Jump to content


  • Content Count

  • Joined

  • Last visited

  • Days Won


Posts posted by drewd

  1. It appears that IIS is using a port that the ERA Dashboard is configured to use.


    • You can try changing the port that the ERA Dashboard uses, by performing the following steps:
    1. Open the ESET Remote Administrator Console (ERAC) by clicking Start > All Programs > ESET > ESET Remote Administrator Console > ESET Remote Administrator Console.
    2. Click Tools > Server Options.
    3. Click the Advanced tab > Edit Advanced Settings.
    4. Expand ESET Remote Administrator > ERA Server > Settings > Dashboards.
    5. Click HTTP Server Port, and HTTPS Server Port, (one at a time), and enter values for your chosen (available) ports.
    6. Click Console then Yes to save your changes.
    7. Restart the ESET Remote Administrator Server service: hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN743
    8. Restart the ESET RA HTTP Server service.


    NOTE: You can use Netstat  to verify whether a given port is available or not:




  2. I see that you would like to automatically initiate deployment of the ESET antivirus client, to machines where it is not yet installed.


    You can accomplish this via a Windows Login Script.


    A Windows logon script will allow you to assign tasks that will be performed when a user logs on to a particular



    Since a login script is essentially a text file, you can just use a simple text editor to insert a line into the

    script that will call the file einstaller.exe from a predefined network share.


    This will initiate the remote push installation of the ESET antivirus client, from the ERA Server on the network, to

    the intended endpoint client machine.


    Here are the instructions regarding how to deploy the ESET antivirus client via login script:


    I. You will need to set the Default Logon for Email and Login Installations.


    The Default Logon window  lets you set the user credentials and domain  information required to access your client

    computer on the network and manage the ESET product installed:


    1) Open ERAC, select the Remote Install tab, right-click any entry within the Computers tab pane, select Set the

    Default Logon for Email and Login Installations from the context-menu, and then enter the required data:


    User name




    2) After you enter the data, press the Set Logon button to save the information on the server.





    The account under which the installation of the package is to be performed must be an account with administrator

    rights or, preferably, a domain administrator account, and this logon information will only remain stored until the

    next server restart.




    II.  You will need to create an install package.


    How to create an installation package






    III. You will need to edit the login script to add the line calling einstaller.exe from the predefined network share, and export the einstaller.exe file that is associated with the package that you intend to deploy, to a network share:


    1) Right-click an entry on the Remote Install tab, click Export to Folder or Logon Script and select the Type and

    name of the Package to be automatically installed.


    2) Click next to Folder to select the directory where the einstaller.exe file will be located and available within a network share, and then click OK.


    3) In the Share field, make sure that the path is correct or edit it if necessary.


    4) Click Export to Folder to export the einstaller.exe agent to the shared folder.


    5) Click … next to Script Folder to select the folder where the script is located and modify the mask if necessary.


    6) In the Files section, select the file into which the line calling einstaller.exe will be inserted.


    7) Click Export to Logon Script to insert the line.


    8) Location of the line can be modified by clicking Edit >> and saved by clicking Save.





    Here is some additional information from Microsoft, regarding how to create and use a logon script:


    Creating logon scripts





    Assign user logon scripts via GPO







    Immediately after the agent successfully completes the remote installation process, it marks the remote client with

    a flag prohibiting repeated installations of the same installation package. The flag is written to the following registry key:


    HKEY_LOCAL_MACHINE\Software\ESET\ESET Remote Installer


    If the Type and Name of the package defined in the einstaller.exe agent match the data in the registry, the installation will not be performed. This prevents repeated installations from targeting the same workstations.

  3. I see that you are asking about using text strings to identify non legitimate email as SPAM.


    EMSX allows you to setup User-defined rules from within the EMSX GUI, that can filter SPAM and malware based on many different variables:


    You can specify conditions, such as text strings, that when detected will result in certain actions being performed, such as the email being placed into the system quarantine, or certain types of attachments being deleted.


    Here is some additional information regarding creating, and using User-defined rules to filter SPAM and malware, from the documentation that you referenced previously:




    1.4.3     Application of user-defined rules

    Protection based on user-defined rules is available for scanning with both the VSAPI and the transport agent. You
    can use the ESET Mail Security user interface to create individual rules that may also be combined. If one rule uses
    multiple conditions, the conditions will be linked using the logical operator AND. Consequently, the rule will be
    executed only if all its conditions are fullfilled. If multiple rules are created, the logical operator OR will be applied,
    meaning the program will run the first rule for which the conditions are met.
    In the scanning sequence, the first technique used is greylisting - if it is enabled. Consequent procedures will always
    execute the following techniques: protection based on user-defined rules, followed by an antivirus scan and, lastly,
    an antispam scan


    3.1.2     Rules

    The Rules menu item allows administrators to manually define email filtering conditions and actions to take with
    filtered emails. The rules are applied according to a set of combined conditions. Multiple conditions are combined
    with the logical operator AND, applying the rule only if all the conditions are met. The Number column (next to
    each rule name) displays the number of times the rule was successfully applied.

    Add... - adds a new rule
    Edit... - modifies an existing rule
    Remove - removes selected rule
    Clear - clears the rule counter (the Hits column)
    Move up - moves selected rule up in the list
    Move down - moves selected rule down in the list
    Unchecking a check box (to the left of each rule name) deactivates current rule. This allows for the rule to be
    reactivated again if needed.

    NOTE: You can also use system variables (e.g., %PATHEXT%) when configuring Rules.

