davidenco

Posts posted by davidenco

  1. I have a series of rules set up in ESMX 7 to filter specific emails, some of which contain "Dear Customer", which is a common thing spammers put in their emails. Unfortunately some legitimate emails also have this keyword, and so the rules are filtering those emails, despite the sender of the affected emails being on both the "Approved Domain to IP List" and the "Ignored Domain to IP List".

    How can I configure the rule to only match against emails that are not on the approved or ignored list?

    This is affecting rules configured not just for emails coming in but also those being scanned on-demand within the database.

  2. 3 minutes ago, Marcos said:

    Please see the explanation above. There are 2 possibilities:
    1, You did not purchase an ESET Dynamic Threat Defense license, however, you enabled it via a policy. As a result, EDTD doesn't work and informs you about that.
    2, You purchased an EDTD license but you didn't add it through an EBA account to the ESMC license manager and didn't send a software activation task for EDTD to clients.
     

    But why has it *JUST* started happening? And why, out of the 30 or so Endpoints we have, are there 2 Endpoints showing this alert?

    Nothing has changed our end. It just started happening at random.

    We renewed our licenses in November 2018, yet it's just started happening now. This suggests to me something has changed, but at your end.

  3. I'm running Endpoint Antivirus 7.0.2091.0 on Windows 10 1809 but I never noticed this issue with Windows 10 1803.

    As per the screenshot below, EEA says Windows Updates are available, but at the same time the notification option is set to "no updates" and greyed out (configured via ESMC).

    Is this a known issue or something new and is there anything I can do to resolve it or is this something for you to sort?


  4. I am trying to create a new APN/DEP Certificate. I have filled out the subject and clicked "submit request". There is a long pause followed by an error message:

    Failed to create private key or CSR: Internal server error: Trace info: CEcpCommunicator: ECPSignAppleCsr request failed, error=0x10401001.


    The trace.log says:

    2019-01-03 13:25:49 Error: LicenseModule [Thread 7f94e67dc700]: SignAppleCsr: Failed to retrieve signed CSR [SeatID=xxxxxxxx]. Error: CEcpCommunicator: ECPSignAppleCsr request failed, error=0x10401001.
    2019-01-03 13:25:49 Error: LicenseModule [Thread 7f94e67dc700]: CEcpCommunicator: ECPSignAppleCsr request failed, error=0x10401001.
    2019-01-03 13:25:49 Error: CServerSecurityModule [Thread 7f95777fe700]: CEcpCommunicator: ECPSignAppleCsr request failed, error=0x10401001.
    2019-01-03 13:25:50 Error: ConsoleApiModule [Thread 7f94cdfab700]: 2081 Error while processing CreateCertificateRequestAndPrivateKey 157943: CEcpCommunicator: ECPSignAppleCsr request failed, error=0x10401001.


    Any ideas?

  5. I have ESMC 7.0.471.0 running on a Linux VBA and ESET MDM Core 7.0.406.0 running on Windows Server 2012 R2.

    On the MDM server, the status.html file says:

    Error: CReplicationManager: Replication (network) connection to 'host: "<ESMC_IP>" port: 2222' failed with: Receive: NodSslWriteEncryptedData: SSL error.

    On the ESMC server, the trace.log says:

    2019-01-03 08:17:27 Error: NetworkModule [Thread 7f9556ffd700]: Receive: NodSslWriteEncryptedData: Internal error in the underlying implementations., ResolvedIpAddress:<MDM_IP>, ResolvedHostname:<MDM_PTR_1>,<MDM_PTR_2>, ResolvedPort:7318
    2019-01-03 08:17:27 Error: NetworkModule [Thread 7f9556ffd700]: Protocol failure for session id 1970, error:Receive: NodSslWriteEncryptedData: Internal error in the underlying implementations.

    Unfortunately these super helpful error messages are not helpful enough to indicate whatever the problem is.

    The status.html on the MDM server says the Peer Certificate is valid. The MDM server appears in the ESMC Web Console and has been activated, but the Web Console also says:

    There is a problem with connection to remote peer

    Any ideas what is going on here?

  6. I am trying to install the Mobile Device Connector on Windows Server 2012 R2 which is already running an ESET product and the ESET Agent. The installer does not allow me to unselect the Agent and the pre-installation checkup screen now says:

    ESET Management Agent
    Selected software component is already installed on this computer. Uninstall it or do not select this component if possible.

    The fact the message says "if possible" suggests I should be able to continue since the installer has greyed out the Agent option, but out of all the options (back, retry, close), back goes back, retry does nothing and close just closes the installer.

    Surely I don't need to remove the Agent only to have the installer reinstall it? That seems a bit backwards!

  7. In ESMX 6.5, I used the "Header with the originating IP" found under Server > Mail Transport Protection > Advanced Settings, and found it especially useful for cases where our email was ever temporarily held by our secondary MX as ESMX was treating the originating IP address as the secondary MX.

    In ESMX 7.0, this option has been removed, but there is no mention of the removal in the change logs or release notes. As far as the documentation is concerned, there is no option and never was.

    In ESMC 7.0, the policy for ESMX is labelled "V6+" so the option should still be visible for V6 clients, but it's not, even if creating a brand new policy.

    Where has the option gone?

