karsayor

Members
  • Posts: 116
  • Days Won: 3

Everything posted by karsayor

  1. Installed new Rocky Linux appliance, and need to set up LDAPS connection. Used this procedure: Configure LDAPS connection to a domain | ESET PROTECT On-Prem | ESET Online Help. But it did not work. I also remembered that during the setup of the appliance, there was no way to integrate it into Active Directory like before, when it asked for a username and password to join the domain during setup: ESET PROTECT VA configuration | ESET PROTECT On-Prem | ESET Online Help. Also, this article doesn't mention if it applies to Rocky Linux; I suspect it doesn't, because the rejoin domain option is not available and Samba is disabled in the Webmin interface: [KB7849] Configure domain connection for ESET PROTECT Virtual Appliance. How can we configure LDAPS now, both for login to the appliance with a domain user and for static group sync, for example?
  2. Hello, I'm trying to set up the LDAPS AD Sync task, and it doesn't work. Without LDAPS it works fine. I set up the appliance with these two articles: https://help.eset.com/protect_deploy_va/11.0/en-US/?configure_ldaps_connection_to_a_domain.html https://help.eset.com/protect_admin/11.0/en-US/?sg_server_tasks_ad.html But when I try to do a sync task: On the appliance itself, I can do an ldapsearch with LDAPS just fine with the same user and server. On the Domain Controller I can see that it's trying to do an LDAP bind, but it's failing. Has anyone already had this? I made the same setup on appliances for other customers / domains and it works fine.
  3. Hello. So I could enable logging of allowed traffic as well. But it only worked on the client; allowed logs were not uploaded to the ESET Protect Appliance, I don't know why. The issue is that somehow the built-in default rules were messed up and the rule "Block incoming NETBIOS requests" was no longer there, replaced by a duplicate of rule 31! Left is the built-in rules when creating a new policy, right is the built-in rules in the policy that caused issues. So I backed up the custom rules, disabled the "Rules" setting in the policy, saved, and reconfigured. Then it worked correctly. I don't know what messed up the rules, since you cannot modify them manually.
  4. But how do I do this? Sorry, I tried to check but was unable to find out!
  5. I have an issue with the endpoint firewall that is allowing a connection that should not be allowed. My two Domain Controllers are able to browse computers on port 445 (SMB); all other computers and servers are not able to browse the computers. It must be related to one of the default rules, but I do not know which one. Since I'm not able to turn on logging of allowed connections, I do not have any idea of what's happening and which rule is allowing this traffic. How can I enable full logging of the firewall to be able to see which rule is used to allow a connection? Thanks!
  6. We are trying to achieve a "zero trust" firewall configuration on clients. Even when connected to the domain, nothing except what is defined by a custom rule should be open. Until the recent changes in ESET Policies / Firewall, we used to only remove everything from the trusted networks list and set the option "Consider every network as public" so that we were sure that endpoints were never reachable through SMB, RDP, ... Now with the new policies this is much more complicated. The default network connection profiles, which cannot be removed nor edited, are related to the Windows Firewall, which detects the domain and sets the firewall to automatically trust the whole subnet it's connected to. First, I think it's not a very good security practice to automatically open ports between endpoints, even though I understand it was made not to impact the many customers that used the default trusted network configuration before. But this should be removable; I do not want my computers to trust and allow the whole network by default! How should I proceed to change this behaviour? Add a new profile with greater priority, remove the Trusted Connection option and set Any as activator? Is this a good way or not recommended?
  7. I understand this; I meant having access to the source (Read) of those lists of blocked IP addresses, to add them to our perimetric firewall to be blocked before they get to the server.
  8. I agree with you; unfortunately the perimetric defenses we have seem to have some other blacklists than ESET is using. Can we get the list of ESETIPBlacklists somewhere so we can add them to our firewall dynamically?
  9. OK, thanks. It's sad because almost all our customers have their own ESET Protect Appliance on-prem.
  10. I did not create an exclusion to allow this traffic, only for it not to create a log, because it fills everything. Block is yes, notify and log is no. I'm not sure I understand: EsetIpBlacklist.A is when blocked before traffic is sent, EsetIpBlacklist.B is when blocked after traffic is sent? So I only need to exclude logging for EsetIpBlacklist.A and EsetIpBlacklist.B, since there is no other EsetIpBlacklist.C nor the old EsetIpBlacklist?
  11. ESET employees, maybe you can help us with this if already known?
  12. Hello, I had to set some exclusions for IDS to prevent the logs from overfilling. I disabled the logging of these events: Until a few months ago I had the Threat Name on EsetIpBlacklist; now it seems there is an EsetIpBlacklist.B, EsetIpBlacklist.A, ...? Is there any list of all possible EsetIpBlacklist* threat names? Can we use a wildcard in the threat name to catch them all? Thank you!
  13. OK. That was not clear to me because: the changelog doesn't contain any info about security concerns being fixed (CVE, ..); the changelog contains info about stability issues which we do not encounter, so to us it's not critical. Either way, I think there is some missing info in the changelog if it's that important.
  14. It's a Server Security product, version is 10.0.12010.0 and update prepared to 10.0.12012.0
  15. Hello, with automatic update enabled, products are preparing the update and waiting for a reboot to finish. I think it's fine, but why is the security alert in red (critical) and not in yellow (warning)? It should be a warning IMO. Or is the machine no longer protected while waiting for the reboot?
  16. Hello, I find very little information about the new Vulnerability & Patch Management. As I understand, it's a new feature only on 10.1 endpoints and the Protect Cloud console. We are almost exclusively using on-prem consoles for our customers (we are an MSP provider). Will this feature also be included in the on-prem console?
  17. Hi @Peter Randziak, I agree that the release schedule should be done with care if there are significant changes in the new version. I thought it was only a "bugfix". I tried to click on the check for updates in the GUI but it doesn't seem to find anything. Also, is there a way to trigger the Auto-Update/uPCU with a task from the management console?
  18. Thanks. When is this version 9.0.12017.0 scheduled to be released via auto-update? It should be done before the next Patch Tuesday IMO.
  19. OK, it seems clients already started the auto-update process; let's see how it goes during next week.
  20. Hi, we cannot afford to fix this manually; we have many customers and doing this would take way too much time. Do you know when a full version of the endpoint containing the fix will be released? Some Outlook clients are crashing because of this, and we had to disable the plugin via policy to allow customers to work.