[How does EEI identify the source of origin for executables?]

Hello,

Can I know the logic behind EEI capability in identifying the source of origin for executables? I tried downloading this executable antivirus.exe from websites, but i do not see it reflected here.

[What may override the blocking of hashes by EEI?]

19 hours ago, MichalJ said:

Hello, as stated by Marcos, exclusions super-cede any blocking rule, regardless whether it is by hash, or the detection is triggered by Live Grid, our updated detection database. The same would apply for the case, where it would be present in the excluded folder. 

thank you michal for the precise clarification. I understand the logic better now .

[What may override the blocking of hashes by EEI?]

no news?  

[What may override the blocking of hashes by EEI?]

16 hours ago, Marcos said:

It's the purpose of exclusions to supercede any detection.

i don't think so, are you sure? If i crafted a detection say ("Filecoder.Wannacryptod.C"), and  configured hash blocking of a known executable matching to this detection, it will not be blocked?

It is one thing to be excluded, but another to be blocked from execution, ain't it?

[What may override the blocking of hashes by EEI?]

only Detections exclusions were created. I was able to block other executables, like teamviewer quick support, remote desktop, just interestingly not this ransomware. Does detection exclusions supercede over hash blocking?

[What may override the blocking of hashes by EEI?]

attaching screenshots for clarity (see orange rectangles), as u can see the executable was blocked but it still occur. Why? The hash matches exactly.  

[What may override the blocking of hashes by EEI?]

Hello,

As the title of this thread sounds, what configurations may result in bypass of the blocking of hashes set in EEI?

I was able to successfully execute a ransomware without trigger from the antivirus through configuration of detection name exclusions. I could see the alarms coming into the EEI.

I then configured blocking of that ransomware hash , and tried to execute in another machine. The execution was not blocked.

And best part is that the "Blocked Hashes" entries under "Admin" still shows that it was blocked based on the timestamp displayed at "Blocked on" column.

This is confusing because administrator will think it is blocked, but at the user side it was not. Could there be functions in ESMC/EEI that supercedes blocking of hashes? How can i verify if the blocking of hashes was indeed sent to the endpoints?

[Combining process and registry detection]

2 hours ago, MilanBA said:

Hello,

try to remove the colon (:) character from HKCU path.

Regards.

ah ha! that worked, thank you very much

[Combining process and registry detection]

Hello, 

i was trying to create a rule which detects registry changes made by powershell that was generated from excel. Below is my rule sets. it passed the syntax check. The activity was re-produced by creating the registry HKCU:\Software\myEEIEx on endpoints with EEI agent installed.

Detecting of registry key change worked, but when adding the logic of detecting process changes, it doesnt seem to trigger...

    <definition>
        <Process>
            <operator type="OR">
                <Condition component="FileItem" condition="is" property="FileNameWithoutExtension" value="powershell" />
                <Condition component="FileItem" condition="is" property="FileNameWithoutExtension" value="cscript" />
                <Condition component="FileItem" condition="is" property="FileNameWithoutExtension" value="wscript" />
                <Condition component="FileItem" condition="is" property="FileNameWithoutExtension" value="cmd" />
            </operator>
        </Process>
        <operations>
            <operation type="RegSetValue">
                <operator type="OR">
                    <condition component="RegistryItem" condition="starts" property="Key" value="HKCU:\Software\myEEIEx" />
                </operator>
            </operation>
        </operations>
    </definition>

[Understanding EEI Dashboard]

On 12/18/2019 at 9:29 AM, ILoveESET said:

Thank you Marcos, but in this case, why does the 2 computer bubble show the value 512 for unresolved alarms, and 1 for resolved alarms? 

Does this mean, we just ignore the value behind the ","? Or there is a meaning to those values ?

Any update on this please?

[Relationship between EEI and LiveGrid]

On 12/20/2019 at 3:28 PM, MichalJ said:

Hello, EEI sends just the hashes, for verification. However ESET applications (in case Live Grid Feedback System is enabled) do send files for in-depth analysis / replication. However your assumption is incorrect - popularity is determined by how often the file is seen in LiveGrid, reputation is the result of the replication / file behavior. 

thank you Michal, you are awesome as always!

