bbahes

Members
  • Posts: 521
  • Days Won: 5

Everything posted by bbahes

  1. Hi! Is it possible to remove predefined rules in EES v5 ? I have defined few rules in ERA v5, still on client I see so many rules (see attachment). Is it possible to get firewall in clean state and make my own rules? Thanks!
  2. If I pay for product it should be well documented and work out of box. If I pay for product I have at least some right to say I am not happy with quality. I have been deploying v6 in test lab since 6.1 and I don't see it for production ready. One day transition to v6 will be inevitable, but not yet. Having to do all these things you say is something someone from beta test team should have done. Doing test in test lab is just that. Test. Not searching for unknown bugs. Go ahead and look for example documentation on Active Directory deployment from Microsoft. You are guided step-by-step on what to do. Nowadays you even get online virtual lab for test.
  3. Before using v6 in production you should have done few tests then you would have known all this in advance. But, all that's left for you is: a) ask for refund and return to Kaspersky or b) try ESET v5. I would suggest b). This way you will stay protected and still be able to test v6. v5 is really complete product and show you why ESET is amazing! Yes, they have gone in wrong direction with v6, but let's wait and see for two more major releases this year.
  4. First I have to thank you for listening and reading our posts here regarding v6. Second, my two companies that have together 100 clients have extended licenses for one more year since we are very happy with v5 product we are monitoring v6 development and have postponed decision for antivirus switch on to next year. The main reason we don't need product like v6 is usability on administration side. For example, yesterday you had problem with your antivirus definition database. With the blazing speed I was able to see that version is 13102 on my ERA v5 server and that clients most probably have this version since they don't have any other way to download definition update other than mirror. This is very important to us, because with your v6 solution you force us to use third party product that only routes clients to your servers and I have no easy way to see which version is current. I say no easy way because you force us to use HTML interface to customize this interface in very strange way. In v5 I only had to click Tools - Server Options... - Updates and BANG! all information is in single location. Having console information with all clients listed in first plan and with single click of mouse to open Threat log and see what is threat on clients (that self updates, no HTML refresh!) is something your team should have foreseen even for "next gen" product. Having control of update on single point like mirror is major thing for us. You helped with mirror tool for v6 but this is not as easy as v5 was. With selecting all my clients and with few clicks (in responsive console interface) I was able to push new database to clients in few seconds. I was very confident in my actions knowing that all my clients will get database from ERA server and all almost at same time. With v6 you force everything with so many clicks and page refresh. This is in moment of panic like yesterday frustrating. And I wonder did I click that HTML button did it send HTTP POST to ERA... 
What about situations where I am unable to connect to ERA web interface? Don't you think there should be some alternative? Do you really think sys admins love administration tools in HTML? We do, but when we monitor things that are not critical, like I do with Unifi wifi controller. But when things get complicated we need robust tools like console management. If there is no plan to change this, and as you say there is none I expect that you at least return mirror feature within interface. Do you think that would be possible? Thanks again for reading! Regards. bbahes
We are an insurance company and thus have to comply with a lot of policies. Which means none of our machines have direct internet access. It took some effort, but everything except for the agent deployment, is done "offline" in our company. We have all of our 150+ servers and 400+ workstations available in one view. Rolling back the definitions yesterday took the exact same amount of time on ERA6 and ERA5: less than 2 minutes for all clients to revert (we use both, migrating now). Just saying: it is possible not to route it through ESET and have the same amount of control you have in v5. We use an update proxy (mirror) and the shared local cache. There is only one machine in our network that is allowed to get updates directly from the internet. That being said: it takes much more effort to setup initially than v5 which just works. (The agent we still download from the internet, simply did not get an offline install to work...). If you need help setting up a local mirror you may send me a pm, should not be a problem. The web interface is better in 6.3, and I can understand why they chose a web interface. Resellers of ESET are able to manage multiple installations. However: they certainly did not think this through. They should have known a lot of clients want the same kind of install as with 5: single mirror for all the clients. I think they are listening though.
I was able to setup everything you say in my test lab, because we also have many workstations in network that don't have any internet access, however it took so much more effort than in v5 as you said. For our full switch this has to be simplified and documented. I agree 6.3 is better, and we hope next two releases will bring even more reason to switch to v6, that is why we extended our license for one year more.
