Posts posted by bbahes
-
-
6 hours ago, itman said:
FYI - it is no great secret that AV vendors have used DNS tunneling for quite some time:
https://www.helpnetsecurity.com/2016/09/19/dns-data-transport/
https://help.zscaler.com/zia/about-dns-tunnel-detection
It appears to me that the network perimeter security appliance's manufacturers are trying to demonstrate their "new and improved" detection methods at the expense of the AV vendors to counter criticism of their past ineffectiveness against malicious DNS tunnel attacks.
-EDIT- Also if one wants to look for nefarious tunneling activities, start looking closely at the manufacturer of the OS you are using, Microsoft.
Times change, as did ESET Endpoint over time. For example, v5 did not have an anti-ransomware module; v6 (guessing) and v7 do.
As for the Microsoft remark, I would welcome any solution from security vendors, like ESET, that would warn about this activity from Microsoft or any other software vendor and possibly block it on user demand.
-
30 minutes ago, MichalJ said:
Just to update concerning the DNS usage:
ESET services that are using DNS:
- Parental / WebControl, for the URL reputation
- Anti-theft (consumer only) concerning the config change status / updates
- EDF (licensing) concerning the config change status / updates
- Antispam (backup communication) for hashes / status
- AV Cloud (ESET Live Grid) - partial communication.
It's described within the following KB article:
https://support.eset.com/kb332/?locale=en_US&viewlocale=en_US
Correct me if I'm wrong, but I don't see in the KB article a statement that you use DNS for information exchange, only for DNS queries.
For example, for ESET Live Grid you only say "These IP addresses need to be enabled for HTTP port 80. Also, an access to your local DNS server is required for DNS queries on UDP port 53."
If port 53 or the DNS protocol is used for something other than name resolution, that should be noted in that text. I don't see a problem in information exchange as long as it's transparent and highlighted clearly in documentation. That way we could avoid problems with 3rd party products.
-
2 hours ago, wim said:
PaloAlto is blocking this because you are using DNS to pass info through the network. I don't see any reason why ESET would use this covert channel to distribute or receive info to/from clients. We will keep this type of traffic blocked on our network until there is a clear explanation what kind of info is exchanged via DNS and why it is done this way.
If we have clients on our network that have ESET installed and whose installation will not work anymore, we will send them to ESET support.
Wim Holemans
Network/Security Teamleader
University of Antwerp
Is this documented?
-
40 minutes ago, MartinK said:
I would recommend to double check system requirements for security product you installed. I am not familiar with Oracle Linux, but maybe enabled SELinux is causing problems? Or there are missing dependencies resulting in product's inability to start...
You are right, SELinux might be the main "problem".
-
1. Is option "Use All Server" selected just above server list?
2. What do you get in File > Edit Connections ?
-
3 hours ago, MichalJ said:
What other product is installed on the system?
Only agent. However, an attempt was made to install ESET File Security for Linux/FreeBSD, which failed. After that I manually tried to install ESET Antivirus for Linux.
-
3 minutes ago, MartinK said:
Please double check all UEAVBE4 dependencies are already installed on the machine. If I recall correctly, i386 version of libc is required (even on x64 system), and also few other libraries, including gtk. Details should be available in product documentation.
In case you are preparing deployment on larger amount of similar systems I would recommend to install manually first to verify everything works.
This is a test environment. I tried to install it manually, but got an error:
-
-
1 hour ago, MartinK said:
You have to install AGENT on that machine, manually or using so called AGENT live-installers. Once done, you can use Software installation task to deploy product.
Basically it generates a bash script inside a tar.gz archive?
-
23 hours ago, Foiler said:
A business with only two Windows 7 computers on the network both have the same problem .. Outlook prompts for re-entry of password almost every day.
Microsoft support are suggesting we have "network problems". However, this is a very unsophisticated setup, just a simple network and an inexpensive router with default setup. The mail setup is Office 365. The only "network" filtering possible would be the antivirus perhaps? Windows Firewall is disabled.
The antivirus is Eset Endpoint Antivirus version 5. Is it possible there is a setting in that which is blocking port 443 or access to Microsoft Certificates?
Just wondering if anyone else has had similar problems?
You could check policy settings: Windows desktop v5 > Personal firewall > Settings > SSL > SSL protocol checking
We had a similar situation but it was due to UTM settings.
-
38 minutes ago, Pinni3 said:
Looks like my problem is solved. Writing this as I want to clear things. Problem was caused by security profiles on UTM. Now everything works nice. Thank You ESET Crew for any help and Your private time You gave me, I really appreciate it.
Thanks for sharing info. Out of curiosity, did you investigate UTM logs for this issue or use a packet capture tool on server and client?
-
On 9/27/2018 at 8:17 AM, MichalJ said:
@Campbell IT Concerning your feedback. Issue with "logged in users" is, that there could be more than one user logged in on the machine, so choosing just one, might not be valid. However we are tracking improvement request to have this (adding the information in computer details was the first step). We are working on a redesigned computer table element, that would be more robust from the point of view of displaying the desired information.
Detection engine (previously VSDB) is not coming back, as it's just one of many modules in the product, and the information does not really indicate whether the product is updated or not. We are instead working on adding information about "last update attempt" and "last successful update". Out of curiosity, for what purpose you would use the Detection Engine version info for?
