[Blocking all streaming websites but one specific video]

2 hours ago, Marcos said:

What about creating a permissive url-based rule for the url you want to allow and another blocking rule for the youtube.com domain and putting it below it?

Not working

[Blocking all streaming websites but one specific video]

Hi,

Is posible Block all streaming websites but one specific video (e.g. Youtube)?

Thanks.

[HASH on the Inspect]

Hi,

1.How does inspect generate the hash of an executable?

2. Why in some case the executable have is an unknown hash?

best.

[Search URL or IP]

ok thanks,

This is limitation of EIC should release and improve the Relationship graph

 

[Search URL or IP]

Hello,

It is possible to see the URL or IP from site not listed as malicious and the endpoint downloaded malware from this site.
ESET Inspect only see the executions.

With other XDR this is possible.

 thank you.

[Exclusion for CreateProcess]

Hi,

James thanks for your time.\

Best

[Exclusion for CreateProcess]

@JamesR can you help me please? 

[Exclusion for CreateProcess]

Hello,

what is bad?

<definition>
    <parentprocess>
        <operator type="AND">
            <operator type="OR">
                <condition component="FileItem" property="FileName" condition="is" value="php-cgi.exe" />
                <condition component="FileItem" property="FileName" condition="is" value="php.exe" />
            </operator>
            <condition component="FileItem" property="Path" condition="starts" value="c:\php\" />
        </operator>
    </parentprocess>
    <process>
        <operator type="AND">
            <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90" />
            <operator type="OR">
                <condition component="FileItem" property="FileName" condition="is" value="cmd.exe" />
                <condition component="FileItem" property="FileName" condition="is" value="conhost.exe" />
            </operator>
            <operator type="OR">
                <condition component="FileItem" property="Path" condition="starts" value="%SYSTEM%" />
                <condition component="FileItem" property="Path" condition="starts" value="%WINDIR%\syswow64\" />
            </operator>
            <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows" />
        </operator>
    </process>
    <operations>
        <operation type="CreateProcess">
            <operator type="and">
                <condition component="FileItem" property="FullPath" condition="is" value="c:\php\php.exe" />
                <condition component="FileItem" property="FullPath" condition="is" value="c:\php\php-cgi.exe" />
            </operator>
        </operation>
    </operations>
</definition>

 

 

 

 

 

[False positives of Windows system file detection]

On 3/4/2023 at 9:51 AM, Marcos said:

Couldn't it be that you are using a developer version of Windows 11? Are the files still detected when you re-scan them? If so, please provide logs collected with ESET Log Collector.

Resolutions not use developer version of Windows 11. 

[False positives of Windows system file detection]

+1 is false positive or what? ? 

[ECOS SLOW - BIG TENANT O365]

Hi,

Slow loading pages, user's module,

This causes the browser example message (see attach) when work assigning a policy to users.

Firefox, Chrome same in mode incognito 

regards. 

[ECOS SLOW - BIG TENANT O365]

Hello, 

Why ECOS load slow on tenant with 100k of users? 

Datacenter on USA, 

some else present this issues? 

 

[Detection by Endpoint Security alerts]

Hello @Lockbits@JamesR

Thanks, 

 Some other tips for optimization or make exclusion and rules. 

it's very appreciated.

 

Best 

[Detection by Endpoint Security alerts]

21 hours ago, vanroy said:

Hello,  

How have you resolved this?

"Detected by ESET Endpoint Security product" alerts

 

best.

hello @JamesR

[Detection by Endpoint Security alerts]

On 2/8/2021 at 4:16 PM, Lockbits said:

Hello guys,

I've two suggestions:

1) The option to apply exclusions for web control detections or "Detected by ESET Endpoint Security product" alerts. We've a customer that is using web control and we configured the product so all blocked websites are logged in EPC console setting the verbosity accordingly. The problem is that this information is also sent to EEI console and this add a ton of unnecessary data and difficult the detection of valuable data. We can disable the verbose level but this will also affect the blocked website being logged and reported to ESMC.

I mean this:

 

Hello, 

How have you resolved this?

"Detected by ESET Endpoint Security product" alerts

 

best.

[Login failed: UserInfoProvider: ESET Protect Server not available]

Hello,

Have issue w/ ESET Enterprise Inspector to login result "Login failed: UserInfoProvider: ESET Protect Server not available" 

it was working fine and the user password is correct. after 1 day the issue persist!

All services ESET protect and ESET Enterprise Inspector working!

ESET protect and ESET Enterprise Inspector Installation is on the same server!

 

On the log EEI see!

