AStevens.SHG

Members
  • Posts

    24
About AStevens.SHG

  • Rank
    Newbie

Profile Information

  • Location
    U.K.

Recent Profile Visitors

948 profile views
  1. During testing of deploying the latest version of ESET Endpoint Security over the older 6.2 version, we find the firewall is non-functional, even after a reboot following the upgrade. However, a second reboot then seems to clear the problem; this means we need to find a way to run two reboots in the deployment, which is tricky for SCCM (we deploy this way so as to give the users some choice in when they apply the update as per their schedule). Seems to be a recent problem, normally one reboot is sufficient. I suspect it's a recent Windows Update that's changed this, or maybe something in this newest version of Endpoint Security. Is this a known problem? Is there a new build of Endpoint Security on the way that can update and be functional in one reboot? Thanks.
  2. Description: Remove old Active Directory users from Mapped Domain Security Groups in Access Rights. Detail: We use Mapped Domain Security Group from Active Directory to grant permission sets to users, Administrators, Read Only Administrators, Service Desk Users, Reporting Users, etc. However, when those users leave the business, and their AD accounts are disabled and deleted, they're still listed in the Domain Users tab for Mapped Domain Security Groups. Although those accounts can no longer log in to ERA, to keep it tidy and security/auditors happy, we would like to be able to remove them.
  3. Thanks @MichalJ so hopefully pretty soon for v7, not months away/end of year or next year kind of thing, granted things can slip of course for a variety of reasons. "is one of" or the current "in" works to allow multiple matches of one criteria, the options being pre-existing. But for combining multiple separate conditions, the only way currently is to get fancy with regex (if that's an option on the particular field), which I've had trouble in the past with ESET accepting the regex syntax when trying to do a bit more complex (yes to these, no to those words/letters/symbols/etc.). Nesting can be complex, but can also provide a lot more flexibility, Dynamic groups and reports of course.
  4. Description: Nested OR and AND in Dynamic Groups / Virtual Machines Detail: Nested OR and AND in Dynamic Groups creation, so you can have two or more sets of OR under an AND, or two or more sets of OR under an AND, or any combination. Example: Virtual Machine or not (Physical) so we can split these two types apart, some advice here for how to determine it, will likely require nested criteria: https://blogs.technet.microsoft.com/kevinholman/2014/10/16/faq-how-can-i-tell-which-servers-are-physical-or-virtual-in-scom/ PS. What's the rough expected release date for ESMC V7 at the moment?
  5. Description: Dynamic Group Filters - Computer Type Detail: This is a request going back to 2015: As in that post, we want to be able to create Dynamic groups of Laptops, Desktops and Virtual Machines (and by contrast Physical Machines), some may want to get as granular as the different kinds of Desktops and Laptops, but I doubt anyone needs/wants that level. At the moment we either have to use a name mask, or there is checking for the "Not Presence" of a battery, although I wonder if some UPS setups may skew the results. As I said back then, please read from the SystemEnclosure and based on some simple logic work out if it's a Desktop, Laptop, or Other/Unknown, this I expect is what other products do. https://technet.microsoft.com/en-us/library/ee156537.aspx?f=255&MSPPError=-2147217396 In addition, you can also work out if it is a Virtual Machine or not (Physical), some advice here for how to determine it: https://blogs.technet.microsoft.com/kevinholman/2014/10/16/faq-how-can-i-tell-which-servers-are-physical-or-virtual-in-scom/ It may be we'll have to create this one, once you enable the multiple nested OR and AND in Dynamic Groups (I hope you're adding that, looks as though you are for Reporting side). We might have to include Model information to correctly identify Microsoft Surface hardware.
  6. Hi @MichalJ I've tried some variations, and it doesn't appear wildcards (*) are accepted, it's 6.5 and 6.6 versions. %USERprofile%\Downloads\putty.exe as a test does work, so that's interesting, will see what we can do with that.
  7. Description: Firewall rule, Local Application wildcard support Detail: Currently it's possible to make Firewall rules using a condition based on the local Application, however you must input a full executable file path, such as: C:\Program Files (x86)\PuTTY\putty.exe We would like to be able to use wildcards, so we can instead enter either of these: C:\Program Files (x86)\*putty.exe *putty.exe This allows us to open the rule up to either any executable with that name within subfolders of a folder location, or any on the computer. This would come in handy for such applications to include their version number in their installation path (): C:\Program Files (x86)\Program v3.2\program.exe As well as programs that install into the user profile location: C:\Users\*\AppData\Roaming\Spotify\Spotify.exe Although in this case, perhaps a different wildcard to *, as we want to restrict it to permit only 1 level of folder wildcard, so that C:\Users\folder1\folder2\folder3\AppData\Roaming\Spotify\Spotify.exe doesn't work/match. The applications I've used as an example here are not representative of the actual applications we would use these rules on necessarily, just examples I could immediately think of to give an idea.
  8. @MichalJ Thank you. Point 1 - The most urgent requirement is to print Firewall rules in a readable format (CSV / TSV / XLSX / DOCX / PDF) to review, or record for auditing, really need something ASAP for this. However, I expect this will extend to all "Lists" within ESET, zones, IDS exceptions, app modification web and device control, and other exclusion lists, anything similar. I do see an "Import" option on Exclusions popup, but only when viewing the top level Antivirus, Files and folders to be excluded from scanning, not on real-time, on-demand, etc. file extensions exclusions popup. Secondly, I would say more for an ERA Administrator, it would also be very useful to be able to export the rules, zones and other "lists" in ESET to CSV / TSV and then be able to import them. While we are able to Duplicate a whole policy, this would give more flexibility to create and import a previous list, while quickly removing/adding lines in the CSV file before. Point 2 - Excellent, is there a rough ETA on ESMC V7 yet? Point 3 - Great, thank you.
