j-gray
Posts posted by j-gray
-
I've run in-depth scan and clean jobs on a number of systems and some come back with Active Threats. These all appear to be HTML related threats (ScrInject, Iframe, etc.) that are within a user's browser cache folder.
Each system shows a scan status of "Action selection postponed until scan completion", and 'Threat handled = no' for each detected threat. Reports show that the scans have completed.
From what I can tell, cleaning/removal is postponed until completion, the scan completes, yet no cleaning occurs and threat(s) remain active.
I can manually delete these items with no issues, however, I would prefer that ESET handles them.
Can anyone explain exactly what's happening and why the items aren't cleaned? It's not like they're executables or DLLs that are in use or in memory, and I'm certain the user with the infection is not logged on at the time of the scan.
Thank you.
-
Rogue Detection Sensor is not an option; we have too many subnets and potential workstations are not online consistently enough for the Sensor to be useful anyway.
We use AD sync, but don't want to install the agent/AV on some servers, and are not ready to install to our OS X devices.
So we need a way to locate only Windows workstations that are 1) currently online, and 2) do not have the agent installed.
Our previous AV had a built in ping sweep that could identify online workstations and their OS. Does ESET have anything similar?
Any other ideas on how to go about this?
Thank you.
-
Any further information on this? I'm experiencing the exact same thing with several systems.
I've manually deleted the detected items (found in a user's IE cache) and re-run the in-depth scan with cleaning enabled. The scan has completed successfully multiple times, with nothing detected in the last few days. However, the system still shows over 100 Active Threats.
-
Thanks for the replies.
The RA is on v.6.1. I haven't upgraded yet, as there seemed to be a number of issues, particularly with the client agent that made me hesitate.
Alternatively, is there an option somewhere to remove clients that have not contacted the server in X number of days?
-
I'm finding workstations appearing twice in the RA console with inaccurate information.
We have AD sync enabled. In one instance, a workstation with the same name appears twice; both show the ESET agent and AV installed with the current version. One instance appears in the correct AD OU, while the second instance does not. The last check-in for the correctly located one was in July. The other one, in the wrong container, checked in just a few days ago.
It appears when workstations are re-imaged (without ESET agent or AV on the image), the stale workstations remain in the RA console. This appears to keep the correct/new workstation from appearing at all. As many times as I forced an AD sync the correct/new workstation would not appear and the old, stale workstations would not disappear.
Once I manually deleted the two stale instances and forced another sync, the new workstation appeared in the proper OU.
What is the best method to ensure that the RA console has up-to-date and accurate information and also to locate and remove old/duplicate workstations?
-
They are saved in a .dat file which is not in a plain text format.
The folder is C:\ProgramData\ESET\<product name>\Logs
Can these client logs be viewed at all via the Remote Administration server?
Or is there any other way to view logs and/or troubleshoot the client without having to remote into individual systems?
-
Are the log files located in a directory where they can be viewed without requiring the GUI? If so, where are they located?
-
I mean "Computer scan" logs in Endpoint on the client. These should use the local time.
Quite a few seem to be failing and logging in to each workstation to launch and check the endpoint GUI is not feasible.
Are the log files located in a directory where they can be viewed without requiring the GUI? If so, where are they located?
-
It could be that the computers were shut down when the scan was still running or it crashed for some reason and thus agent did not report it as completed. I'd suggest checking it directly in the Endpoint scan log when the user gets online.
Which log file are you referring to and where is it located? I'm looking at the trace.log file, which looks pretty cryptic. It doesn't seem to reflect the correct time, either.
-
It could be that the computers were shut down when the scan was still running or it crashed for some reason and thus agent did not report it as completed. I'd suggest checking it directly in the Endpoint scan log when the user gets online.
What is the expected behavior when the workstations come back online? Will the scan resume, or will it simply trigger a failed status in the RA console once the agent reports back?
-
Can you RDP or team viewer etc to the client and double click the eset icon, as that will show you what scans are in progress.
Thanks for the reply.
Looks like they're all offline now and they're remote, so I don't have access at the moment.
Oddly, the client task still shows that status as 'Running'.
The workstations have likely been off close to an hour and our RA agent connection policy is set to every 60 seconds, so I'm not sure why the task status is not updating correctly.
Either way, if the scans take this long to complete, I'm not sure we'll ever clear the 'Active Threat' statuses.
-
Scans are still running after almost 6 hours, according to RA console. Is this normal for 500GB hard drives?
-
I'm running a task on 6 clients to remove 'Active Threats'. From Client Tasks, I can see the task started and is presumably still running. However, one client finished the full/in-depth scan in 1 hour, yet the other 5 are apparently still scanning after 3+ hours.
Is there any way to tell percent scanned/percent remaining, time to estimated completion, or anything that indicates progress for each client?
-
I've done something similar using three nested groups to detect whether ESET Endpoint was not installed and Vipre (my old product) was also not installed. Took a while to work out how to get this to work using three separate dynamic group templates which are applied to nested dynamic groups (each one filtering out the machines that do not match the rule) and the 'Operation' option (setting to NAND so it's looking for queries that return FALSE).
My rules (nested) are:
Name: "Installed Software List Populated" - Operation: "AND" - Rule: "Installed software . Application vendor" contains "Microsoft"
Name: "No ESET Endpoint Security" - Operation: "NAND" - Rule: "Installed software . Application name" contains "ESET Endpoint Security"
Name: "No Vipre" - Operation: "NAND" - Rule: "Installed software . Application vendor" contains "ThreatTrack Security, Inc."
The first rule was added because sometimes newly added clients had not populated the software list (and as such rules checking if something is not installed would always return TRUE); there will always be something from Microsoft installed, so this just confirms that the list has been populated.
Note that I'm not looking at whether the agent is online (the task triggered by the group will not run if it's not online, so this is not a concern). I'm also not sure that it's worth checking if the Agent is installed, because the software list will not be populated if the agent is not on the machine.
Hope this is of some use.
Yes, very helpful. Thank you.
-
...then a group inside it to check for the av version.
This seems to be the issue. I can't seem to construct the logic for 'no av'.
To me, "Installed software . Application name ≠ (not equal) ESET Endpoint Antivirus" means the client has software installed that is *not* ESET. Which would be anything other than ESET, hence all systems are returned.
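To make the difference between the nested NAND templates in the quoted post above and the single "≠ (not equal)" rule concrete, here is an added Python model (not from the forum thread or from ESET) that evaluates constructed installed-software inventories for a few hypothetical hosts; the row-wise evaluation semantics, host names and software rows are assumptions.

```python
# Added example, not from the forum posts: a model of how ESET Remote Administrator
# dynamic group templates evaluate a client's installed-software list. Semantics assumed
# here (a rule is TRUE if ANY software row satisfies it; AND = all rules true; NAND =
# NOT(all rules true); nested groups only see the parent's members), not ESET documentation.

def rule_matches(rule, software):
    """rule = (column, op, value); TRUE as soon as one installed-software row satisfies it."""
    col, op, value = rule
    for row in software:
        v = row[col]
        if ((op == "contains" and value in v) or (op == "=" and v == value)
                or (op == "!=" and v != value)):
            return True
    return False

def template_matches(template, software):
    operation, rules = template
    all_true = all(rule_matches(r, software) for r in rules)
    return all_true if operation == "AND" else not all_true

def nested_groups(computers, templates):
    members = dict(computers)  # each template only sees the members of the parent group
    for t in templates:
        members = {n: s for n, s in members.items() if template_matches(t, s)}
    return sorted(members)

# Constructed inventory of hypothetical hosts; ws04 has not reported its software list yet.
AGENT = {"name": "ESET Remote Administrator Agent", "vendor": "ESET"}
MS = {"name": "Windows Update", "vendor": "Microsoft Corporation"}
INVENTORY = {
    "ws01": [MS, AGENT, {"name": "ESET Endpoint Antivirus", "vendor": "ESET"}],
    "ws02": [MS, AGENT],  # agent only: the host we want to find
    "ws03": [MS, AGENT, {"name": "VIPRE", "vendor": "ThreatTrack Security, Inc."}],
    "ws04": [],
}

# The three nested templates from the post (ESET rule widened to "ESET Endpoint" so it
# covers both Endpoint Security and Endpoint Antivirus), plus the single-template attempt.
POPULATED = ("AND", [("vendor", "contains", "Microsoft")])
NO_ESET = ("NAND", [("name", "contains", "ESET Endpoint")])
NO_VIPRE = ("NAND", [("vendor", "contains", "ThreatTrack Security, Inc.")])
NAIVE = ("AND", [("name", "=", "ESET Remote Administrator Agent"),
                 ("name", "!=", "ESET Endpoint Antivirus")])

def naive_group():  # "!=" matches any non-ESET row, so every agent host qualifies
    return nested_groups(INVENTORY, [NAIVE])
def nested_no_av():  # populated -> no ESET -> no Vipre
    return nested_groups(INVENTORY, [POPULATED, NO_ESET, NO_VIPRE])
def without_populated_check():  # an empty software list passes both NAND templates
    return nested_groups(INVENTORY, [NO_ESET, NO_VIPRE])
```

The single "≠" template returns every host that has the agent, AV or not, while the nested chain isolates the agent-only host; dropping the "populated" template lets a host that has not yet reported its software list slip into the "no AV" group.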
-
Thanks, bbraunstein.
That's what I have, but it continues to pull all systems recently checked in.
My Rule is:
Installed software . Application name = (equal) ESET Remote Administrator Agent
Installed software . Application name ≠ (not equal) ESET Endpoint Antivirus
I also tried specifically 'ESET Endpoint Antivirus (6.1.2227.0)' since this is what's specified in the console, but still got all systems.
I've been rolling out ESET slowly using Rip and Replace. It's been a bit spotty, so I'm trying to keep an eye on things with more manual management. At this point I'm trying to capture the systems where it was only able to install the agent and not the rest of the product.
-
I'm trying to create a dynamic group of workstations that are 1) presently online, and 2) have the Agent installed, and 3) do not have Antivirus installed.
Unfortunately, I'm not finding the logic for this in the expression builder.
Can anyone offer any suggestions how to most effectively locate online systems that need AV installed?
Thank you.
-
I'm finding the same issue with a new/clean install of the latest version of RA on a fresh 2012 R2 build. It was running without issues for almost a full month, but now I've had to restart the proxy service each of the last two days after clients stop updating.
-
I opened a support case for this issue.
It turns out that despite a reboot of the server running ESET RA, the Apache Proxy service was still borked. Support restarted the service and everything started updating again.
However, today I found the same issue and had to restart the service again. It appears to be running, but apparently isn't working correctly. Really would like to know what is causing it to fail.
-
Latest version of RA 6. Everything was working fine until a few days ago when clients were no longer able to communicate with the server. I rebooted the RA server and clients could all connect again.
However, the RA server does not appear to be pulling signature updates.
Can someone tell me 1) where to check the signature version on the RA server, and 2) how to force it to pull a new signature?
I've checked the log files and can't tell why it is not updating, so any suggestions what to check would be helpful.
Thank you.
-
This is a new/clean install on a fresh server. I've run it up with the basic/default settings and am now attempting to push the agent so we can manage the clients. I haven't created any installers, as we intend to use push install, only.
-
I'm having the exact issue on a clean install of 6.1.437.0 (https://forum.eset.com/topic/4994-remote-agent-push-fails-on-windows-and-os-x/)
Please post if you get any helpful tips.
-
Thanks for the reply. I'm still not having any luck. Local firewalls are down, nothing is blocked outbound. Been through all the troubleshooting steps and get the same error for both OS X and Windows:
"Package not found in repository"
Any help would be appreciated. If we can't get the agent installed, we'll move on to another product.
-
One other piece... documents say "Link to the repository is incorrect - In ERA Web Console, navigate to Admin > Server Settings, click Advanced settings > Repository and make sure the URL of the repository is correct."
But it does not say what the correct URL is. It is currently set to 'Autoselect'.
-
Action Selection Postponed on detected threats
in ESET PROTECT On-prem (Remote Management)
Looking at one specific example, one scan reported the same threat (HTML/Iframe.B.Gen) on the same .htm file in the same location a total of eight times. So it reports 8 active threats even though it's the same file.
And I can't figure out why ESET is unable to delete or quarantine a basic .htm file.
We're seeing this behavior on most of our systems that have Active Threats detected.
Any help is appreciated.