Ufoto

Members
Posts: 118
Kudos

  1. Upvote
    Ufoto gave kudos to Marcos in Issue with notifications email
    It should be fixed now, please confirm.
  2. Upvote
    Ufoto gave kudos to j91321 in Advanced exclusion - please help   
    I think you are a bit confused by the Event being ProcessCreated %WINDIR\ltsvc\ltsvc.exe%. If I understand it right, the B1004 is connected to the bcdedit.exe process. The process tree should look something like this:

    wininit.exe
    |-------> services.exe
              |-------> %WINDIR%\ltsvc\ltsvc.exe
                        |-------> %SYSTEM%\bcdedit.exe
                                  +-------> Setting a dangerous boot configuration [B1004]

    What your exclusion is trying to do is exclude behavior when bcdedit.exe would spawn ltsvc.exe, but it's the other way around: ltsvc.exe spawns bcdedit.exe. You need to use parentprocess like this:

    <definition>
      <parentprocess>
        <operator type="AND">
          <condition component="Module" condition="is" property="OriginalFileName" value="LTSVC.exe"/>
          <condition component="Module" condition="is" property="SignerName" value="Connectwise, LLC"/>
          <condition component="FileItem" condition="starts" property="FullPath" value="%WINDIR%\ltsvc\"/>
        </operator>
      </parentprocess>
    </definition>
  3. Upvote
    Ufoto gave kudos to j91321 in ESET INSPECT Best practice guide?   
    I'd recommend enabling rules with the tag Essential. Next, it's worth reviewing rules that have automatic actions assigned. You can filter these by using the "Rule Actions" filter in the Rules list. You can also use other tags to better filter categories you're interested in and enable rules based on that.
  4. Upvote
    Ufoto received kudos from Peter Randziak in ESET Support not responding - how can I check the status of a ticket?   
    Thank you. I managed to get a hold of the support people. 
  5. Upvote
    Ufoto gave kudos to jonathan.deane_UK in ESET Support not responding - how can I check the status of a ticket?   
    Regardless of the size of the license you can call ESET UK Support on 01202 405 405, option 3, for support. Please have your Public License ID (XXX-XXX-XXX) to hand when you call so we can locate your license and any existing tickets for you.
    The phone lines were closed for an internal event as per our web contact page and are now available again from 1pm, please try to call again.

  6. Upvote
    Ufoto gave kudos to thae in Next Level Security   
    ESET Inspect cannot detect anomalies in log files. For that, a SIEM is more appropriate. For the rest, Inspect works well.
  7. Upvote
    Ufoto gave kudos to karlisi in CRON expression not working?   
    You have 2 spaces between symbols; that's not allowed in CRON expressions.
  8. Upvote
    Ufoto received kudos from Zen11t in How can I know which category a web page belongs to according to ESET's categories?   
    Hi Marcos,
    Yes, this is one way of doing it, however it would be great if there is a place on ESET's website where we can enter a specific URL and check how it is categorized by your engine. It makes it much easier than playing with policies on a test device. 
  9. Upvote
    Ufoto gave kudos to karsayor in Bitlocker report status of ESET Protect 10   
    Yes, it seems to be working for the report !
  10. Upvote
    Ufoto gave kudos to Marcos in Is it possible to collate all selected reports into a single pdf under Generate Report option?   
    While this is not currently possible, we have this improvement in the backlog for implementation in the future.
  11. Upvote
    Ufoto gave kudos to JamesR in Ancestor process exclusions not working   
    Your "Advanced" exclusion looks good to me. The ltsvc.exe process has a distance of 2 from the triggering process of find.exe. There is a chance that the task to resolve matching detections is not working, and that the exclusion is working fine. I would suggest saving the advanced exclusion you posted above, and then manually resolving the current detections and waiting to see if more of the same detections come in. Also check the "Hit Count" for the exclusion after letting it sit for a day or 2.
    "Hit Count" - For exclusions, this is how many detections the exclusion has prevented since it was last edited.  Editing the exclusion will zero out the hit count.
    Where to find hit count:

  12. Upvote
    Ufoto gave kudos to JamesR in ESET Inspect exclude targets   
    What you are trying to accomplish will require an Advanced Exclusion that makes use of an <operations> section. The <operations> section can be a bit tricky to get used to. Its formatting is as follows:

