Sander de Cocq

Posts posted by Sander de Cocq

  1. 11 hours ago, MartinK said:

    Could you please access the database via SQL Server Management Studio and provide us with basic sizing statistics (number of entries, overall size of table) for the problematic DB tables (there are standard reports available for this)? In case the table taking most of the space is tblf_firewallagregated_event, could you also verify that the oldest entry, as stored in column "Occurred", is not older than ~1 month? Asking because, in case there is a huge amount of entries in the mentioned table, it might have resulted in daily cleanups failing and thus not cleaning older entries.

    Also, in case there are many such events reported in a minute, are they all from different devices? Or are clients sending multiple identical events in a minute? If so, we might have to check whether event aggregation works correctly.

    Hello,

    I got the server operational again, and the cleanup jobs that were indeed failing are now working again, and I have 58% free space in the database. The tblf_firewallagregated_event table was definitely the culprit. I'm going to keep an eye on the specifics you mention to see if we still have an issue.
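    A T-SQL script that pulls the sizing statistics MartinK asked for, added here as an example and not taken from the thread; it assumes the database is named era_db (as mentioned later on this page) and that the table lives in the dbo schema.

```sql
-- Added example (not from the thread): sizing and retention check for the
-- ESMC firewall aggregated-event table, run in SQL Server Management Studio.
USE era_db;  -- database name as used elsewhere in the thread (assumption)
GO

-- Row count and reserved/data/index space for the suspect table (schema dbo assumed)
EXEC sp_spaceused N'dbo.tblf_firewallagregated_event';

-- Oldest and newest "Occurred" values; an oldest entry beyond ~1 month
-- suggests the daily cleanup job has been failing to purge old rows.
SELECT
    COUNT_BIG(*)  AS row_count,
    MIN(Occurred) AS oldest_event,
    MAX(Occurred) AS newest_event,
    CASE WHEN MIN(Occurred) < DATEADD(month, -1, GETDATE())
         THEN 'cleanup likely failing'
         ELSE 'retention ok' END AS cleanup_status
FROM dbo.tblf_firewallagregated_event;

-- Which tables are eating the 10 GB SQL Express limit: reserved space per table,
-- counting rows only from the heap/clustered index to avoid double-counting.
SELECT TOP (10)
    s.name + '.' + t.name AS table_name,
    SUM(CASE WHEN ps.index_id IN (0, 1) THEN ps.row_count ELSE 0 END) AS row_count,
    SUM(ps.reserved_page_count) * 8 / 1024 AS reserved_mb  -- 8 KB pages
FROM sys.dm_db_partition_stats AS ps
JOIN sys.tables  AS t ON t.object_id = ps.object_id
JOIN sys.schemas AS s ON s.schema_id = t.schema_id
GROUP BY s.name, t.name
ORDER BY reserved_mb DESC;
```

    The last query is the same picture the built-in "Disk Usage by Top Tables" report gives, but it can be saved and re-run on a schedule to catch the table growing again before the Express size cap is hit.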

     

  2. 17 hours ago, itman said:

    You should be able to add or modify an IDS exception to continue to block but not log or alert?

     

    This is indeed the answer I was looking for, it works great, thank you!

    I agree with, and appreciate the other responses as well, those indicate more of an architectural issue however and will be addressed separately. My question was purely from an operational POV for the short term to keep our ESMC server operational.

     

  3. Thank you for your response. Yes, it is mainly botnet RDP attacks. This causes an endless stream of detections, tens per minute, since we are talking about 250+ internet-facing servers with RDP enabled. This is by design and all have loooong complex passwords. The blocked detection logging really has no benefit for us; it actually turns into a liability when the growth of the era_db is limited and can take down the ESMC services.

    [Attached image: eset_rdp_blocked.jpg]

  4. Hello,

     

    ESET Security Management Center (Server), Version 7.1 (7.1.717.0)
    ESET Security Management Center (Web Console), Version 7.1 (7.1.393.0)

    Yesterday our ESMC crashed because the SQL database had grown beyond 10GB (SQL Express limit). 

    We are protecting a lot of Windows web servers with File Security, which are obviously constantly under attack from many botnets; therefore millions of (firewall) detections are logged that are actually blocked and that we are not particularly interested in.

    Is it possible to lower the logging level so only firewall detections that are not blocked are logged? Or any other suggestions to keep the database size under control?

    I was also looking at the log retention settings, but these are already all set to 1 month or less.


  5. Hello,

    We are provisioning a new web server, but it seems we inherited the blacklisting from the previous owner of the IP address: 66.85.74.178

    The new server is running ESET File Security and our client PCs cannot reach it because they use ESET Endpoint Security.

    Can you please remove 66.85.74.178 from the blacklist?

    Regards,

    Sander

  6. 20 hours ago, MartinK said:

    For a more precise answer we will need AGENT trace logs. Without those we can just guess: a similar error might be caused by the fact that Administrator intervention in the console is required. Could you verify whether there are no open "Questions" for devices in ESMC? It could happen in case duplicate HW or cloning is detected.

    Thanks for the great response. Yes, I found the computer under Questions and resolved the apparently changed hardware (it is a cloud VPS, so I guess the provider changed something in the VM configuration. We were not aware of any such change.)

  7. Hello,

    I had a W10 client that I could not upgrade through the SMC from 6.3 to 7 Endpoint Security. Manual installation of the package failed because the processes could not be stopped. I disabled the services, the installation proceeded, and the client reported the correct version in SMC. However, all modules are disabled and cannot be enabled from the GUI on the client (not blocked by policy; enabling/disabling is possible on all other clients). Can you help me sort this out?

    ESET Management Agent 7.0.577.0 Up-to-date version
    ESET Endpoint Security 7.1.2053.0 Up-to-date version

    Regards,

    Sander

  8. ESET Security Management Center (Server), Version 7.0 (7.0.577.0)
     ESET Security Management Center (Web Console), Version 7.0 (7.0.429.0)
     Microsoft Windows Server 2012 R2 Standard (64-bit), Version 6.3.9600

    Hello, our company policy requires that an email notification is sent when an end user disables or pauses Real-time file system protection, HIPS, Memory scanner, Exploit blocker or Ransomware shield. I've looked at the included alerts and could not find a match, and disabling the scanner is not shown as a Threat. Is it possible to create such an alert? (ESET Endpoint Security 7.1.2045.5 and newer)