2022-03-31 14:29:33 02e0c Info: 2022-03-31 09:49:27 - audit(00000000-0000-0000-0000-000000000000 Login attempt Forbidden [User=Administrator])
2022-03-31 14:29:33 02e0c Info: 2022-03-31 10:24:04 - audit(00000000-0000-0000-0000-000000000000 Login attempt Forbidden [User=Administrator])
2022-03-31 14:29:33 02e0c Info: 2022-03-31 10:24:27 - audit(00000000-0000-0000-0000-000000000000 Login attempt Forbidden [User=Administrator])
2022-03-31 14:29:33 02e0c Info: 2022-03-31 10:25:08 - audit(00000000-0000-0000-0000-000000000000 Login attempt Forbidden [User=Administrator])
2022-03-31 14:29:33 02e0c Info: 2022-03-31 10:25:36 - audit(00000000-0000-0000-0000-000000000000 Login attempt Forbidden [User=Administrator])
2022-03-31 14:29:33 02e0c Info: 2022-03-31 14:21:23 - audit(00000000-0000-0000-0000-000000000000 Login attempt Forbidden [User=Administrator])
2022-03-31 14:29:33 03654 Info: ESET Protect: there was a problem while connecting to ESET Protect Server. User was blocked. Please try again later.
2022-03-31 14:29:33 0352c Info: ESMCMachinesMetadataSyncTask: Failed requesting static groups/machines metadata/alerts. User was blocked. Please try again later.
2022-03-31 14:29:33 03654 Info: ESET Protect: there was a problem while connecting to ESET Protect Server. User was blocked. Please try again later.
2022-03-31 14:29:33 02e0c Error: ESMCAuditExportTask: Error occurred while exporting audit to ESMC. User was blocked. Please try again later.
2022-03-31 14:29:33 00410 Error: ESMC: failure to authenticate during alarm export. User was blocked. Please try again later.
2022-03-31 14:29:33 03654 Error: ERADetectionEventsSyncTask: Failed to export alarms. User was blocked. Please try again later.

 

On the ESET protect trace log see

2022-03-31 19:01:33 Error: ConsoleApiModule [Thread 36bc]: 1383 Error while sending AuthenticateUser request [UserName=Administrator] CUserAccessLimiter::CheckAccess(): User Administrator from ipserver was blocked.
2022-03-31 19:01:40 Error: CServerSecurityModule [Thread b4]: CUserAccessLimiter::CheckAccess(): User Administrator from ipserver was blocked.
2022-03-31 19:01:40 Error: ConsoleApiModule [Thread 36bc]: 1383 Error while sending AuthenticateUser request [UserName=Administrator] CUserAccessLimiter::CheckAccess(): User Administrator from ipserver was blocked.
2022-03-31 19:01:40 Error: CServerSecurityModule [Thread b4]: CUserAccessLimiter::CheckAccess(): User Administrator from ipserver  was blocked.
2022-03-31 19:01:40 Error: ConsoleApiModule [Thread 36bc]: 1384 Error while sending AuthenticateUser request [UserName=Administrator] CUserAccessLimiter::CheckAccess(): User Administrator from ipserver was blocked.

Any ideas for check? 

 

[ESET PROTECT V9 OVA winbind service cannot start]

Hello, @Marcos

@tomo100brt@itman

Any idea for resolver this issues with winbind service cannot start on EP V9 Appliance. 

I see the error

"could not fetch our sid - did we join winbind"

Thanks

 

[ESET Endpoint Antivirus for macOS 7 with completely new architecture Early access program signup]

Hello, 

Please sign me for test @Peter Randziak

[Eset Endpoint v8.1 LiveGrid connection problem]

On 10/19/2021 at 8:39 AM, Marcos said:

Please switch to the pre-release update channel to download Direct Cloud Communication module 1122 which contains a logic for cases when DNS resolution is failing through all available name servers like in your case when CloudFlare name servers were used. Let us know if it resolves the issue for you. The module will be released for general public in a couple of days.

Hi 

Cloud Communication module 1122 is only for EES 8.1 or all Business solutions for windows? 

[Eset Endpoint v8.1 LiveGrid connection problem]

Hello, @Marcos 

Same issue on multiples clients 8.1 not firewall, not proxy, not blocking any traffic. 

What is the solutions? 

 

Best

[Update authorization failed. Please check if your license is valid]

Hello,

only on 2 update servers but 20-200 endpoints notifications intermittently .  

Is problem. 

best

 

[Auto-update mode restarts your server automatically?]

Hello,  @Marcos

 

Any news for the thread?

Thanks  

[Auto-update mode restarts your server automatically?]

Hello,

See

https://help.eset.com/efsw/7.3/en-US/idh_config_update_source.html

Program component update

Auto-update mode restarts your server automatically after the component update has been completed.

this sounds bad for servers in production!

 

[Error loading data: The session is not valid. / Erreur de chargement des données : La session n'est pas valide.]

Hello, 

Tomcat? on ESET PROTECT Cloud?

[Error loading data: The session is not valid. / Erreur de chargement des données : La session n'est pas valide.]

+1

Error on ESET PROTECT Cloud /

Test en chrome and edge. 

Any idea?