bbahes

I wonder, would you consider RHEL as security vendor? If not why not?

Will new application filtering feature announced for future 7.x version of endpoint clients be able to control these situations? We have situations where clients roam outside corporate network and we would want to be able to control things on application level. Thanks!

We did not try to reproduce problem. I will ask user to repeat same process and give you feedback.

What user did in the end is restarted machine. After that alerts went away. We talked to user and he told us that he did not shutdown notebook in Start > Shutdown way but he just closed lid. After he resumed notebook from sleep state this alert started.

Maybe related....but I have one client (Endpoint v7) that has this alert in ESMC:

HI! We got today a event in THREATS: However, I see action as Detected. If we wanted to change action for this types of threats, which specific policy/rule would we need to modify? Thanks!

Description : Add variable for COMPUTER DESCRIPTION Details: We use COMPUTER DESCRIPTION to denote workstation position and/or users and would like to include this field in notification messages.

This is what I see in /var/log/httpd/error_log file: [Mon May 06 09:16:32.930991 2019] [proxy_http:error] [pid 29607] (70007)The timeout specified has expired: [client 192.168.224.8:49679] AH01102: error reading status line from remote server update.eset.com:80 [Mon May 06 09:16:32.931042 2019] [proxy:error] [pid 29607] [client 192.168.224.8:49679] AH00898: Error reading from remote server returned by hxxp://update.eset.com/ep7-dll-rel-lb/mod_049_horusdb_4350/em049_64_l0.dll.nup [Mon May 06 09:29:08.351585 2019] [proxy_http:error] [pid 4953] (70007)The timeout specified has expired: [client 192.168.224.8:50128] AH01102: error reading status line from remote server update.eset.com:80 [Mon May 06 09:29:08.351623 2019] [proxy:error] [pid 4953] [client 192.168.224.8:50128] AH00898: Error reading from remote server returned by hxxp://update.eset.com/ep7-dll-rel-stop1/mod_049_horusdb_4350/em049_64_l0.dll.nup [Tue May 07 09:07:03.708265 2019] [proxy:error] [pid 4185] [client 192.168.224.8:49861] AH00898: DNS lookup failure for: i3.c.eset.com returned by hxxp://i3.c.eset.com:80/ 192.168.224.8 was client that had problem with update on monday. Also I see many (not too many) messages about DNS lookup failure. Is this something I should look on my side, ISP side? cat error_log | grep -o "DNS lookup failure" | wc -l 64

Still...I would be nice to know what really happened. Maybe you could anonymize trace file with https://www.tracewrangler.com/ and share it...

Any comments? https://www.bleepingcomputer.com/news/security/hackers-selling-access-and-source-code-from-antivirus-companies/?fbclid=IwAR3EqbEHNpG3iKSyMA58JsURtKtewSUfqJmRaGwBFaGClDf0Lai5cOdRl64

This was only on one new client. After I logged in as Administrator it downloaded module updates correctly. Proxy policy is same for all clients in company. All others working fine.

I had similar problem minutes ago. Maybe it's similar problem?

I don't know does this matter, but I've logged in as administrator on client PC and started module update manually:

Hi! Deploying EES 7.1 further to new clients. On latest we have problem: Agent is connecting to ESMC:

You are right! Default filter is to filter resolved threats. In this case, JS/AdWare.Agent.AF was resolved on client by connection termination so it did not show up in Threats page. Thanks @MartinK

Hi! After deploying EES 7.1 to 50 clients we have one reporting (notification to e-mail for Malicious file detected (trojan / worm / virus / application) enabled in Notifications) "Malicious file JS/Adware.Agent.AF was detected on computer ..." However, I don't see threat reported in THREATS page in ESMC, but neither on client details > alerts page. We are using default policies and have only 3 that Append firewall rules: Is there something else we need to configure ?

Did you apply both Proxy policy for Agent and Product?

Not siding with ESET support, however, this is basic networking knowledge, not ESET endpoint problem.

If I do this now, what steps would I need to take in order for current clients to communicate correctly with ESMC? Second question, why is this not on by default? Maybe you could make checkbox in initial wizard to ask during deployment for protocol TLS 1.0, TLS 1.1 or TLS 1.2 ?

I see there is column REMOTE HOST that shows VPN IP's. I will try and use information from that column.

Hi! I think this was posted before, but I can't find post. We are deploying EES 7.1 clients and we have problem with IP address column in ESMC . It displays IP address of network adapter that is connected to LAN. However, some of our clients use VPN connections. In ERA v5 we got updated with this information as this is address that client uses to communicate on Layer 3. Is there a option to show/update all IP addresses from clients in ESMC interface?

Hi! We are deploying ESMC 7.x and EES 7.1 to our environment. I have created static group MyGroup under main static group All. I have assigned some default policies to MyGroup. Below MyGroup I have created first department group MyDepartment. Under Policies of MyDepartment I don't see policies I have assigned to MyGroup. Do I have to check some option in order for static group inherit policies from parent group? Thanks!

@Marcos Does Endpoint 7.1 align with ESMC 7.0 policies? I am about to deploy ESMC 7.0.72.0 and EES 7.1 and just wanted to check if features like Audit log and Security report are already supported by ESMC 7.0 or there is ESMC 7.1 about to be released that will support new client features? Thanks in advance!

I was thinking more of using EEI feature: "Easily suppress false alarms by adjusting the sensitivity of detection rules for different computer groups or users. Combine criteria such as file name / path / hash / command line / signer to fine-tune the trigger conditions. ". So critical system files/ updates that have correct signature and hash would be excluded from checking.

Looks to me that you could use EEI technology here. Maybe merge two products?