We are also working on "tagging functionality" that would allow specification of tag manually (in the first phase) and later automatically, that would replace the "custom fields" functionality in the old ERA V5.
We've had situations where ESET had problems with antivirus database (usually many false positives with web filtering) where we had to revert to previous version. However, that was not main focus for us since fix was delivered in few hours, but we had quick overview of what clients had which version in comparison to ESET server or ERA server.
-
If you use v5 there is Tab "Advanced setup" (Windows desktop v5 > Personal firewall > Settings > Rule setup) where you uncheck "Allow remote desktop in the Trusted zone". Did you try unchecking this option?
-
1 minute ago, MartinK said:
Any chance you still have that "malicious" file available? It is definitely suspicious ...
No. Unfortunately Windows Defender deleted it completely.
-
UPDATE: After deleting and recreating the installer in Installers I was able to download the installer normally without a virus warning.
-
4 hours ago, Ritesh Sharma said:
Problem: unable to create all in one installer. I get internal server error. How can I solve this?
I was testing new virtual appliance instance today and I got the same error. However I was able to resume after I clicked link again "Download 64 bit version".
After that I got message from Windows Defender that it detected virus:
-
Just now, MartinK said:
It seems that appliance was reverted to state when it was not configured yet, so instead of opening https://<hostname>/era/webconsole/, you should open https://<hostname>/ to access configuration webpage.
You are right. As soon as I tried in a different browser with https://<hostname> the initial wizard started.
Thank you both for quick response!
-
Hi!
Testing ESMC v7 and after reverting to previous checkpoint in Hyper-V I get error:
-
2 hours ago, Ritesh Sharma said:
We currently have Eset version 5 ERA (5.3.39.0). I was told to install esmc and install agents and then install client software. I was also told that upgrading of eset 5 is not possible.
I have installed my esmc successfully. According to documentation it states to create an all in one installer and deploy that in clients
Problem: unable to create all in one installer. I get internal server error. How can I solve this?
I was able to get agent and installer by downloading it from eset website. When I installed using this the agent and installer package I got from internet it had asked for activation so I entered my key. This works but I want all the clients to be updated via my server (esmc). How can I accomplish this?
Can eset client by activated by ESMC? If so how?
We already have eset clients with eset 4,5,6 on the network. Do I need to uninstall these as clients do show up but it doesn’t show that eset is installed when looking from ESMC
We also have servers 2003,2008,2012 on our network. Is there any difference to client deployment to a normal client e.g. windows 10 client as to a server 2012,2003 client. Or is it the same
Is there any possibility of upgrading my current era server to most recent?
If I use Migration Assistant then what happens to the era console. Does it still work. Do I need to back up? If so what do I need to backup
Requesting if appropriate links can be given to solve the issues at hand
In my organization we also use v5 and plan to move to v7. Reading the forum and documentation (Migration assistant vs Migration Tool), we plan to have a virtual appliance of ESMC and manually move one client at a time.
Basically you have 3 options:
1. Migration scenario 1 - Migration to ESMC 7.x running on a different computer than ERA 5.x.
2. Migration scenario 2 - Migration to ESMC 7.x running on the same computer as ERA 5.x.
3. Migration scenario 3 - Migration to ESMC 7.x where endpoints connect to old ERA 5.x until the ESET Management Agent is deployed by ESMC 7.x.
https://help.eset.com/esmc_install/70/en-US/migration_from_era5.html?migration_tool.html
Regarding your problem with internal server error, did you use virtual appliance for ESMC deployment or did you use Windows Server?
As for upgrading your current ERA server, unfortunately this may be possible only for a short time, since the plan is to have it EOL by December this year https://support.eset.com/kb3592/#era
-
2 minutes ago, bbahes said:
For some strange reason, editor did not post entire message.
I also added that you post feature request on https://forum.eset.com/topic/14271-future-changes-to-eset-remote-administrator/
I would only add to your request for scheduled scan, option to scan PST/OST when PC is in idle state.
-
-
9 hours ago, ShaneDT said:
So is there any way to disable this behaviour upon installing EES?
Would selecting the following policy make any difference;
ESET EES Policy / Web and Email / Email Client Protection - Disable checking upon inbox content change
When deploying EES to new customers, it's not practical to be;
a) going through everyone's Outlook folders to confirm they don't have thousands of emails in their Inbox, or
b) explaining to the new customer that Outlook will be unusable for several hours because ESET needs to scan and change attributes that will then need to synchronise with Exchange Online (probably 80% of customers) and there is no way to turn this off, so you'll just have to use webmail while you wait.
It's not a good first impression for a new product (regardless of the virtue of scanning the Inbox).
It would be better to be able to schedule a task to scan the entire Outlook data file at a more convenient time after hours.
This helped us on v5. Please do test this and if possible report back.
-
Description: Agent logs in Endpoint product
Detail: It would be practical to have agent log in Endpoint product Log Files for easier export and review.
-
32 minutes ago, Kieran Barry said:
We have recently upgraded from ERA v5 to v6.x and from Endpoint v5 to v7.2
I was asking about the situation where you upgraded from v5 to v6. Was this Windows server? We need to jump from v5 to v7.
Outlook prompts for password every day - Office 365 mail - Eset Endpoint Antivirus version 5
in ESET Endpoint Products
Just out of curiosity, which protocol do you use to communicate with O365 servers?