Everything posted by Ufoto

  1. Hello, I just wanted to check if someone knows whether it is possible to stop the 'filtered website' and 'Firewall' alerts from displaying in ESET INSPECT? We tend to get a lot of these on a daily basis and we already monitor them from ESET Protect. Is there a way to disable them for ESET INSPECT? I searched for them in the 'rules' section hoping that I would be able to disable them from there, to no avail. Thank you in advance!
  2. Hello, Recently we started an initiative to implement a more restricted access to the console and I am struggling with the interface. I created the users in EBA and enabled them to have a custom permission set instead of the built-in Read/Write one. That's all good, however on the ESET Protect side it becomes a little confusing. When I map an account to the new permission set it becomes listed as a group along with the Read access and Write access which have other users inside: I know it says mapped accounts, but are these actually accounts or groups? I imagined a new group with the custom permission set will be created here and we will be able to add users to it. Additionally, this works great for new users, however if I have an account which already has the Read/Write access, the option to change its permission set is greyed out. Does this mean that I have to delete the account from ESET Protect and re-add it again with the new permission set? Thank you in advance!
  3. Hi Marcos, Do you mean to right-click and scan it? As this is the only option I see.
  4. Hello, Recently I have been coming across an issue which is really making our lives difficult. I am aware that I can raise a support ticket, however I just wanted to check whether this is not a known issue, or if it has some simple explanation. Occasionally the product is not able to collect any information about processes/executables that are involved in events. Apart from the security perspective, this creates additional overhead as we use file signer in our exclusions, therefore since this field is not populated the exclusions are not working. Please see some example screenshots below: This is just an example; we see this with different trusted files on different machines. I just wanted to check if someone else came across this issue? Thank you in advance!
  5. Thank you! Such information is very valuable. It would have been great if there were some similar how-to's in the official documentation. Best Regards,
  6. Hello, I have been working with ESET Inspect for a while now and I am often struggling with exclusions as I can't find a way to exclude targets, so I decided to ask you guys if I am missing something. For example, we are getting a lot of events related to the following rule: Being the source process, all exclusion options are related to Outlook.exe, however excluding it will defeat the purpose of the rule. Instead I want to exclude detections from the 'inetcache' folder, and this seems to be impossible to do. The only viable workaround I found was to exclude '.com' files from the rule as I believe very few attacks will involve this file type. I know that there is an advanced editor in the exclusions interface, however I am not very familiar with its capabilities. Are you aware whether excluding a target file is possible through it? Thank you in advance!
  7. Hi Marcos, Thank you for your prompt response. I am glad to hear that there will be a way to check the availability soon. If there is some sort of notification service we can subscribe to, that would be even better. I just tried to access the instance again and it is now working! Thank you again!
  8. Hello, Today when I tried to access our ESET INSPECT instance I was greeted with the following error: This raised the question in our organization whether there is a page which provides real-time data for availability of ESET's cloud services, and if there is a way to subscribe for warnings about planned maintenance or incidents which may affect availability? Thank you in advance!
  9. Hello, I was able to find some documentation on how to use the API of the on-premise Inspect server, however I can't find anything for ESET INSPECT Cloud. Is there an API at all that can be used for integration with a solution such as Power BI, or is there a way to feed incident information into SIEM so we can use it both for retention and reporting purposes? Thank you in advance!
  10. Hi Igi, Thank you for your response. Yes, indeed that's a valid point. I had my malware summary reports stripped several times because they contained malicious links accessed by endpoints. Maybe it will be worth adding an extra rule as a temporary measure which allows the notifications to send URI information only if it is a file path rather than URL. This should be easy to achieve using regex until you come up with a proper solution such as to separate network-related URI into a separate property which is not available for reporting.
  11. Thank you! I am looking forward to the improved reporting. I don't see the option to mark your reply as a solution, but please consider the thread as closed. Regards,
  12. Hi Marcos, Thank you for the prompt response. Since the INSPECT alarms (notifications) are configured from the ESET Protect console, I thought that at least they can be also reported on. Since creating the report is not possible from ESET Protect at the moment, is there a way to export incidents/investigations from the ESET INSPECT console, as we need some way to report these incidents to higher management on a weekly/monthly basis, and without a way to export incident information we will have to do a lot of manual work.