    <operations> <!-- This "operations" tag is plural -->
      <operation type="WriteFile"> <!-- This "operation" tag is singular, and defines the type of operation you want to exclude -->
        <operator type="and"> <!-- Define any needed operator of and/or/not -->
          <condition component="FileItem" property="FullPath" condition="is" value="%Path%\Of\Interest\to\fileName.xyz"/> <!-- Define any/all conditions of interest to describe the actions being taken by a process. -->
        </operator>
      </operation>
    </operations>

    Your detection is being caused by a "FileTruncated" event. This is part of the "WriteFile" operation.
    My recommended style of exclusion is to specify the specific Process, and the specific "WriteFile" operation for a specific location and file extension (modify any file paths needed):

    <definition>
      <!-- First we define the process we want to not trigger the detection. This will restrict the exclusion to specific executables causing the incorrect detections -->
      <process>
        <operator type="AND">
          <!-- SignatureType of 90 = Trusted -->
          <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
          <!-- Following will allow for both possible locations of outlook.exe -->
          <operator type="or">
            <condition component="FileItem" property="FullPath" condition="is" value="%PROGRAMFILES(X86)%\microsoft office\root\office16\outlook.exe"/>
            <condition component="FileItem" property="FullPath" condition="is" value="%PROGRAMFILES%\microsoft office\root\office16\outlook.exe"/>
          </operator>
          <!-- Signer Name must be "Microsoft Corporation" -->
          <condition component="Module" property="SignerName" condition="is" value="Microsoft Corporation"/>
        </operator>
      </process>
      <!-- Next we define which type of operation or target we want to allow the above process to do, without triggering a detection -->
      <!-- Logic here will state that we do not want detections on .com files created inside of the "...\inetcache\content.mso\" directory -->
      <operations>
        <operation type="WriteFile">
          <operator type="and">
            <!-- Full File Path must start with expected location -->
            <condition component="FileItem" property="FullPath" condition="starts" value="%LOCALAPPDATA%\microsoft\windows\inetcache\content.mso\"/>
            <!-- Full File Path must end with .com to ensure we are only excluding the .com files. -->
            <condition component="FileItem" property="FullPath" condition="ends" value=".com"/>
          </operator>
        </operation>
      </operations>
    </definition>

    Please note that I am using the property "FullPath" for my "<condition..." statements. FullPath is a combination of the "FileName" and "Path" properties. I like to use this so that I can easily use the "Starts" or "Ends" condition properties as needed.
    FileName = File name with extension, like "HowdyThere.exe"
    Path = File path ending with a "\", like "C:\some\path\of\interest\"
    FullPath = Both Path and FileName in one complete string, like "C:\some\path\of\interest\HowdyThere.exe"
  13. Upvote
    Ufoto gave kudos to Marcos in ESET Cloud services availability   
    We are not aware of any issues with ESET INSPECT Cloud. Please provide your EIC instance ID that is found in EBA (eba.eset.com) -> Help -> About.
    As for the service monitoring page providing the current status, it's being prepared and should be available soon.
  14. Upvote
    Ufoto gave kudos to BrianMorris in Feature request! Allow URI to be added to Notification emails   
    Valid point. You could address this by changing the HTTP to HXXP for the purposes of these notification emails.
  15. Upvote
    Ufoto gave kudos to Marcos in ESET Inspect Cloud reports?   
    Currently you could create desired filters and then export the table as CSV which you could subsequently process in Excel for instance. We plan to improve reporting from EIC later this year.