  5. First I have to thank you for listening and reading our posts here regarding v6. Second, my two companies that have together 100 clients have extended licenses for one more year since we are very happy with v5 product we are monitoring v6 development and have postponed decision for antivirus switch on to next year. The main reason we don't need product like v6 is usability on administration side. For example, yesterday you had problem with your antivirus definition database. With the blazing speed I was able to see that version is 13102 on my ERA v5 server and that clients most probably have this version since they don't have any other way to download definition update other than mirror. This is very important to us, because with your v6 solution you force us to use third party product that only routes clients to your servers and I have no easy way to see which version is current. I say no easy way because you force us to use HTML interface to customize this interface in very strange way. In v5 I only had to click Tools - Server Options... - Updates and BANG! all information is in single location. Having console information with all clients listed in first plan and with single click of mouse to open Threat log and see what is threat on clients (that self updates, no HTML refresh!) is something your team should have foreseen even for "next gen" product. Having control of update on single point like mirror is major thing for us. You helped with mirror tool for v6 but this is not as easy as v5 was. With selecting all my clients and with few clicks (in responsive console interface) I was able to push new database to clients in few seconds. I was very confident in my actions knowing that all my clients will get database from ERA server and all almost at same time. With v6 you force everything with so many clicks and page refresh. This is in moment of panic like yesterday frustrating. And I wonder did I click that HTML button did it send HTTP POST to ERA... 
What about situations where I am unable to connect to ERA web interface? Don't you think there should be some alternative? Do you really think sys admins love administration tools in HTML? We do, but when we monitor things that are not critical, like I do with Unifi wifi controller. But when things get complicated we need robust tools like console management. If there is no plan to change this, and as you say there is none I expect that you at least return mirror feature within interface. Do you think that would be possible? Thanks again for reading! Regards.
  6. No, but it helps me understand how ESET utilizes firewall in their virtual appliance. By the way. In your "Apache HTTP Proxy installation - Linux" - hxxp://help.eset.com/era_install/63/en-US/index.html?http_proxy_installation_linux.htm you say "at least version 2.4.10" but you never say that CentOS 6.7 (which is OS of your virtual appliance) does not support by default version 2.4 only 2.2. Why "at least version 2.4.10"? In short: each appliance contains Apache HTTP Proxy of supported version and with prepared configuration (/opt/apache/). In case you have not deployed appliance with enabled proxy, it is not started automatically and you have to enable it manually by steps described in mentioned article (section "How do I enable Apache HTTP proxy on my ERA Virtual Appliance after initial configuration?".) OK. I will give it a try right now and report results. So I did clean install and followed instructions to activate Apache HTTP Proxy and tested client that has access to internet blocked. The update passed ok and as I look at log file in appliance I see client hits proxy with requests. Is it possible to see this log (or list of client requests) in ERA rather to view log file in appliance? This could mean that we might consider to upgrade to v6 in future. We want to stay on v5 because of better GUI for administration.
  7. No, but it helps me understand how ESET utilizes firewall in their virtual appliance. By the way. In your "Apache HTTP Proxy installation - Linux" - hxxp://help.eset.com/era_install/63/en-US/index.html?http_proxy_installation_linux.htm you say "at least version 2.4.10" but you never say that CentOS 6.7 (which is OS of your virtual appliance) does not support by default version 2.4 only 2.2. Why "at least version 2.4.10"? In short: each appliance contains Apache HTTP Proxy of supported version and with prepared configuration (/opt/apache/). In case you have not deployed appliance with enabled proxy, it is not started automatically and you have to enable it manually by steps described in mentioned article (section "How do I enable Apache HTTP proxy on my ERA Virtual Appliance after initial configuration?".) OK. I will give it a try right now and report results.
  8. No, but it helps me understand how ESET utilizes firewall in their virtual appliance. By the way. In your "Apache HTTP Proxy installation - Linux" - hxxp://help.eset.com/era_install/63/en-US/index.html?http_proxy_installation_linux.htm you say "at least version 2.4.10" but you never say that CentOS 6.7 (which is OS of your virtual appliance) does not support by default version 2.4 only 2.2. Why "at least version 2.4.10"?
  9. It's not possible to improve it. Apache HTTP Proxy would have to be replaced with an ESET Http proxy that would need to be developed from scratch. There's no reason to reinvent the wheel once there are already efficient and reliable proxy servers from other companies that specialize in this area. Do you have KB article that explains how to setup apache proxy on your virtual appliance?
  10. But why not improve this inside ERA? Why complicate things with proxy configuration and maintenance of third party product?