  13. Hello, Recently we started using ESET Inspect Cloud and I am still playing around with it. However there is something I can't seem to get working. Although automatic notifications through ESET Protect Cloud work flawlessly, I am unable to create a report for the ESET Inspect incidents. In the report builder I am using the 'ESET Inspect alerts' properties as Data, however when I check the preview, or save and run the report, there is no data, although I had about 10 alerts triggered by ESET Inspect rules just a few hours ago. Am I missing something? Is there a setting or some sort of synchronization I have to run between the cloud consoles in order to make reports work? Is anyone able to share a report that is working? Thank you in advance!
  14. Is there any information whether ESET is considering adding this variable to the Notifications email body at some point?
  15. Hi Peter, Thank you, it turned out to be related to blocked connection to eu01.agent.edr.eset.systems:8093 due to the unusual port. For anyone else experiencing similar issues, there is a log file which helped me to identify which connection is failing. The log file is named 'EIConnector-yyyy-mm-dd' and you can find it here: C:\ProgramData\ESET\Inspect Connector\Logs. Best Regards,
  16. Hello, We are evaluating ESET Inspect Cloud and our test devices seem to be failing to connect to the cloud console as per the error message 'Unable to connect to ESET Inspect Server'. Although the systems have the Inspect Connector installed and licensed, they appear unmanaged in the ESET Inspect console. I suspect that there could be something in our network blocking the connection, so I tried to find the network requirements for the Cloud Inspect server (e.g. ports, URLs, IP addresses), however there is no mention of the product here: https://support.eset.com/en/kb332-ports-and-addresses-required-to-use-your-eset-product-with-a-third-party-firewall#services and all other information I was able to find is related to the on-premise version of the solution. Are you able to point me in the right direction? If there is no article, is there a log file I can check where I can see which connection is failing so I can rectify it? Thank you in advance!
  17. Hello All, Me and my team have a very specific use-case we need to accomplish, and after the initial progress we've made we ran out of ideas and I wanted to check whether we are missing something obvious, or if this is not possible at all. We have a third party application that we are deploying via ESET Protect. We need to deploy this application to systems that become managed, but not to run it against systems which already have it (newly managed systems won't have it for sure). So we managed to create a dynamic group which filters devices that don't have the application installed and then we assigned the task using the 'Joined dynamic group' trigger and this works like a charm. The problem we have is with our Linux devices. Since you don't have software inventory for Linux systems this whole automation is not working. We know that we can't achieve it this way, but is there a way to configure some sort of task based on system's first connection? It is possible to create an automatic notification and report for newly connected systems, however the filter is not there for dynamic group templates, therefore we cannot translate it to automation. Can you think of a way this can be achieved? Apologies for the long post, and thank you.
  18. You should create a new topic as your question doesn't seem to be related to this thread. Regards,
  19. Hi Kstainton, Thank you for the comprehensive answer. I understand now. Have a great day ahead!
  20. Apologies for the unrelated question, but is it possible to make the Mobile Devices read-only using the Endpoint Encryption solution? This would be a workaround in our scenario. Thank you again!
  21. Thank you for the confirmation. I was aware of encrypting the whole storage area, however I was unsure about 'File' encryption.
  22. Hello, We have a pretty basic Endpoint Encryption setup where users are asked to encrypt their USB removable storage devices. Recently we noticed that when a phone is plugged in and its file system shown in Windows, nothing happens. Is this expected behavior? I know that mobile phones are detected as Windows Portable Devices rather than Removable Storage Devices, and encrypting the entire drive might not be recommended, but at least 'File' encryption where only a part of the drive is encrypted should be possible. My question is: are mobile devices eligible for encryption and our configuration is simply not properly set up, or is the product supposed to target only removable storage devices such as memory sticks and portable hard drives? Thank you in advance!
  23. I would not recommend that you expose your ESET Protect server to the Internet. You can use an HTTP proxy placed in your DMZ instead. It is much more secure and you will have the same result:
  24. The easiest way is to go to the same location - click on the system and go to Configuration -> Applied policies. If the policy Status is 'Actual' this means that the endpoint reported back that this policy was successfully applied. You will notice that if you change a policy this status will become 'Not Actual' until the system communicates with the server. Also, if you go to policy details for a policy in your catalog you will see that it has two sections - Assigned to, and Applied on. The former refers to where you assigned the policy, and the latter which systems actually report back that the policy is applied locally. I hope this helps.