Jump to content

Sander de Cocq

Members
  • Content Count

    16
  • Joined

  • Last visited

Posts posted by Sander de Cocq

  1. 11 hours ago, MartinK said:

    Could you please access database via SQL Server Management Studio and provide us basic sizing statistics (number of entries, overall size of table) for problematic DB tables (there are standard reports available for this). In case table taking most of the space is tblf_firewallagregated_event, could you also verify that oldest entry as stored in column "Occurred" is not older than ~1 month? Asking, because in case there is huge amount of entries in mentioned table, it might have resulted in daily cleanups to fail and thus not cleaning older entries.

    Also in case there are many such event reported in a minute, are they all from different devices? Or clients are sending multiple identical events in a minute? If so, we might have to check whether event aggregation works correctly.

    Hello,

    I got the server operational again, and cleanup jobs that were indeed failing are now working again and I have 58% free space in the database. The  tblf_firewallagregated_event table was definitely the culprit. I'm going to keep an eye on the specifics you mention to see if we still have an issue.

     

  2. 17 hours ago, itman said:

    You should be able to add or modify an IDS exception to continue to block but not log or alert?

     

    This is indeed the answer I was looking for, it works great, thank you!

    I agree with, and appreciate the other responses as well, those indicate more of an architectural issue however and will be addressed separately. My question was purely from an operational POV for the short term to keep our ESMC server operational.

     

  3. Thank you for your response. Yes it is mainly botnet RDP attacks. This causes an endless stream of detections, 10's per minute, since we are talking about 250+ internet facing servers with RDP enabled. This is by design and all have loooong complex passwords. The blocked detection logging really has no benefit for us, it actually turns into a liability when the growth of the era_db is limited and can take down the ESMC services. 

    eset_rdp_blocked.jpg

  4. Hello,

     

    ESET Security Management Center (Server), Version 7.1 (7.1.717.0)
    ESET Security Management Center (Web Console), Version 7.1 (7.1.393.0)

    Yesterday our ESMC crashed because the SQL database had grown beyond 10GB (SQL Express limit). 

    We are protecting a lot of Windows Web Servers with File Security, which are obviously constantly under attack from many bot nets, therefore millions of (firewall) detections are logged that are actually blocked and that we are not particularly interested in. 

    Is it possible to lower the logging level so only firewall detections that are not blocked are logged? Or any other suggestions to keep the database size under control?

    I was also looking at the log retention settings, but these are already all set to 1 month or less.

     

     

     

  5. Hello,

    We are provisioning a new web server, but it seems we inherited the blacklisting from the previous owner of the IP address:  66.85.74.178

    The new server is running ESET File Security and our client PC's cannot reach it because they use ESET Endpoint Security.

    Can you please remove  66.85.74.178 from the blacklist?

    Regards,

    Sander

  6. 20 hours ago, MartinK said:

    For more precise answer we will need AGENT trace logs. Without those we can just guess: similar error might be caused by fact that Administrator intervention in console is required: could you verify whether there are no open "Questions" for devices in ESMC? It could happen in case duplicate HW or cloning is detected.

    Thanks for the great response. Yes, I found the computer under Questions and resolved the apparently changed hardware (it is a cloud VPS, so I guess the provider changed something in the VM configuration. We were not aware of any such change.)

  7. Hello,

    I had a W10 client that I could not upgrade through the SMC from 6.3 to 7 Endpoint Security. Manual installation of the package failed because the processes could not be stopped. I disabled the services, and the installation proceeded, and the client reported correct version in SMC. However, all modules are disabled, and cannot be enabled from the gui on the client (not blocked by policy, it enabling/disabling is possible on all other clients). Can you help me sort this out?

    ESET Management Agent 7.0.577.0 Up-to-date version
    ESET Endpoint Security 7.1.2053.0 Up-to-date version

    Regards,

    Sander

  8.  

    ESET Security Management Center (Server), Version 7.0 (7.0.577.0)
    ESET Security Management Center (Web Console), Version 7.0 (7.0.429.0)
    Microsoft Windows Server 2012 R2 Standard (64-bit), Version 6.3.9600 

    Hello, our company policy requires that an email notification is sent when an end-user disables or pauses real time file protection, HIPS, Memory scanner, exploit blocker or ransomware shield. I've looked at the included alerts, could not find a match, and disabling the scanner is not shown as a Threat. Is it possible to create such an alert?  (ESET Endpoint Security 7.1.2045.5 and newer)

×
×
  • Create New...