  16. Upvote
    Ufoto received kudos from Peter Randziak in ESET Inspect Cloud network requirements?   
    Hi Peter,
    Thank you, it turned out to be related to blocked connection to eu01.agent.edr.eset.systems:8093 due to the unusual port. 
    For anyone else experiencing similar issues, there is a log file which helped me to identify which connection is failing. The log file is named 'EIConnector-yyyy-mm-dd' and you can find it here: C:\ProgramData\ESET\Inspect Connector\Logs.
    Best Regards,
  17. Upvote
    Ufoto gave kudos to Peter Randziak in ESET Inspect Cloud network requirements?   
    Hello @Ufoto,
    The domains and ports used by ESET Inspect Cloud are listed at https://help.eset.com/ei_cloud/en-US/?prerequisites.html
    Peter
  18. Upvote
    Ufoto received kudos from BRK_Hyper in ESET_PROTECT On-prem   
    You should create a new topic as your question doesn't seem to be related to this thread.
    Regards,
  19. Upvote
    Ufoto gave kudos to Kstainton in Endpoint Encryption and mobile devices   
    Hi @Ufoto,
    The EEE Server / EEE Client cannot do this directly at the moment; we may look into this for a future addition to our software.
    The reason why it cannot do it at the moment is because RME uses a File System Filter Driver, so it works with devices that expose a file system. Mobile devices do not provide a file system; they use Windows Portable Devices, which I can see from your previous messages you have a complete understanding of.
    I am afraid at this time you will need to set up Read/Write permissions using your GPO for WPD devices. I do apologize if this causes any inconvenience.
    Thank you.
    Kieran
  20. Upvote
    Ufoto gave kudos to Kstainton in Endpoint Encryption and mobile devices   
    Hi @Ufoto
    File Encryption is also not possible, the way I should have put it is that Removable Media Encryption, whether it be FDE or File is not possible on a Mobile Device.
    Thank you.
  21. Upvote
    Ufoto received kudos from Michael Erni in Endpoint doesn't auto-update to 9.0.2046   
    Hi Marcos,
    I understand that this is the first time you are pushing updates this way, however I wanted to ask whether there will be a more official channel where we can track when a new version will be rolled out. Additionally, having the option to change that time frame would be ideal as in my opinion using an outdated version for nearly two months is too much. A month should be more than sufficient for any critical issues to surface. 
  22. Upvote
    Ufoto received kudos from karlisi in Endpoint doesn't auto-update to 9.0.2046   
    Hi Marcos,
    I understand that this is the first time you are pushing updates this way, however I wanted to ask whether there will be a more official channel where we can track when a new version will be rolled out. Additionally, having the option to change that time frame would be ideal as in my opinion using an outdated version for nearly two months is too much. A month should be more than sufficient for any critical issues to surface. 
  23. Upvote
    Ufoto received kudos from Trooper in Endpoint doesn't auto-update to 9.0.2046   
    Hi Marcos,
    I understand that this is the first time you are pushing updates this way, however I wanted to ask whether there will be a more official channel where we can track when a new version will be rolled out. Additionally, having the option to change that time frame would be ideal as in my opinion using an outdated version for nearly two months is too much. A month should be more than sufficient for any critical issues to surface. 
  24. Upvote
    Ufoto received kudos from Hello There in ESET PROTECT Missing Features!   
    The easiest way is to go to the same location - click on the system and go to Configuration -> Applied policies. If the policy Status is 'Actual' this means that the endpoint reported back that this policy was successfully applied. You will notice that if you change a policy this status will become 'Not Actual' until the system communicates with the server. 
    Also, if you go to policy details for a policy in your catalog you will see that it has two sections - Assigned to, and Applied on. The former refers to where you assigned the policy, and the latter which systems actually report back that the policy is applied locally.
    I hope this helps.
  25. Upvote
    Ufoto received kudos from Hello There in ESET PROTECT Missing Features!   
    10. How can I see on a target computer which policy is applied? When I often switch policies in a management console, how long does it take to propagate to clients? How can I verify that a policy is actually applied?
    You can check this by going into a system's details and then -> Configuration -> Applied Policies. Alternatively if you go to the policy catalog you can select a policy and go to its details. There you can see where it is assigned and which systems it is applied on.
    11. How to use Web Control to block all internet access except a few specific websites?
    If you are referring to web pages, you can create a Web Control rule to block all let's say .com, .org, etc sites by using wildcards (https://help.eset.com/ees/7/en-US/idh_dialog_epfw_add_url_addr_mask.html) and then you can create exceptions. Not sure if this is the best approach, hopefully someone from ESET can provide a better idea. If you are referring to network access instead of web pages, you can use the firewall component and create the rule you desire.
    12. Since some users are local admins, how to prevent local administrators on target devices from changing ESET settings? We need that only domain admin or ESET management console users can change setting. 
    There are two places where you should set up a password:
    1. In the Endpoint Security product (different for endpoints and servers - set it up in both policies) under User Interface -> Access Setup.
    2. In the Agent policy (this will protect the ESET product from uninstallation) - under Settings -> Advanced Settings -> Setup -> Password protected setup.