BrianMorris
Posts: 49
Posts posted by BrianMorris
-
I still have over 100 endpoints with this message.
-
On 10/20/2022 at 7:04 AM, igi008 said:
Hello, many thanks for this idea.
Actually we have something like you mentioned in our EDR layer (ESET Inspect), which provides better visibility in your network and helps you identify suspicious behavior.
For example, these rules related to this MITRE ATT&CK Technique: https://attack.mitre.org/techniques/T1219/ can be helpful.
However, including other conditions in such rules is a quite interesting idea.
igi008 -- this is really great, thanks for sharing.
-
A few of my systems were either imaged or had the drive moved to a different computer and this happened. I deleted the asset in PROTECT Cloud and it showed back up.
Sometimes I’ll install the Agent installer on top of the existing agent and it will start working.
-
On 5/26/2022 at 1:44 AM, hamed_masoomi67 said:
What should I do to match the license console and the console?
Did you figure this out? I will go into my MSP Administrator (or eba.eset.com for non-MSP) and deactivate any computers that aren't checking in any longer. This kind of thing happens sometimes for me for some unknown reason.
-
Hmm, it's a little tough to know what you mean. Did you deactivate the license in ESET PROTECT Cloud or the MSP Administrator site (msp.eset.com)?
For simplicity, they have this helpful guide when you select Remove from the menu on a particular computer in PROTECT Cloud -- follow this and you'll be good (there is a deactivate prompt at the end).
-
I can't seem to find any change logs or any info on 9.1.2051. What's new?
-
On 6/23/2022 at 4:07 AM, igi008 said:
Hello,
many thanks for your post. It is a bit tricky because URI can also be a phishing link (in the case of web protection). ESET may be put on the list of phishers when we send such notifications. However, we will try to open this topic internally again, and we will try to find an appropriate solution.
Valid point. You could address this by changing the HTTP to HXXP for the purposes of these notification emails.
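A small defanging helper of the kind the reply above suggests (an added example, not ESET's code or the poster's): it rewrites http/https to hxxp/hxxps and brackets the dots in the host so a URI quoted in a notification email or ticket is no longer a live link, while a refang function lets the analyst recover the original. The sample notification line is constructed for the example.

```python
import re

# Matches an http(s) URL in free text; stops at whitespace and at characters
# that commonly close a link in prose (quotes, brackets).  Constructed pattern.
_URL_RE = re.compile(r"\bhttps?://[^\s<>\"')\]]+", re.IGNORECASE)

# Constructed sample of a notification body that embeds a blocked URI.
SAMPLE_NOTIFICATION = (
    "Web access blocked: https://malware.example.com/drop/setup.exe on host WS-01."
)


def defang_url(url: str) -> str:
    """Turn one live URL into a non-clickable form: http -> hxxp, host dots -> [.]."""
    scheme, rest = url.split("://", 1)
    scheme = scheme.lower().replace("http", "hxxp")  # http -> hxxp, https -> hxxps
    host, sep, path = rest.partition("/")
    host = host.replace(".", "[.]")  # bracket only the host; the path stays searchable
    return f"{scheme}://{host}{sep}{path}"


def refang_url(url: str) -> str:
    """Inverse of defang_url, so an analyst can restore the original indicator."""
    scheme, rest = url.split("://", 1)
    scheme = scheme.lower().replace("hxxp", "http")
    return f"{scheme}://{rest.replace('[.]', '.')}"


def defang_text(text: str) -> str:
    """Defang every URL in a notification body, leaving surrounding prose intact."""

    def _sub(match: re.Match) -> str:
        url = match.group(0)
        trail = ""
        # Sentence punctuation directly after the link is not part of the URL.
        while url and url[-1] in ".,;:!?":
            trail = url[-1] + trail
            url = url[:-1]
        return defang_url(url) + trail

    return _URL_RE.sub(_sub, text)


if __name__ == "__main__":
    print(defang_text(SAMPLE_NOTIFICATION))
```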
-
Thanks, Marcos. I don't seem to have any policies for the Agent active. I remember having those on the On Prem version, but I don't have one in the CLOUD. There doesn't seem to be any Agent policies in the Built-In Policies list.
I just created a brand new policy from scratch for the ESET Management Agent and will test. Thanks.
-
I saw that last year occasionally when CLOUD was new to me. I haven't experienced that in the last 6 months.
-
2 hours ago, VlP said:
Without URI identificator are notifications useless...
Yes! I feed these alerts into my ticketing system, but it misses this key piece of info 🙁
-
Here's an interesting comment:
https://www.dell.com/community/Virus-Spyware/UEFI-infiltration-found-by-ESET/td-p/6191946
"CompuTrace is a commercial product that is embedded into firmware to help people recover stolen laptops. Doing that requires it to exhibit some virus-like behavior, such as phoning home, and it can also be used to remotely wipe the system since some companies might want to do that if their laptops are stolen. But before you can do any of that, you first have to activate your system's CompuTrace instance. Dell includes the actual application in the firmware, but it doesn't do anything until it's activated. If you haven't yet activated it, you also have the option of deactivating it, but if you do that you will NEVER be able to reactivate it. And if you've already activated it, I believe it can never be fully deactivated."
-
cosign!
-
6 hours ago, damtechmatt said:
I can't understand why they can't add a little symbol next to the machine name like they do with Full Disk Encryption.
YES!!! I've been asking about that since last fall:
https://forum.eset.com/topic/29581-edtd-at-a-glance/
-
I just reviewed my own config and settings. All of the email accounts in my one Outlook profile have the Detected Items folder (although they were probably added many years ago by ESET!)
"The emails that will be stored in "Detected items" will also contain infected files? Or will they be moved to ESET quarantine?"
ESET would quarantine infected files, but the email itself would reside there (that's my experience).
Thunderbird doesn't seem to be a supported email client.
-
BTW, I may need to change this up with the EDTD name change:
https://help.eset.com/elga/en-US/overview.html
On March 23, 2022, ESET Dynamic Threat Defense was re-branded to ESET LiveGuard Advanced. In ESET business products, you can find it also as ESET LiveGuard. Both names refer to the same service.
-
This was a HUGE problem for me. Here's how I solved for it:
I created a Dynamic Group Template - see the pic for hints on how to set it up.
I then created a Dynamic Group inside my Static Group of clients with the EDTD license. I set that Dynamic Group to notify me if the Dynamic Group changed.
Reply if you need more details!
-
Here is the documentation on how to do it:
https://help.eset.com/protect_cloud/en-US/admin_server_settings_syslog.html?zoom_highlightsub=syslog
"1.Click More > Settings > Syslog and click the slider bar next to Enable Syslog sending"
When I go there, the Settings link is greyed out. Do I need to submit a ticket to enable it?
ALSO -- can I export logs for certain Static Groups or is it all or nothing? (I'm an MSP)
-
Back in this post, I asked how I could figure out which computers didn't have EDTD activated:
None of the tips did what I needed, but I just figured it out. I have a Static Group of clients that have EDTD licenses, but I couldn't figure out a way to quickly tell which had EDTD and which didn't. If I add a new computer, it doesn't throw errors about EDTD not being activated, so I can't build a group based on that.
Here is what worked:
-
Interesting. I think it would be a great idea to just have a little alert when creating the Dynamic Group that it may take "up to x hours/minutes" for matching assets to appear. Also maybe something about the endpoint needing to be online. I was thinking that all of this information is available to view, so it would just pull it from the server, but as you've explained, it doesn't work that way.
-
Inspired by some recent posts here, I figured out how to create dynamic lists of computers with McAfee or Java or anything installed. My RMM does a lousy job of this, so this is *so* helpful.
One thing that threw me off in the past is that the report is blank right after the creation. You need to wait awhile for it to fill in.
Threat found ML/Augur
in Malware Finding and Cleaning
We manage about 350 endpoints and these ML/Augur detections have been creating all these tickets for us on many computers for files that have been resident for years. VirusTotal has shown no other vendor agreeing so far.
Seems like a false-positive wildfire to me.