  9. Description: Individual firewall rule hit count. Detail: Similar to hardware firewalls, it would be nice to see a hit count, packets matched, kind of information per individual firewall rule in Endpoint protection, also for that information (similar to above requests) to be visible in ERA, and total of the hits across all clients with the same rule. So we can generate reports, this makes it easier to find rules no longer being used and can be removed safely.
  10. Description: See Endpoint client logs within ERA. Detail: We would like to be able to see the logs from a client (Detected threats, Events, Computer scan, Blocked files, HIPS, Firewall, Filtered websites, Antispam protection, Web control and Device control) within the client entry in ESET Remote Administrator. While some threats and problems are highlighted in ERA, not everything is. A Filtered website blocked by Anti-Phishing blacklist for example doesn't seem to appear in ERA, can only view it on the client's log.
  11. Description: Export list of firewall rules (zones, exclusions and any other configurable lists) Detail: IT Security would like to regularly review the list of firewall rules, zones, exclusions, basically any configurable list within ESET on a regular basis. There doesn't appear to be an easy way of doing this, from an ESET client you can export settings to an XML file, but this isn't readable for management staff.
  12. Excellent, pity it can't be hot-fixed in the current 6.5 release, but glad to know it will be corrected in V7. We don't currently use "users", but have noticed it there and intrigued for the possibilities you mention, user variables in policies sounds interesting. Two issues we have that I wondered if this would help with, is a desire to include the current/last logon user detail from AD (username, Full Name/Display name, email, telephone, etc.) in reports, the Service Desk/Deskside support want user information as presumably they track down the user, and then from there the computer. Currently we have to do some look up using other products (KBOX, SCCM). User variables in policies for Endpoint sound interesting, would it be possible to have an application path in a firewall rule to allow C:\Users\%username%\AppData\Roaming\Application\Application.exe or %userprofile%\AppData\Roaming\Application\Application.exe ? Or would it be more of a user scope under a Local tab, so this rule only applies to these domain users logged onto the machine? Or a whole policy applying to a specific domain user or users whatever PC they are on? Also interesting, though... that would probably require the syncing of AD Groups (Domain Local, Global Group) and ESET understand Group Inheritance, as you'd likely want to assign it based on groups of users, than one or two specific users (though that would come in handy for IT/Testing).
  13. Description: Export list of computers from Dynamic or Static Group / Additional reporting filter options Detail: Rather than having to create a report, it would be useful to just be able to export a Group's (Static or Dynamic) list of computers out to CSV, TSV, PDF, etc. Especially as Reporting filtering is more limited than Dynamic Group filtering. Would be nice to have additional reporting filter options, such as "does not contain", "does not equal regex", "not in", "not prefix/postfix", etc. etc. As well as being able to set two (or more) criteria for a single field, e.g. "OS name has prefix" "Microsoft" AND "OS name has not postfix" "R2". Also the option of "OR" rather than just "AND". And being able to group multiple ANDs or ORs. Hopefully some or all of this is included in the new changes in the next version as highlighted in previous post by MichalJ. Other posts:
  14. Description: Remote Administrator Console Login accept username in UPN format. Detail: When logging into the ESET Remote Administrator console, if using an AD login, you need to specify the username as "DOMAIN\username", however if you try to use the UPN format (common due to increased cloud usage) "username@fully.qualified.domain" then it's not recognised. Also, if you don't include a domain then it's also not recognised. Please support the UPN format and have the server default to a domain (if ERA installed on Windows, default to the domain the server is joined to), or allow an option to specify a default domain in ERA settings.
  15. Description: Static Group Synchronization using "Objects to Synchronize" set to "Computers Only" will sync all computers from AD Domain. Detail: After creating a Server Task of Static Group Synchronization for an Active Directory domain, the "Objects to Synchronize" was set to "Computers Only" (we do not require the entire AD OU structure synchronized to ESET Remote Administrator, we use Dynamic Groups and assign policies there), and the "Distinguished Name" under Synchronization settings is blank or set to the highest level "DC=test,DC=domain,DC=com", no computers are synchronized or existing computer objects moved, even though "Computer Creation Collision Handling" is set to "Move". If we set the "Distinguished Name" under Synchronization settings to "OU=Domain Controllers,DC=test,DC=domain,DC=com" then we see the domain's DCs, their computer accounts which exist in that OU (just that OU of course), get moved to the Static Group for the domain. This seems odd, given you can set a top level synchronisation using Distinguished Name (or "leave empty to synchronize the whole tree", the tooltip says), and below that you can enter multiple Distinguished Name(s) you wish to exclude from the synchronization. Therefore this actually seems like an unnoticed (or maybe it has been noticed) bug in this function implementation. Obviously, our end goal here is to have a single static group per Active Directory domain and all computers for the relevant domain be synchronized into that static group away from the Lost & Found static group, however we do not want all OUs from the domain synchronised under the static group, it's not necessary. Last tested on ERA 6.5.522. Also to add to this, the option for "Users Only" when making a User AD Synchronization is also missing, please add and like the computer above works to sync all AD users to a single Static Group.