MichalJ gave kudos to dmaasland in How to detect which process changes background desktop
Try something like this:
<?xml version="1.0" encoding="utf-8"?>
<rule>
  <definition>
    <operations>
      <operation type="WriteFile">
        <operator type="or">
          <condition component="FileItem" property="Path" condition="starts" value="%APPDATA%\microsoft\windows\themes\cachedfiles\" />
          <condition component="FileItem" property="FullPath" condition="is" value="%APPDATA%\microsoft\windows\themes\transcodedwallpaper" />
        </operator>
      </operation>
      <operation type="RegSetValue">
        <condition component="RegistryItem" property="Key" condition="starts" value="HKCU\software\microsoft\windows\currentversion\explorer\wallpapers\backgroundhistorypath" />
      </operation>
      <operation type="RegDeleteValue">
        <condition component="RegistryItem" property="Key" condition="starts" value="HKCU\software\microsoft\windows\currentversion\explorer\wallpapers\backgroundhistorypath" />
      </operation>
    </operations>
  </definition>
  <description>
    <name>Wallpaper was altered</name>
    <explanation>The wallpaper was altered</explanation>
    <category>Default</category>
  </description>
</rule>
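To show what the rule above actually matches, here is an added Python evaluator that is not part of the post and not ESET's rule engine. It parses the posted rule XML with the standard library, then runs constructed WriteFile and RegSetValue events through the three operations and reports which process produced each hit. The semantics are assumptions for illustration: `%APPDATA%` is expanded from a supplied environment map, comparisons are case-insensitive, `starts` is a prefix match, `is` is equality, and conditions placed directly under an `<operation>` must all hold. The event layout (a `type`, a `process` name and a per-component property dict) is likewise invented for the example.

```python
"""Evaluate the posted EEI-style wallpaper rule against constructed events.

Illustrative code only; the matching semantics below are assumptions,
not a description of ESET Enterprise Inspector internals.
"""
import re
import xml.etree.ElementTree as ET

# The rule from the post, reproduced verbatim (raw string keeps the backslashes).
RULE_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<rule>
  <definition>
    <operations>
      <operation type="WriteFile">
        <operator type="or">
          <condition component="FileItem" property="Path" condition="starts" value="%APPDATA%\microsoft\windows\themes\cachedfiles\" />
          <condition component="FileItem" property="FullPath" condition="is" value="%APPDATA%\microsoft\windows\themes\transcodedwallpaper" />
        </operator>
      </operation>
      <operation type="RegSetValue">
        <condition component="RegistryItem" property="Key" condition="starts" value="HKCU\software\microsoft\windows\currentversion\explorer\wallpapers\backgroundhistorypath" />
      </operation>
      <operation type="RegDeleteValue">
        <condition component="RegistryItem" property="Key" condition="starts" value="HKCU\software\microsoft\windows\currentversion\explorer\wallpapers\backgroundhistorypath" />
      </operation>
    </operations>
  </definition>
  <description>
    <name>Wallpaper was altered</name>
  </description>
</rule>
"""

# Assumed environment for %VAR% expansion (constructed sample value).
ENV = {"APPDATA": "C:\\Users\\alice\\AppData\\Roaming"}

# Constructed sample events: the first two and the fourth should match the rule.
SAMPLE_EVENTS = [
    {"type": "WriteFile", "process": "explorer.exe",
     "FileItem": {"Path": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\",
                  "FullPath": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper"}},
    {"type": "WriteFile", "process": "explorer.exe",
     "FileItem": {"Path": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\",
                  "FullPath": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\CachedImage_1920_1080_POS4.jpg"}},
    {"type": "WriteFile", "process": "notepad.exe",
     "FileItem": {"Path": "C:\\Users\\alice\\Documents\\",
                  "FullPath": "C:\\Users\\alice\\Documents\\notes.txt"}},
    {"type": "RegSetValue", "process": "SystemSettings.exe",
     "RegistryItem": {"Key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Wallpapers\\BackgroundHistoryPath0"}},
    {"type": "RegSetValue", "process": "setup.exe",
     "RegistryItem": {"Key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"}},
]


def load_rule(xml_text):
    """Parse the rule XML; bytes input lets the XML declaration be honoured."""
    return ET.fromstring(xml_text.encode("utf-8"))


def expand_env(value, env):
    """Replace %NAME% tokens with env entries (names compared case-insensitively)."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lookup.get(m.group(1).lower(), m.group(0)), value)


def condition_holds(cond, event, env):
    """Evaluate one <condition> against the event's component properties."""
    component = event.get(cond.get("component"), {})
    actual = component.get(cond.get("property"))
    if actual is None:
        return False
    actual = actual.lower()
    expected = expand_env(cond.get("value"), env).lower()
    kind = cond.get("condition")
    if kind == "starts":
        return actual.startswith(expected)
    if kind == "is":
        return actual == expected
    raise ValueError(f"unsupported condition type: {kind}")


def node_holds(node, event, env):
    """Recursively evaluate a <condition> or an <operator type="or|and"> subtree."""
    if node.tag == "condition":
        return condition_holds(node, event, env)
    if node.tag == "operator":
        results = (node_holds(child, event, env) for child in node)
        kind = node.get("type")
        if kind == "or":
            return any(results)
        if kind == "and":
            return all(results)
        raise ValueError(f"unsupported operator type: {kind}")
    raise ValueError(f"unexpected element: {node.tag}")


def rule_matches(rule, event, env):
    """True if any <operation> of the event's type has all its children hold."""
    for operation in rule.iter("operation"):
        if operation.get("type") != event["type"]:
            continue
        if all(node_holds(child, event, env) for child in operation):
            return True
    return False


def run_detection(rule, events, env):
    """Return (process, event type) pairs the rule would flag, in event order."""
    return [(e["process"], e["type"]) for e in events if rule_matches(rule, e, env)]


if __name__ == "__main__":
    rule = load_rule(RULE_XML)
    for process, event_type in run_detection(rule, SAMPLE_EVENTS, ENV):
        print(f"{rule.find('description/name').text}: {process} ({event_type})")
```

Running it lists explorer.exe twice (the TranscodedWallpaper write and the CachedFiles write) and SystemSettings.exe once; notepad.exe and the Run-key write are ignored. The point for the original question is that the rule keys only on the paths and registry keys, so the process name comes from whatever process the matching event is attributed to.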
MichalJ gave kudos to Marcos in Documentation on PROGRAM COMPONENT UPDATE - Auto Update
On August 25 we are starting to roll out the very first uPCU update to v8.0.2039 version for those with older Endpoint v8.0 versions. The rollout will be staggered and we expect it will take about 2 weeks to get downloaded by all users with an older version of Endpoint v8.0.
MichalJ gave kudos to BrianMorris in Check which workstations need updates
Thanks for the response! Ok, I re-read what you posted above and you gave me some hints. I found that I can click on the outdated Agent version and click "Update installed ESET products..." and then just tell it to upgrade all of those agents. This is a huge help.
MichalJ gave kudos to Marcos in ESET Cloud Office Security (ECOS) 96.3 released
Release Date: August 18, 2021
ESET Cloud Office Security 96.3 has been released.
Added: Teams and SharePoint Sites reports
Added: Bulk download of quarantined items
Added: Date and time uses the same format as in ESET Business Account
Added: User details contain information about the license that the user is protected with
For more information, visit the ESET Cloud Office Security help page or contact your local reseller, distributor or ESET office.
MichalJ gave kudos to Marcos in ServerApi - Get Task progress
I assume there are not many users well versed in API here. However, I'd like to contact the French distributor regarding your tickets since the answer you quoted above is not acceptable and the support personnel should have contacted ESET HQ to get an answer and then relay it to you. Please provide the support ticket ID that would help us identify the ticket and possibly also your public license ID in the form of XXX-XXX-XXX.
MichalJ gave kudos to tmuster2k in Can't select server to upgrade from 6.x to 7.0
This is what I would recommend when upgrading from 6.4.
1. Download the 6.5 server MSI >> https://download.eset.com/com/eset/apps/business/era/server/windows/v6/latest/server_x64.msi
2. Run the MSI to do an upgrade over the top using the defaults. If you get some kind of access denied error, you will need to enter the database user name (usually era_user); the password is located in >> C:\ProgramData\ESET\RemoteAdministrator\Server\EraServerApplicationData\Configuration
3. If you are running SQL Server Express 2008, you will need to upgrade that to 2014 at minimum. The all-in-one may do it. Upgrades of SQL usually require a reboot.
4. After the reboot, download the EP 8.x installer >> https://download.eset.com/com/eset/apps/business/era/allinone/latest/x64.zip
5. Run setup.exe and try the "upgrade all components" option now.
If any of them fail, just uninstall and then install from the all-in-one. Tomcat may need a full re-install.
Also, if you are running 32-bit Java, you will need to uninstall it and install 64-bit Java >>
MichalJ received kudos from Romain Dheilly in New updated machines lost their product activation
Hello @Romain Dheilly, even if you have just used the software install task, the application should work in a way that it keeps the license (even if no license was selected in the software install task). I will check with the teams here whether they have witnessed similar behavior from other customers.
One of the things that I know tends to happen is, when a customer accidentally installs EES and their license is for EEA, that will result in products not being activated, as the license and product do not match. When you attempted the manual reactivation (via the software install task), what was written in the task details / execution history? What was the reason for it to fail?
MichalJ gave kudos to MartinK in Update Agent Version
This seems to be a common misunderstanding, and we should probably improve communication to users so that it is clear.
In the case of the components upgrade task, you are actually selecting the version of the ESET PROTECT Server component that you can upgrade to. In other words, if your infrastructure is based on ESET PROTECT Server for Windows, you will be offered only the same or a later version for the same platform. This version is later used for the selection of compatible AGENT installers. So, for example, as you have selected version 8.1.1223.0 as the compatibility version, when this task is executed on a macOS device, the ESET repository is searched for the latest AGENT version for macOS that is compatible with ESET PROTECT 8.1.1223.0, which is currently version 8.1.3215.0. So the most confusing part is that you are actually not selecting the version of AGENT to be installed, but just a reference version used for compatibility.
MichalJ received kudos from j-gray in Adding Enterprise Inspector
Hello @j-gray, I will try to help.
Our EDR works in a way that it requires a separate server with a separate console; however, the "EDR console" is intended only for incident investigation. Management / deployment / activation still happens in ESET PROTECT.
So given the fact that you have already deployed ESET PROTECT environment, those are the steps needed:
Install ESET Enterprise Inspector on a dedicated machine. You will have to connect it to your ESET PROTECT, as it uses single sign-on between those two, and ESET PROTECT is the one that is also managing user access rights. On this machine, also install ESET PROTECT Agent (you will need it for future updates). The EEI server needs to be installed manually; you can't do it from EP Server (not the first time). Once your EEI Server is installed and running, you can proceed with the installation of a component called "EEI Agent". Even though it is named "agent", it is a very small binary that just sends the detection metadata gathered by our Endpoints (Endpoint is the "AGENT" per se) to the EEI Server, where the detection logic resides. You will have to specify the EEI server connection details in the policy for EEI Agent, which you can assign to group All (they will connect). Also, you will have to activate EEI Agent (if you have the latest version of ESET PROTECT, there is a context menu option called "deploy EEI Agent" that will do the trick for you). Once you have your environment set up, EEI detections will also appear in ESET PROTECT. From there, you can easily navigate to the details of each detection. You can also access the EEI UI directly if you are interested in just the EDR functionality.
Hope that this helps.
MichalJ gave kudos to DonaldDucko in Future changes to ESET Security Management Center / ESET Remote Administrator
In the reports data section, could we please get remaining free space for individual storage drives? In percent of total drive space would be best, and it would need to be per drive, instead of combined.
Thank you in advance!
MichalJ gave kudos to dmaasland in Block ransomware behavior automatically
You can add an action to a rule. If you want to edit a built-in rule, duplicate it first. Then, add the desired action to it:
The action you're looking for would be "BlockProcessExecutable" or "CleanAndBlockProcessExecutable". Check out page 6 in the EEI rule guide: https://help.eset.com/tools/eei/eei_rules_guide_1.6.pdf
Don't forget to also specify the "TriggerDetection". This is the default action if no action is specified, but gets overwritten as soon as you specify your custom action. This causes the rule to not create a detection but only block the executable if you don't add that action as well.
MichalJ gave kudos to Marcos in ESA+CISCO ISE
ESA RADIUS supports PAP and MS-CHAPv2 (both are mentioned in the following article: https://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_net_acc_flows.html#wp1134831).
It should work if the product supports authentication using an external RADIUS server with PAP or MS-CHAPv2. In the past we had customers who used Cisco products, including Cisco ISE.
We have RADIUS integration manuals for some Cisco products:
MichalJ gave kudos to Marcos in Eset Full Disk Encryption
Are you referring to the errors in the log, or is there an error reported in the GUI? The resolution of the screenshot of the GUI is too small to be able to read the text.
The errors in the log mean that ESET's EDF servers were inaccessible. Please read https://support.eset.com/en/kb332 for a list of IP addresses and ports that must be allowed for specific functionalities to work.
MichalJ received kudos from igi008 in Security product configuration - Select Multiples
You do not have to select the configuration during installer creation. You can simply assign all of the relevant "policy templates" (or custom-made policies) to group All (or any group, or even an individual computer), which means that the resulting configuration would be created as a merge of those policies.
Alternatively, you can create your own custom template, where you configure the product as you want, and then choose this template during the installer creation process.
Please note that there is a difference between a configuration and a policy. A configuration sets the values to the desired state but does not lock them on the client (if the local user has admin rights, they can change the settings). A policy, on the other hand, if a setting has the "apply/force" flags set, would lock the setting and prevent it from being edited.
Hope that this helps.
MichalJ gave kudos to Marcos in ESET Enterprise Inspector version 1.6.1716 has been released
Release date: June 1, 2021
ESET Enterprise Inspector 1.6.1716 has been released.
The installer is now available for download from the download page.
Added: Granular User Access rights (permission sets in ESET PROTECT)
Added: Incidents view
Added: Remote Connection method
Added: Reduction of “Detection overload”:
Protection against noisy Rules
Default Exclusions suggestions
Profile based configuration in installer to setup the product for various user types
Choice of 3 preset Profiles
Choice of Rules to enable based on four Severity levels
Choice of Data collection options
Choice of Data retention periods
Change of default views
Improved: Database improvements:
Event Filters created automatically for noisy Computers
DB Purge process improvement
Display estimated DB required space on Dashboard
Warning for sub-optimal DB configuration
Warning in case of insufficient space
Improved: User Interface improvements
Improved Details view
Filtering in Raw Events view
Categorization for Rules
Display PEDrop module hash in UI
Improved: Detection capabilities improvements
Ability to detect login brute-force
Ability to detect misuse of trusted DLLs
Ability to monitor discovery techniques using WMI GetObject method
Re-evaluation of Rules severity values (based on latest telemetry statistics)
Change of Ruleset to reflect compromised flag
Improved: REST API improvements
Ability to disable/enable Rules
Ability to create/manage Exclusions
Ability to trigger Network Isolation
Added Trigger Event for Detections
Ability to upload a list of hashes to be blocked
Ability to update Computer state
Ease of deployment – All-in-one installer with EI Agent (ESET PROTECT 8.1 required)
Performance and scaling improvements
As of version 1.6, we are introducing a new feature, "Optional Rules". There is a separate group of rules that are not enabled by default, yet they are installed by the installer but in a disabled state. Users can decide for these rules if they suit their environment and enable them manually.
Having this feature, we have decided to move some of the existing rules to the "Optional" category. It means some of the existing rules enabled in your environment may, after the installation, become disabled because they are updated with the new version of the rule, which is optional now. Please check disabled rules after the upgrade from previous versions if some of the rules you want to have enabled were not disabled by this mechanism.
Online Help (user guide): ESET Enterprise Inspector
MichalJ received kudos from Gintaras P in WEB filtering for Android devices enrolled via MDM
Hello @Gintaras P, to my knowledge, web filtering for our ESET Endpoint Security for Android is currently considered a feature for addition later this year. I will check it with our product management and come back to you once confirmed.
MichalJ gave kudos to Marcos in This feature is not monitored by Windows Security (firewall)
You must go one step back to select the product:
MichalJ gave kudos to M.K. in Policy not whitelisting spam
The problematic domain you reported has already been removed from the cloud blacklist. The quickest way to solve such cases is to send the email sample to email@example.com (https://support.eset.com/en/kb141-submit-a-virus-website-or-potential-false-positive-sample-to-the-eset-lab#spam), as those are handled almost immediately.
Also, based on the sample, we have identified a problem in the algorithm that selects the sender's address from email headers in some cases (Return-path: header), and it will also be addressed by an automatic update.
MichalJ gave kudos to MartinK in Installing Agent through CMD QUIET doesn't work for ESET PROTECT CLOUD
Could you please provide the standard trace.log from AGENT, or possibly search it for more detailed connection errors? I do not see any obvious problem with the deployment method you are using; in case no mistake was made during parameter processing, it should work. From the provided status.html it is not clear why the connection is failing; it might be network related, but also certificate related. As it seems that the certificate of the ESET PROTECT Cloud service has been accepted, it might be a problem with the AGENT's certificate -> in the steps you mention "same old file" next to certificates, but if that means you are attempting to use the same certificates as you used with the on-premise solution, that won't work -> devices managed by the cloud service are assigned a certificate generated by the service itself, and that is the only certificate that will enable your devices to connect.
Also note that there is an even simpler deployment method:
1. Download the AGENT MSI file and install_config.ini (the so-called GPO installer) into the same folder.
2. Initiate silent installation of AGENT via the msiexec command, but without product-specific parameters (those P_***).
3. Observe that installer properties are automatically loaded from install_config.ini, i.e. there is no need to copy them to the command line.
MichalJ gave kudos to j-gray in Help generating a software report with user login info
I need to find all OS X workstations that are missing a specific app and need to know the assigned user so that they can be contacted. Also need to include the OS version, so that we can work with the specific user to update/replace the device as needed.