Response)
Any update on this, please?
Relationship between EEI and LiveGrid
ILoveESET replied to ILoveESET's topic in ESET Inspect On-prem (Detection and Response)
Thank you Michal, you are awesome as always!
Hello my fellow comrades in ESET, May I know which component of LiveGrid is used in EEI to obtain the reputation and popularity ratings for executables found in the EEI console? For the reputation ratings, I deduce it should rightfully rely on the LiveGrid Reputation system, which sends hashes of the executables for matching against a database of hashes. But the popularity ratings? Do they rely on the LiveGrid Feedback system, where the actual executables are uploaded for further analysis? Does EEI ever send the actual executables to LiveGrid, or just the hashes?
-
Understanding EEI Dashboard
ILoveESET replied to ILoveESET's topic in ESET Inspect On-prem (Detection and Response)
Thank you Marcos, but in this case, why does the 2-computer bubble show the value 512 for unresolved alarms, and 1 for resolved alarms? Does this mean we just ignore the value behind the ","? Or is there a meaning to those values?
Understanding EEI Dashboard
ILoveESET replied to ILoveESET's topic in ESET Inspect On-prem (Detection and Response)
Thank you Marcos, your explanation is very clear! How about the other graph, about resolved and unresolved alarms?
Hello friends, I was fiddling around with EEI, and I came across 2 graphs which I can't really comprehend, and seek a better explanation here: Referring to the above image, what is network popularity? The documentation at https://help.eset.com/eei/1.3/en-US/dashboard_executables.html?zoom_highlightsub=network+popularity states "The number of computers which have the module in the enterprise". What exactly does that mean? How do I install network popularity modules at the endpoints? Referring to the above image, how can I actually understand the bubbles? The explanation at https://help.eset.com/eei/1.3/en-US/dashboard_executables.html?dashboard_computers.html doesn't help in understanding at all, or is it just me?
-
Eset Run Command in ESMC
ILoveESET replied to jojonguyen's topic in ESET PROTECT On-prem (Remote Management)
This method allows you to uninstall ESET software or third-party AV. I think he wanted to uninstall Google Chrome, hence the use of run parameters.
ESMC Agent not Installing
ILoveESET replied to mayowa's topic in ESET PROTECT On-prem (Remote Management)
Did your customer execute the installer using an administrator account? If the computer is part of a domain, you will likely need domain administrator privileges to run the installer.
Tasks scheduled but not running in ECA
ILoveESET replied to ILoveESET's topic in ESET PROTECT On-prem (Remote Management)
It's OK, I managed to work around it. I think my network connection is unstable, resulting in connection failure.
Eset Run Command in ESMC
ILoveESET replied to jojonguyen's topic in ESET PROTECT On-prem (Remote Management)
Hello jojonguyen, You should be able to place those commands in the "Settings" sub-tab within a Client Task. I have attached a reference picture below for you: Regards, ILE
Tasks scheduled but not running in ECA
ILoveESET replied to ILoveESET's topic in ESET PROTECT On-prem (Remote Management)
Hi MichalJ, Thanks for replying. I did "Send Wake Up Call" and it still doesn't trigger the task at all. It remains at Task Scheduled.
-
Ahoj folks! I created a Software Install task in my ECA to install EES on my endpoint. The endpoint is running Win 7 and has an internet connection. I pointed the task to download from (Chinese version, I know): https://download.eset.com/com/eset/apps/business/ees/windows/latest/ees_nt64_chs.msi But the task shown in ECA remains "Scheduled" after over 30 minutes (see below screenshot). Is there a manual override I can do to trigger the task immediately? I verified that my Win 7 endpoint has ERAAgent.exe running.