hari.senen
Posts: 50
Posts posted by hari.senen
22 hours ago, Marcos said:
You have most attempted to authorize using wrong EBA credentials several times in a row. The block should be removed automatically after some time. To speed it up, please raise a support ticket and provide your public IP address.
I already used the support form at this link https://www.eset.com/int/support/contact/ and provided the public IP.
-
I tried to activate using an EBA account.
Previously, when activating using a license key and an EBA account, I always got ECP.3 and ACT.0.
Now I can activate with the license key, but I still get ECP.3 and ACT.0 when using the EBA account.
I attach the log from when I tried the EBA account.
-
Today we got ECP.3 and ACT.0 when activating the license on an endpoint. Is there any issue on the server side?
-
12 minutes ago, Marcos said:
Please try now. Do you activate EEA by running "./lic -k" followed by your license key?
No, but using an EBA account.
-
-
Suddenly our PC can't activate the license.
I also tested on another machine where the license was already activated, just changing the license and logging in with EBA to switch the license owner.
We are using a Squid proxy for activation when this happens.
I want to attach the diagnostic log, but its size is 250MB.
-
I've got the same error on another Linux machine. I'll post the activation log soon.
-
Suddenly it activated today. But the Windows machine still gets ACT.0. I'll post in another thread.
-
I tried to activate a license manually for ESET for Linux but got the error "an internal error during the activation process".
We tried with our proxy and with a direct connection, but the error is still the same. Is the activation server down? We have another Windows endpoint that gets ACT.0 when trying to activate with another license (with or without proxy).
-
Suddenly there's another uploader on my friend's YouTube channel who knows his username and password, and when he checks his Google mail there's a warning about a suspicious login from his PC, even after changing the username and password every time.
Tried scanning with ESET, but nothing was found.
Tried Malwarebytes; there's a detection, but after a restart the same detection comes back, even after quarantining it.
How do we resolve this issue and find the malware?
I attach the log collector output and the log file from Malwarebytes.
-
Check this one: https://www.virustotal.com/gui/file/0d38f8bf831f1dbbe9a058930127171f24c3df8dae81e6aa66c430a63cbe0509/detection
Also check the community tab.
-
I tried to duplicate the report "Computers encrypted with ESET Full Disk Encryption" in the built-in Full Disk Encryption template, but I get "inconsistent filter data" in the report's filter section.
Is there a way to duplicate it without the error, or is this a bug?
ESET PROTECT (Server), Version 10.0 (10.0.2133.0)
ESET PROTECT (Web Console), Version 10.0 (10.0.132.0)
20 minutes ago, Kstainton said:
Hi,
You can acquire the required logs via the ESET Recovery USB in the following folder:
USB:\\efi\boot\logfiles\
Then submit a ticket via https://www.eset.com/int/support/contact/.
Thank you.
Thanks, we'll check the flash drive that we used before and send the logs if they still exist on it.
-
5 minutes ago, Kstainton said:
Hi @hari.senen,
You followed what we would suggest if you had submitted a case with us. If Windows has gone into Automatic Repair, you need to decrypt the Workstation in order to allow Windows access to the data and repair where required.
I am afraid I couldn't tell you why the machine had gone into Windows Automatic Repair, there are a few things that could cause this. I understand you have now reinstalled from a backup and we would no longer be able to collect any useful logs from the machine to provide you with more context.
I would have to advise you submit a ticket with us if this happens again: https://www.eset.com/int/support/contact/ as hopefully then we can shed more light on this for you.
Thank you,
Kieran
Yes, we tried to decrypt using the recovery data from the console as suggested in https://help.eset.com/efde/en-US/recovery_data.html, but the result was "no disk encrypted". That's why there's the option to fix the MBR, as in https://support.eset.com/en/kb7174-repair-the-full-disk-encryption-master-boot-record-using-the-recovery-tool, from the ESET Recovery Media Creator tools, but it didn't succeed. We tried hxxp://support.microsoft.com/en-us/kb/927392 but got "access denied" when using the bootrec /fixboot command.
Anyway, when we encounter this issue again, is there a way to get the log, or should we just contact support?
-
We have a problem with EFDE.
One of our laptops uses EFDE. When EFDE started to encrypt, the user felt the laptop become slow and tried to restart (according to the console, this user's disk was less than 10% encrypted before the restart).
Then the problem came up: after EFDE pre-boot authentication, the laptop started to diagnose Windows, didn't succeed, and went back to pre-boot authentication. After successful pre-boot authentication, Windows shows "Automatic Repair couldn't repair your PC" and always shows this when we try to restart.
We tried using the recovery data (efderecovery.dat generated from the console), but it says no disk is encrypted.
Tried to fix the MBR from the bootable USB with efderecovery.dat; still the same error.
Used the Windows 10 ISO as suggested, but got "access denied" when using bootrec /fixboot.
Fortunately the data was already backed up to an external device, and we decided to reinstall as the user really needed the laptop back.
My question is, how did this happen? Is it possible that it's because of EFDE?
What should we do when this situation happens again on another laptop?
-
Got the same problem.
When I look into the Apache HTTP Proxy (still not using ESET Bridge), the bootstrapper epi.exe gets answers 503 and 502 instead of 200, so the console can't download the package installer until the epi download succeeds.
[29/Dec/2022:13:17:36 +0700] "GET hxxp://repository.eset.com:80/v1//com/eset/tools/installers/bootstrapper_era/metadata3 HTTP/1.1" 302 95 "-" "ERA Server Update (Linux; A; 64bit; BPC 10.0.2133.0; OSR 3.10.0-1160.76.1.el7.x86_64; APP era; HWF: 01002550-2055-6328-2C47-14DAC3CFE4C7; PLOC en_US; PCODE 901.0.0; PX 1)"
[29/Dec/2022:13:17:36 +0700] "GET hxxp://repositorynocdn.eset.com:80/v1/com/eset/tools/installers/bootstrapper_era/metadata3.default HTTP/1.1" 200 73920 "-" "ERA Server Update (Linux; A; 64bit; BPC 10.0.2133.0; OSR 3.10.0-1160.76.1.el7.x86_64; APP era; HWF: 01002550-2055-6328-2C47-14DAC3CFE4C7; PLOC en_US; PCODE 901.0.0; PX 1)"
[29/Dec/2022:13:17:36 +0700] "GET hxxp://repository.eset.com:80/v1/com/eset/tools/installers/bootstrapper_era/v4/4.2.4.0/epi.exe.eula/manifest.erm HTTP/1.1" 200 7682 "-" "ERA Server Update (Linux; A; 64bit; BPC 10.0.2133.0; OSR 3.10.0-1160.76.1.el7.x86_64; APP era; HWF: 01002550-2055-6328-2C47-14DAC3CFE4C7; PLOC en_US; PCODE 901.0.0; PX 1)"
[29/Dec/2022:13:17:48 +0700] "GET hxxp://repository.eset.com:80/v1/com/eset/tools/installers/bootstrapper_era/v4/4.2.4.0/epi.exe HTTP/1.1" 503 6799 "-" "ERA Server Update (Linux; A; 64bit; BPC 10.0.2133.0; OSR 3.10.0-1160.76.1.el7.x86_64; APP era; HWF: 01002550-2055-6328-2C47-14DAC3CFE4C7; PLOC en_US; PCODE 901.0.0; PX 1)"
[29/Dec/2022:13:18:05 +0700] "GET hxxp://repository.eset.com:80/v1/com/eset/tools/installers/bootstrapper_era/v4/4.2.4.0/epi.exe HTTP/1.1" 502 576 "-" "ERA Server Update (Linux; A; 64bit; BPC 10.0.2133.0; OSR 3.10.0-1160.76.1.el7.x86_64; APP era; HWF: 01002550-2055-6328-2C47-14DAC3CFE4C7; PLOC en_US; PCODE 901.0.0; PX 1)"
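Added example, not from the post above and not ESET code: a small Python parser for access-log lines in the shape shown in that post. It groups the status codes each requested file received and flags files whose last answer was a 5xx gateway error, which is exactly the epi.exe pattern described. The sample lines are constructed from the excerpt (user agent shortened); the field layout without a client-IP column is assumed to match the poster's log format.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Access-log line shape as in the excerpt (assumption: no client-IP column).
LOG_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample modelled on the excerpt above; user agent shortened.
SAMPLE_LOG = """\
[29/Dec/2022:13:17:36 +0700] "GET http://repository.eset.com:80/v1//com/eset/tools/installers/bootstrapper_era/metadata3 HTTP/1.1" 302 95 "-" "ERA Server Update (Linux; A; 64bit; BPC 10.0.2133.0)"
[29/Dec/2022:13:17:36 +0700] "GET http://repositorynocdn.eset.com:80/v1/com/eset/tools/installers/bootstrapper_era/metadata3.default HTTP/1.1" 200 73920 "-" "ERA Server Update (Linux; A; 64bit; BPC 10.0.2133.0)"
[29/Dec/2022:13:17:36 +0700] "GET http://repository.eset.com:80/v1/com/eset/tools/installers/bootstrapper_era/v4/4.2.4.0/epi.exe.eula/manifest.erm HTTP/1.1" 200 7682 "-" "ERA Server Update (Linux; A; 64bit; BPC 10.0.2133.0)"
[29/Dec/2022:13:17:48 +0700] "GET http://repository.eset.com:80/v1/com/eset/tools/installers/bootstrapper_era/v4/4.2.4.0/epi.exe HTTP/1.1" 503 6799 "-" "ERA Server Update (Linux; A; 64bit; BPC 10.0.2133.0)"
[29/Dec/2022:13:18:05 +0700] "GET http://repository.eset.com:80/v1/com/eset/tools/installers/bootstrapper_era/v4/4.2.4.0/epi.exe HTTP/1.1" 502 576 "-" "ERA Server Update (Linux; A; 64bit; BPC 10.0.2133.0)"
"""


def parse_log(text):
    """Yield one dict per line that matches LOG_RE; silently skip other lines."""
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        rec = match.groupdict()
        rec["status"] = int(rec["status"])
        # last path component, e.g. "epi.exe"
        rec["file"] = urlsplit(rec["url"]).path.rsplit("/", 1)[-1]
        yield rec


def status_by_file(text):
    """Map each requested file name to the status codes it received, in log order."""
    seen = {}
    for rec in parse_log(text):
        seen.setdefault(rec["file"], []).append(rec["status"])
    return seen


def blocked_downloads(text):
    """Files whose most recent response was a 5xx, i.e. the client never got the body."""
    return sorted(f for f, codes in status_by_file(text).items() if codes[-1] >= 500)


def gateway_error_counts(text):
    """How many 5xx answers of each code the proxy returned."""
    return Counter(rec["status"] for rec in parse_log(text) if rec["status"] >= 500)


if __name__ == "__main__":
    for name, codes in status_by_file(SAMPLE_LOG).items():
        print(f"{name:20} {codes}")
    print("blocked:", blocked_downloads(SAMPLE_LOG))
```

On a forward proxy, 502 and 503 are normally produced by the proxy itself when it cannot complete the upstream fetch (refused, timed out, DNS failure), so the proxy's error_log at the same timestamp and a manual `curl -x http://<proxy>:3128 -I http://repository.eset.com/...` through the same proxy are the next things to check.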
-
I've seen that there's a data limit configuration in the agent policy.
If this data limit is implemented, will it only affect the logs sent by the agent to the console?
Or does it affect the policies sent from the console as a whole, along with the logs from the agent to the ESET console?
I'm asking because I didn't find more information about this configuration.
-
18 minutes ago, Marcos said:
The server is overloaded. Please open a support ticket for assistance with further investigation.
We already opened a ticket with our local support. They suggested increasing the file limit and applying their database tuning suggestions, but the problem still exists. Is there anything else we can contact for a support ticket besides local support for this issue?
-
We have a problem with our ESET PROTECT Server client.
The agent shows
Our server is:
ESET PROTECT: Dell R430
OS: CentOS 7
RAM: 32GB
CPU: Xeon E5-2630 v4 2.2GHz
HDD: 2x600GB
Ethernet: 2
ESET server version: latest version 9
MySQL ESET database: Dell R440
OS: CentOS 7
RAM: 16GB
CPU: Xeon Bronze 3204
HDD: 1TB
Ethernet: 2
This handles 15,000 clients at an agent interval of 55 minutes with a data limit of 100MB; the server and database are on a separate Ethernet from the one endpoint users connect to. We found out about this issue after checking the update report and the real condition on the users' machines. Replication doesn't use the proxy; the proxy is only used to connect to ESET services in the cloud (LiveGrid, update, EPNS, etc.).
We already increased the file limit on eraserver.service, but the problem still exists.
Is there a way to fix this problem?
-
Remove this directive:
ProxyRemote * http://internalESETProtectMgmtServer.domain:2222
Since it's a DMZ setup, you must forward the port from your firewall.
-
Change
ProxyPass / https://internalservername.domain:2222
ProxyPassReverse / https://internalservername.domain:2222
to
ProxyPass / https://r.edtd.eset.com/ timeout=300 keepalive=On ttl=100 max=100 smax=10
ProxyPassReverse / https://r.edtd.eset.com/ keepalive=On
Use ProxyRemote when you want to forward requests from a branch site to the main site.
Change from
<VirtualHost *:3128>
    ProxyRequests On
</VirtualHost>
to
<VirtualHost *:3128>
    ProxyRequests On
    ProxyRemote * http://YOUR_MAIN_IP_ESET_PROXY_OR_WEB_PROXY:3128
</VirtualHost>
-
Hello,
I want to block STOP DJVU using an EEI rule set.
Let's say they use this command:
"C:\Users\mike\AppData\Local\Temp\701fd32c8bd585ae93d7e2d6.exe" --Admin IsNotAutoStart IsNotTask
and the executable is
C:\Users\mike\AppData\Local\Temp\701fd32c8bd585ae93d7e2d6.exe
Maybe the C:\Users\mike\AppData\Local\Temp\701fd32c8bd585ae93d7e2d6.exe name is random.
So I created the rule like this:
<?xml version="1.0" encoding="utf-8"?>
<rule>
  <severity>warning</severity>
  <definition>
    <process>
      <operator type="AND">
        <condition component="FileItem" property="Extension" condition="is" value="exe" />
        <operator type="AND">
          <condition component="ProcessInfo" property="CommandLine" condition="contains" value="--Admin IsNotAutoStart IsNotTask" />
          <operator type="OR">
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="--Admin" />
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="IsNotAutoStart" />
            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="IsNotTask" />
            <operator type="AND">
              <condition component="LiveGrid" condition="less" property="Reputation" value="8" />
              <condition component="Module" condition="isnot" property="SignatureType" value="Trusted" />
              <condition component="Enterprise" condition="isnot" property="Safe" value="1" />
            </operator>
          </operator>
        </operator>
      </operator>
    </process>
  </definition>
  <description>
    <name>STOP DJVU Process</name>
    <explanation>This is the STOP DJVU encryption process. This file is the payload dropper for the STOP DJVU ransomware encryption process.</explanation>
    <maliciousCauses></maliciousCauses>
    <category>Default</category>
    <recommendedActions>[remediation:kill] [remediation:block]</recommendedActions>
  </description>
  <actions>
    <action name="BlockProcessExecutable" />
    <action name="BlockParentProcessExecutable" />
    <action name="CleanAndBlockProcessExecutable" />
  </actions>
</rule>
The second one blocks the process when this command is executed:
command: icacls "C:\Users\mike\AppData\Local\a8d875e5-2268-43a5-84ee-71bb510ca522\" /deny *S-1-1-0:(OI)(CI)(DE,DC)
So I created this:
<?xml version="1.0" encoding="utf-8"?>
<rule>
  <severity>warning</severity>
  <definition>
    <process>
      <operator type="AND">
        <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="icacls" />
        <condition component="ProcessInfo" property="CommandLine" condition="contains" value="deny *S-1-1-0:(OI)(CI)(DE,DC)" />
      </operator>
    </process>
  </definition>
  <description>
    <name>STOP DJVU icacls Process</name>
    <explanation>This is the STOP DJVU process using the icacls process.</explanation>
    <maliciousCauses></maliciousCauses>
    <category>Default</category>
    <recommendedActions>[remediation:kill] [remediation:block]</recommendedActions>
  </description>
  <actions>
    <action name="BlockProcessExecutable" />
    <action name="BlockParentProcessExecutable" />
  </actions>
</rule>
The third one creates a registry key with this data:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper
data: "C:\Users\mike\AppData\Local\a8d875e5-2268-43a5-84ee-71bb510ca522\701fd32c8bd585ae93d7e2d6.exe" --AutoStart
But I still don't know how to create that one.
My questions are:
- Is the rule set effective against STOP DJVU ransomware? If not, is there another way?
- How do I create a rule for the registry key in the third case for the DJVU process?
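Added example, not from the post above and not ESET code: a small Python evaluator that parses the process definition of the two EEI rules posted above (definition parts only, embedded as strings) and runs them against constructed process events, so the reader can check which conditions actually gate a match before deploying the rules. The event attribute names mirror the rule's component/property pairs; that EEI compares strings case-insensitively, and that a missing attribute counts as a non-match, are assumptions of this evaluator, not documented EEI behaviour.

```python
import xml.etree.ElementTree as ET

# Rule 1 from the post (definition only; description/actions omitted).
STOP_DJVU_PROCESS_RULE = """<rule>
<definition><process>
<operator type="AND">
  <condition component="FileItem" property="Extension" condition="is" value="exe" />
  <operator type="AND">
    <condition component="ProcessInfo" property="CommandLine" condition="contains" value="--Admin IsNotAutoStart IsNotTask" />
    <operator type="OR">
      <condition component="ProcessInfo" property="CommandLine" condition="contains" value="--Admin" />
      <condition component="ProcessInfo" property="CommandLine" condition="contains" value="IsNotAutoStart" />
      <condition component="ProcessInfo" property="CommandLine" condition="contains" value="IsNotTask" />
      <operator type="AND">
        <condition component="LiveGrid" condition="less" property="Reputation" value="8" />
        <condition component="Module" condition="isnot" property="SignatureType" value="Trusted" />
        <condition component="Enterprise" condition="isnot" property="Safe" value="1" />
      </operator>
    </operator>
  </operator>
</operator>
</process></definition>
</rule>"""

# Rule 2 from the post (icacls deny-all on the ransomware working directory).
STOP_DJVU_ICACLS_RULE = """<rule>
<definition><process>
<operator type="AND">
  <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="icacls" />
  <condition component="ProcessInfo" property="CommandLine" condition="contains" value="deny *S-1-1-0:(OI)(CI)(DE,DC)" />
</operator>
</process></definition>
</rule>"""


def _condition_holds(cond, event):
    """Evaluate one <condition>. Assumption: case-insensitive string matching."""
    actual = event.get(f'{cond.get("component")}.{cond.get("property")}')
    if actual is None:  # attribute absent from the event: treat as non-match (assumption)
        return False
    op, expected = cond.get("condition"), cond.get("value")
    if op == "is":
        return str(actual).lower() == expected.lower()
    if op == "isnot":
        return str(actual).lower() != expected.lower()
    if op == "contains":
        return expected.lower() in str(actual).lower()
    if op == "less":
        return int(actual) < int(expected)
    raise ValueError(f"unsupported condition type: {op}")


def _operator_holds(node, event):
    """Recursively evaluate an <operator type="AND|OR"> node over its children."""
    results = [
        _operator_holds(child, event) if child.tag == "operator" else _condition_holds(child, event)
        for child in node
    ]
    if node.get("type") == "AND":
        return all(results)
    if node.get("type") == "OR":
        return any(results)
    raise ValueError(f"unsupported operator type: {node.get('type')}")


def rule_matches(rule_xml, event):
    """True if the rule's process definition matches the given event."""
    root = ET.fromstring(rule_xml)
    return _operator_holds(root.find("./definition/process/operator"), event)


# Constructed sample events (not real telemetry), keyed "Component.Property".
STOP_DJVU_DROPPER = {
    "FileItem.Extension": "exe",
    "ProcessInfo.CommandLine": r'"C:\Users\mike\AppData\Local\Temp\701fd32c8bd585ae93d7e2d6.exe" --Admin IsNotAutoStart IsNotTask',
    "LiveGrid.Reputation": 2,
    "Module.SignatureType": "Unsigned",
    "Enterprise.Safe": 0,
}
SIGNED_INSTALLER = {  # a trusted installer that also happens to use an --Admin switch
    "FileItem.Extension": "exe",
    "ProcessInfo.CommandLine": r'"C:\Program Files\Vendor\setup.exe" --Admin',
    "LiveGrid.Reputation": 9,
    "Module.SignatureType": "Trusted",
    "Enterprise.Safe": 1,
}
STOP_DJVU_ICACLS = {
    "FileItem.FileNameWithoutExtension": "icacls",
    "ProcessInfo.CommandLine": r'icacls "C:\Users\mike\AppData\Local\a8d875e5-2268-43a5-84ee-71bb510ca522\" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
}
ADMIN_ICACLS = {  # an administrator granting read access, not a deny-all
    "FileItem.FileNameWithoutExtension": "icacls",
    "ProcessInfo.CommandLine": r"icacls C:\Share /grant Users:(OI)(CI)R",
}

if __name__ == "__main__":
    for name, ev in [("dropper", STOP_DJVU_DROPPER), ("installer", SIGNED_INSTALLER)]:
        print(name, rule_matches(STOP_DJVU_PROCESS_RULE, ev))
    for name, ev in [("djvu icacls", STOP_DJVU_ICACLS), ("admin icacls", ADMIN_ICACLS)]:
        print(name, rule_matches(STOP_DJVU_ICACLS_RULE, ev))
```

Running the evaluator shows that in rule 1 the outer AND already requires the full "--Admin IsNotAutoStart IsNotTask" string, so the nested OR (and the reputation/signature branch inside it) never decides the outcome on its own; tightening or loosening the rule means changing that one `contains` condition.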
-
18 hours ago, MFKDGAF said:
I have a static group called Workstations with 3 computers in it that are on 3 different subnets. Under the static Workstations group I have 3 dynamic groups based on their subnet, as follows. However, the dynamic template is not working for the Remote Systems dynamic group.
-Workstations
-Office 1
-Office 2
-Remote Systems
Office 1's dynamic template is:
Operation AND
Network IP addresses . IP subnetwork = (equal) 192.168.1.0
Office 2's dynamic template is:
Operation AND
Network IP addresses . IP subnetwork = (equal) 192.168.2.0
Remote Systems' dynamic template is:
Operation NOR
Network IP addresses . IP subnetwork = (equal) 192.168.1.0
Network IP addresses . IP subnetwork = (equal) 192.168.2.0
ESET PROTECT (Server), Version 8.1 (8.1.2209.0)
ESET PROTECT (Web Console), Version 8.1 (8.1.221.0)
CentOS (64-bit), Version 7.9.2009
Any ideas why the dynamic group template for Remote Systems would not be working?
Would there be a better way to approach this?
You could try this:
Office 1:
Operation AND (if there are 2 subnetworks in office 1, then I suggest using OR)
Network IP addresses . IP subnetwork contains 192.168.1.
Office 2:
Operation AND (if there are 2 subnetworks in office 2, then I suggest using OR)
Network IP addresses . IP subnetwork contains 192.168.2.
Remote:
Operation NAND
Network IP addresses . IP subnetwork contains 192.168.1.
Network IP addresses . IP subnetwork contains 192.168.2.
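Added example, not from either post above and not ESET code: a Python evaluation of the four dynamic group template operations against constructed hosts, so the reader can see which hosts the Office 1, Office 2 and Remote templates above would select. The Remote template is evaluated both with NAND (as suggested) and with NOR (as in the original question). The operation semantics (AND: all conditions true; OR: at least one true; NAND: at least one false; NOR: all false) are as described in the ESET PROTECT dynamic group template help; that the agent reports "IP subnetwork" as a plain string such as 192.168.1.0 is an assumption.

```python
# Operation semantics as described in the ESET PROTECT dynamic group template help:
#   AND  - all conditions true       OR  - at least one condition true
#   NAND - at least one false        NOR - all conditions false
def combine(operation, results):
    results = list(results)
    if operation == "AND":
        return all(results)
    if operation == "OR":
        return any(results)
    if operation == "NAND":
        return not all(results)
    if operation == "NOR":
        return not any(results)
    raise ValueError(f"unknown operation {operation!r}")


def subnet_contains(fragment):
    """'Network IP addresses . IP subnetwork contains <fragment>' as a substring test
    over every subnet the host reports (a host may have more than one NIC)."""
    return lambda host: any(fragment in net for net in host["subnets"])


def evaluate_template(template, host):
    """A template is (operation, [condition, ...]); each condition maps host -> bool."""
    operation, conditions = template
    return combine(operation, (cond(host) for cond in conditions))


TEMPLATES = {
    "Office 1": ("AND", [subnet_contains("192.168.1.")]),
    "Office 2": ("AND", [subnet_contains("192.168.2.")]),
    "Remote (NAND)": ("NAND", [subnet_contains("192.168.1."), subnet_contains("192.168.2.")]),
    "Remote (NOR)": ("NOR", [subnet_contains("192.168.1."), subnet_contains("192.168.2.")]),
}

# Constructed hosts; "subnets" stands in for what the agent reports as IP subnetwork.
HOSTS = {
    "office1-pc": {"subnets": ["192.168.1.0"]},
    "office2-pc": {"subnets": ["192.168.2.0"]},
    "office1-dual-nic": {"subnets": ["192.168.1.0", "192.168.10.0"]},
    "remote-laptop": {"subnets": ["10.8.0.0"]},
}


def group_membership(host):
    """Which of the templates a host satisfies, by template name."""
    return {name: evaluate_template(t, host) for name, t in TEMPLATES.items()}


if __name__ == "__main__":
    for name, host in HOSTS.items():
        print(f"{name:18}", group_membership(host))
```

The output shows that NAND over two conditions is true whenever either condition is false, so hosts on the office subnets satisfy the Remote (NAND) template as well; NOR is the operation that is true only for hosts on neither subnet. The "192.168.1." fragment with its trailing dot also keeps 192.168.10.0 out of Office 1, which is why the dual-NIC host lands only where expected.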
-
Does the ESMC or ESET PROTECT API integrate with IBM SOAR?
Is there any guidance for this, if ESMC or ESET PROTECT can integrate with it?
ACT.0 when trying to activate the license
in ESET Endpoint Products
Is our public IP getting blocked? When does the IP usually get unblocked?