katbert
Posts posted by katbert
-
Is it possible to send known threats to EDTD?
In my test environment I extracted the files from mimikatz_trunk.zip. Almost all files were deleted by on-access protection. In the ESMC console I went to Threats and selected the "threat resolved" filter. I see the detected mimikatz modules. I selected one of the modules and opened Threat Details. I see:
Threat name = Win64/Riskware.Mimikatz.D
Action taken = cleaned by deleting
Scanner = Real-time file system protection
At the bottom of the Threat Details page I press the "Send file to EDTD" button and see a message that a client task was created.
One minute later I see it in Client tasks \ ESET security product \ Send file to EDTD, and this task finished successfully.
But in the Submitted files list in the ESMC console I don't see this file. And in the local interface of File Security I don't see this file either.
Is it a bug in the ESMC console, or is submitting 100%-known threats not possible?
-
1 hour ago, Marcos said:
You are right. In EFSW, diagnostic logging can be enabled here:
Thanks for the explanation!
And what about the certificate issue from my previous post?
Quote:
we found a solution
if Windows Server doesn't trust the certificate of ts.eset.com, the Sent files log is empty and no error is logged
after importing the DigiCert and Thawte root certs, ESET can send files successfully and shows all previously sent files
this is a bug, I think
-
we found a solution
if Windows Server doesn't trust the certificate of ts.eset.com, the Sent files log is empty and no error is logged
after importing the DigiCert and Thawte root certs, ESET can send files successfully and shows all previously sent files
this is a bug, I think
-
This screen is for Endpoint Security. How do I enable diagnostic logging in File Security?
-
23 minutes ago, Marcos said:
I'd suggest temporarily enabling diagnostic logging verbosity, submitting a file manually and then checking the ESET event log for possible errors.
How do I enable diagnostic logging?
-
Just now, MartinK said:
Not sure, but maybe the file is not actually submitted because it is already known, i.e. it was submitted previously - are you testing with some custom-made file?
Yes, with custom files.
-
We have a 1-month trial license for EDTD:
ESET Dynamic Threat Defense for Endpoint Security + File Security
ESET Dynamic Threat Defense for Mail Security
We added the license to the EBA account and activated some servers. I see the EDTD license in the ESMC console (Computer - Show details), and I see the EDTD settings in the local GUI of File Security.
If I manually submit files, I see a message about successfully sent files. But I don't see the submitted files in the local GUI or in the ESMC console, as described here:
https://help.eset.com/edtd/en-US/?manual_upload.html
The local Sent files log is empty. Agent version is 7.0.577 and File Security version is 7.0.12018.
-
I updated the ESMC server components from 7.0.66.1 to 7.0.72.1 (server, agent, web console) using the web console popup window. And I updated Apache HTTP Proxy using the all-in-one installer 7.0.72.1. Last step: update Tomcat. I uninstalled Tomcat 7.0.90 from the Windows Control Panel, ran the all-in-one installer and installed the web console with Tomcat 7.0.92 x64.
The web console installed successfully and works. But in Windows Control Panel \ Programs and Features I don't see an uninstaller for Tomcat 7.0.92.
Is it a bug of the all-in-one installer 7.0.72.1? And how do I uninstall Tomcat 7.0.92 x64 (it may be required for the next update)?
-
I found the Component upgrade task description here:
https://help.eset.com/esmc_install/70/en-US/components_upgrade.html
Quote:
The following components must be upgraded manually:
• Apache Tomcat (we strongly recommend that you keep Apache Tomcat up-to-date, see Upgrading Apache Tomcat)
• Apache HTTP Proxy (can be achieved using All-in-one installer, see Upgrading Apache HTTP Proxy)
• ESMC Rogue Detection Sensor
I updated Apache HTTP Proxy using the all-in-one installer: backed up the configs, stopped the service, ran setup.exe. Apache HTTP Proxy updated successfully.
But in Windows Control Panel \ Programs and Features I see Apache HTTP Proxy with the old installation date and without a version.
Is this normal?
-
I updated the ESMC Server in the test environment. In the server's trace.log file I found events about the database upgrade, and the final event:
Quote:
Information: CDatabaseModule [Thread 1078]: CDBSetupperBase::PerformUpgradeIfNecessary: Finished successfully.
-
I ran the upgrade from the popup window in the ESMC web console, logged off from the web console and closed the browser.
This is the recommended way to update ESMC from 7.0.66 to 7.0.72:
https://help.eset.com/esmc_install/70/en-US/upgrade_procedures.html
Quote:
3. Upgrade from ESMC 7.0.66.1 to ESMC 7.0.72.0 Service Release
The ESMC 7 Service Release was released on 15th November 2018. If you have installed ESMC before that date, we recommend you to upgrade your infrastructure to the latest version.
• The recommended way of upgrade for ERA 6.x users is the component upgrade task.
• ESMC 7.0.66.1 users are prompted by Update ESMC notification to upgrade the Server component. After the Server is upgraded successfully, upgrade your Agents using component upgrade task.
