Everything posted by AStevens.SHG

  1. During testing of deploying the latest version of ESET Endpoint Security over older 6.2 version, we find the firewall is non-functional, even after a reboot following the upgrade. However, a second reboot then seems to clear the problem, this means we need to find a way to run two reboots in the deployment which is tricky for SCCM (we deploy this way so as to give the users some choice in when they apply the update as per their schedule). Seems to be a recent problem, normally one reboot is sufficient, I suspect it's a recent Windows Update that's changed this, or maybe something in this newest version of Endpoint Security, is this a known problem? Is there a new build of Endpoint Security on the way that can update and be functional in one reboot? Thanks.
  2. Description: Remove old Active Directory users from Mapped Domain Security Groups in Access Rights. Detail: We use Mapped Domain Security Group from Active Directory to grant permission sets to users, Administrators, Read Only Administrators, Service Desk Users, Reporting Users, etc. However, when those users leave the business, and their AD accounts are disabled and deleted, they're still listed in the Domain Users tab for Mapped Domain Security Groups. Although those accounts can no longer login to ERA, to keep it tidy and security/auditors happy, we would like to be able to remove them.
  3. Thanks @MichalJ so hopefully pretty soon for v7, not months away/end of year or next year kind of thing, granted things can slip of course for variety of reasons. "is one of" or the current "in" works to allow multiple matches of one criteria, the options being pre-existing. But for combining multiple separate conditions, the only way currently is to get fancy with regex (if that's an option on the particular field), which I've had trouble in the past with ESET accepting the regex syntax when trying to do bit more complex (yes to these, no to those words/letters/symbols/etc.). Nesting can be complex, but can also provide a lot more flexibility, Dynamic groups and reports of course.
  4. Description: Nested OR and AND in Dynamic Groups / Virtual Machines Detail: Nested OR and AND in Dynamic Groups creation, so you can have two or more sets of OR under an AND, or two or more sets of OR under an AND, or any combination. Example Virtual Machine or not (Physical) so we can split these two types apart, some advice here for how to determine it, will likely require nested criteria: https://blogs.technet.microsoft.com/kevinholman/2014/10/16/faq-how-can-i-tell-which-servers-are-physical-or-virtual-in-scom/ PS. What's the rough expected release date for ESMC V7 at the moment?
  5. Description: Dynamic Group Filters - Computer Type Detail: This is a request going back to 2015: As in that post, we want to be able to create Dynamic groups of Laptops, Desktops and Virtual Machines (and by contrast Physical Machines), some may want to get as granular as the different kinds of Desktops and Laptops, but I doubt anyone needs/wants that level. At the moment we either have to use a name mask, or there is checking for the "Not Presence" of a battery, although I wonder if some UPS setups may skew the results. As I said back then, please read from the SystemEnclosure and based on some simple logic work out if it's a Desktop, Laptop, or Other/Unknown, this I expect is what other products do. https://technet.microsoft.com/en-us/library/ee156537.aspx?f=255&MSPPError=-2147217396 In addition, you can also work out if it is a Virtual Machine or not (Physical), some advice here for how to determine it: https://blogs.technet.microsoft.com/kevinholman/2014/10/16/faq-how-can-i-tell-which-servers-are-physical-or-virtual-in-scom/ It may be we'll have to create this one, once you enable the multiple nested OR and AND in Dynamic Groups (I hope you're adding that, looks as though you are for Reporting side). We might have to include Model information to correctly identify Microsoft Surface hardware.
  6. Hi @MichalJ I've tried some variations, and it doesn't appear wildcards (*) are accepted, it's 6.5 and 6.6 versions. %USERprofile%\Downloads\putty.exe as a test does work, so that's interesting, will see what we can do with that.
  7. Description: Firewall rule, Local Application wildcard support Detail: Currently it's possible to make Firewall rules using a condition based on the local Application, however you must input a full executable file path, such as: C:\Program Files (x86)\PuTTY\putty.exe We would like to be able to use wildcards, so we can instead enter either of these: C:\Program Files (x86)\*putty.exe *putty.exe This allows us to open the rule up to either any executable with that name within subfolders of a folder location, or any on the computer. This would come in handy for such applications to include their version number in their installation path (): C:\Program Files (x86)\Program v3.2\program.exe As well as programs that install into the user profile location: C:\Users\*\AppData\Roaming\Spotify\Spotify.exe Although in this case, perhaps a different wildcard to *, as we want to restrict it to permit only 1 level of folder wildcard, so that C:\Users\folder1\folder2\folder3\AppData\Roaming\Spotify\Spotify.exe doesn't work/match. The applications I've used as an example here are not representative of the actual applications we would use these rules on necessarily, just examples I could immediately think of to give an idea.
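The matching behaviour requested in the post above, as an added example that is not part of the original post and is not ESET rule syntax: `*` spans any number of folders, and `?` is a hypothetical stand-in for the single-level wildcard the post asks for. The sample paths are constructed; auditing a pattern against them shows how much wider `*putty.exe` is than the folder-anchored form.

```python
import re

# Hypothetical wildcard tokens (assumptions for illustration, not ESET syntax):
#   *  any run of characters, backslashes included (any folder depth)
#   ?  exactly one folder or file name: one or more characters, no backslash
# "?" is chosen because it cannot occur in a real Windows file name.


def compile_rule(pattern: str) -> re.Pattern:
    """Translate a wildcard path pattern into an anchored, case-insensitive regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(r".*")        # crosses folder boundaries
        elif ch == "?":
            parts.append(r"[^\\]+")    # stops at the next backslash
        else:
            parts.append(re.escape(ch))
    # Windows paths are case-insensitive, so the rule is too.
    return re.compile("".join(parts), re.IGNORECASE)


def matches(pattern: str, path: str) -> bool:
    # fullmatch: the pattern must cover the whole path, not just a substring.
    return compile_rule(pattern).fullmatch(path) is not None


def audit(pattern: str, paths: list) -> list:
    """Return every path a pattern would admit, for reviewing a rule before use."""
    return [p for p in paths if matches(pattern, p)]


# Constructed sample paths (not taken from any real host).
SAMPLE_PATHS = [
    r"C:\Program Files (x86)\PuTTY\putty.exe",
    r"C:\Program Files (x86)\PuTTY 0.70\putty.exe",
    r"C:\Users\alice\Downloads\notputty.exe",
    r"C:\Users\alice\AppData\Roaming\Spotify\Spotify.exe",
    r"C:\Users\folder1\folder2\folder3\AppData\Roaming\Spotify\Spotify.exe",
]

if __name__ == "__main__":
    for rule in (
        r"C:\Program Files (x86)\*putty.exe",
        r"*putty.exe",
        r"C:\Users\*\AppData\Roaming\Spotify\Spotify.exe",
        r"C:\Users\?\AppData\Roaming\Spotify\Spotify.exe",
    ):
        print(rule)
        for hit in audit(rule, SAMPLE_PATHS):
            print("   allows:", hit)
```

Because `*` is not tied to a path separator, `*putty.exe` also admits any file whose name merely ends in `putty.exe`, from any writable folder.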
  8. @MichalJ Thank you. Point 1 - The most urgent requirement is to print Firewall rules in a readable format (CSV / TSV / XLSX / DOCX / PDF) to review, or record for auditing, really need something ASAP for this. However, I expect this will extend to all "Lists" within ESET, zones, IDS exceptions, app modification web and device control, and other exclusion lists, anything similar. I do see an "Import" option on Exclusions popup, but only when viewing the top level Antivirus, Files and folders to be excluded from scanning, not on real-time, on-demand, etc. file extensions exclusions popup. Secondly, I would say more for an ERA Administrator, it would also be very useful to be able to export the rules, zones and other "lists" in ESET to CSV / TSV and then be able to import them. While we are able to Duplicate a whole policy, this would give more flexibility to create and import a previous list, while quickly removing/adding lines in the CSV file before. Point 2 - Excellent, is there a rough ETA on ESMC V7 yet? Point 3 - Great, thank you.
  9. Description: Individual firewall rule hit count. Detail: Similar to hardware firewalls, it would be nice to see a hit count, packets matched, kind of information per individual firewall rule in Endpoint protection, also for that information (similar to above requests) to be visible in ERA, and total of the hits across all clients with the same rule. So we can generate reports, this makes it easier to find rules no longer being used and can be removed safely.
  10. Description: See Endpoint client logs within ERA. Detail: We would like to be able to see the logs from a client (Detected threats, Events, Computer scan, Blocked files, HIPS, Firewall, Filtered websites, Antispam protection, Web control and Device control) within the client entry in ESET Remote Administrator. While some threats and problems are highlighted in ERA, not everything is. A Filtered website blocked by Anti-Phishing blacklist for example doesn't seem to appear in ERA, can only view it on the client's log.
  11. Description: Export list of firewall rules (zones, exclusions and any other configurable lists) Detail: IT Security would like to regularly review the list of firewall rules, zones, exclusions, basically any configurable list within ESET on a regular basis. There doesn't appear to be an easy way of doing this, from an ESET client you can export settings to an XML file, but this isn't readable for management staff.
  12. Excellent, pity it can't be hot-fixed in the current 6.5 release, but glad to know it will be corrected in V7. We don't currently use "users", but have noticed it there and intrigued for the possibilities you mention, user variables in policies sounds interesting. Two issues we have that I wondered if this would help with, is a desire to include the current/last logon user detail from AD (username, Full Name/Display name, email, telephone, etc.) in reports, the Service Desk/Deskside support want user information as presumably they track down the user, and then from there the computer. Currently we have to do some look up using other products (KBOX, SCCM). User variables in policies for Endpoint sound interesting, would it be possible to have an application path in a firewall rule to allow C:\Users\%username%\AppData\Roaming\Application\Application.exe or %userprofile%\AppData\Roaming\Application\Application.exe ? Or would it be more of a user scope under a Local tab, so this rule only applies to these domain users logged onto the machine? Or a whole policy applying to a specific domain user or users whatever PC they are on? Also interesting, though... that would probably require the syncing of AD Groups (Domain Local, Global Group) and ESET understand Group Inheritance, as you'd likely want to assign it based on groups of users, than one or two specific users (though that would come in handy for IT/Testing).
  13. Description: Export list of computers from Dynamic or Static Group / Additional reporting filter options Detail: Rather than having to create a report, it would be useful to just be able to export a Group's (Static or Dynamic) list of computers out to CSV, TSV, PDF, etc. Especially as Reporting filtering is more limited than Dynamic Group filtering. Would be nice to have additional reporting filter options, such as "does not contain", "does not equal regex", "not in", "not prefix/postfix", etc. etc. As well as being able to set two (or more) criteria for a single field, e.g. "OS name has prefix" "Microsoft" AND "OS name has not postfix" "R2". Also the option of "OR" rather than just "AND". And being able to group multiple ANDs or ORs. Hopefully some or all of this is included in the new changes in the next version as highlighted in previous post by MichalJ. Other posts:
  14. Description: Remote Administrator Console Login accept username in UPN format. Detail: When logging into the ESET Remote Administrator console, if using an AD login, you need to specify the username as "DOMAIN\username", however if you try to use the UPN format (common due to increased cloud usage) "username@fully.qualified.domain" then it's not recognised. Also, if you don't include a domain then it's also not recognised. Please support the UPN format and have the server default to a domain (if ERA installed on Windows, default to the domain the server is joined to), or allow an option to specify a default domain in ERA settings.
  15. Description: Static Group Synchronization using "Objects to Synchronize" set to "Computers Only" will sync all computers from AD Domain. Detail: After creating a Server Task of Static Group Synchronization for an Active Directory domain, the "Objects to Synchronize" was set to "Computers Only" (we do not require the entire AD OU structure synchronized to ESET Remote Administrator, we use Dynamic Groups and assign policies there), and the "Distinguished Name" under Synchronization settings is blank or set to the highest level "DC=test,DC=domain,DC=com", no computers are synchronized or existing computer objects moved, even though "Computer Creation Collision Handling" is set to "Move". If we set the "Distinguished Name" under Synchronization settings to "OU=Domain Controllers,DC=test,DC=domain,DC=com" then we see the domain's DCs, their computer accounts which exist in that OU (just that OU of course), get moved to the Static Group for the domain. This seems odd, given you can set a top level synchronisation using Distinguished Name (or "leave empty to synchronize the whole tree", the tooltip says), and below that you can enter multiple Distinguished Name(s) you wish to exclude from the synchronization. Therefore this actually seems like an unnoticed (or maybe it has been noticed) bug in this function implementation. Obviously, our end goal here is to have a single static group per Active Directory domain and all computers for the relevant domain be synchronized into that static group away from the Lost & Found static group, however we do not want all OUs from the domain synchronised under the static group, it's not necessary. Last tested on ERA 6.5.522. Also to add to this, the option for "Users Only" when making a User AD Synchronization is also missing, please add and like the computer above works to sync all AD users to a single Static Group.
  16. Hi Marcos, Please read from the SystemEnclosure and based on some simple logic work out if it's a Desktop, Laptop, or Other, this I expect is what other products do. Our naming mask only works so much, as some of our companies (we're a group of companies) decided to name the computer by the asset tag (:facepalm:) https://technet.microsoft.com/en-us/library/ee156537.aspx?f=255&MSPPError=-2147217396
  17. So I'm trying to use a Custom PFX file to sign a Server Certificate, but it's not working, I've tried an Intermediate Cert PFX, I've tried an Intermediate Cert with the Root CA Cert in a PFX, and I've also tried just a RootCA Cert PFX file, it won't create and sign the Server Certificate. Failed to create certificate: Creating and signing peer certificate failed. Check peer certificate validity, certification authority validity and their overlap.: Trace info: CreatePeerCertificate: Peer certificate validity is not fully covered by certification authority validity Failed to create certificate: Creating and signing peer certificate failed. Check input parameters for invalid or reserved characters, check certification authority pfx/pkcs12 signing certificate and corresponding password.: Trace info: CreatePeerCertificate: CryptAcquireCertificatePrivateKey failed with Cannot find the certificate and private key for decryption. Error code: 0x8009200b CreatePeerCertificate: PFXImportCertStore failed with Access denied. Error code: 0x80090010
  18. Still looking at this one (as we've got a workaround for the Instance DB, which should hopefully work, I'm still doing this single test servers). Scratching my head at the Installer option to "Load certificates from file" as opposed to "Generate new certificates", reviewing the ERA console after installation (using the generate option), it appears that you can't actually import a Certificate Authority, other than the Public Key to trust a "previous" server/setup, you can't import the private key and continue using it as before, I assume this is probably a design decision intended to be more "secure". Therefore, if you do import certs at this stage, they're useless except to support previous clients setup with an older server, the new server will still need to make a new CA for new certs (agent/proxy) to deploy to clients. There is an option to sign certs with a "Custom PFX" file, but does that mean every time we have to browse to the PFX file to sign a new Server, Agent, Proxy certificate? Ideally, I just wanted to generate a request from ERA, go to our existing Certificate Authority, process a request using the "Subordinate Certificate Authority" template, and give the generated certificate to the ERA server, and be able to export the Private key from the ERA to keep as a backup and re-apply if necessary (db corruption, rebuild of db for some issue, moving to different SQL server and backing up/restoring of db not possible), I guess currently that's not supported and not possible? A "Settings Export" from ERA console wouldn't go amiss either, yes you take regular backups of the SQL database, and probably best to keep a couple of them at pivotal moments indefinitely (like first setup).
  19. Hi scott72, that thread is referring to the webconsole SSL certificate, which I suspect we will get to at some point and we have a commercial wildcard certificate I plan to use for that, and have some previous experience of keystores and getting that to all work, those instructions will be handy though at that stage. At the moment it is specifically an ERA "Server" certificate the installer is asking for, and in our setup we'll have a cluster, so at least two node server names, plus a cluster name, plus the FQDN we'll be using for the cluster, possibly these are all needed in the certificate as subject alternative names? I've tried using IIS or similar to make a request, for some reason it either complains about no template selected or doesn't generate one with the Subject Alternative Names. Normally products allow you to generate a CSR and then we load that into the CA. Additionally, this article shows some later certificate creation and the sign method is either custom pfx file or Certificate Authority, which gives the impression I should generate a Subordinate CA certificate from our CA for the ERA to be a SubCA so it can sign new certs it makes?
  20. Oh good grief, this was one reason we moved to ESET was for v4/v5 and the ease of use on clients, they just checked in and were unique by name or mac, perfect for VDI. Hoping 6.2 makes this easier, or newer versions of ERA 6 before we get to this stage.
  21. I really hope ERA 6.2 addresses our problems with installing ERA 6.1, it'll be worth the wait then, although we need to be rolling out and replacing our old AV by now.
  22. So I understand in ERA v6 certificates are used for securing communications between ERA Server and ERA Agents, as part of the setup you can create a server certificate and an Agent certificate later on I believe. I think this option generates a CA within ERA server. We have our own internal CA, and as such would like to utilise that for certificate generation, however the documentation is very sparse for the installer, what certificate is it asking for, and how do we create a suitable one from our CA, how to make the cert request, and what common name and subject alternative name DNS hostnames does it require? We don't want any wasted certificates in there as I've read you can't remove them currently in ERA 6.1 It's not clear if you can create server and agent certificates outside of ERA v6 and import them in for use, or whether you need to create them inside ERA v6 using your CA, does that mean you need to import the CA certificate into ERA v6? We'd probably not want to do that, can we make a SubCA certificate from our CA for ESET RA to use to generate certificates? I have an open ticket with support, but this is dragging on. Anyone else managed to get this setup working that can shine a light on this? Thanks. Note: We are doing a component ERA Server installation on Windows (see this thread: https://forum.eset.com/topic/5630-installing-eset-remote-administrator-using-sql-2008-r2-failover-cluster-and-a-named-instance/ ), we are stuck at that point, but if we get past that, then it'll be this certificate stage we'll get stuck at again. I ran through the installer a little further on a test system without the cluster SQL instance, and this suggests we just need a server certificate from our CA and don't need the CA certificate as such. Still the question remains on how to make the server certificate, what Subject Alternative DNS names are required, especially given our intended Cluster install. 
However, if we don't have a CA cert imported will that mean generating the Agent certificate will be harder (create outside of ESET and import), instead of being able to generate within ESET? If we make a SubCA cert and imported that into ESET will it then be able to generate Server and Agent certs easily in the ERA?
  23. We're trying to setup ERA v6, I'm doing a component install because we want a cluster setup, and getting stuck at the database section of the Server install. It appears it's unable to understand our SQL cluster with a named instance, note we are NOT using SQL Express, so we cannot fix the port, SQL Clusters and named instances don't work that way, it uses port 1434 to look up the details, or should do. We've tried with 1434 or leaving the Port field empty, the installer insists on a port being specified, normally in this setup the port is left blank. We have an ERA v5 server, for our older Windows 2000 servers still knocking around we're unable to get rid of (some of them there are plans underway to upgrade or replace), and of course our Linux servers and odd workstations, since v6 doesn't support Linux at the moment. On ERA v5, it was possible to just enter a DSN name into the ESET Installer, and do the SQL db configuration in the Windows ODBC Administrator, that's how our ERA v5 is working, however on the v6 installer this option is not present. Additionally, as part of our testing to confirm this, we found that if an era_db had been created beforehand, then it refused to use it saying it was not for ESET purpose or was corrupted, so we have to grant ESET installer account full server permissions to create a database? That's a bit unusual. I have an open ticket with support, but this is dragging on.... are we the only one wanting an ESET Cluster install and a SQL Cluster with named instance? Anyone else managed to get this setup working?
  24. Another sys admin enters the fray. I've used ESET for years in other businesses and was so pleased to finally be able to dump our aging McAfee and Fisher-Price Symantec.Cloud AV setups in the business for ESET. I'd been out of the loop for a bit, discovered ESET has become a rocky road... we have Windows dating back to 2000 (yeah we are trying to upgrade/get rid of them, promise!), Linux (Servers and a couple of Desktops), and an ever growing Mac estate... which from memory I thought ESET would be perfect for and fix all our worries. Not so... despite the new shiny, pretty, webconsole v6... which can run on Linux (although reading this thread even that's rocky), Eset for Linux is still in the dark days of v4, not v5 and not v6.. eh?! Mac ESET Security product is only v6 as well. v6 does not support Linux or Windows Server 2000 therefore, which is a problem for us. So I had to double the server requirement, build a v5, start getting Linux v4 clients on it (NOT easy!), with help of our local office Linux IT guy, we're on the roll there finally, got ESET Linux file server on a few Dev boxes, hoping to rollout to production ones soon. Push installed to a Windows 2000 server, ah that's more like it, easy, will push out to our remaining Windows 2000 servers soon. Now to build the ERA v6 cluster setup.. Then like most of you, hitting the problems with v6 documentation... I've done many v5 cluster setup with little problems, although I get the distinct feeling I'm the only one who does an ESET cluster setup from talking to support. 
In v6 however, they've not thought through or tested a cluster setup, for starters it doesn't like a SQL Cluster, it can't find the instance port and wants us to nail a port down, that won't work when it fails over, if anything is using that port, it will fail to start, port assignments on cluster instances are meant to be dynamic, in v5 of course you could just put a DSN name and configure the db connection by ODBC Administrator and that worked. After that, there's this new certificate requirements, again the documentation is awful.. we're doing a new v6 setup, I want to use our own CA and make whatever certificates it needs but there isn't any proper documentation... normally products generate a CR. Although I've not got ERA v6 installed yet, I also raised with support about the components in v6, it's a culture shock, and a lot more manual work outside of ERA for us, and the documentation is lacking, I shall need further help from others again (SSL for the Apache Update Cache?), most of it is clear now, as I go through it may hit some more bumps in the road. I'm talking to support at the moment, but it's so slow as they have to go to Global and wait for an answer back. It's a real shame, and after I've been singing ESET's praises and we're struggling to get v6 up, not to mention the problems I see on this thread about deploying clients, bit worrying.