Posts posted by Ufoto

  1. Hello,

    I just wanted to check if someone knows whether it is possible to stop the 'filtered website' and 'Firewall' alerts from displaying in ESET INSPECT? We tend to get a lot of these on a daily basis and we already monitor them from ESET Protect. Is there a way to disable them for ESET INSPECT? I searched for them in the 'rules' section, hoping that I would be able to disable them from there, to no avail.

    [screenshot]

    Thank you in advance!

  2. Hello,

    Recently we started an initiative to implement more restricted access to the console and I am struggling with the interface. I created the users in EBA and enabled them to have a custom permission set instead of the built-in Read/Write one. That's all good; however, on the ESET Protect side it becomes a little confusing. When I map an account to the new permission set it becomes listed as a group along with the Read access and Write access, which have other users inside:

    [screenshot]

    I know it says mapped accounts, but are these actually accounts or groups? I imagined a new group with the custom permission set would be created here and we would be able to add users to it.

    Additionally, this works great for new users, however if I have an account which already has the Read/Write access, the option to change its permission set is greyed out. Does this mean that I have to delete the account from ESET Protect and re-add it again with the new permission set?

    Thank you in advance!

  3. Hello,

    Recently I have been coming across an issue which is really making our lives difficult. I am aware that I can raise a support ticket; however, I just wanted to check whether this is a known issue, or if it has some simple explanation.

    Occasionally the product is not able to collect any information about processes/executables that are involved in events. Apart from the security perspective, this creates additional overhead as we use file signer in our exclusions; therefore, since this field is not populated, the exclusions are not working. Please see some example screenshots below:

    [screenshots]

    This is just an example; we see this with different trusted files on different machines. I just wanted to check if someone else has come across this issue?

    Thank you in advance!

  4. Hello,

    I have been working with ESET Inspect for a while now and I am often struggling with exclusions, as I can't find a way to exclude targets, so I decided to ask you guys if I am missing something. For example, we are getting a lot of events related to the following rule:

    [screenshot]

    Being the source process, all exclusion options are related to Outlook.exe; however, excluding it will defeat the purpose of the rule. Instead I want to exclude detections from the 'inetcache' folder, and this seems to be impossible to do. The only viable workaround I found was to exclude '.com' files from the rule, as I believe very few attacks will involve this file type.

    I know that there is an advanced editor in the exclusions interface; however, I am not very familiar with its capabilities. Are you aware whether excluding a target file is possible through it?

    Thank you in advance!

  5. Hi Marcos,

    Thank you for your prompt response. I am glad to hear that there will be a way to check the availability soon. If there is some sort of notification service we can subscribe to, that would be even better.

    I just tried to access the instance again and it is now working! Thank you again!

  6. Hello,

    Today when I tried to access our ESET INSPECT instance I was greeted with the following error:

    [screenshot]

    This raised the question in our organization whether there is a page which provides real-time data for availability of ESET's cloud services, and if there is a way to subscribe for warnings about planned maintenance or incidents which may affect availability?

    Thank you in advance!

  7. Hello,

    I was able to find some documentation on how to use the API of the on-premise Inspect server; however, I can't find anything for ESET INSPECT Cloud. Is there an API at all that can be used for integration with solutions such as Power BI, or is there a way to feed incident information into a SIEM so we can use it both for retention and reporting purposes?

    Thank you in advance!

  8. 28 minutes ago, igi008 said:

    Hello,
    many thanks for your post. It is a bit tricky because the URI can also be a phishing link (in the case of web protection). ESET may be put on the list of phishers when we send such notifications. However, we will try to open this topic internally again, and we will try to find an appropriate solution.

    Hi Igi,

    Thank you for your response. Yes, indeed that's a valid point. I had my malware summary reports stripped several times because they contained malicious links accessed by endpoints. Maybe it would be worth adding an extra rule as a temporary measure which allows the notifications to send URI information only if it is a file path rather than a URL. This should be easy to achieve using regex until you come up with a proper solution, such as separating network-related URIs into a separate property which is not available for reporting.
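A small illustration of the interim rule suggested above, as added example code that is not from ESET or the original post: it classifies a detection URI as a local file path or a web link and only passes file paths through into notification text. The URI forms it recognises and the redaction placeholder are assumptions.

```python
import re

# Anything with a scheme followed by '://' (http, https, ftp, ...) is treated as a web link.
# Assumption: this is the form that web-protection URIs take in the notifications.
_URL_SCHEME = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)

# Local paths: Windows drive letter (C:\ or C:/), UNC share (\\server\share) or POSIX root (/).
_FILE_PATH = re.compile(r"^(?:[A-Za-z]:[\\/]|\\\\[^\\/]+[\\/]|/)")


def uri_kind(uri: str) -> str:
    """Classify a detection URI as 'file', 'url' or 'unknown'."""
    s = uri.strip()
    if s.lower().startswith("file://"):
        return "file"          # file:// still points at a local path
    if _URL_SCHEME.match(s):
        return "url"
    if _FILE_PATH.match(s):
        return "file"
    return "unknown"           # bare hostnames, mailto:, odd strings -> not trusted


def notification_uri(uri: str, placeholder: str = "<network URI withheld>") -> str:
    """Return the URI only when it is a local file path; otherwise a placeholder.

    Deny by default: anything that is not clearly a file path is withheld, so a
    phishing link can never end up verbatim in an e-mail notification.
    """
    return uri if uri_kind(uri) == "file" else placeholder


if __name__ == "__main__":
    # Constructed sample URIs, not taken from any real detection.
    for u in (
        r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\X1\invoice.com",
        r"\\fileserver\tools\setup.exe",
        "http://phish.example/login.php",
        "phish.example/login",
    ):
        print(f"{uri_kind(u):8} -> {notification_uri(u)}")
```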

  9. Hi Marcos,

    Thank you for the prompt response. Since the INSPECT alarms (notifications) are configured from the ESET Protect console, I thought that at least they could also be reported on.

    Since creating the report is not possible from ESET Protect at the moment, is there a way to export incidents/investigations from the ESET INSPECT console? We need some way to report these incidents to higher management on a weekly/monthly basis, and without a way to export incident information we will have to do a lot of manual work.

  10. Hello,

    Recently we started using ESET Inspect Cloud and I am still playing around with it. However, there is something I can't seem to get working. Although automatic notifications through ESET Protect Cloud work flawlessly, I am unable to create a report for the ESET Inspect incidents. In the report builder I am using the 'ESET Inspect alerts' properties as Data; however, when I check the preview, or save and run the report, there is no data, although I had about 10 alerts triggered by ESET Inspect rules just a few hours ago.

    Am I missing something? Is there a setting or some sort of synchronization I have to run between the cloud consoles in order to make reports work? Is anyone able to share a report that is working?

    Thank you in advance!

  11. 3 hours ago, Peter Randziak said:

    Hello @Ufoto,

    the domains and ports used by ESET Inspect Cloud are listed at https://help.eset.com/ei_cloud/en-US/?prerequisites.html 

    Peter

    Hi Peter,

    Thank you, it turned out to be related to a blocked connection to eu01.agent.edr.eset.systems:8093 due to the unusual port.

    For anyone else experiencing similar issues, there is a log file which helped me to identify which connection is failing. The log file is named 'EIConnector-yyyy-mm-dd' and you can find it here: C:\ProgramData\ESET\Inspect Connector\Logs.

    Best Regards,
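A small troubleshooting helper for the situation described above, as an added example that is not from ESET or the post: it attempts the TCP connection to the endpoint and port named in the reply and picks out the newest EIConnector log in the directory the post gives. The log file's extension and contents are not known from the post, so the helper only selects the file by the date in its name; the connect timeout is an assumption.

```python
import re
import socket
from pathlib import Path

# Endpoint and log directory named in the post above.
INSPECT_HOST = "eu01.agent.edr.eset.systems"
INSPECT_PORT = 8093
LOG_DIR = Path(r"C:\ProgramData\ESET\Inspect Connector\Logs")

# Log names look like EIConnector-yyyy-mm-dd; the extension is not known, so it is ignored.
_LOG_NAME = re.compile(r"^EIConnector-(\d{4})-(\d{2})-(\d{2})", re.IGNORECASE)


def pick_latest_log(names):
    """Return the EIConnector-yyyy-mm-dd file name with the newest date, or None."""
    best = None
    for name in names:
        m = _LOG_NAME.match(name)
        if not m:
            continue
        key = tuple(int(g) for g in m.groups())   # (yyyy, mm, dd) sorts chronologically
        if best is None or key > best[0]:
            best = (key, name)
    return best[1] if best else None


def check_tcp(host, port, timeout=5.0):
    """Attempt a plain TCP connect; return (True, '') or (False, reason)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, ""
    except OSError as exc:                       # refused, timed out, DNS failure, blocked
        return False, str(exc)


if __name__ == "__main__":
    ok, why = check_tcp(INSPECT_HOST, INSPECT_PORT)
    print(f"{INSPECT_HOST}:{INSPECT_PORT} -> {'reachable' if ok else 'blocked: ' + why}")
    if LOG_DIR.is_dir():
        latest = pick_latest_log(p.name for p in LOG_DIR.iterdir())
        print(f"newest connector log: {LOG_DIR / latest if latest else 'none found'}")
    else:
        print(f"log directory not found: {LOG_DIR}")
```

If the connect fails, the reason string shows whether it was a DNS failure, a timeout (typically a silently dropping firewall) or an active refusal, which narrows down what to look for in the newest log.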

  12. Hello,

    We are evaluating ESET Inspect Cloud and our test devices seem to be failing to connect to the cloud console, as per the error message 'Unable to connect to ESET Inspect Server'. Although the systems have the Inspect Connector installed and licensed, they appear unmanaged in the ESET Inspect console.

    I suspect that there could be something in our network blocking the connection, so I tried to find the network requirements for the Cloud Inspect server (e.g. ports, URLs, IP addresses); however, there is no mention of the product here: https://support.eset.com/en/kb332-ports-and-addresses-required-to-use-your-eset-product-with-a-third-party-firewall#services and all other information I was able to find is related to the on-premise version of the solution. Are you able to point me in the right direction? If there is no article, is there a log file I can check where I can see which connection is failing so I can rectify it?

    Thank you in advance!

  13. Hello All,

    My team and I have a very specific use case we need to accomplish, and after the initial progress we've made we ran out of ideas, so I wanted to check whether we are missing something obvious, or if this is not possible at all.

    We have a third-party application that we are deploying via ESET Protect. We need to deploy this application to systems that become managed, but not run it against systems which already have it (newly managed systems won't have it for sure). So we managed to create a dynamic group which filters devices that don't have the application installed and then we assigned the task using the 'Joined dynamic group' trigger, and this works like a charm. The problem we have is with our Linux devices. Since you don't have software inventory for Linux systems, this whole automation is not working. We know that we can't achieve it this way, but is there a way to configure some sort of task based on a system's first connection? It is possible to create an automatic notification and report for newly connected systems; however, the filter is not there for dynamic group templates, therefore we cannot translate it to automation. Can you think of a way this can be achieved?

    Apologies for the long post, and thank you.

  14. 1 hour ago, Kstainton said:

    Hi @Ufoto,

    The EEE Server / EEE Client, cannot do this directly at the moment, we may look into this for a future addition to our software.

    The reason why it cannot do it at the moment is because RME uses a File System Filter Driver, so it works with devices that expose a file system. Mobile devices do not provide a file system; they use Windows Portable Device, which I can see from your previous messages you have a complete understanding of.

    I am afraid at this time you will need to set up Read/Write permissions using your GPO for WPD devices. I do apologize if this causes any inconvenience.

    Thank you.

    Kieran

    Hi Kstainton,

    Thank you for the comprehensive answer. I understand now.

    Have a great day ahead!

  15. Hello,

    We have a pretty basic Endpoint Encryption setup where users are asked to encrypt their USB removable storage devices. Recently we noticed that when a phone is plugged in and its file system is shown in Windows, nothing happens. Is this expected behavior? I know that mobile phones are detected as Windows Portable Devices rather than Removable Storage Devices, and encrypting the entire drive might not be recommended, but at least 'File' encryption, where only a part of the drive is encrypted, should be possible.

    My question is, are mobile devices eligible for encryption and our configuration is simply not properly set up? Or is the product supposed to target only removable storage devices such as memory sticks and portable hard drives?

    Thank you in advance!

  16. 2 hours ago, Hello There said:

    Thank you all!

    I know that, but how can I verify on a target computer that a policy is actually applied? Is there any way to push a policy? Because I changed some settings and added a policy and these changes didn't apply, so I need to verify on a target computer whether the correct policies are applied or not.

    Thank you, it might be used in some cases, but we will follow Marcos's suggestion and use URL Address Management.

    That works! Thanks.

    Nice, this is exactly what we needed. Thanks!

    Thank you.

    The easiest way is to go to the same location: click on the system and go to Configuration -> Applied policies. If the policy Status is 'Actual', this means that the endpoint reported back that this policy was successfully applied. You will notice that if you change a policy this status will become 'Not Actual' until the system communicates with the server.

    Also, if you go to the policy details for a policy in your catalog, you will see that it has two sections: Assigned to, and Applied on. The former refers to where you assigned the policy, and the latter to which systems actually report back that the policy is applied locally.

    I hope this helps.
