j-gray
Posts: 620. Days Won: 5.
Posts posted by j-gray
-
Thanks, MichalJ. No policies above that remove the scheduled event. You can see that I changed the scheduler policy for automatic updates to 30 minutes. Yet, it still appears as 60 minutes on the client scheduler and is not enabled. The client is receiving all the correct policies otherwise. Can there be only one scheduler policy? I have one for weekly scan, and one for definition updates. Thanks again for your help.
(attachment: 02-windows-scheduler-policy.tiff)
-
Most, if not all, of my Windows clients display this Critical problem under 'Functionality Problems'.
I have a dynamic group of Windows workstations to which I've applied the 'Security Product for Windows - Antivirus - Balanced' policy. In this policy, updates are configured and Scheduler is set for 'Regular automatic update' (every 60 minutes). All workstations that are currently online are up to date. I verified they're getting assigned to the correct dynamic group and that the policy above is applied to them, as well.
What am I doing wrong, and/or why is this message showing?
Thank you.
-
Concerning the other issue, I will try to discuss this with developers. However, if I may ask, how this was solved with the previous solution you were using. We are trying to extend and improve our portfolio, to provide the same functional parity for both Windows and OS X users, so addressing OS X only environments is a valid requirement.
Thanks for your reply and consideration.
Solutions I've used in the past all offer scanning by IP range and/or subnet, as well as Windows network polling (NetBIOS) from the central console. Systems are then flagged as offline, online, or online with agent installed. From these results, online systems without an agent installed can be easily seen and selected for agent install. For Windows systems without agent installed, NetBIOS can identify the OS. I'm not sure what was used for OS X fingerprinting; perhaps simply ICMP response info or other.
Here are some details on Kaspersky, which I've used in the past: hxxp://support.kaspersky.com/learning/courses/kl_102.98/chapter1.4/section1
Symantec had its own network audit tool that worked very well across multiple subnets: https://support.symantec.com/en_US/article.TECH100454.html
Hope that helps. This is a much needed feature for us, as presently we have no good way to tell what systems are running with no AV.
-
We recently moved to ESET 6 from another competing AV, so I can't compare it to previous versions of ESET. One of the reasons we chose ESET was because of the feature and gui parity between OS X and Windows clients and the ability to manage both from the same interface. This is important in a mixed environment.
I prefer an MMC to a web GUI for management, as it's always more flexible and more functional. However, because I work primarily on a Mac, I appreciate the fact that the RA is browser-based.
That said, I have two complaints that are major issues for us, which will likely cause us to not renew our 1500 licenses.
- There needs to be a better option for detecting unprotected clients and auto-installing at least the agent. Group Policy is not a deployment option for OS X. And RDS is not a viable option for environments with multiple sites and multiple subnets per site. Further, there is no RDS application for OS X devices, leaving no options for OS X-only subnets. And finally, WinPcap (the basis for Windows RDS) hasn't been updated or patched for 3 years, meaning potential security issues and compatibility issues with Windows 10. The RA server should be able to perform this, as well as an OS fingerprint without an agent, so workstations can be placed into proper groups prior to agent install.
- There needs to be a better method for deploying and/or managing the agent via imaging. Any time a technician deploys an image, they have to send me the name/IP of the system so I can run the 'Reset Cloned Agent' task. If they're imaging multiple systems at a time, which is common, they need to track all those workstations and send me lists. There should be a simple command-line and terminal option within the agent so the SID can be stripped prior to imaging. The SID can then be generated when the new workstation comes online, and there is no need for configuring multiple clone tasks.
We like the product for the most part, however, it falls short in a mixed Enterprise environment.
-
This is one of my biggest complaints with the RD sensor; it only works on the subnet where it's located. You would need to install an RD sensor on each unique subnet where you want to detect rogue systems.
-
Is it possible to edit the expiration date in an existing task? If so, how?
Also, how does one create a task with no expiration? For example, I don't want the Product Activation task to expire or stop running.
Thank you
-
Ok, so it appears the install was botched: only the Agent appears in Add/Remove Programs, and I couldn't find the Antivirus string in the trace.log file. However, the program folder exists, the icon is in the system tray, and I can launch the GUI without issue.
Now the tricky part: I can't reinstall the AV, because the ekrn process cannot be stopped (access denied). And I can't uninstall it, because Windows doesn't think it's installed.
What's the recommended process to fix a botched install given the above issues?
-
Agent status html page shows all Green/OK with current replication date/time stamps.
They seem to be updating fine: definitions, policies, etc.
-
Hi Martin,
Thanks for the reply. No, agents have not been reverted or restored at any point. Restart on one client had no effect; I'm able to open the client GUI, and communication and database updates are fine. I don't find any errors in client or server Trace logs. I also rebooted the server, and there was no change in behavior.
The client alert details do show a 'Critical' problem of "No regular updates scheduled", but I'm unable to determine exactly what that means.
-
I have a dynamic group to collect workstations with agent only and no AV.
This rule seems to work, however, the dynamic group shows some systems that show AV installed; AV version, recent connection, and Virus DB as updated, etc. But when I look at Installed Applications under the client details, it only reports the agent and no AV.
So in short, the RA Console shows some clients with AV and agent installed, but those specific clients' details show only the agent installed.
What could be causing the incorrect status?
-
To suppress the warning on clients, configure a policy to be applied on clients that will have "Operating system is not up to date" disabled under User interface -> Application statuses.
Thanks for your reply.
I see this available in policies for Windows. However, the only option for OS X under User Interface is 'Show splash-screen at startup'.
Are there no other options to control the end-user experience in OS X?
-
Sorry, I should have been more specific. This is the warning that the ESET software version and/or OS (not signature) is out of date that the user can see on the client-side.
-
I want to know which clients are not up to date in the RA console, but I don't want users to get the warning notification on their desktop client.
Is there a way to disable only that warning (that the ESET client is out-of-date) for the client?
Thank you.
-
On Mac you define privileged users who are entitled to change settings. There's no password protection like on Windows.
Could you please clarify?
I'm finding that users can manipulate client settings, which we do not want.
For example, they can enable things that are disabled by policy, such as Device Control. And they can disable things like Anti-Phishing protection, etc. and even shut down the client.
How can we block clients from changing settings?
-
You have to use Active Directory Sync (if you use AD), or install the Rogue Detection Sensor on a workstation/server in each subnet where you want to discover workstations.
...and don't get me started on this design
-
@bbraunstein, thanks a bunch for the info and willingness to help out the community.
Not what I wanted to hear, but I appreciate it, nonetheless. Sounds like if we make some noise, something useful might come.
Thanks again.
-
Thanks for fielding questions.
I'd be curious to know if they have any recommendations for discovering unmanaged systems where RDS is not an option.
We're a mixed environment (Windows and OS X) with multiple subnets across multiple sites. This makes RDS unfeasible, plus there are no options for OS X-only environments.
Thanks again.
-
FWIW, I'm seeing similar as folks above.
In RA console, under 'Computers > Groups > Computers with active threats', it lists 4 workstations with a total Active Threat count of 29.
Over in the left pane, the 'Threats' icon shows a red count of 692 (see attached pic). However, the 'Threats > Computers with active threats' here shows 'Computers with active threats (88)'. This is confusing, because the list of 88 threats shows only the 4 unique computers (those listed in the previous 'Computers' section). On the other hand, it shows a total of 5955 threats, which seems to be historical and includes threats that have been cleaned, dating back to July when we switched to ESET from our previous vendor.
With all this contradicting information, it's difficult to tell what needs attention and what can be safely ignored.
-
Well, sorry to tell you but yes, you're misinformed.
You will find the sensor can be deployed in Linux and Windows.
Apologies, I omitted Linux, as we do not use it in our environment, so it is irrelevant for us. And Linux RD is not a solution for subnets which are OS X only.
-
Hello j-gray,
We have the RD Sensor specifically for this situation, but since you don't want to use it, you could look up the computers in AD using a script checking installed software.
Thanks. It's not that I don't want to use it, it's just not viable given the number of subnets and the operating systems we have.
Unless I'm misinformed, the RD sensor can only be installed on Windows computers. That leaves no options for subnets that are OS X only.
Further, the required third-party utility (WinPcap) for the RD Sensor hasn't been under development for over 2 years. From the information on their site, it is not supported on Win8/Win10 workstations, nor Win2012 servers and is therefore approaching obsolescence.
In fact, WinPcap doesn't appear to be supported any longer, in general. As it has had significant vulnerabilities in the past, this is also cause for concern.
There needs to be a better solution.
*edit: latest WinPcap release from 2013 appears to support Win8 and Win2012, but no support for Win10 or Win2012 R2.
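The AD-based approach suggested in the reply above (look up computers in AD and check their installed software) can be scripted for the Windows side of a mixed environment. The script below is an added example and is not from the thread, ESET or its documentation; it assumes the ActiveDirectory RSAT module on the admin workstation, WinRM enabled on the targets, and that the ESET products register an uninstall entry whose DisplayName starts with "ESET" (the pattern is a placeholder to adjust). It reports reachable Windows hosts with no matching product so they can be queued for agent install, and lists unreachable hosts separately so they are not silently counted as protected.

```powershell
# Added example (not ESET's code): enumerate AD computers and report which
# reachable Windows hosts have no ESET product in their installed-programs list.
Import-Module ActiveDirectory

# Assumption: product names to look for; adjust to what your uninstall entries show.
$ProductPattern = '^ESET'

# Only enabled Windows computer objects; LastLogonDate helps judge stale objects.
$computers = Get-ADComputer -Filter 'Enabled -eq $true -and OperatingSystem -like "*Windows*"' `
    -Properties OperatingSystem, LastLogonDate

$results = foreach ($c in $computers) {
    $name = if ($c.DNSHostName) { $c.DNSHostName } else { $c.Name }
    $status = 'offline'
    $products = @()

    if (Test-Connection -ComputerName $name -Count 1 -Quiet) {
        try {
            # Read both 64-bit and 32-bit uninstall hives on the remote host.
            $products = Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
                $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
                Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
                    Where-Object { $_.DisplayName } |
                    Select-Object -ExpandProperty DisplayName
            }
            $status = 'online'
        } catch {
            # Host answers ping but WinRM failed: report it, don't assume protected.
            $status = "online (WinRM error: $($_.Exception.Message))"
        }
    }

    $eset = @($products | Where-Object { $_ -match $ProductPattern })
    [pscustomobject]@{
        Computer     = $name
        OS           = $c.OperatingSystem
        LastLogon    = $c.LastLogonDate
        Status       = $status
        EsetProducts = ($eset -join '; ')
        Protected    = ($eset.Count -gt 0)
    }
}

# Candidates for agent install: reachable, queried successfully, nothing matched.
$results | Where-Object { $_.Status -eq 'online' -and -not $_.Protected } |
    Format-Table Computer, OS, LastLogon -AutoSize

# Hosts that could not be verified need a second look rather than being ignored.
$results | Where-Object { $_.Status -ne 'online' } |
    Format-Table Computer, Status, LastLogon -AutoSize

# Full coverage report for tracking over time.
$results | Export-Csv -Path .\eset-coverage.csv -NoTypeInformation
```

Run it from an account that is a local administrator on the workstations. The OS X-only subnets the post describes are not covered by this, since those machines do not expose a Windows uninstall registry; the script only closes the gap on the AD-joined Windows side.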
-
So, if I create a new task with 'In-Depth Scan' and 'Scan with Cleaning', it will still not remove these items?
Otherwise, in the New Client Task window, I do not have the option for 'Strict Cleaning'.
Re: No regular updates scheduled (in ESET PROTECT On-prem (Remote Management))
I followed the ESET KB for setting up the scheduled scan. I couldn't find any documentation for scheduled updates for v.6, so I assumed it was a similar process as the scan. Looks like I assumed wrong.
I'll try the client task and see if that does the trick.
Thanks again.