
Ufoto

Members
  • Posts: 118
Posts posted by Ufoto

  1. Hello,

     

    We have a case where an unauthorized party got a copy of an installer exported from a customer's console. Now this party is able to add systems and use up licenses for the customer until systems are manually removed. We tried to delete all existing installers and re-create them, however this did not fix the issue and we still see systems being onboarded so I suppose the installers are still active, although not present in the console. Is there any other way to invalidate all active installers for an ESET PROTECT Cloud tenant? 

    Thank you in advance!

  2. Hello,

     

    Oh I see, so this is actually the parent process. Yes, indeed in this case the exclusion can even be created using the exclusion builder UI. 

    It still blows my mind how the 'Event' section is not an option in the exclusion builder UI. Sometimes it is the only way to create a viable exclusion, such as IPs or URLs listed there which are not found anywhere else in the event, thus making us work with the advanced exclusion builder syntax, which is not very well documented.

     

    Best Regards,

  3. Hello, 

    I've been struggling with this one for quite a while now and I would really appreciate it if someone could point me in the right direction. 

    We are getting a lot of false-positives by this rule and Connectwise:

    [attached screenshot]

    Since all other items are too generic, I want to configure an exclusion based on the process creation since this is the ConnectWise software which is supposed to be involved in such activities. I configured the following exception hoping that it will cover this exact behavior, however today I logged in and I still see a ton of the same alerts and the exclusion sits at 0 hit count:

    <definition>
        <operations>
            <operation type="CreateProcess">
                <operator type="and">
                    <condition component="FileItem" property="FullPath" condition="starts" value="%WINDIR%\ltsvc\ltsvc.exe" />
                </operator>
            </operation>
        </operations>
    </definition>

    Any idea why this exclusion is not working? Thank you in advance!

     

  4. Hello All,

    Looking at the ESET INSPECT rules that are enabled by default, I can see that these are basically all "Threat" severity rules, while all of the rest are disabled. Is this the generally recommended best practice by ESET? I feel that customers miss out a lot by having all other rules disabled, however I do realize that some of them could be very noisy. Is there a guide, or a blog post advising on some sort of best practice configuration that has some additional rules enabled, rules that are proven to produce false-positives rarely (e.g. Dharma ransomware toolkit item file name was written [C0637]). I could go and read all 1000 rules one by one and use my subjective opinion to enable some, but this doesn't seem to be optimal.

    Let me give you an example - I work with other solutions, and some of them have profiles like "Balanced", "Secure", etc. and depending on the profile different set of rules is enabled. I know that there is no such feature here, however I am looking for some sort of guidance at least, I can enable them manually afterwards. 

    Thank you in advance!

  5. Further to my previous reply, in the email containing the licensing information there is the following section:

    [attached screenshot]

     

    I tried calling the technical support number but it says ESET UK is currently closed (it is 12:54PM UK time). Judging by the phone code, this is a US line, but why is it promoted as UK support, and the times listed do not have time zone information. 

    Is anyone able to provide some insight? What if we have a P1 case that requires immediate assistance? How are we supposed to get a hold of anyone if support is not replying to emails, and not picking up the phone?

     

     

  6. Hello, 

    I have raised a ticket with ESET Business support on June 21. They usually respond quickly; however, other than the automatic reply, I haven't heard from them at all. I chased them up on the 22nd, and still no response. It has been six days now; is there any way to call support and ask them for the status of the ticket? I tried to search the web, however all ESET phone numbers seem to be for other departments, not support. Preferably I would like a UK number, however I am willing to take anything at this point. 

    I hope someone can help.

    Best Regards,

  7. 2 hours ago, karlisi said:

    You have 2 spaces between symbols, that's not allowed in CRON expressions

    Oh my god... I used the help of an online generator and replaced some of the symbols, but never thought about checking the white spaces. Thanks a lot! It is being accepted now. Hopefully it will follow the schedule I wanted too :)

  8. Hello,

    I have a report that needs to be run on the last day of every month. Since I cannot use a fixed date as months vary in length, I went out to try the CRON expressions. Although I don't have a lot of experience with such expressions, I read through this article: https://help.eset.com/protect_admin/81/en-US/cron_expression.html and it seems pretty straightforward. According to the article the expression I need to fulfill my requirement is *  *  *  L  *  ?  *.  However, when I try to schedule the report using this syntax I get the following error: 

    --------

    Error

    Failed to modify task: Input not valid: CRON syntax is invalid

    --------

    I tried a few other examples which, according to my understanding, should work; however, they don't. Are you able to point me in the right direction? What is wrong with my expression?

    Thank you in advance!
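As an added example (not from the thread and not ESET's code), the following Python script shows the whitespace problem that the reply quoted in post 7 points out. It lints a seven-field CRON expression of the shape posted above (the field layout, seconds first and year last, is assumed from the posted expression, Quartz-style), reporting runs of two or more spaces, tabs, a wrong field count and unexpected characters; the rule that exactly one of day-of-month and day-of-week must be '?' is borrowed from Quartz-style schedulers and is an assumption about ESET's parser. It also normalizes the expression and shows which date the 'L' field resolves to for a few months.

```python
import calendar
import re
from datetime import date

# Seven-field layout assumed from the posted expression (Quartz-style:
# seconds first, year last).
FIELD_NAMES = ("seconds", "minutes", "hours", "day_of_month",
               "month", "day_of_week", "year")

# Characters a field may contain. A conservative set chosen for this example,
# not ESET's grammar.
FIELD_CHARS = re.compile(r"^[0-9A-Za-z*,/\-?#]+$")


def lint_cron(expr: str) -> list[str]:
    """Return the problems found in expr; an empty list means it passed."""
    problems = []
    if expr != expr.strip():
        problems.append("leading or trailing whitespace")
    if "\t" in expr:
        problems.append("tab used as a separator")
    # The mistake from the thread: fields separated by two or more spaces.
    for m in re.finditer(r" {2,}", expr.strip()):
        problems.append(f"{len(m.group())} consecutive spaces at offset {m.start()}")

    fields = expr.split()
    if len(fields) != len(FIELD_NAMES):
        problems.append(f"expected {len(FIELD_NAMES)} fields, got {len(fields)}")
        return problems
    for name, field in zip(FIELD_NAMES, fields):
        if not FIELD_CHARS.match(field):
            problems.append(f"{name} contains unexpected characters: {field!r}")
    # Quartz-style rule (assumption about ESET's parser): exactly one of
    # day_of_month / day_of_week is '?', because both cannot be specified.
    dom, dow = fields[3], fields[5]
    if (dom == "?") == (dow == "?"):
        problems.append("exactly one of day_of_month and day_of_week should be '?'")
    return problems


def normalize_cron(expr: str) -> str:
    """Collapse every whitespace run into a single space."""
    return " ".join(expr.split())


def last_day_of_month(year: int, month: int) -> date:
    """The date the 'L' day-of-month field resolves to for a given month."""
    return date(year, month, calendar.monthrange(year, month)[1])


def main() -> None:
    posted = "*  *  *  L  *  ?  *"      # exactly as written in the post
    print("as posted :", lint_cron(posted))
    fixed = normalize_cron(posted)
    print("normalized:", repr(fixed), lint_cron(fixed))
    # Fixed time of day instead of '*' in the first three fields (assumes the
    # scheduler treats them like Quartz: fire once at 08:00:00).
    print("once a day:", lint_cron("0 0 8 L * ? *"))
    for year, month in ((2023, 2), (2024, 2), (2024, 12)):
        print(f"L in {year}-{month:02d} ->", last_day_of_month(year, month))


if __name__ == "__main__":
    main()
```

Running it prints six "consecutive spaces" findings for the expression as posted and nothing for the normalized form, which is the single-space string a generator should have produced.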

  9. Hello,

    We are looking into integrating a syslog server with ESET Protect Cloud. Since it is a cloud solution we would have to configure the Syslog server in order to push the logs to our firewall public IP address and then do some port forwarding. Therefore, our SIEM guys asked if there is another way of getting the logs, for example via API? Does anyone know if there are alternatives to the built-in Syslog interface? Thank you in advance!

     

  10. Does --silent --accepteula work for you guys? I tried several different installers with or without security product, I also tried --silent --accepteula --avr-disable, but none of them seem to work even if I try to run it locally from admin command prompt. There are no error messages, just nothing happens. Are these command line switches supposed to work with live installer exported from ESET Protect Cloud?

  11. Hello,

    We started to slowly roll out the latest Inspect Connector version 1.8 and we've noticed an odd behavior. The upgrade triggers the critical severity alert "File is written into ESET folder [C0330]" because of a specific log file:

    [attached screenshot]

    Although we discovered this during the pilot phase, I would like to give you a heads-up as mass upgrade could trigger as many alerts as there are systems in the environment.

  12. Hello All,

    During our Device Control tests we noticed that Device Control does not block memory cards inserted in a laptop's built-in SD card reader even if the rule is set to block 'All device types'. Looking at the description of the feature in the official documentation I am wondering whether this is not expected behavior: "Disk storage – Applies to any disk storage connected via USB, including external CD/DVD drives and conventional memory card readers". As per the description it refers to memory card readers connected via USB only. Looking at the Device Control log, nothing is logged when a card is inserted and its contents are freely accessible.

    Could anyone confirm whether this is the case? Is there a way to block memory cards if they are inserted into a built-in SD card reader? Thank you in advance!

  13. Hi James,

    Thank you for the prompt response, I followed your advice and closed them manually. Hopefully the exclusion will pick them up if new incidents occur. 

    I never realized what the purpose of this hit count is. Looking at it now, I have exclusions with over 36,000 hits!

    One last thing, have you used ancestor exclusions that actually closed the targeted alarms once configured? I just need someone to give me confidence that they work properly at the moment :)

  14. Hello, 

    I have been trying to configure ancestor process exclusions for a while now and they never seem to work, so I decided to raise a topic here and ask whether I am doing something wrong or the feature is not working properly. The example below is just one of many times when ancestor exclusions were not working for me. In this case I want to exclude ltsvc.exe:

    [attached screenshot]

    First I tried to use the user interface as per the screenshot below which did not work:

    [attached screenshot]

    I realized that I will have to create an advanced exclusion so I tried with the following syntax:

    <definition>
        <process>
            <operator type="AND">
                <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90" />
                <condition component="FileItem" property="FileName" condition="is" value="find.exe" />
                <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows" />
                <condition component="Enterprise" property="ComputerGroupHierarchy" condition="contains" value="Servers" />
            </operator>
        </process>
        <ancestor distance="2">
            <operator type="AND">
                <condition component="FileItem" property="FileName" condition="is" value="ltsvc.exe" />
                <condition component="Module" property="SignerName" condition="is" value="&quot;CONNECTWISE, LLC&quot;" />
            </operator>
        </ancestor>
    </definition>

     

    This did not work either, so I tried to remove the distance, to increase it by 1, to remove some of the properties, but nothing seems to be working as the alerts are not clearing when I save the exclusion (the checkbox to close related alerts is enabled). I am really lost at this point; do you see any mistakes in my exclusions? Am I missing something? 

    Thank you in advance!
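As an added example that is not from the thread and is not ESET's own validation, here is a small Python linter for the two exclusion definitions posted on this page (the CreateProcess operation exclusion in post 3 and the ancestor exclusion in post 14). It only checks what can be verified from the XML itself: well-formedness, the distance of an ancestor block, values whose &quot; entities parse into literal quote characters, and values that still contain an unexpanded environment variable such as %WINDIR%. Those are the things worth cross-checking against the alert detail before saving an exclusion; whether ESET Inspect expands such variables, or compares signer names with the quotes included, is not stated anywhere in the thread, so the script reports them as findings to review, not as errors.

```python
import re
import xml.etree.ElementTree as ET

# The two exclusion definitions exactly as posted in the thread, embedded so
# the script runs offline. The checks further down are heuristics written for
# this example; they are not ESET Inspect's own validation rules.
ANCESTOR_EXCLUSION = """<definition>
    <process>
        <operator type="AND">
            <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90" />
            <condition component="FileItem" property="FileName" condition="is" value="find.exe" />
            <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows" />
            <condition component="Enterprise" property="ComputerGroupHierarchy" condition="contains" value="Servers" />
        </operator>
    </process>
    <ancestor distance="2">
        <operator type="AND">
            <condition component="FileItem" property="FileName" condition="is" value="ltsvc.exe" />
            <condition component="Module" property="SignerName" condition="is" value="&quot;CONNECTWISE, LLC&quot;" />
        </operator>
    </ancestor>
</definition>"""

OPERATION_EXCLUSION = r"""<definition>
    <operations>
        <operation type="CreateProcess">
            <operator type="and">
                <condition component="FileItem" property="FullPath" condition="starts" value="%WINDIR%\ltsvc\ltsvc.exe" />
            </operator>
        </operation>
    </operations>
</definition>"""

ENV_VAR = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*%")


def lint_exclusion(xml_text: str) -> list[str]:
    """Parse one exclusion definition and return review findings (empty = nothing to flag)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings = []
    if root.tag != "definition":
        findings.append(f"root element is <{root.tag}>, expected <definition>")

    for anc in root.iter("ancestor"):
        findings.append(
            f"ancestor block with distance={anc.get('distance', '(unset)')}: "
            "confirm the chain length against the process tree shown in the alert")

    for op in root.iter("operator"):
        if op.get("type") is None:
            findings.append("<operator> without a type attribute")

    for cond in root.iter("condition"):
        value = cond.get("value", "")
        where = (f"{cond.get('component')}.{cond.get('property')} "
                 f"{cond.get('condition')} {value!r}")
        # &quot;...&quot; in the source becomes literal quote characters after
        # XML parsing, so an exact match would need them in the alert's value too.
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            findings.append(f"{where}: quote characters are part of the parsed value")
        # A %VAR% in a path only matches if the product expands it the same way;
        # the alert normally shows the expanded path, so compare against that.
        if ENV_VAR.search(value):
            findings.append(f"{where}: contains an unexpanded environment variable")
    return findings


def main() -> None:
    for label, text in (("ancestor", ANCESTOR_EXCLUSION), ("operation", OPERATION_EXCLUSION)):
        print(f"== {label} exclusion ==")
        for line in lint_exclusion(text) or ["nothing flagged"]:
            print(" -", line)


if __name__ == "__main__":
    main()
```

For the ancestor exclusion the script reports the distance=2 block and the quoted CONNECTWISE signer value; for the operation exclusion it reports the %WINDIR% prefix. Each finding is a value to compare, character for character, with what the alert's process details actually show.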

     
