abbotti
Everything posted by abbotti

  1. Thanks for the clue! Enabling MAC address spoofing makes a difference. I have a VM running the CentOS ERA v6 server appliance and another VM running Ubuntu 14.04 with a component installation of ERA. I have turned on MAC Address Spoofing on both. The trace.log on both VMs now shows 9 probes out of 12 returning for a typical Windows 7 desktop machine, or 8 out of 12 for a Linux Samba server, and the machines are now showing up as rogue computers on the ERA web interface. Thanks again for your help! (Now I just need to work out what to do with them!)

     For the curious, MAC address spoofing can be enabled on the VM under Hyper-V using this PowerShell command:

         Set-VMNetworkAdapter -VMName MyVM -MacAddressSpoofing On
  2. I also tried using an unsupported locale (en-GB in my case) the first time I installed the appliance, so having them documented would be good. Here are a couple of other things I found useful:

     If installed under Hyper-V, run:

         yum install hyperv-daemons

     to make keyboard input behave properly in the Hyper-V RDP session to the Linux text console. Otherwise it's a bit random whether a character typed on the keyboard gets seen by the Linux kernel. (This seems to be a problem with Linux on Hyper-V in general - it's even worse on systems where there is no feedback when typing a password!)

     Set the time-zone to make the date and time strings in the logs more relevant to your location. This is controlled by the /etc/localtime file, which can be a copy of, or a symlink to, one of the time-zone files in /usr/share/zoneinfo. In my case, I used a symlink to the Europe/London time-zone file as follows:

         ln -snf /usr/share/zoneinfo/Europe/London /etc/localtime

     There is also a time-zone name stored in the /etc/sysconfig/clock file on the line beginning "ZONE=". I edited that to use the same time-zone name. (I think it is used by CentOS's "system-config-date" utility, which isn't installed by default in the ERA appliance, but can be installed using yum. It has quite a few dependencies though, so probably not worth it.)
  3. I have been struggling to get rogue computer detection working with the ERA v6 virtual appliance on Hyper-V. I have been looking at the logs in /var/log/eset/RogueDetectionSensor/trace.log to try and figure it out. The first problem was a lot of errors similar to this:

         2015-07-03 09:34:27 Trace: OSDetector: 10.0.0.182 [Thread 7f0460dfa700]: Port number: 139 is closed. Failed with error: Permission denied. System error code: 13
         2015-07-03 09:34:27 Trace: OSDetector: 10.0.0.182 [Thread 7f0460dfa700]: Port number: 22 is closed. Failed with error: Permission denied. System error code: 13

     That looked like an SELinux problem. The SELinux violations are logged in /var/log/audit/audit.log:

         type=AVC msg=audit(1435917536.372:13): avc: denied { getopt } for pid=1454 comm="RDSensor" laddr=10.0.0.8 lport=54633 faddr=10.0.0.182 fport=139 scontext=system_u:system_r:rdsensor_t:s0 tcontext=system_u:system_r:rdsensor_t:s0 tclass=tcp_socket

     I tried reinstalling the RDSensor by logging into a terminal as root and running eset_installers/RDSensor.sh. That reinstalled (and restarted) RDSensor along with its SELinux policies, but it didn't seem to help. To get rid of the "Permission denied" errors, I had to disable SELinux by editing /etc/selinux/config and changing it to "permissive" mode and then reboot the system. ("permissive" mode still logs the SELinux violations in /var/log/audit/audit.log, but ignores the violations.) Unfortunately, the rogue computer detection still does not work.

     Here is an example of it attempting to scan a Windows 7 machine:

         2015-07-03 09:59:04 Trace: PC Detection [Thread 7f0df1009700]: Computer with IPv4: 10.0.0.181
         2015-07-03 09:59:44 Trace: CNetStat [Thread 7f0de21fc700]: Computer with IP: 10.0.0.181 has Netbios computer name W7-DAVE
         2015-07-03 09:59:44 Trace: CNetStat [Thread 7f0de21fc700]: ip with: 10.0.0.181 resolved to: W7-DAVE.redacted.domain
         2015-07-03 09:59:45 Trace: CNMapOSDetect [Thread 7f0de21fc700]: Starting OS detection on IP : 10.0.0.181
         2015-07-03 09:59:45 Trace: OSDetector: 10.0.0.181 [Thread 7f0de21fc700]: Port number: 139 is opened
         2015-07-03 09:59:45 Information: OSDetector: 10.0.0.181 [Thread 7f0de21fc700]: Sending probes and waiting for responses
         2015-07-03 09:59:45 Trace: OSDetector: 10.0.0.181 [Thread 7f0de21fc700]: Using adapter: eth0
         2015-07-03 09:59:45 Trace: OSDetector: 10.0.0.181 [Thread 7f0de21fc700]: Filter Compile string is: "ip src host 10.0.0.181"
         2015-07-03 09:59:45 Debug: OSDetector: 10.0.0.181 [Thread 7f0de21fc700]: Sending probe id: 0
         2015-07-03 09:59:45 Debug: OSDetector: 10.0.0.181 [Thread 7f0de21fc700]: Sending probe id: 1
         2015-07-03 09:59:45 Debug: OSDetector: 10.0.0.181 [Thread 7f0de21fc700]: Sending probe id: 2
         2015-07-03 09:59:45 Debug: OSDetector: 10.0.0.181 [Thread 7f0de21fc700]: Sending probe id: 3
         2015-07-03 09:59:45 Debug: OSDetector: 10.0.0.181 [Thread 7f0de21fc700]: Sending probe id: 4
         2015-07-03 09:59:46 Debug: OSDetector: 10.0.0.181 [Thread 7f0de21fc700]: Sending probe id: 5
         2015-07-03 09:59:46 Debug: OSDetector: 10.0.0.181 [Thread 7f0de21fc700]: Sending probe id: 6
         2015-07-03 09:59:46 Debug: OSDetector: 10.0.0.181 [Thread 7f0de21fc700]: Sending probe id: 7
         2015-07-03 09:59:46 Debug: OSDetector: 10.0.0.181 [Thread 7f0de21fc700]: Sending probe id: 8
         2015-07-03 09:59:46 Debug: OSDetector: 10.0.0.181 [Thread 7f0de21fc700]: Sending probe id: 9
         2015-07-03 09:59:46 Debug: OSDetector: 10.0.0.181 [Thread 7f0de21fc700]: Sending probe id: 10
         2015-07-03 09:59:46 Debug: OSDetector: 10.0.0.181 [Thread 7f0de21fc700]: Sending probe id: 11
         2015-07-03 09:59:46 Debug: OSDetector: 10.0.0.181 [Thread 7f0de21fc700]: Catching replies
         2015-07-03 09:59:51 Debug: OSDetector: 10.0.0.181 [Thread 7f0de21fc700]: Time is up!
         2015-07-03 09:59:51 Debug: OSDetector: 10.0.0.181 [Thread 7f0de21fc700]: 0 returned probes out of 12
         2015-07-03 09:59:51 Warning: CInfoWorker [Thread 7f0de21fc700]: Info Worker warning: OS Detection on 10.0.0.181 failed: Not enough probes returned
         2015-07-03 09:59:51 Trace: Basic Filter [Thread 7f0de21fc700]: Canceling machine: 10.0.0.181
         2015-07-03 09:59:53 Trace: Basic Filter [Thread 7f0df1009700]: 10.0.0.181:Machine is not known. Not Filtered

     I had the same problem with the failed OS detection probes when I tried a component installation of ERA v6 on an Ubuntu 14.04 server also running on Hyper-V.
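An added example (not part of abbotti's posts or of ESET's tooling): a small Python script that parses trace.log lines in the layout quoted in posts 1 and 3 and maps the two symptoms the thread describes (errno 13 on the sensor's port checks, and zero of twelve probes answered) to the two fixes it found (SELinux confinement of RDSensor, and MAC address spoofing being off on the Hyper-V vNIC). The sample lines are constructed to match the quoted excerpts; the regexes, the function names and the symptom-to-cause mapping are my assumptions, not ESET's.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the trace.log excerpts quoted in the posts.
SAMPLE_LOG = """\
2015-07-03 09:34:27 Trace: OSDetector: 10.0.0.182 [Thread 7f0460dfa700]: Port number: 139 is closed. Failed with error: Permission denied. System error code: 13
2015-07-03 09:34:27 Trace: OSDetector: 10.0.0.182 [Thread 7f0460dfa700]: Port number: 22 is closed. Failed with error: Permission denied. System error code: 13
2015-07-03 09:59:51 Debug: OSDetector: 10.0.0.181 [Thread 7f0de21fc700]: 0 returned probes out of 12
2015-07-03 09:59:51 Warning: CInfoWorker [Thread 7f0de21fc700]: Info Worker warning: OS Detection on 10.0.0.181 failed: Not enough probes returned
2015-07-03 10:30:12 Debug: OSDetector: 10.0.0.181 [Thread 7f0de21fc700]: 9 returned probes out of 12
2015-07-03 10:31:40 Debug: OSDetector: 10.0.0.183 [Thread 7f0de21fc700]: 0 returned probes out of 12
"""

# Regexes are my assumptions about the line layout, derived from the quoted excerpts.
PROBE_RE = re.compile(r"OSDetector: (\S+) \[Thread \w+\]: (\d+) returned probes out of (\d+)")
DENIED_RE = re.compile(r"OSDetector: (\S+) \[Thread \w+\]: Port number: (\d+) is closed\. "
                       r"Failed with error: Permission denied\. System error code: 13")
FAILED_RE = re.compile(r"OS Detection on (\S+) failed: (.+)$")

def analyse(log_text):
    """Per-IP summary: latest (returned, sent) probe count, ports hit by EACCES, failure reasons."""
    hosts = defaultdict(lambda: {"probes": None, "eacces_ports": [], "failures": []})
    for line in log_text.splitlines():
        if m := PROBE_RE.search(line):
            hosts[m.group(1)]["probes"] = (int(m.group(2)), int(m.group(3)))
        elif m := DENIED_RE.search(line):
            hosts[m.group(1)]["eacces_ports"].append(int(m.group(2)))
        elif m := FAILED_RE.search(line):
            hosts[m.group(1)]["failures"].append(m.group(2))
    return dict(hosts)

def diagnose(summary):
    """Map symptoms to the two causes the thread identified (my mapping, not ESET's):
    errno 13 on the sensor's own sockets -> SELinux confining RDSensor (see the AVC denial);
    0 of N probes answered with no EACCES -> MAC address spoofing off on the sensor VM (Hyper-V)."""
    hints = {}
    for ip, info in summary.items():
        returned, sent = info["probes"] or (None, None)
        if info["eacces_ports"]:
            hints[ip] = "errno 13 on ports %s: check SELinux AVC denials for rdsensor_t" % info["eacces_ports"]
        elif returned == 0:
            hints[ip] = "0/%d probes returned: check MAC address spoofing on the sensor VM" % sent
        elif returned is not None:
            hints[ip] = "ok: %d/%d probes returned" % (returned, sent)
        else:
            hints[ip] = "no OS-detection result logged"
    return hints
```

Point it at a real /var/log/eset/RogueDetectionSensor/trace.log by reading the file into `analyse()`; the hints only narrow down where to look, so confirm with audit.log and the vNIC setting as the posts describe.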