Georgi Stoychev

Members
  • Posts

    28
Everything posted by Georgi Stoychev

  1. Hello, We have several employees who travel often and from time to time, they connect to client networks. Recently, one of them connected to such a network and in our ESET Protect On-Prem console, we received multiple alerts from the Firewall module that a Security vulnerability exploitation attempt was detected on the endpoint. There is a high chance that this really was such an attempt, but our employee was not aware of this, and he said that he hasn't seen such a notification. Is there something we can do to show these notifications on the endpoints as well, since we couldn't find such an option in our console?
  2. We have already submitted the file on Friday, but we still haven't received a response.
  3. We observe that this file is being blocked as well - https://github.com/chocolatey-archive/chocolatey/blob/master/src/helpers/functions/Get-ChocolateyWebFile.ps1
  4. The signature of the file, which is being detected in our environment has signature 500E26623522A4EF037924832366675616E4D39F.
  5. Here is some additional info on this case: We've copied the code in a .txt file + running a manual scan - the file is "clean". When the file is renamed to .ps1 + running a manual scan - the file is "bad". When half of the code is in the .ps1 file (tried with both halves) + running manual scan - the file is "clean". I am attaching the problematic file in .txt format. get-chocolateywebfile 1.txt
  6. Hello, We are using Chocolatey in our corporate environment, and started to receive thousands of alerts about this file being malicious - "file:///C:/ProgramData/chocolatey/helpers/functions/Get-ChocolateyWebFile.ps1". For the moment, we have added an exclusion in our ESET Management Console, since we received about 1000+ alarms. Can you tell us how can we investigate further what could be the cause of it? It seems pretty serious.
  7. Hi Marcos, The old certificate was about to expire next month. We just restarted the server and we can see that the clients are connecting again.
  8. Hello, A couple of days ago, we changed our ESET Protect On-Prem server certificate, as it was about to expire, and the old certificate was revoked. Today we see that several computers, which were offline when we replaced the certificate, are not connecting to the server. We saw in the logs in "C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs" an error message "Error: Remote server peer certificate is not trusted by this agent. Details: NodVerifyCertificateChain failed: NodVerifyTrustResult: 42, NVT_NotTrusted, X509ChainStatus: 0x4, X509CSF_Revoked, certificate" We have a backup of the old server certificate, but would like to use the new one. Is there some step that we may have missed when we changed the old certificate? We haven't restarted the server after the change. Could that be the issue?
  9. Okay, thank you. This is the first occurrence of such an issue, since we are using ESET Protect (about 3 years), and we are not sure how we could reproduce it.
  10. Hi Marcos and thanks for the reply! Is there anything we should do on our side?
  11. Hello, One of our colleagues received an alert that the update information is not consistent and that he should restart his computer. After the restart, the following notification appeared: After a few minutes, we checked the ESET Protect console and there wasn't anything disturbing about that particular computer and the status was OK. What could be the cause of this issue and should we be worried about it?
  12. Hi Marcos, Thank you for the suggestion. This occurs with all of our machines. There are users logged in, each time such notification is received. This is the current configuration of the notification:
  13. Hello, I am not sure if this question has been asked already or not, but we would like to know if there is a way to populate the "User" and "Detection name" fields in the notifications that we receive via email? See the attached screenshot.
  14. Hi Marcos, Thanks for the quick response. It appears that there is also a free version of the aforementioned VPN - https://www.opera.com/features/free-vpn. We will raise a support ticket for that matter.
  15. Hi, We recently discovered that when Opera's built-in VPN is switched on, ESET is not blocking the websites that we have blocked in the ESET Protect Console. If the browser VPN is switched off, the Web control is working as expected. Do you have any suggestions what might be the cause for this behavior, since it's quite risky to allow the users to visit most of the blocked websites?
  16. Hi Marcos, Thank you for the quick response. As for your question - I will send you a private message to explain the situation.
  17. Hello, We would like to know what is the location of the log files, containing the output from the Run command task, and are they kept in our ESET Protect On-prem server. We need to examine the output in those logs for about 100 computers, and it's not quite convenient to go into Computers and click on Computer > Logs > Log collector > Download Log collector log.
  18. Hi all, Not sure if it's already discussed before, as I can't find anything in the forums, nor in the KB. So, is there a way to update the Agent on endpoint devices with Puppet when the peer certificate has expired, instead of using the GPO method, which is explained here? I am asking since the GPO method requires (at least with us) a couple of gpupdate /force runs and a couple of restarts of the client machines.
  19. Thanks, the second method also worked, when we've added "zip" in the list of blocked websites in Web control.
  20. Thank you! I guess it needed some time to apply on the client hosts. One more thing - is there a way to customize the message, which the user sees when the website is blocked?
  21. Hello, The last few days the subject of the new .zip, .mov, etc. domains is getting noisier and noisier, and we would like to know if it's possible to block those kinds of domains, especially .zip in ESET Protect. We tried to follow the instructions, which were given in this topic, but without success.
  22. Hello, We have enabled several notifications in our ESET Protect console, like ERA Alert for Firewall events, ERA Alert for Antivirus events, etc... The question is that when we receive a notification from the type "ERA Alert for Firewall events", the user field is empty, but the user is present in other notifications, such as "Malicious file detected". We've checked the configuration on several of the notification types and they seem identical. Could this be some kind of a bug? I will attach screenshots, which better describe the issue.
  23. Hi! We have updated our endpoints to v10.2034, but as the days are passing by, we are getting more and more complaints from employees about Outlook freezing/lagging. Is there going to be another update/fix?
  24. Do you have an approximate ETA when this plugin will be generally available?