    NOTE: If a new rule has been added or an existing rule has been modified, a message rescan will automatically start
    using the new/modified rules.
      Adding new rules

    This wizard guides you through adding user-specified rules with combined conditions.
    NOTE: Not all of the conditions are applicable when the message is scanned by the transport agent.
    By target mailbox applies to the name of a mailbox (VSAPI)
    By message recipient applies to a message sent to a specified recipient (VSAPI + TA)
    By message sender applies to a message sent by a specified sender (VSAPI + TA)
    By message subject applies to a message with a specified subject line (VSAPI + TA)
    By message body applies to a message with specific text in the message body (VSAPI)
    By attachment name applies to a message with a specific attachment name (VSAPI + TA)
    By attachment size applies to a message with an attachment exceeding a defined size (VSAPI in Exchange 2000
    and 2003, VSAPI + TA in Exchange 2007 and 2010)
    By frequency of occurrence applies to objects (email body or attachment) where the number of occurrences
    within the specified time interval exceeds the specified number (TA with VSAPI disabled). This is particularly
    useful if you are constantly spammed with emails with the same email body or the same attachment
    By attachment type applies to a message with an attachment of specified file type (actual file type is detected
    by its contents, regardless of file extension) (VSAPI)
    When specifying the conditions above (except the By attachment size condition), it is sufficient to fill in only part
    of a phrase as long as the Match whole words option is not selected. Values are not case-sensitive, unless the
    Match case option is selected. If you are using values other than alphanumerical characters, use parentheses and
    quotes. You can also create conditions using the logical operators AND, OR and NOT.

    NOTE: The list of available rules depends on installed version of Microsoft Exchange Server.

    NOTE: Microsoft Exchange Server 2000 (VSAPI 2.0) only evaluates displayed sender/recipient name and not the
    email address. Email addresses are evaluated starting with Microsoft Exchange Server 2003 (VSAPI 2.5) and higher.

    Examples of entering conditions:
    By target mailbox: smith
    By email sender:  smith@mail.com
    By email recipient: “J.Smith” or “smith@mail.com
    By email subject: “ ”
    By attachment name: “.com” OR “.exe”
    By email body: (“free” OR “lottery”) AND (“win” OR “buy”)     Actions taken when applying rules
    This section allows you to select actions to take with messages and/or attachments matching conditions defined in
    rules. You can take no action, mark the message as if it contained a threat/spam or delete the whole message.
    When a message or its attachment matches the rule conditions, it is not scanned by the antivirus or antispam
    modules by default, unless scanning is enabled explicitly by selecting the respective check boxes at the bottom (the
    action taken then depends on the antivirus/antispam settings).
    No action – no action will be taken with the message
    Take action for uncleaned threat - the message will be marked as if it contained an uncleaned threat
    (regardless of whether it contained the threat or not)
    Take action for unsolicited email - the message will be marked as if it were spam (regardless of whether it is
    spam or not). This option will only work if antispam protection  is enabled and the action is being performed
    on transport agent level. Otherwise this action will not be performed
    Delete message – removes the entire message with content that meets the conditions, however this action only
    works on VSAPI 2.5 and newer (VSAPI 2.0 and older cannot perform this action)
    Quarantine file - attached file(s) that meet the rules criteria will be put into file quarantine of ESET Mail Security,
    do not confuse this with the mail quarantine (for more information about mail quarantine see  Message
    quarantine )
    Submit file for analysis - sends suspicious attachments to the ESET lab for analysis
    Send event notification - sends a notification to the administrator (based on settings in Tools > Alerts and
    Log - writes information about the applied rule to the program log
    Evaluate other rules - allows the evaluation of other rules, enabling the user to define multiple sets of conditions
    and multiple actions to take, given the conditions
    Scan by antivirus and antispyware protection - scans the message and its attachments for threats
    Scan by antispam protection - scans the message for spam

    NOTE: This option is available only in Microsoft Exchange Server 2000 and later with the transport agent turned

    The last step in the new rule creation wizard is to name each created rule. You can also add a Rule comment. This
    information will be stored in the Microsoft Exchange Server log.





  4. It is difficult to say what exactly happened, based on the information provided, but you can do the following in the future:

    Ensure that you are using ESET RA version 5.0.511.0 or higher, and EMSX version 4.5.10011.0 or higher.

    It is always a good idea to have backups of all of your current configurations.

    If you want to create a XML file that can be imported directly into the EMSX client then be sure to use the "Export Marked to" option from ESET Configuration Editor, which should only export the options that you specifically edited.

    If you want to deliver the configuration settings to a number of machines you can use either an ERA Configuration Task, or you can edit an ERA policy directly as well.

    You can also create backups of all of your policies, globally, and individually as well.

  5. The ApprovedSenders file is now managed from within the EMSX GUI Antispam engine parameters setup, as the Allowed Senders/Domains whitelist.


    You can access this functionality via the EMSX GUI to enter the email addresses and domains that you want to whitelist, one-by-one, or you can also use the ESET Configuration Editor to add a comma-delimited list:


    You also have the option of entering the email addresses, and domains that you would like to add to the EMSX Allowed Senders, as a comma-delimited list, from within the ESET Configuration Editor:


    Windows Server v4.5 > Mail Security 4.5 for MS Exchange Server > Server protection > General mail server protection settings > Antispam protection > Antispam engine setup > Filtering > Allowed senders list (Whitelist):


    Once you compile the coma-delimited list, and then enter it into ESET Configuration Editor, you can then export the entire configuration as a XML file to be imported directly into EMSX, or pushed out from ERAC via policy or configuration task.

  • Create New...