
hari.senen

Members
Posts: 50
Everything posted by hari.senen

  1. Is our public IP getting blocked? When does the IP usually get unblocked?
  2. I already used the support form at this link https://www.eset.com/int/support/contact/ and provided the public IP.
  3. I tried to activate using an EBA account. Previously, when activating with a license key and an EBA account, I always got ECP.3 and ACT.0. Now I can activate with the license key but still get ECP.3 and ACT.0 when using the EBA account. I attach the log from when I tried the EBA account: ees_logs-ACT0.zip
  4. Today we get ECP.3 and ACT.0 when activating the license on the endpoint. Is there any issue on the server side?
  5. Suddenly our PC can't activate the license. I also tested on another machine where the license was already activated, just changing the license and using the EBA login to switch the license owner. We are using a Squid proxy for activation when this happens. I want to attach the diagnostic log, but its size is 250MB.
  6. I've got the same error on another Linux machine. I'll post the activation log soon.
  7. Suddenly it activated today. But Windows still gets ACT.0. I'll post in another thread.
  8. I tried to activate a license manually for the product ESET for Linux but got the error "an internal error during the activation process". We tried with our proxy and with a direct connection, but the error is still the same. Is the activation server down? Because we have another Windows endpoint that gets ACT.0 when trying to activate with another license (with or without proxy). customer_info.zip
  9. Suddenly there's another uploader on my friend's YouTube channel who knows his username and password, and when he checks his Google mail there's another warning about a suspicious login from his PC. Even after changing the username and password, every time he scans with ESET nothing is found. With Malwarebytes there's a detection, but after a restart there's another detection, even after quarantining it. How do we resolve this issue and find the malware? I attach the log collector output and the log file from Malwarebytes: eea_logs (1).zip malware-2.txt
  10. Check this one: https://www.virustotal.com/gui/file/0d38f8bf831f1dbbe9a058930127171f24c3df8dae81e6aa66c430a63cbe0509/detection and also check the community tab.
  11. I tried to duplicate the report "Computers encrypted with ESET Full Disk Encryption" in the built-in Full Disk Encryption template but get "inconsistent filter data report" in the filter section. Is there a way to duplicate it without the error, or is this a bug? ESET PROTECT (Server), Version 10.0 (10.0.2133.0); ESET PROTECT (Web Console), Version 10.0 (10.0.132.0)
  12. Thanks, we'll check the flash drive that we used before and send the logs if they still exist on the flash drive.
  13. Yes, we tried to decrypt using the recovery data from the console as suggested in https://help.eset.com/efde/en-US/recovery_data.html, but the result is "no disk encrypted". That's why we tried the fix MBR option like this https://support.eset.com/en/kb7174-repair-the-full-disk-encryption-master-boot-record-using-the-recovery-tool from the ESET Recovery Media Creator tool, but it didn't succeed. We tried to use hxxp://support.microsoft.com/en-us/kb/927392 but get "access denied" when using the bootrec /fixboot command. Anyway, when we encounter this issue again, is there a way for us to get the log, or should we just contact support?
  14. We have a problem with EFDE. One of our laptops uses EFDE. When EFDE started to encrypt, the user felt the laptop become slow and tried to restart (according to the console, this user had encrypted less than 10% of the disk before restarting). Then the problem came up: after EFDE pre-boot authentication, the laptop starts to diagnose Windows, doesn't succeed, and goes back to pre-boot authentication. After successful pre-boot authentication, Windows shows "Automatic repair couldn't repair your PC" and always shows this when we try to restart. We tried using the recovery data (efderecovery.dat generated from the console) but it says "no disk encrypted". We tried to fix the MBR from a bootable USB with efderecovery.dat but still get the same error. We used the Windows 10 ISO as suggested but got "access denied" when using bootrec /fixboot. Fortunately the data was already backed up on an external device, and we decided to reinstall as the user really needed to get the laptop back. My questions are: how did this happen? Is it possible it's because of EFDE? What should we do when this situation happens again on another laptop?
  15. Got the same problem. When I look into the Apache HTTP proxy log (still not using ESET Bridge), the bootstrapper epi.exe got answers 503 and 502 instead of 200, so the console can't download the package installer before the epi download succeeds:
      [29/Dec/2022:13:17:36 +0700] "GET hxxp://repository.eset.com:80/v1//com/eset/tools/installers/bootstrapper_era/metadata3 HTTP/1.1" 302 95 "-" "ERA Server Update (Linux; A; 64bit; BPC 10.0.2133.0; OSR 3.10.0-1160.76.1.el7.x86_64; APP era; HWF: 01002550-2055-6328-2C47-14DAC3CFE4C7; PLOC en_US; PCODE 901.0.0; PX 1)"
      [29/Dec/2022:13:17:36 +0700] "GET hxxp://repositorynocdn.eset.com:80/v1/com/eset/tools/installers/bootstrapper_era/metadata3.default HTTP/1.1" 200 73920 "-" "ERA Server Update (Linux; A; 64bit; BPC 10.0.2133.0; OSR 3.10.0-1160.76.1.el7.x86_64; APP era; HWF: 01002550-2055-6328-2C47-14DAC3CFE4C7; PLOC en_US; PCODE 901.0.0; PX 1)"
      [29/Dec/2022:13:17:36 +0700] "GET hxxp://repository.eset.com:80/v1/com/eset/tools/installers/bootstrapper_era/v4/4.2.4.0/epi.exe.eula/manifest.erm HTTP/1.1" 200 7682 "-" "ERA Server Update (Linux; A; 64bit; BPC 10.0.2133.0; OSR 3.10.0-1160.76.1.el7.x86_64; APP era; HWF: 01002550-2055-6328-2C47-14DAC3CFE4C7; PLOC en_US; PCODE 901.0.0; PX 1)"
      [29/Dec/2022:13:17:48 +0700] "GET hxxp://repository.eset.com:80/v1/com/eset/tools/installers/bootstrapper_era/v4/4.2.4.0/epi.exe HTTP/1.1" 503 6799 "-" "ERA Server Update (Linux; A; 64bit; BPC 10.0.2133.0; OSR 3.10.0-1160.76.1.el7.x86_64; APP era; HWF: 01002550-2055-6328-2C47-14DAC3CFE4C7; PLOC en_US; PCODE 901.0.0; PX 1)"
      [29/Dec/2022:13:18:05 +0700] "GET hxxp://repository.eset.com:80/v1/com/eset/tools/installers/bootstrapper_era/v4/4.2.4.0/epi.exe HTTP/1.1" 502 576 "-" "ERA Server Update (Linux; A; 64bit; BPC 10.0.2133.0; OSR 3.10.0-1160.76.1.el7.x86_64; APP era; HWF: 01002550-2055-6328-2C47-14DAC3CFE4C7; PLOC en_US; PCODE 901.0.0; PX 1)"
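As an added example (not part of the post above and not ESET's or Apache's code), here is a small Python parser for proxy access-log lines in the format shown in that post, which flags repository requests for the bootstrapper that were answered with a 5xx status. The regular expression is an assumption fitted to the visible lines (timestamp, request, status, bytes, referer, user-agent, with no client-IP field); the sample lines are copied from the post with the user-agent string abridged.

```python
"""Flag failed ESET repository downloads in Apache proxy access-log lines.

Added illustration for the post above; the log format regex is an assumption
based on the lines shown there, and SAMPLE_LOG is copied from the post with
the user-agent abridged.
"""
import re
from collections import Counter

# Sample lines from the post (defanged hxxp:// scheme left as-is, UA abridged).
SAMPLE_LOG = """\
[29/Dec/2022:13:17:36 +0700] "GET hxxp://repository.eset.com:80/v1//com/eset/tools/installers/bootstrapper_era/metadata3 HTTP/1.1" 302 95 "-" "ERA Server Update (Linux; BPC 10.0.2133.0; APP era)"
[29/Dec/2022:13:17:36 +0700] "GET hxxp://repositorynocdn.eset.com:80/v1/com/eset/tools/installers/bootstrapper_era/metadata3.default HTTP/1.1" 200 73920 "-" "ERA Server Update (Linux; BPC 10.0.2133.0; APP era)"
[29/Dec/2022:13:17:36 +0700] "GET hxxp://repository.eset.com:80/v1/com/eset/tools/installers/bootstrapper_era/v4/4.2.4.0/epi.exe.eula/manifest.erm HTTP/1.1" 200 7682 "-" "ERA Server Update (Linux; BPC 10.0.2133.0; APP era)"
[29/Dec/2022:13:17:48 +0700] "GET hxxp://repository.eset.com:80/v1/com/eset/tools/installers/bootstrapper_era/v4/4.2.4.0/epi.exe HTTP/1.1" 503 6799 "-" "ERA Server Update (Linux; BPC 10.0.2133.0; APP era)"
[29/Dec/2022:13:18:05 +0700] "GET hxxp://repository.eset.com:80/v1/com/eset/tools/installers/bootstrapper_era/v4/4.2.4.0/epi.exe HTTP/1.1" 502 576 "-" "ERA Server Update (Linux; BPC 10.0.2133.0; APP era)"
"""

# Assumed format: [time] "METHOD url PROTO" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def failed_requests(log_text, path_fragment="bootstrapper_era"):
    """Return (time, url, status) for matching requests answered with a 5xx status.

    3xx answers (the 302 redirect for metadata3) are normal and are not flagged.
    """
    failed = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and path_fragment in rec["url"] and rec["status"] >= 500:
            failed.append((rec["time"], rec["url"], rec["status"]))
    return failed


def status_histogram(log_text):
    """Count HTTP status codes across all parseable lines."""
    return Counter(rec["status"] for rec in map(parse_line, log_text.splitlines()) if rec)


if __name__ == "__main__":
    for when, url, status in failed_requests(SAMPLE_LOG):
        print(f"{when}  {status}  {url}")
    print(dict(status_histogram(SAMPLE_LOG)))
```

Run against the full access log, the two flagged epi.exe requests (503, then 502) are exactly the downloads the console was waiting on; a 5xx from the proxy for the bootstrapper points at the proxy-to-repository path rather than at the console itself.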
  16. I've seen there's a data limit configuration in the agent policy. If this data limit is applied, will it only affect the logs sent by the agent to the console, or will it affect the policies sent from the console as a whole along with the logs from the agent to the ESET console? I ask because I didn't find more information about this configuration.
  17. We already opened a ticket with our local support. They suggested increasing the file limit and using their database tuning suggestions, but the problem still exists. Is there anyone we can contact for a support ticket besides the local support for this issue?
  18. We have a problem with our client's ESET Protect Server. The agent shows our server is:
      ESET Protect: Dell R430, OS: CentOS 7, RAM: 32GB, CPU: Xeon E5-2630 v4 2.2GHz, HDD: 2x600GB, ethernet: 2, ESET server version: latest version 9
      MySQL ESET Database: Dell R440, OS: CentOS 7, RAM: 16GB, CPU: Xeon Bronze 3204, HDD: 1TB, ethernet: 2
      which handles 15,000 clients at an agent interval of 55 minutes with a data limit of 100MB. The server and database themselves are on a separate ethernet from the one the endpoint users connect to. We learned of this issue after checking the update report and the real condition on the users themselves. Replication doesn't use the proxy; the proxy is only used to connect to ESET services in the cloud (LiveGrid, update, EPNS, etc.). We already increased the file limit on eraserver.service but the problem still exists. Is there a way to fix this problem?
  19. Remove this command: ProxyRemote * hxxp://internalESETProtectMgmtServer.domain:2222. Since it's a DMZ setup, you must forward the port from your network firewall.
  20. Change
      ProxyPass / https://internalservername.domain:2222
      ProxyPassReverse / https://internalservername.domain:2222
      to
      ProxyPass / https://r.edtd.eset.com/ timeout=300 keepalive=On ttl=100 max=100 smax=10
      ProxyPassReverse / hxxp://r.edtd.eset.com/ keepalive=On
      Use ProxyRemote when you want to forward requests from a branch site to the main site. Change from
      <VirtualHost *:3128>
      ProxyRequests On
      </VirtualHost>
      to
      <VirtualHost *:3128>
      ProxyRequests On
      ProxyRemote * hxxp://YOUR_MAIN_IP_ESET_PROXY_OR_WEB_PROXY:3128
      </VirtualHost>
  21. Hello, I want to block STOP DJVU using an EEI rule set. Let's say they use this command:
      C:\Users\mike\AppData\Local\Temp\701fd32c8bd585ae93d7e2d6.exe\ --Admin IsNotAutoStart IsNotTask
      and the executable C:\Users\mike\AppData\Local\Temp\701fd32c8bd585ae93d7e2d6.exe. Maybe the C:\Users\mike\AppData\Local\Temp\701fd32c8bd585ae93d7e2d6.exe is random, so I created the rule set like this:
      <?xml version="1.0" encoding="utf-8"?>
      <rule>
        <severity>warning</severity>
        <definition>
          <process>
            <operator type="AND">
              <condition component="FileItem" property="Extension" condition="is" value="exe" />
              <operator type="AND">
                <condition component="ProcessInfo" property="CommandLine" condition="contains" value="--Admin IsNotAutoStart IsNotTask" />
                <operator type="OR">
                  <condition component="ProcessInfo" property="CommandLine" condition="contains" value="--Admin" />
                  <condition component="ProcessInfo" property="CommandLine" condition="contains" value="IsNotAutoStart" />
                  <condition component="ProcessInfo" property="CommandLine" condition="contains" value="IsNotTask" />
                  <operator type="AND">
                    <condition component="LiveGrid" condition="less" property="Reputation" value="8" />
                    <condition component="Module" condition="isnot" property="SignatureType" value="Trusted" />
                    <condition component="Enterprise" condition="isnot" property="Safe" value="1" />
                  </operator>
                </operator>
              </operator>
            </operator>
          </process>
        </definition>
        <description>
          <name>STOP DJVU Process</name>
          <explanation>This is stop djvu encryption process. This file is payload dropper for encryption process STOP DJVU Ransomware.</explanation>
          <maliciousCauses></maliciousCauses>
          <category>Default</category>
          <recommendedActions>[remediation:kill] [remediation:block]</recommendedActions>
        </description>
        <actions>
          <action name="BlockProcessExecutable" />
          <action name="BlockParentProcessExecutable" />
          <action name="CleanAndBlockProcessExecutable" />
        </actions>
      </rule>
      The second one blocks the process when this command is executed:
      command:icacls \C:\Users\mike\AppData\Local\a8d875e5-2268-43a5-84ee-71bb510ca522\ /deny *S-1-1-0:(OI)(CI)(DE,DC)
      so I created this:
      <?xml version="1.0" encoding="utf-8"?>
      <rule>
        <severity>warning</severity>
        <definition>
          <process>
            <operator type="AND">
              <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="icacls" />
              <condition component="ProcessInfo" property="CommandLine" condition="contains" value="deny *S-1-1-0:(OI)(CI)(DE,DC)" />
            </operator>
          </process>
        </definition>
        <description>
          <name>STOP DJVU icacls Process</name>
          <explanation>This is stop djvu process use icacls process</explanation>
          <maliciousCauses></maliciousCauses>
          <category>Default</category>
          <recommendedActions>[remediation:kill] [remediation:block]</recommendedActions>
        </description>
        <actions>
          <action name="BlockProcessExecutable" />
          <action name="BlockParentProcessExecutable" />
        </actions>
      </rule>
      And the third one creates a registry key with this data:
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper
      data:\C:\Users\mike\AppData\Local\a8d875e5-2268-43a5-84ee-71bb510ca522\701fd32c8bd585ae93d7e2d6.exe\ --AutoStart
      but I still don't know how to create it. My questions are: is the rule set effective against STOP DJVU ransomware, and if not, is there another way? How do I create a rule set for the registry in the third one for the DJVU process?
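As an added example (not part of the post above and not ESET Inspect's own rule engine), the following Python script parses the `<definition>` blocks of the two posted rules and evaluates their nested AND/OR trees against constructed process events. The semantics of the condition operators (is, isnot, contains, less) and the event attribute keys are assumptions chosen to mirror the rule attributes; the events are constructed sample data built from the command lines in the post. It shows one property of rule 1 worth knowing before relying on it: because the outer AND already requires the full string "--Admin IsNotAutoStart IsNotTask", the OR block (which includes "contains --Admin") is always true whenever the outer condition is, so the LiveGrid/SignatureType/Enterprise sub-conditions never restrict the match.

```python
"""Evaluate EEI-style process rules against constructed process events.

Added illustration for the post above, not ESET Inspect's engine. The meaning
of each condition operator and the (component, property) event keys are
assumptions; the sample events are constructed from the post's command lines.
"""
import xml.etree.ElementTree as ET

# Definition blocks excerpted from rule 1 and rule 2 in the post.
RULE_EXE = """<rule><definition><process>
<operator type="AND">
  <condition component="FileItem" property="Extension" condition="is" value="exe" />
  <operator type="AND">
    <condition component="ProcessInfo" property="CommandLine" condition="contains" value="--Admin IsNotAutoStart IsNotTask" />
    <operator type="OR">
      <condition component="ProcessInfo" property="CommandLine" condition="contains" value="--Admin" />
      <condition component="ProcessInfo" property="CommandLine" condition="contains" value="IsNotAutoStart" />
      <condition component="ProcessInfo" property="CommandLine" condition="contains" value="IsNotTask" />
      <operator type="AND">
        <condition component="LiveGrid" condition="less" property="Reputation" value="8" />
        <condition component="Module" condition="isnot" property="SignatureType" value="Trusted" />
        <condition component="Enterprise" condition="isnot" property="Safe" value="1" />
      </operator>
    </operator>
  </operator>
</operator>
</process></definition></rule>"""

RULE_ICACLS = """<rule><definition><process>
<operator type="AND">
  <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="icacls" />
  <condition component="ProcessInfo" property="CommandLine" condition="contains" value="deny *S-1-1-0:(OI)(CI)(DE,DC)" />
</operator>
</process></definition></rule>"""


def eval_condition(cond, event):
    """Assumed operator semantics: is/isnot = string equality, contains = substring, less = numeric."""
    actual = event.get((cond.get("component"), cond.get("property")))
    op, expected = cond.get("condition"), cond.get("value")
    if actual is None:  # attribute missing from the event: the condition cannot hold
        return False
    if op == "is":
        return str(actual) == expected
    if op == "isnot":
        return str(actual) != expected
    if op == "contains":
        return expected in str(actual)
    if op == "less":
        return float(actual) < float(expected)
    raise ValueError(f"unsupported condition operator: {op}")


def eval_node(node, event):
    """Recursively evaluate an <operator type="AND|OR"> or a <condition> element."""
    if node.tag == "condition":
        return eval_condition(node, event)
    if node.tag == "operator":
        kind = node.get("type", "").upper()
        results = (eval_node(child, event) for child in node)
        if kind == "AND":
            return all(results)
        if kind == "OR":
            return any(results)
        raise ValueError(f"unsupported operator type: {kind}")
    raise ValueError(f"unexpected element: {node.tag}")


def rule_matches(rule_xml, event):
    """True when every top-level node under <process> holds for the event."""
    process = ET.fromstring(rule_xml).find("./definition/process")
    return all(eval_node(child, event) for child in process)


# Constructed sample events keyed by (component, property).
DROPPER_EVENT = {
    ("FileItem", "Extension"): "exe",
    ("ProcessInfo", "CommandLine"):
        r'"C:\Users\mike\AppData\Local\Temp\701fd32c8bd585ae93d7e2d6.exe" --Admin IsNotAutoStart IsNotTask',
    ("LiveGrid", "Reputation"): 9,           # good reputation and a trusted signature:
    ("Module", "SignatureType"): "Trusted",  # the inner AND is false, yet rule 1 still matches
    ("Enterprise", "Safe"): "1",
}
PARTIAL_EVENT = {**DROPPER_EVENT, ("ProcessInfo", "CommandLine"): "setup.exe --Admin"}
ICACLS_EVENT = {
    ("FileItem", "FileNameWithoutExtension"): "icacls",
    ("ProcessInfo", "CommandLine"):
        r'icacls "C:\Users\mike\AppData\Local\a8d875e5-2268-43a5-84ee-71bb510ca522" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
}
BENIGN_ICACLS_EVENT = {**ICACLS_EVENT, ("ProcessInfo", "CommandLine"): r"icacls C:\share /grant Users:R"}

if __name__ == "__main__":
    print("rule 1 on full dropper command line:", rule_matches(RULE_EXE, DROPPER_EVENT))
    print("rule 1 on '--Admin' only:", rule_matches(RULE_EXE, PARTIAL_EVENT))
    print("rule 2 on deny-everyone icacls:", rule_matches(RULE_ICACLS, ICACLS_EVENT))
    print("rule 2 on benign icacls:", rule_matches(RULE_ICACLS, BENIGN_ICACLS_EVENT))
```

The first result is True even though the event has a good reputation and a trusted signature, which is the redundancy described in the lead-in: if the intent was to let the reputation/signature sub-conditions narrow the match, they need to sit at the same AND level as the command-line condition rather than inside an OR with conditions that the outer AND already guarantees.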
  22. You could try this:
      Office 1: Operation AND (if there are 2 subnetworks in office 1, then I suggest using OR)
        Network IP addresses > IP subnetwork contains 192.168.1.
      Office 2: Operation AND (if there are 2 subnetworks in office 2, then I suggest using OR)
        Network IP addresses > IP subnetwork contains 192.168.2.
      Remote: Operation NAND
        Network IP addresses > IP subnetwork contains 192.168.1.
        Network IP addresses > IP subnetwork contains 192.168.2.
  23. Does the ESMC or ESET PROTECT API integrate with IBM SOAR? Is there any guidance for this, if ESMC or ESET PROTECT can integrate with it?