  11. We have 30% internal notebook workstations that don't have any access to internet, so they don't hit proxy at all. This is why we need mirror tool in LAN. In future we will be implementing network access control and will isolate clients to part of network with antivirus update server that won't have access to internet. Also having single point where updates are downloaded is really handy for troubleshooting. @bbahes => Basically, you want to distribute the updates from the ERA server (machine on which you have your ERA V6 installed), which will act as the mirror, which basically means, that ERA server will have access to the internet (will be able to download update). Is this assumption correct? Exactly for this reason, we have added the option to install the Apache HTTP Proxy, on the same machine as ERA server, to act as the updates cache. But it does not work only for updates (and installers), it also allows Endpoints to utilize ESET Live Grid, our cloud-based reputation system, which drastically improves the security (as it increases the response times, and improves the detection). Live Grid does not work, in case Endpoints do not have connection to the internet. If you will divert Endpoint communication inside your LAN via the proxy, it will cache the updates, and also allows Live Grid requests to go through. The same is valid for the new licensing system, via proxy, it will be able to communicate to EDF, and utilize the "transparent license update functionality". I assume, that you are currently using offline license file for activation, which you will need to manually replace after the license renewal. Thank you for your feedback. It's proxy. And clients have to be able to resolve dns names or access internet in order to benefit proxy. Can you configure proxy in different way than for clients? Also, is there a way to see from ERA what proxy is downloading and for which client?
  12. in 1 PC, and every 1 or 2 days connect that PC to internet to download ESET Updates. Note: if you use a Firewall like ESET Endpoint Security has, you can select only ESET product connect to internet, in order to keep safe the connection and computers. This was one of the first suggestions from ESET in general after people asked mirror back. However this is still workaround, not a server side solution. I have often asked ESET to make update feature similar to Microsoft WSUS. One simple interface integrated in ERA that handles definition/product updates.
  13. We have 30% internal notebook workstations that don't have any access to internet, so they don't hit proxy at all. This is why we need mirror tool in LAN. In future we will be implementing network access control and will isolate clients to part of network with antivirus update server that won't have access to internet. Also having single point where updates are downloaded is really handy for troubleshooting.
  14. It still feels to me as unfinished product. Many things are still left to be configured outside central web console (Mirror Tool for example...). Documentation is still incomplete. However it's step in right direction since 6.2. We are still on v5 waiting for miracle to happen, v6 to be production ready.
  15. I think they plan to offer, like most antivirus solution now do, cloud solution so that you can manage license from cloud. My guess this is testing phase...live on clients
  16. I am able to access share via admin credentials in Windows Explorer. Proxy is set to "Do not use proxy server" and Connect to Lan as is set to Specified user, IP_ADDRESS_OF_ERA\admin. Still I'm getting error Invalid Username and/or Password.
  17. Share the subfolder /tmp/mirrorTool/mirror and set the path on clients as \\server\mirror. I did. However a new problem appears. Now my client says Invalid username and/or password. I am able to access this share from client (Windows 10) and browse folder, delete, create, modify....however Endpoint antivirus won't authorize. UPDATE: One thing that happened today. As I powered on virtual machines and started Endpoint antivirus update I got message Could not connect to server. After I accessed share from Windows Explorer with credentials, Endpoint antivirus reverted to message Invalid username and/or password.
  18. I agree, we still use v5, but I'm testing this new Mirror Tool and license is about to expire in less than 30 days so I have to make decision, renew license or drop for competitor product.
  19. So if I wanted to share update files via file share in Update server I would have to enter network share location? What specific folder? What about credentials? It all depends on the operating systems. The mirror tool merely downloads and saves update files to a disk and then you share the files like any other files. See the instructions for sharing files via Samba for instance. I know how to make a share on linux distribution like your virtual appliance CentOS 6.7, however I wanted to know where to enter those credentials in policy and what folder to share? /tmp/mirrorTool/mirrorTemp or /tmp/mirrorTool/ or /tmp/mirrorTool/mirror ?
  20. So if I wanted to share update files via file share in Update server I would have to enter network share location? What specific folder? What about credentials?
  21. Hi! I have created mirror on virtual appliance using command sudo ./MirrorTool --mirrorType regular --intermediateUpdateDirectory /tmp/mirrorTool/mirrorTemp --offlineLicenseFilename /tmp/mirrorTool/offline.lf --outputDirectory /tmp/mirrorTool/mirror Under policy settings for Update for Security product I have entered hxxp://IP_ADDRESS_OF_APPLIANCE:2221 under Update server. However I'm getting Unauthorized access on client under Update. What am I doing wrong?
  22. So...I've been trying to update client from mirror and I'm getting error "Unauthorized access" on client. Mirror is created on virtual appliance. What do I have to change in policy?
  23. So I did figure out what I have to enter in cron. Basically it's entire command for creating mirror. I really hope that you complete documentation for Mirror Tool for Linux and include configuration steps for SELinux for samba file shares and iptables. Or at least configure next virtual appliance to enable samba file share from start. Thanks.