After the release of Service Release installers, the ESMC 7.0.66.1 installers are not available.
In the Windows Application event log I see events from MsiInstaller about the successful update of server_x64.msi (with reboot suppressed) and agent_x64.msi. The final event in the Application event log is:
era-updater
Execution finished with 0x0: (0x0),
In Windows Control Panel I see only Server and Agent updated to version 7.0.577.0. Tomcat and Apache HTTP Proxy have old versions.
My questions:
- How can I see the end of the upgrade process launched from the web console popup window?
- How can I see the end of the database update process (which can take some time in version 6.x, during which the admin can't log in to the console)?
- Which ESMC components do I still need to update manually?
-
I want to log all files scanned by real-time protection. I'm using ESET File Security 6.5.12014.1
I enabled the "Log all objects" option in Settings \ Real-time file system protection \ ThreatSense parameters
But I don't see any logs. Where can I find them?
-
I'm in the process of upgrading ERA from 6.5.34.0 to v7
Webconsole upgrade steps from: https://support.eset.com/KB6925/
- stop the Tomcat service,
- back up 3 configs: .keystore, server.xml and EraWebServerConfig.properties
- uninstall the old Tomcat
- install the new Webconsole and Tomcat from the all-in-one installer v7
- restore the 3 configs
I compared the configs from the backup (which were used by Webconsole v6.5) and the newly generated configs from Webconsole v7.
I see that server.xml has only one difference: the password to the keystore.
So restoring server.xml + keystore restores ONLY the self-signed certificate of Webconsole v6. Am I right?
-
Only a minimum number of policies. One policy for workstations with EEA and a single server.
If EEA is not supported on the server OS, I will install EFSW.
-
I tried to uninstall Tomcat and install the new version of Tomcat using the all-in-one installer without a reboot.
But the all-in-one installer requires a reboot.
Why doesn't Server_x64.msi ask for a reboot if it is needed?
-
I'm in the process of a manual update from ERA 6.5.34.0 to v7 using this article: https://support.eset.com/KB6925/
I successfully completed the first step: upgrading the server using Server_x64.msi. But in the Windows Application log I see event 1029 from MsiInstaller: Product: ESET Security Management Center Server. Restart required. The installation or update for the product required a restart for all changes to take effect. The restart was deferred to a later time.
Should I restart the Windows Server now or later, after updating Tomcat?
-
I have ERA 6.5.34 and a Windows Server 2008 R2 with ERA Agent 6.5.522
I tried to install EAV 6.6.2086.1 on this server using an ERA software installation task, but the task failed with the error "Task failed - try to install software manually". I found software-install.log and see MSI error 5003: this version is NOT for server operating systems. If I run eea_nt64_rus.msi locally, I see a screen recommending the use of the special server antivirus, but I can press Next and continue the installation.
Is it possible to install EAV 6.6 on a server using an ERA software installation task? Or to see the actual error in the ERA console (without reading the local software-install.log on the local computers)?
-
Is it possible to create rules to delete e-mail attachments like *.exe or *.js using ESET Endpoint Antivirus or ESET Endpoint Security?
-
The unexpectedly quarantined message contains an embedded jpg image with .com in the file name, but Outlook doesn't show this image as an attachment.
Thanks for answers!
-
I have ESET Mail Security for MS Exchange, and a rule to send messages with dangerous extensions (*.js, *.vbs etc.) to quarantine.
This rule has worked fine for many days, but one message was quarantined unexpectedly. This message contains only two pdf attachments. But *.pdf is not blocked by my rule.
Maybe ESET analyzes pdf files as containers, and the name of one of the parts was blocked by the rule? Some other antivirus products check a pdf like this:
mypdf.pdf/data0001
mypdf.pdf/data0002
mypdf.pdf/data0003
mypdf.pdf/data0004
How does ESET "see" the parts of a PDF container?
-
I'm testing LiveGrid in ESET Endpoint Antivirus 6.5.2094. I use this article: hxxp://support.eset.com/kb5552/?viewlocale=en_US
ESET Antivirus successfully blocks the download of cloudcar.exe
Next, I downloaded this file with HTTP scanning disabled. And ESET doesn't block running this file.
Which actions can ESET take using reputation data from LiveGrid: only block download attempts, or also block attempts to run files?
-
On 27.05.2015 at 6:13 PM, michalp said:
Push install requires internet connection. There isn't any workaround for this.
Now I'm testing agent 6.5.522 push install from ERA 6.5.31 on a workstation without internet access, and I see a successful installation from c:\windows\temp\agent_x86.msi
Was the Agent installed using the Apache HTTP Proxy on the ERA server?
-
Is the latest build of ESET Endpoint Antivirus, 5.0.2265, compatible with the Windows 10 Creators Update (1703)?
-
Known threats and EDTD
in ESET PROTECT On-prem (Remote Management)
Is this a bug or by design?
The EDTD help describes uploading the EICAR test file (100%-known malware):
https://help.eset.com/edtd/en-US/?submit_esmc.html