  8. An email has been quarantined by EMSX, not because of where it's come from (Outlook.com) but only because the CC email address is on a cloud blacklist. There's nothing in the email body that's of spam origin either; it's a legit email.

    Why is EMSX blocking emails that do not originate from a spam source?

    I don't know why you would want to block an email based purely on the fact one of the email addresses it has been sent to is on a blacklist - that makes no sense.

  9. This issue is still occurring, now with other domains.

    For example, emails from southernmonitoring.co.uk (HELO = outlook.com) are sending from IP 40.107.3.132, and according to the "Domain to IP whitelist", this domain contains 40.107.0.0-40.107.255.255. This domain is being greylisted for the reason "unknown sender and IP address".

    I need to know what's happening about resolving this issue please.

  10. Is it possible to add an option to add a separate option for adding the sub-domain to the greylisting whitelist?

    Currently the only option that exists is that which says "Add domain to greylisting whitelist", which in fact doesn't add the domain to the whitelist if the sending domain contains a sub-domain, in which case it will actually add the sub-domain to the whitelist instead of just the domain.

    Prior to using ESMX, we used Vamsoft ORF which had both the options to either add the domain or the sub-domain.

  11. One of our clients running EEA V7 is no longer communicating with ESMC.

    Long story short, I have manually uninstalled EEA and the V7 Agent. EEA has uninstalled but the Agent claims it cannot be uninstalled due to permissions.

    Using MSCONFIG, I have disabled the Agent service, rebooted, then removed the Agent folder from Program Files. I have also removed all traces of EraAgentSvc from the registry, but the ESET Management Agent service still appears in the list of Windows services.

    The Agent will not reinstall, it claims I don't have permissions!!!

    Other than format the PC and start over, I don't know what else I can do?

  12. With Diagnostic Logging enabled, I can now see a lot of stuff in the Events log. I can see the scheduled task starting:

    Time;Module;Event;User
    28/09/2018 11:20:45;Microsoft Exchange Server protection;OD: Executing scheduled task;SYSTEM

    However there is still nothing relating to the failed task. Should there be? If so, what will it look like?

    It looks like the issue is occurring because of where the scheduled task is created. In this case, I am using ESMC to create the scheduled task. Compared to creating the task in ESMX, when done through ESMC I am not getting the dialog where I can select public folders, mailboxes etc. I only get this when creating the scheduled task from ESMX.

    On that note, if the scheduled task is created in ESMX, it executes and completes successfully without error. However if created using ESMC, it fails every time.

    Also, using either ESMX or ESMC to create the scheduled task, even though I am telling it to start at 00 seconds, it's actually starting at 45 seconds. Why is that?

    So for now my workaround is to not use ESMC to create the scheduled tasks and to do it from within ESMX instead.

  13. Interestingly, that option has a padlock symbol and it says disabled. When I click the cog icon next to it, it takes me to Tools > Log Files > Logging Filter, where all 4 options are enabled and editable (not enforced).

    I have checked the policy in ESMC and unenforced every option with the word "diagnostic" in the description, but the Diagnostic Logging option is still showing the padlock symbol and won't allow me to enable it.

    Is this a bug? The fact the cog takes me to a place where everything is enabled is surely a bug in itself?

    How else can I enable Diagnostic Logging?

  14. I have created a scheduled task for the Mailbox Scan to start every Sunday at 06:00, but for whatever reason it always says it cannot start. I can run it manually and it always completes, but only since V7 was installed it won't run as a scheduled task.

    The mailbox database scan log is very unhelpful! All it says is "database scan could not be started" but nothing else!!!

    How can I resolve this issue with the very little information EMSX has provided me with?

  15. As per this post, in V6 I added certain domains to the Domain to IP Whitelist so that any emails from those domains would skip Greylisting, but the domains continued to be greylisted and I was promised it was resolved in V7. However I have just checked the logs and found the issue is still happening in V7!

    Just to confirm, in ESMX V7, I already have a number of whitelisted domains, including ehouse.co.uk (sender domain) and outlook.com (HELO domain for ehouse.co.uk).

    The sender IP address for ehouse.co.uk is 40.92.65.17 and the IP range 40.92.0.0-40.95.255.255 is showing for both domains within the whitelist. Yet the reason for greylisting the email is "unknown sender and IP address".

    Other domains are affected, such as gmail.com and hotmail.co.uk. Again, I have whitelisted both the sender domain and the HELO domain, but the emails from any of those domains are still greylisted.

    Interestingly, if I simply open the Domain to IP Whitelist and click "OK" without making any changes, the whitelisted domains are no longer greylisted and an entry appears within the Events log "domains were successfully imported".

    When the server is rebooted, the whitelisted domains are greylisted until I reopen the Domain to IP Whitelist interface and click "OK".

    This is the exact issue I had with V6!

    How come the issue is still occurring and when will it be fixed?

  16. This event is being logged in ESMX v7, but what does it mean and is it something to be concerned about?

    Time;Module;Event;User
    30/08/2018 10:09:56;Mail server protection;Antispam cloud connectivity protection status has been removed;SYSTEM
    29/08/2018 15:16:52;Mail server protection;Antispam cloud connectivity protection status has been removed;SYSTEM
    29/08/2018 15:13:52;Mail server protection;Antispam cloud connectivity protection status has been set (limited connection);SYSTEM

     
