Jump to content


  • Posts

  • Joined

  • Last visited

About Ufoto

  • Rank

Profile Information

  • Location

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

  1. Hello, We have a case where an unauthorized party got a copy of an installer exported from a customer's console. Now this party is able to add systems and use up licenses for the customer until systems are manually removed. We tried to delete all existing installers and re-create them, however this did not fix the issue and we still see systems being onboarded so I suppose the installers are still active, although not present in the console. Is there any other way to invalidate all active installers for an ESET PROTECT Cloud tenant? Thank you in advance!
  2. Hello, Apologies for jumping in, but we are experiencing the same problem. Should we all raise support tickets?
  3. Hello, Oh I see, so this is actually the parent process. Yes, indeed in this case the exclusion can even be create using the exclusion builder UI. It still blows mu mind how the 'Event' section is not an option in the exclusion builder UI. Sometimes it is the only way to create viable exclusion such as IP or URLs listed there which are not found anywhere else in the event. Thus making us work with the advanced exclusion builder syntax which is not very well documented. Best Regards,
  4. Hello, I've been struggling with this one for quite a while now and I would really appreciate if someone can point me in the right direction. We are getting a lot of false-positives by this rule and Connectwise: Since all other items are too generic, I want to configure an exclusion based on the process creation since this is the ConnectWise software which is supposed to be involved in such activities. I configured the following exception hoping that it will cover this exact behavior, however today I logged in and I still see a ton of the same alerts and the exclusion sits at 0 hit count: <definition> <operations> <operation type="CreateProcess"> <operator type="and"> <condition component="FileItem" property="FullPath" condition="starts" value="%WINDIR%\ltsvc\ltsvc.exe" /> </operator> </operation> </operations> </definition> Any idea why this exclusion is not working? Thank you in advance!
  5. Hello, Thank you for the tips, they are really useful, I was barely paying attention to tags.
  6. Hello All, Looking at the ESET INSPECT rules that are enabled by default, I can see that these are basically all "Threat" severity rules, while all of the rest are disabled. Is this the generally recommended best practice by ESET? I feel that customers miss out a lot by having all other rules disabled, however I do realize that some of them could be very noisy. Is there a guide, or a blog post advising on some sort of best practice configuration that has some additional rules enabled, rules that are proven to produce false-positives rarely (e.g. Dharma ransomware toolkit item file name was written [C0637]). I could go and read all 1000 rules one by one and use my subjective opinion to enable some, but this doesn't seem to be optimal. Let me give you an example - I work with other solutions, and some of them have profiles like "Balanced", "Secure", etc. and depending on the profile different set of rules is enabled. I know that there is no such feature here, however I am looking for some sort of guidance at least, I can enable them manually afterwards. Thank you in advance!
  7. Thank you. I managed to get a hold of the support people.
  8. Further to my previous reply, in the email containing the licensing information there is the following section: I tried calling the technical support number but is says ESET UK are currently closed (it is 12:54PM UK time). Judging by the phone code, this is a US line, but why is it promoted as UK support, and the times listed do not have time zone information. Is anyone able to provide some insight? What if we have a P1 case that requires immediate assistance? How are we supposed to get a hold of anyone if support is not replying to emails, and not picking up the phone?
  9. Hello, It was purchased in the UK. I probably have to mention that it is a business license with about 600 seats.
  10. Hello, I have raised a ticket with ESET Business support on June 21 They usually respond quickly, however other than the automatic reply, I haven't heard from them at all. I chased them up on 22nd, and still no response. It has been six days now, is there any way to call support and ask them for the status of the ticket? I tried to search the web, however all ESET phone numbers seem to be for other departments - not support. Preferably I would like an UK number, however I am willing to take anything at this point. I hope someone can help. Best Regards,
  11. Hi Mohamed, If SCCM/GPO deployment is not an option, you can use the ESET Remote Deployment tool to push the agent at mass: https://help.eset.com/protect_admin/81/en-US/deployment_tool.html Alternatively, you can push an agent directly from your ESET Protect server (applicable only on-prem): https://help.eset.com/protect_admin/81/en-US/server_tasks_agent_deployment1.html
  12. Oh my god... I used the help of an online generator and replaced some of the symbols, but never thought about checking the white spaces. Thanks a lot! It is being accepted now. Hopefully it will follow the schedule I wanted too
  13. Hello, I have a report that needs to be run on the last day of every month. Since I cannot use fixed date as months vary in length I went out to try the CRON expressions. Although I don't have a lot of experience with such expressions I read through this article: https://help.eset.com/protect_admin/81/en-US/cron_expression.html and it seems pretty straight forward. According to the article the expression I need to fulfill my requirement is * * * L * ? *. However when I try to schedule the report using this syntax I get the following error: -------- Error Failed to modify task: Input not valid: CRON syntax is invalid -------- I tried few other examples which according to my understanding should work, however they don't. Are you able to point me in the right direction? What is wrong with my expression? Thank you in advance!
  14. Ufoto

    Syslog API?

    Hello, We are looking into integrating a syslog server with ESET Protect Cloud. Since it is a cloud solution we would have to configure the Syslog server in order to push the logs to our firewall public IP address and then do some port forwarding. Therefore, our SIEM guys asked if there is another way of getting the logs, for example via API? Does anyone know if there are alternatives to the built-in Syslog interface? Thank you in advance!
  15. Hi, I am also trying to figure it out. I don't have a way of checking whether the devices I manage have BitLocker enabled, however the following report returns different status for machine local disks so I suppose that it is actually the BitLocker state: Could you test it and confirm?
  • Create New...