LocknetSSmith

Everything posted by LocknetSSmith

  1. I'm just checking to see if anyone knows if the ESET Endpoint products (i.e. Endpoint Antivirus and Endpoint Security) have definitions to protect against the "skeleton key" infection? If so, what is the detection name? - hxxp://www.darkreading.com/skeleton-key-malware-bypasses-active-directory/d/d-id/1318570 Thanks ~
  2. I have been meaning to ask this for a while now. What, specifically, are the differences between the different scan types allowed in ESET business solutions? I'm referring to the "In-Depth Scan" vs. the "Smart" Scan vs. the "Context-Menu" scan...
  3. I've found that sometimes, to find something bad, you have to know what is good, or normal, in order to confirm whether malware is on a machine or not. I believe in the industry they call this looking for "anomalous characteristics." So I'd break out ProcExplorer, and check things out. You know that svchost.exe is a generic "host" process for running service DLLs - so that in and of itself is not an indication that there is an infection. What else do we know? That it is consuming gross amounts of resources. That is somewhere to start, but for now, I'd check to see that the svchost.exe process in question is running from C:\Windows\System32, and that it has services.msc as its parent process. From there, confirm that it is in fact hosting DLL services. One thing I know for certain is that on default installations of Windows 7, all service DLLs are signed by Microsoft. ProcExplorer will help you confirm these things. If the DLLs hosted in the svchost process taking all your resources are not signed, you know there's a problem. If the process itself is not running from C:\Windows\system32, there is a problem. If its parent is not services.msc, you have a problem. If these things are all as they should be, it could just be something non-malicious that has to be repaired. I've found that running chkdsk /f or sfc /scannow is often helpful for these sorts of non-malware related issues. If it is malicious, you could use the service script feature of SysInspector to put a stop to it, or HiJack This. Or by hand, using ProcExplorer, you could dig down to where the bastard is running from. Anyway, that's my two cents' worth.
  4. Ahh, I see. Is there any type of hit to performance? What sorts of files are downloaded? Things to do with Bayesian filtering? Just curious.
  5. I'm guessing this setting has been available for some time, and I'm just now catching it, but can anyone clarify what the following setting does?... I'm also wondering why it is disabled by default, but I'm guessing the answer to the first question will clarify the second. "Enable Advanced Antispam Control" On the ERA, the equivalent setting is "Enable advanced Antispam scanning"
  6. I recently upgraded to ERAS/ERAC v. 5.2.2 and one of the settings I've found in the Policy Manager, under Windows Desktop v5 -> HIPS -> Settings, is "Enable ESET Endpoint Security Self-Defense". Can anyone shed some light on what this is? Don't Endpoint Antivirus and Endpoint Security already have Self-Defense? Any information would be appreciated.
  7. One of our network technicians was recently asked by ESET Support to exclude an executable that resides within a folder that is already excluded in our ESET policy via Remote Administrator. I was just looking for insight into this. My thought was that when you exclude a folder, that you are excluding everything within that folder, including executable (.exe) files. Is this not the case?
  8. Not sure if this will help or not, but in our domain environment, ESET was also detecting port scan attacks. Upon investigation it was an internal server that was periodically scanning ports. I excluded the IP address of the server and the problem was solved.
  9. Description: Ability to exclude sites from Protocol Filtering by FQDN instead of just IP Address Detail: We have found that in some cases, certain websites need to be excluded from Protocol filtering for the personal firewall in Endpoint Security. In some cases, finding the IP Address for these sites is very difficult, as some sites use such a wide array of IPs.
  10. Has anyone ever seen catchme.sys running from the temp directory be flagged as possible rootkit activity? I know that Catchme.sys is associated with some rootkit detection tool or another (not sure which one), but from what I've read, it should be running from C:\ I've found it running from C:\users\%username%\appdata\local\temp and it keeps getting flagged by certain diagnostics tools as a rootkit. VirusTotal shows the file to be clean by ESET and others, but on this particular machine, the user has lost their ability to create New Folders. Any ideas?
  11. This isn't meant to be a criticism of any kind, but just a question. One of my Support staff was responding to an ESET Endpoint AV detection of Conduit, but noticed some strange behaviors on the machine that led him to want to check for rootkits (that is a long story and isn't important to the question at hand, at least for the moment). I understand that ESET isn't or can't be responsible for how other tools react to it, but I'm just curious: Rogue Killer detected that the ehdrv.sys driver was hooked - has anyone had this happen, or can anyone think of a reason this might have happened?
  12. I know that the Virus Radar site is still in beta, but often we rely on the site to get additional information about ESET threat detections, and often it seems there is no detail provided. I know the sheer volume of malware variants makes it very hard to include detailed breakdowns of every infection, but I also understand that we consider ESET Virus Radar to be a trusted authority in regards to malware research, so when we come to the site looking for details on a threat detected by ESET, and can't get any more information than variant names, and perhaps some dates on when it was discovered/seen, then we're forced to return to Google, and sort through the results for something authentic. So, point being, I love the site, and we use it often - we just can't wait for the day when we can search for ESET threat detections, and get comprehensive details for all of our searches (i.e. if ESET can detect it, hopefully ESET Virus Radar will contain additional data!).
  13. I believe I have all of that worked out honestly - the user account I created isn't having any issues logging in - that's all fine. But when they log into the ESET Dashboard, they have the ability to change templates, which I don't want them to be able to do. I returned to the User Manager in my ERAC (ERAC -> Tools -> User Manager) and clicked on the username - in the permissions box, nothing is checked at all, so I would assume that means they have a read-only account with no permissions.
  14. I recently created a (what I thought was) Read-Only account in the User Manager on my ERAC. The only purpose of this account was to log into the ESET Dashboard, to view certain templates that I had set up for them. They logged into the Dashboard fine, but were able to add/remove templates as they saw fit. Is there any way of restricting this so that they do not have rights to make changes within the Dashboard?
  15. Just an update to this - apparently using a connection string (as above) is not the most efficient method for the ERAS to write to a MySQL database; the more efficient method (I want to specifically thank ESET's awesome business support team lead for this information) is by using a DSN connection string. This works with the driver much more efficiently, whereas the connection string I listed above is more like "up one, over two, tilt to the left, etc." before writing the data to the MySQL tables. So the word for our environment is to use DSN=%insert database name here%
  16. I wanted to post this in hopes of helping others that may come across this problem, so you won't have to go through the frustration I had to go through! I was rebuilding my MSP ERAS/ERAC - we won't go into why. Due to the size of our database in its current state, and the size that it will be when fully ramped up, we were told to use MySQL, with an opportunity to potentially transfer to MS SQL in November (I suspect that if I was using MS SQL right now I wouldn't be posting this, as we have MS SQL admins here). When a co-worker initially built the MsSQL database 7 months ago, he sat on the phone with an ESET Engineer for half a day before they were able to get it to work. That is no longer an option for us, so using the ESET KB, I have been attempting to do this myself. As those of you that use the MSP model for ESET Remote Administration know, when you install EMU, it installs ESET RA Server/Console for you, but with default settings, which includes setting up MS Access as the database. This won't work for us, so the option was to install MySQL, and set up an ESET database within it. I downloaded and installed MySQL, but in the ERA Maintenance Tool, despite my best efforts, I could not get a successful connection. Connection Test Failed: Operation: [DriverConnect] Native: [0x7D5] State: [s1000] [MySQL][ODBC 5.2(a) Drive]Unknown MySQL server host 'localhost' (2) Here is my connection string: Driver={MySQL ODBC 5.2 ANSI Driver};Server=localhost;Database=ESET_RA_DB I have also tried this: Driver={MySQL ODBC 5.2 ANSI Driver};Server=hostname;Database=ESET_RA_DB Both failed. In order to finally get this to work, you have to create a new schema in your MySQL database. The name seems to be important; you have to use eset_ra_db - I tried several other names, including the default MySQL, but this will not work. You also have to create a non-root user account that has full admin rights to the database. I used eraxxxx (x's are numbers I withheld). Obviously use a complex password that never expires. Once this is done, configure your ODBC connector. Note, you HAVE to use the 32-bit ODBC connector regardless of whether your server is 64-bit. I'm personally guessing this is because the ESET RA Server software architecture is 32-bit. Finally, in the ERA Maintenance Tool, for your source database (Microsoft Access if you just installed EMU), you have to test your connection and make sure you get a success message. For your destination database, here is the connection string that I used that finally got me up and running: Driver={MySQL ODBC 5.2 ANSI Driver};Server=127.0.0.1;Database=ESET_RA_DB Cheers, S~
  17. I was rebuilding my ESET Server from scratch today, and thought to myself, wouldn't it be nice if there were a MySQL section on the ESET forum for ESET people to help each other with getting it all set up, customized, installed even? Just food for thought.
  18. We use the ESET Mobile Security for Android product - has anyone else noticed that you can't push Admin contacts via the ESET Remote Administrator policy? Unless I'm doing something wrong... I have the contacts set in the policy, using the format outlined in the ESET Mobile Security for Android user guide, but they don't pass down to the mobile devices. Is this something that will be fixed I'm wondering? Or am I maybe not doing something right?
  19. Any suggestions on where in the .xml I would insert the folder name to make it look right? I've tried some experiments, but it's not looking good - the logo ends up in odd-ball places.
  20. Does anyone know if Windows' various power plans affect ESET's ability to perform a scheduled task? I am working with a client who has a scheduled Smart Scan to kick off at 2:30am every day, but the scan has not been running. The computers are left powered on at all times, but I noticed today that the hard disks are set to hibernate if idle for a certain amount of time. If the computer is in "sleep mode," I'm assuming then that ESET's scheduled tasks will not run?
  21. I am trying to exclude the following item from some terminal servers for a client of ours - NTUser.pol but as this is a Terminal Server, I need to apply this to all user profiles. Does anyone have any advice on the syntax to apply this exclusion to all users? I was thinking: %allusersprofile%\NTUser.pol Would this work? Would ESET recognize this?
  22. I noticed there is a new app for ESET on the Google Play Store - https://play.google.com/store/apps/details?id=com.eset.ems2.gp I downloaded this app for my personal smart phone and see that it doesn't seem to include Remote Administration - is this new app just for non-business users? The reason I'm asking is that I showed it to a few people here and we all like the interface and layout a lot more than the old version - ESET Mobile Security - https://play.google.com/store/apps/details?id=com.eset.ems but the old version is compatible with Remote Administration.
  23. Will ESET USSD Control work for the Windows 8 phone? https://play.google.com/store/apps/details?id=com.eset.securedialer
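The svchost.exe triage checklist from post 3 above, as an added PowerShell example that is not from the original poster: for every svchost instance it checks the image path, checks that the parent is the Service Control Manager (services.exe), verifies the Authenticode signature of each loaded DLL, and lists the services the host actually runs. Assumes PowerShell 3.0 or later on Windows 7 or newer, run from an elevated prompt so the module lists of SYSTEM processes are readable.

```powershell
# Added example, not the original poster's code: triage every svchost.exe instance.
$system32     = Join-Path $env:SystemRoot 'System32'
$expectedPath = Join-Path $system32 'svchost.exe'

# Win32_Process exposes ParentProcessId, which Get-Process does not.
$hosts = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"

foreach ($p in $hosts) {
    $findings = @()

    # Check 1: the image must be %SystemRoot%\System32\svchost.exe (case-insensitive compare).
    if ($p.ExecutablePath -and ($p.ExecutablePath -ne $expectedPath)) {
        $findings += "unexpected image path: $($p.ExecutablePath)"
    }

    # Check 2: the parent must be services.exe; anything else is a red flag.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    if (-not $parent -or $parent.Name -ne 'services.exe') {
        $findings += "parent is '$($parent.Name)' (PID $($p.ParentProcessId)), not services.exe"
    }

    # Check 3: every DLL loaded into the host should carry a valid Authenticode signature.
    $proc = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
    if ($proc) {
        $badSigs = $proc.Modules |
            Where-Object { $_.FileName -like '*.dll' } |
            ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FileName } |
            Where-Object { $_.Status -ne 'Valid' }
        foreach ($sig in $badSigs) {
            $findings += "module $($sig.Path) signature status: $($sig.Status)"
        }
    }

    # Check 4: which services this host actually runs; an empty list is itself worth a look.
    $hosted = Get-CimInstance Win32_Service -Filter "ProcessId = $($p.ProcessId)" |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        PID      = $p.ProcessId
        Services = ($hosted -join ',')
        CPUSecs  = if ($proc) { [math]::Round($proc.CPU, 1) } else { $null }
        Findings = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
}
```

On Windows 7 many Microsoft DLLs are catalog-signed rather than carrying an embedded signature, so Get-AuthenticodeSignature may report NotSigned for them; confirm with Process Explorer's Verify Image Signatures or Sysinternals sigcheck before treating such a module as suspect.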