Posts posted by hari.senen

  1. Suddenly our PC can't activate the license.

    And I tested on another machine with the license already activated, but just changed the license and used EBA login to switch the license owner.

    We are using a Squid proxy for activation when this happens.

    I want to attach the diagnostic log but the size is 250 MB.

     

  2. Suddenly there's another uploader in my friend's YouTube account channel who knows his username and password, and when he checks his Google mail there's another warning about a suspicious login from his PC, even after changing the username and password every time.

    Tried scanning with ESET but nothing was found.

    Tried Malwarebytes; there was a detection, but after a restart there's another detection of it even after quarantining it.

    How to resolve this issue and find the malware?

    I attach the log collector output and the log file from Malwarebytes.

    eea_logs (1).zip malware-2.txt

  3. I tried to duplicate the report "Computers encrypted with ESET Full Disk Encryption" from the Full Disk Encryption built-in template, but I get an "inconsistent filter data" report in the filter section.

    Is there a way to duplicate it without the error, or is this a bug?

     

     

    ESET PROTECT (Server), Version 10.0 (10.0.2133.0)
    ESET PROTECT (Web Console), Version 10.0 (10.0.132.0)


  4. 5 minutes ago, Kstainton said:

    Hi @hari.senen,

    You followed what we would suggest if you had submitted a case with us. If Windows has gone into Automatic Repair, you need to decrypt the Workstation in order to allow Windows access to the data and repair where required.

    I am afraid I couldn't tell you why the machine had gone into Windows Automatic Repair; there are a few things that could cause this. I understand you have now reinstalled from a backup and we would no longer be able to collect any useful logs from the machine to provide you with more context.

    I would have to advise you submit a ticket with us if this happens again: https://www.eset.com/int/support/contact/ as hopefully then we can shed more light on this for you.

    Thank you,

    Kieran

     

     

     

    Yes, we tried to decrypt using the recovery data from the console as suggested in https://help.eset.com/efde/en-US/recovery_data.html, but the result is "no disk encrypted"; that's why there's the option to fix the MBR like this https://support.eset.com/en/kb7174-repair-the-full-disk-encryption-master-boot-record-using-the-recovery-tool from the ESET Recovery Media Creator tool, but it didn't succeed. We tried to use hxxp://support.microsoft.com/en-us/kb/927392 but get access denied when using the bootrec /fixboot command.

    Anyway, when we encounter this issue again, is there a way to get the log, or should we just contact support?

  5. We have a problem with EFDE.

    One of our laptops uses EFDE. When EFDE started to encrypt, the user felt the laptop become slow and tried to restart (according to the console, this user had encrypted less than 10% of the disk before the restart).

    Then the problem came up. After EFDE pre-boot authentication the laptop started to diagnose Windows, didn't succeed, and went back to pre-boot authentication. After successful pre-boot authentication, Windows shows "Automatic Repair couldn't repair your PC" and always shows this when we try to restart.

    We tried using the recovery data (efderecovery.dat generated from the console) but it says no disk encrypted.

    Tried to fix the MBR from the bootable USB with efderecovery.dat, still got the same error.

    Used the Windows 10 ISO as suggested but got access denied when using bootrec /fixboot.

    Fortunately the data was already backed up on an external device, and we decided to reinstall as the user really needed the laptop back.

    My question is, how did this happen? Is it possibly because of EFDE?

    What should we do when this situation happens again on another laptop?

  6. Got the same problem.

    When I look into the Apache HTTP Proxy (still not using ESET Bridge), the bootstrapper epi.exe request gets answers 503 and 502 instead of 200, so the console can't download the package installer before the epi download succeeds.

     

    [29/Dec/2022:13:17:36 +0700] "GET hxxp://repository.eset.com:80/v1//com/eset/tools/installers/bootstrapper_era/metadata3 HTTP/1.1" 302 95 "-" "ERA Server Update (Linux; A; 64bit; BPC 10.0.2133.0; OSR 3.10.0-1160.76.1.el7.x86_64; APP era; HWF: 01002550-2055-6328-2C47-14DAC3CFE4C7; PLOC en_US; PCODE 901.0.0; PX 1)"
    
    [29/Dec/2022:13:17:36 +0700] "GET hxxp://repositorynocdn.eset.com:80/v1/com/eset/tools/installers/bootstrapper_era/metadata3.default HTTP/1.1" 200 73920 "-" "ERA Server Update (Linux; A; 64bit; BPC 10.0.2133.0; OSR 3.10.0-1160.76.1.el7.x86_64; APP era; HWF: 01002550-2055-6328-2C47-14DAC3CFE4C7; PLOC en_US; PCODE 901.0.0; PX 1)"
    
    [29/Dec/2022:13:17:36 +0700] "GET hxxp://repository.eset.com:80/v1/com/eset/tools/installers/bootstrapper_era/v4/4.2.4.0/epi.exe.eula/manifest.erm HTTP/1.1" 200 7682 "-" "ERA Server Update (Linux; A; 64bit; BPC 10.0.2133.0; OSR 3.10.0-1160.76.1.el7.x86_64; APP era; HWF: 01002550-2055-6328-2C47-14DAC3CFE4C7; PLOC en_US; PCODE 901.0.0; PX 1)"
    
    [29/Dec/2022:13:17:48 +0700] "GET hxxp://repository.eset.com:80/v1/com/eset/tools/installers/bootstrapper_era/v4/4.2.4.0/epi.exe HTTP/1.1" 503 6799 "-" "ERA Server Update (Linux; A; 64bit; BPC 10.0.2133.0; OSR 3.10.0-1160.76.1.el7.x86_64; APP era; HWF: 01002550-2055-6328-2C47-14DAC3CFE4C7; PLOC en_US; PCODE 901.0.0; PX 1)"
    
    [29/Dec/2022:13:18:05 +0700] "GET hxxp://repository.eset.com:80/v1/com/eset/tools/installers/bootstrapper_era/v4/4.2.4.0/epi.exe HTTP/1.1" 502 576 "-" "ERA Server Update (Linux; A; 64bit; BPC 10.0.2133.0; OSR 3.10.0-1160.76.1.el7.x86_64; APP era; HWF: 01002550-2055-6328-2C47-14DAC3CFE4C7; PLOC en_US; PCODE 901.0.0; PX 1)"
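
    Added example, not from the post or from ESET: a Python triage over access-log lines in the shape shown above (constructed here from the post's lines, with the user-agent shortened and hosts kept defanged as "hxxp"), grouping requests by URL and reporting which objects never came back with anything but a 5xx.

```python
import re
from collections import defaultdict

# Matches the access-log shape shown in the post:
# [time] "METHOD URL PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')

# Constructed sample lines modelled on the post (hosts kept defanged as "hxxp", agent shortened).
SAMPLE_LOG = """\
[29/Dec/2022:13:17:36 +0700] "GET hxxp://repository.eset.com:80/v1//com/eset/tools/installers/bootstrapper_era/metadata3 HTTP/1.1" 302 95 "-" "ERA Server Update"
[29/Dec/2022:13:17:36 +0700] "GET hxxp://repositorynocdn.eset.com:80/v1/com/eset/tools/installers/bootstrapper_era/metadata3.default HTTP/1.1" 200 73920 "-" "ERA Server Update"
[29/Dec/2022:13:17:36 +0700] "GET hxxp://repository.eset.com:80/v1/com/eset/tools/installers/bootstrapper_era/v4/4.2.4.0/epi.exe.eula/manifest.erm HTTP/1.1" 200 7682 "-" "ERA Server Update"
[29/Dec/2022:13:17:48 +0700] "GET hxxp://repository.eset.com:80/v1/com/eset/tools/installers/bootstrapper_era/v4/4.2.4.0/epi.exe HTTP/1.1" 503 6799 "-" "ERA Server Update"
[29/Dec/2022:13:18:05 +0700] "GET hxxp://repository.eset.com:80/v1/com/eset/tools/installers/bootstrapper_era/v4/4.2.4.0/epi.exe HTTP/1.1" 502 576 "-" "ERA Server Update"
"""

def parse_line(line):
    """Return a dict with time/method/url/status, or None when the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def fetch_outcomes(log_text):
    """Group requests by URL: {url: [status codes in log order]}."""
    outcomes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            outcomes[rec["url"]].append(rec["status"])
    return dict(outcomes)

def never_succeeded(log_text):
    """URLs whose every attempt ended in a 5xx, i.e. the proxy never delivered the object.
    2xx is success; 3xx (the metadata3 redirect above) is a step, not a failure."""
    return sorted(url for url, codes in fetch_outcomes(log_text).items()
                  if all(code >= 500 for code in codes))
```

    Run against the sample, only the epi.exe URL is reported, which is the object the console needs before it can fetch the installer package.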

     

  7. I've seen there's a data limit configuration in the agent policy.

    If this data limit is implemented, will it only affect the logs sent by the agent to the console?

    Or does it affect the policies sent from the console as a whole, along with the logs from the agent to the ESET console?

    Because I didn't find more information about this configuration.

     

  8. 18 minutes ago, Marcos said:

    The server is overloaded. Please open a support ticket for assistance with further investigation.

    We already opened a ticket with our local support. They suggested increasing the file limit and using their database tuning suggestions, but the problem still exists. Is there anyone we can contact via support ticket besides the local support for this issue?

     

  9. We have a problem in our client's ESET Protect Server.

    The agent shows: [screenshot]

    Our server is:

    ESET Protect Dell R430
    OS : Centos 7
    RAM : 32GB
    CPU : Xeon E5-2630 v4 2.2GHz
    HDD : 2x600GB

    ethernet : 2

    ESET server version : latest version 9

    Mysql ESET Database : Dell R440
    OS : centos 7
    RAM : 16GB
    CPU : Xeon Bronze 3204
    HDD : 1TB

    ethernet : 2

     

    which handles 15,000 clients at a 55-minute agent interval with a 100 MB data limit; the server and database themselves are on a separate Ethernet from the one the endpoint users connect to. We noticed this issue after checking the update report and the real condition on the users themselves. The replication doesn't use a proxy; the proxy is only used to connect to ESET services in the cloud (LiveGrid, update, EPNS, etc.).

    We already increased the limit file on eraserver.service but the problem still exists.

    Is there a way to fix this problem?

     

     

  10. Change

    ProxyPass / https://internalservername.domain:2222
    ProxyPassReverse / https://internalservername.domain:2222

    to 

    ProxyPass / https://r.edtd.eset.com/ timeout=300 keepalive=On ttl=100 max=100 smax=10
    ProxyPassReverse / hxxp://r.edtd.eset.com/ keepalive=On

    Use ProxyRemote when you want to forward requests from a branch site to the main site.

    Change from

    <VirtualHost *:3128>
        ProxyRequests On
    </VirtualHost>

    to

    <VirtualHost *:3128>
        ProxyRequests On
        ProxyRemote * hxxp://YOUR_MAIN_IP_ESET_PROXY_OR_WEB_PROXY:3128
    </VirtualHost>

     

  11. Hello,

    I want to block STOP/DJVU using an EEI rule set.

    Let's say they're using this command:

    C:\Users\mike\AppData\Local\Temp\701fd32c8bd585ae93d7e2d6.exe\ --Admin IsNotAutoStart IsNotTask

    and the executable:

    C:\Users\mike\AppData\Local\Temp\701fd32c8bd585ae93d7e2d6.exe

    Maybe the C:\Users\mike\AppData\Local\Temp\701fd32c8bd585ae93d7e2d6.exe name is random.

    So I created the rule set like this:

     

    <?xml version="1.0" encoding="utf-8"?>
    <rule>
        <severity>warning</severity>
        <definition>
            <process>
                <operator type="AND">
                    <condition component="FileItem" property="Extension" condition="is" value="exe" />
                    <operator type="AND">
                        <condition component="ProcessInfo" property="CommandLine" condition="contains" value="--Admin IsNotAutoStart IsNotTask" />
                        <operator type="OR">
                            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="--Admin" />
                            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="IsNotAutoStart" />
                            <condition component="ProcessInfo" property="CommandLine" condition="contains" value="IsNotTask" />
                            <operator type="AND">
                                <condition component="LiveGrid" condition="less" property="Reputation" value="8" />
                                <condition component="Module" condition="isnot" property="SignatureType" value="Trusted" />
                                <condition component="Enterprise" condition="isnot" property="Safe" value="1" />
                            </operator>
                        </operator>
                    </operator>
                </operator>
            </process>
        </definition>
        <description>
            <name>STOP DJVU Process</name>
            <explanation>
                This is stop djvu encryption process. This file is payload dropper for encryption process STOP DJVU Ransomware.
            </explanation>
            <maliciousCauses>
            </maliciousCauses>
            <category>
                Default
            </category>
            <recommendedActions>
                 [remediation:kill]
                 [remediation:block] 
            </recommendedActions>
        </description>
        <actions>
            <action name="BlockProcessExecutable" />
            <action name="BlockParentProcessExecutable" />
            <action name="CleanAndBlockProcessExecutable" />
        </actions>
    </rule>

     

    The second one blocks the process when this command is executed:

    command:icacls \C:\Users\mike\AppData\Local\a8d875e5-2268-43a5-84ee-71bb510ca522\ /deny *S-1-1-0:(OI)(CI)(DE,DC)
    command:icacls \C:\Users\mike\AppData\Local\a8d875e5-2268-43a5-84ee-71bb510ca522\ /deny *S-1-1-0:(OI)(CI)(DE,DC)

    So I created this:

    <?xml version="1.0" encoding="utf-8"?>
    <rule>
        <severity>warning</severity>
        <definition>
            <process>
                <operator type="AND">
                    <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="icacls" />
                    <condition component="ProcessInfo" property="CommandLine" condition="contains" value="deny *S-1-1-0:(OI)(CI)(DE,DC)" />
                </operator>
            </process>
        </definition>
        <description>
            <name>STOP DJVU icacls Process</name>
            <explanation>
                This is stop djvu process use icacls process
            </explanation>
            <maliciousCauses>
            </maliciousCauses>
            <category>
                Default
            </category>
            <recommendedActions>
                 [remediation:kill]
                 [remediation:block] 
            </recommendedActions>
        </description>
        <actions>
            <action name="BlockProcessExecutable" />
            <action name="BlockParentProcessExecutable" />
        </actions>
    </rule>

    And the third one creates a registry key with this data:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper


     

    data:\C:\Users\mike\AppData\Local\a8d875e5-2268-43a5-84ee-71bb510ca522\701fd32c8bd585ae93d7e2d6.exe\ --AutoStart

    But I still don't know how to create it.

    My questions are:

    1. Is the rule set effective for STOP/DJVU ransomware? If not, is there another way?
    2. How to create a rule set for the registry in the third one for the DJVU process?
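
    Added example, not part of the post or of ESET Inspect: a Python evaluator for the condition tree of the first rule above, run against constructed process events. The event dict layout and the comparison semantics for is/isnot/contains/less are assumptions made for this example, not the EEI event schema.

```python
OPS = {"is": lambda a, v: a == v, "isnot": lambda a, v: a != v,
       "contains": lambda a, v: v in a, "less": lambda a, v: a < v}

def evaluate(node, event):
    """Evaluate an ("AND"|"OR", [children]) node or a (component, property, condition, value) leaf."""
    if node[0] in ("AND", "OR"):
        results = [evaluate(child, event) for child in node[1]]
        return all(results) if node[0] == "AND" else any(results)
    component, prop, cond, value = node
    return OPS[cond](event[component][prop], value)

# The first rule's <definition> from the post, transcribed node for node.
RULE1 = ("AND", [
    ("FileItem", "Extension", "is", "exe"),
    ("AND", [
        ("ProcessInfo", "CommandLine", "contains", "--Admin IsNotAutoStart IsNotTask"),
        ("OR", [
            ("ProcessInfo", "CommandLine", "contains", "--Admin"),
            ("ProcessInfo", "CommandLine", "contains", "IsNotAutoStart"),
            ("ProcessInfo", "CommandLine", "contains", "IsNotTask"),
            # Never decisive: when the outer "contains" holds, the "--Admin" leaf holds too.
            ("AND", [
                ("LiveGrid", "Reputation", "less", 8),
                ("Module", "SignatureType", "isnot", "Trusted"),
                ("Enterprise", "Safe", "isnot", 1),
            ]),
        ]),
    ]),
])

def make_event(path, cmdline, reputation=9, signature="Trusted", safe=1):
    """Constructed event in the shape evaluate() expects (not the real EEI schema)."""
    return {"FileItem": {"Extension": path.rsplit(".", 1)[-1].lower()},
            "ProcessInfo": {"CommandLine": cmdline},
            "LiveGrid": {"Reputation": reputation},
            "Module": {"SignatureType": signature},
            "Enterprise": {"Safe": safe}}

# Constructed samples; the first mirrors the command line quoted in the post.
EXE = r"C:\Users\mike\AppData\Local\Temp\701fd32c8bd585ae93d7e2d6.exe"
SAMPLES = {
    "djvu_like": make_event(EXE, f'"{EXE}" --Admin IsNotAutoStart IsNotTask', 2, "None", 0),
    "trusted_same_switches": make_event(r"C:\vendor\tool.exe",
                                        r'"C:\vendor\tool.exe" --Admin IsNotAutoStart IsNotTask'),
    "admin_only": make_event(r"C:\tools\setup.exe", r'"C:\tools\setup.exe" --Admin'),
}

def matches(name):
    """True when RULE1 would fire on the named constructed sample."""
    return evaluate(RULE1, SAMPLES[name])
```

    Because the OR branch is already satisfied by the outer "contains" leaf, the rule fires on any .exe carrying the full switch string regardless of LiveGrid reputation or signature, and not on an .exe carrying only "--Admin".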
  12. 18 hours ago, MFKDGAF said:

    I have a static group called Workstations with 3 computers in them that are on 3 different subnets. Under the static Workstations group I have 3 dynamic groups based on their subnet as follows. However, the dynamic template is not working for the Remote Systems dynamic group.

    -Workstations

         -Office 1

         -Office 2

         -Remote Systems

     

    Office 1's dynamic template is:

    Operation AND

         Network IP addresses . IP subnetwork = (equal) 192.168.1.0

     

    Office 2's dynamic template is:

    Operation AND

         Network IP addresses . IP subnetwork = (equal) 192.168.2.0

     

    Remote Systems' dynamic template is:

    Operation NOR

         Network IP addresses . IP subnetwork = (equal) 192.168.1.0

         Network IP addresses . IP subnetwork = (equal) 192.168.2.0

     

    ESET PROTECT (Server), Version 8.1 (8.1.2209.0)
    ESET PROTECT (Web Console), Version 8.1 (8.1.221.0)

    CentOS (64-bit), Version 7.9.2009

     

    Any ideas why the dynamic group template for Remote Systems would not be working?

    Would there be a better way to approach this?

    You could try this:

     

    Office 1:

    Operation AND (if there are 2 subnetworks in office 1, then I suggest using OR)

      Network IP addresses . IP subnetwork contains 192.168.1.

     

    Office 2:

    Operation AND (if there are 2 subnetworks in office 2, then I suggest using OR)

      Network IP addresses . IP subnetwork contains 192.168.2.

     

    Remote:

    Operation NAND

    Network IP addresses . IP subnetwork contains 192.168.1.

    Network IP addresses . IP subnetwork contains 192.168.2.