[Relationship between EEI and LiveGrid]

Hello my fellow comrades in ESET,

May i know which component of LiveGrid is used in EEI to obtain reputation and popularity ratings for executables found in EEI console?

For the reputation ratings, i deduce it should rightfully rely on LiveGrid Reputation system, which sends hashes of the executables for matching to database of hashes.

But popularity ratings? Does it rely on LiveGrid Feedback system, where the actual executables are uploaded for further analysis ?

Does EEI ever send the actual executables to LiveGrid , or just the hashes only?

[Understanding EEI Dashboard]

On 12/16/2019 at 3:42 PM, Marcos said:

I hope it will be clearer from a description of your screen shot that shows:
- 2 computers with 256 unresolved and 0 resolved alarms
- 1 computer with 64 resolved and 0 with unresolved alarm
- probably 2 computers (judging just from the size of the bubble) with 512 unresolved and 2 resolved alarms

 

Thank you Marcos, but in this case, why does the 2 computer bubble show the value 512 for unresolved alarms, and 1 for resolved alarms? 

Does this mean, we just ignore the value behind the ","? Or there is a meaning to those values ?

[Understanding EEI Dashboard]

On 12/13/2019 at 6:07 PM, Marcos said:

The higher a circle is on the Y axis, the more machines in your LAN have particular files. The further a circle is on the X axis, the more ESET users have the file (ie. the more popular it is worldwide).  The bigger a circle is, the more such files you have.

To illustrate it on a concrete example:
The red-marked circle means that you have quite many files that exist only on 1 computer in your LAN but are quite popular among ESET users since the LG popularity is 7 (1-10 mil. of users):

Thank you Marcos, your explaination is very clear! How about the other graph about resolved and unresolved alarms?

[Understanding EEI Dashboard]

Hello friends,

I was fiddling around with EEI, and i came across 2 graphs which i cant really comprehend, and seek a better explaination here:

Reference to the above image, what network popularity? Documentation from https://help.eset.com/eei/1.3/en-US/dashboard_executables.html?zoom_highlightsub=network+popularity states as "Hhe number of computers which have the module in the enterprise". What exactly does that mean ? How do i install network popularity modules at the endpoints?

 

Reference to the above image, how can i actually understand the bubbles?https://help.eset.com/eei/1.3/en-US/dashboard_executables.html?dashboard_computers.html explaination doesn't help in understanding at all , or is it just me?

 

[Eset Run Command in ESMC]

On 5/21/2019 at 6:17 AM, noorigin said:

You can also create a new "Software Uninstall" task in client tasks->all tasks->operating system tasks->software uninstall. Works well, I use it frequently

this method allows you to uninstall ESET softwares or third party AV. I think he wanted to uninstall Google Chrome, hence the use of run parameters.

[ESMC Agent not Installing]

did your customer execute the installer using an administrator account ? If the computer is part of a domain, you will likely need domain administrator privilege to run the installer.

[Can I install manually ESET Management Agent]

Hi Mauricio,

You can generate a Agent Live installer from your ECA Web Console, and have them installed at your endpoints.

When executed at the endpoints, it will download the agent (configured to your ECA Console) from ESET.

Regards,

ILE

[Tasks scheduled but not running in ECA]

Its ok, i manage to workaround it. I think my network connection is unstable, resulting on connection failure.

[Eset Run Command in ESMC]

Hello jojonguyen,

You should be able to place those commands in the "Settings" sub-tab within a Client Task. I have attached a reference picture below for you:

 

Regards,

ILE 

[Tasks scheduled but not running in ECA]

Hi MichalJ,

Thanks for replying. I did "Send Wake Up Call" and it still doesnt trigger the task at all.

It remains at Task Scheduled.

[Tasks scheduled but not running in ECA]

Ahoj folks!

 

I created a Software Install tasks on my ECA to install EES on my endpoint. The endpoint is running Win 7, and has internet connection.

I pointed the task to download from (Chinese version i know) :

https://download.eset.com/com/eset/apps/business/ees/windows/latest/ees_nt64_chs.msi

But the task shown in ECA remains "Scheduled" after over 30 minutes ( see below screenshot). Is there a manual override I can do to trigger the task immediately?

I verified that my Win 7 endpoint has ERAAgent.exe running.