Posts posted by stevemaser

  1. OK -- we figured out how to do this.   If anybody else is interested:

    Two preinstall steps:

    sudo killall esets_gui

    sudo launchctl unload /Library/LaunchDaemons/com.eset.esets_daemon.plist

     

    Install the application (in our case either Office 2016 or 2019)

     

    then two post-install steps:

    sudo launchctl load /Library/LaunchDaemons/com.eset.esets_daemon.plist

    open -a "/Applications/ESET Endpoint Antivirus.app"

     

    Not the best solution -- but Office installs are taking *at a minimum* 4 times longer with 6.7.900, so we had to do something...

  2. Description:   For the Mac version of ESET, the "alert" settings should be global settings and not per-user settings.

     

    Details:  We are one of the orgs moving from SCEP to ESET for now and *not* using the ERA (as we would prefer not to have to spin up yet-another-server for this.)    Apparently all the Preferences --> User --> Alerts and Notification settings are stored within a ~/.esets/gui.cfg file.   This is a problem -- especially for the "Protection Statuses" Alerts.    We need to be able to turn those off globally -- especially for computer labs where local student accounts are wiped from computers soon after they log out.   We (as computer administrators) should be able to set these globally for all users without having to massage a file into each user account every time somebody new logs into the computer.

    It's nice to see that ESETs has more notifications than SCEP, but end users in a computer lab do not need to get an alert that "operating system is not up to date" (for example) when we control OS patch releases.

  3. Hello Steve,

     

    we have similar issue reported and our Devs are looking into it.

    Until we release fixed version, the only workaround is to set proper exclusions.

     

    By the way do you have a ticket with your local support open?

     

    We are sorry for the inconvenience caused by this issue.

     

    P.R.

     

     

    We have a ticket open with Microsoft about this behavior with SCEP 4.5.21.0 (since it's their branded version of ESET) -- as it seemingly only affects MS Word (at least the non-duplicate bugs do...)  

     

    I did submit the above bugs to ESET support, but basically just got a "thanks.  don't call us, we'll call you" response to these bugs -- which was a bit disheartening.

     

     

    ALSO -- FWIW -- I did try setting exclusions to .docx extensions -- but that made no difference (and I thought it would...)

     

    I can not exclude the path as that would vary from end-user to end-user.

  4. Why all these issues are associated with .docx files -- is probably a good question for Microsoft.   I tried a .doc file -- and could not reproduce any of the three problems (same with .xls/.xlsx and .ppt/.pptx files...)

     

    Whatever the problem is with Word, ESET is not handling these files correctly and causing deleting/hanging/degradation.

  5. Full disclosure -- we are attempting to use Microsoft's SCEP 4.5.21.0 -- which is based on the ESET engine and discovered two bugs with it -- so we decided to check the current trial version of ESET to see if the two bugs are there -- and they are....

     

     

    Using ESET 6.0.14.0 on Mac OSX 10.9.5 and 10.10.2 clients connecting to Mac OS X Server (both 10.9.5 and 10.10.2 server tested...)

     

    SERIOUS BUG 1 -- Default install of ESET will delete saved Word 2011 .docx files on server when connected to server via SMB

     

    To reproduce:

     

    1)  Default installation of ESET on Mac 10.9.5/10.10.2 client.

    2)  Client opens a .docx file (<filename.docx>) with Word 2011 (current version) on an OS X  server share (problem seems limited to .docx files -- not .doc files or .xlsx/.pptx files...)

    3)  User attempts to save the file.   A dialog box pops up that says "There has been a network or file permission error.  The network connection may be lost. (<filename.docx>)"

    4)  This results in the original file being renamed to "Word Work File _L3.tmp" and a saved file named "Word Work File L_1.tmp" -- but the original <filename.docx> -- is completely gone.

     

    WORKAROUND:

     

    In ESET, if the following default check box is *disabled*:

    Preferences --> Real-time Protection -- > Advanced Options --> Scan Options:  Advanced Heuristics

     

    Then the user can open and save the .docx file without the original file being "deleted" and the two "Word Work File..."s created and left behind.

     

     

     

    SERIOUS BUG 2 -- Word will SPOD if the above is attempted, but the server connection is made via AFP instead of SMB.

     

    We attempted to reproduce the above bug on a 10.10.2 client by having the client connect to the server via AFP instead of SMB.   This has worse results.

     

    In this case, the user goes to save the file, but the following happens:

     

    1)  A "Word Work File D_.tmp" file is created on the server.

    2)  Word goes into a SPOD -- and does not recover and must be force quit.   Which seems to still leave something locked on the system as it requires a hard shutdown to restart.

    3)  After client restart, "Word Work File D_.tmp" on server is still flagged "in use" and can not be deleted by client.

     

    WORKAROUND -- have not determined if there is one short of turning the RTF *off*.   Nor do I know if this is limited to .docx files (I just ran across this one right now while documenting the bug above...)

     

     

    BUG 3 (not as serious)  -- Occasionally, server files can not be duplicated with default ESET settings (also when connected via SMB)

     

    To reproduce

    1)  Same default install of ESET, same clients, same server as above, but connecting via SCEP

    2)  User goes to a server folder containing a number of files.

    3)  User attempts to duplicate files on the server.  (Simple command-d duplicate)

    4)  Occasionally, user will be unable to duplicate the file and the Finder shows a dialog box that says "The operation can't be completed because the item "<filename.docx>" is in use."

     

    WORKAROUND:  subsequent attempts at duplicating the same file will work if the user tries again.  

     

    or

     

    Disable:   Preferences --> Real-time Protection -- > File Open 

     

    None of these issues occur without ESET (or SCEP) installed.

     

    These are all pretty terrible bugs, frankly, and are easily reproducible...

     

     

    Is there anyone on the forum that can address any of these issues?

  6. So, I thought that might be the case, but based on this thread:

     

    https://forum.eset.com/topic/2324-how-to-disable-systemlog-logging/

     

    I currently am running things intentionally disabling all logging to /var/log/system.log (because the default logging is *much* too chatty...)

     

    But Tools --> Log Files still shows logged events (such as downloading eicar.com), so *that* information is being read from somewhere (maybe not a readable text log file...) to display it.

     

    That's what I'm trying to find out -- Logging must be done in multiple locations -- where is the logging done that Tools --> Log Files reads from?

     

    - Steve

  7. Should this be expected to work on *all* versions of Cyber Security?   Or just the current 6.0 version?  Or only under 10.9 (vs. 10.8?)

     

    Can you clarify?

     

    (The reason I ask is that when I tried this under SCEP 4.5  -- which I fully understand is Microsoft's licensing of your product-- the computer will kernel panic after restart (over and over) and I had to comment that line out of "scep.cfg"...)

  8. Hello,

     

    In some testing I and another did today, we believe we may have found the solution you are looking for.  Can you execute the 2 following commands from a terminal and then reboot?  Please inform us if this works to filter all the esets entries in your system.log.

     

    sudo /Applications/ESET\ Cyber\ Security.app/Contents/MacOS/esets_set --section global --set syslog_class=none

    sudo /Applications/ESET\ Cyber\ Security.app/Contents/MacOS/esets_set --section global --set syslog_class

     

    You will notice the commands will first add "syslog_class = none" to the esets.cfg.  The second command will comment out the entry which should effectively stop logging to the system log.

     

    If for some reason the commands are giving syntax errors, please let me know the following information:

         - The Mac OS X version

         - Which ESET CyberSecurity product you are using (CyberSecurity or CyberSecurity Pro)

         - The version number for your CyberSecurity product (5 or 6).

     

    We may need to adjust the folder path depending on your installed ESET product.

     

    Again, please reply to this thread to let us know if this resolves the issue.

     

     

    This made no difference for my testing.   

     

    I have the same results as above -- where running the two commands adds a:

     

    #syslog_class = "none"

     

    line to my esets.cfg file

     

    I am running 10.9.2 and 6.0.9.1 of the trial version of "Cyber Security" (as seen by what comes up in the "About" screen...)

  9. So, right now, I have the value set to:

     

    syslog_class = ""

     

    This has *greatly reduced* the logging -- but has not eliminated it.

     

    I am still getting these:

     

    Apr 24 11:23:11 <myhost> esets_daemon[275]: summ[01130c00]: vdb=18016, agent=fac, name="/private/var/folders/n1/zbkcr0gx585dmtnqh13gnpv800016q/C/com.apple.internetaccounts/mds/mdsDirectory.db_", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"

    Apr 24 11:25:48 <myhost> esets_daemon[275]: summ[01130b00]: vdb=18016, agent=fac, name="/private/var/folders/n1/zbkcr0gx585dmtnqh13gnpv800016q/C/com.apple.mail/mds/mdsDirectory.db_", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"

    host-134:log maser$ 

     
     
    This would be better than nothing, but it's not eliminating everything (when it probably should be, right?)
  10. So, in relation to my previous post about excessive default logging in /var/log/system.log with ESET 6, I was directed to modify:

     

    /Applications/ESET\ Cybersecurity.app/Contents/etc/esets.cfg

     

    To add these lines:

     

    [syslog_class]
    syslog_class = "error:warning:summ:part"

     

    This greatly reduces the number of esets_daemon lines logged to system.log, but it does not eliminate them.

     

    From what I can see in an old ESET 4 user guide, there are these logging parameters:

     

    ESETS provides system daemon logging via syslog. Syslog is a standard for logging program messages and can be used to log system events such as network and security events.

    Messages refer to a facility:

    auth, authpriv, daemon, cron, ftp, lpr, kern, mail, ..., local0, ..., local7

    Messages are assigned a priority/level by the sender of the message:

    Error, Warning, Summall, Summ, Partall, Part, Info, Debug

    This section describes how to configure and read the logging output of syslog. The ‘syslog_facility’ option (default value ‘daemon’) defines the syslog facility used for logging. To modify syslog settings edit the ESETS configuration file or use the Web interface. Modify the value of the ‘syslog_class’ parameter to change the logging class. We recommend you modify these settings only if you are familiar with syslog. For an example syslog configuration, see below:

    syslog_facility = "daemon"
    syslog_class = "error:warning:summall"

     

     

    But none of them actually say how to *disable* system logging.

     

    Anybody know the trick?

     

  11. Just to confirm:  This is not an SCEP issue.   This also happens with ESET 6.0:

     

    Here's an example of just one minute of using my mac as normal and what gets logged (if I grep "esets_daemon"...)

     

    Apr  3 08:50:08 m-c02hw55bdrvg.local esets_daemon[275]: summ[01130700]: vdb=17707, agent=fac, name="/private/var/folders/n1/zbkcr0gx585dmtnqh13gnpv8m7xf9l/C/com.apple.mail/mds/mdsDirectory.db_", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"

    Apr  3 08:50:11 m-c02hw55bdrvg.local esets_daemon[275]: summ[01130c00]: vdb=17707, agent=fac, name="/Users/maser/Library/Caches/.dat023f.001", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"

    Apr  3 08:50:17 m-c02hw55bdrvg.local esets_daemon[275]: summ[01130800]: vdb=17707, agent=fac, name="/Users/maser/Library/Preferences/com.apple.AddressBook.plist.gS4qOzE", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"

    Apr  3 08:50:34 m-c02hw55bdrvg.local esets_daemon[275]: summ[01130600]: vdb=17707, agent=fac, name="/private/var/folders/n1/zbkcr0gx585dmtnqh13gnpv8m7xf9l/T/com.apple.mail/TemporaryItems/(A Document Being Saved By Mail)/Mail Attachment.ics", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"

    Apr  3 08:50:34 m-c02hw55bdrvg.local esets_daemon[275]: summ[01130500]: vdb=17707, agent=fac, name="/private/var/folders/n1/zbkcr0gx585dmtnqh13gnpv8m7xf9l/T/com.apple.mail/TemporaryItems/(A Document Being Saved By Mail)/invite.ics", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"

    Apr  3 08:50:34 m-c02hw55bdrvg.local esets_daemon[275]: summ[01130700]: vdb=17707, agent=fac, name="/private/var/folders/n1/zbkcr0gx585dmtnqh13gnpv8m7xf9l/T/com.apple.mail/TemporaryItems/(A Document Being Saved By Mail)/4697752104 (18 seconds) Voice Mail.mp3", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"

    Apr  3 08:50:39 m-c02hw55bdrvg.local esets_daemon[275]: summ[01130700]: vdb=17707, agent=fac, name="/Users/maser/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail.plist.npeH6kP", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"

    Apr  3 08:50:47 m-c02hw55bdrvg.local esets_daemon[275]: summ[01130c00]: vdb=17707, agent=fac, name="/private/var/folders/n1/zbkcr0gx585dmtnqh13gnpv8m7xf9l/T/com.apple.mail/TemporaryItems/(A Document Being Saved By Mail)/Senior Picture Release_04012014144714.pdf", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"

    Apr  3 08:50:47 m-c02hw55bdrvg.local esets_daemon[275]: summ[01130600]: vdb=17707, agent=fac, name="/private/var/folders/n1/zbkcr0gx585dmtnqh13gnpv8m7xf9l/T/com.apple.mail/TemporaryItems/(A Document Being Saved By Mail)/Senior Picture Office Flyer_04012014144735.pdf", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"

    Apr  3 08:50:47 m-c02hw55bdrvg.local esets_daemon[275]: summ[01130800]: vdb=17707, agent=fac, name="/private/var/folders/n1/zbkcr0gx585dmtnqh13gnpv8m7xf9l/T/com.apple.mail/TemporaryItems/(A Document Being Saved By Mail)/system.log", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"

    Apr  3 08:50:53 m-c02hw55bdrvg.local esets_daemon[275]: summ[01130600]: vdb=17707, agent=fac, name="/private/var/folders/n1/zbkcr0gx585dmtnqh13gnpv8m7xf9l/T/com.apple.mail/TemporaryItems/(A Document Being Saved By Mail)/Senior Picture Release_04012014144714.pdf", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"

    Apr  3 08:50:53 m-c02hw55bdrvg.local esets_daemon[275]: summ[01130300]: vdb=17707, agent=fac, name="/private/var/folders/n1/zbkcr0gx585dmtnqh13gnpv8m7xf9l/T/com.apple.mail/TemporaryItems/(A Document Being Saved By Mail)/Senior Picture Office Flyer_04012014144735.pdf", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"

    Apr  3 08:50:53 m-c02hw55bdrvg.local esets_daemon[275]: summ[01130b00]: vdb=17707, agent=fac, name="/private/var/folders/n1/zbkcr0gx585dmtnqh13gnpv8m7xf9l/T/com.apple.mail/TemporaryItems/(A Document Being Saved By Mail)/DETAILS.doc", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"

    Apr  3 08:50:57 m-c02hw55bdrvg.local esets_daemon[275]: summ[01130800]: vdb=17707, agent=fac, name="/Users/maser/Library/Mail/V2/MailData/BackingStoreUpdateJournal", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"


     

     

    There is a *lot* of this kind of logging...
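An added example (not from the posts and not ESET's code): a small Python triage of `esets_daemon` syslog lines in the format quoted in the posts above, separating the routine "newly created file" summaries from lines that carry a detection. The sample lines are constructed, the detection line's field values are placeholders rather than real ESET output, and quoted values are assumed to contain no embedded double quotes.

```python
import re
from collections import Counter

# Header layout taken from the esets_daemon lines quoted in the posts above.
HEADER = re.compile(r'^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) esets_daemon\[(?P<pid>\d+)\]: '
                    r'(?P<cls>\w+)\[(?P<eid>[0-9a-f]+)\]: (?P<body>.*)$')
# key=value pairs, quoted or bare (vdb, agent). Assumption: no embedded double quotes.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')

def parse_line(line):
    """Return header and body fields as a dict, or None for non-ESET lines."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    for key, quoted, bare in FIELD.findall(event.pop("body")):
        event[key] = quoted or bare
    return event

def is_routine(event):
    """True for the 'newly created file, not scanned' summaries with no detection."""
    return (event["cls"] == "summ" and not event.get("virus")
            and not event.get("action") and event.get("avstatus") == "not scanned")

def triage(lines):
    """Count routine events per (agent, info); return the remaining events in full."""
    routine, keep = Counter(), []
    for event in filter(None, map(parse_line, lines)):
        if is_routine(event):
            routine[(event.get("agent"), event.get("info"))] += 1
        else:
            keep.append(event)
    return routine, keep

# Constructed sample input; the detection line's virus/action/avstatus/hop are placeholders.
_NEW = 'info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"'
SAMPLE = [
    'Apr 24 11:23:11 host1 esets_daemon[275]: summ[01130c00]: vdb=18016, agent=fac, '
    'name="/private/var/folders/xx/C/com.apple.mail/mds/mdsDirectory.db_", virus="", action="", ' + _NEW,
    'Apr  3 08:50:34 host1 esets_daemon[275]: summ[01130700]: vdb=17707, agent=fac, '
    'name="/private/var/folders/xx/T/Voice, Mail (18 seconds).mp3", virus="", action="", ' + _NEW,
    'Apr 24 11:24:00 host1 kernel[0]: unrelated line from another process',
    'Apr 24 11:26:02 host1 esets_daemon[275]: summ[01130a00]: vdb=18016, agent=fac, name="/Users/example/Downloads/eicar.com", '
    'virus="PLACEHOLDER-DETECTION", action="PLACEHOLDER-ACTION", info="", avstatus="PLACEHOLDER", hop="PLACEHOLDER"',
]

if __name__ == "__main__":
    routine, keep = triage(SAMPLE)
    print(dict(routine), [(e["ts"], e["name"], e["virus"]) for e in keep])
```

To run it on a real log, pass the open `/var/log/system.log` file object to `triage` in place of `SAMPLE`.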
