
sdnian

Posts posted by sdnian

  1. I want to install Agent for Linux, but it detects that the OpenSSL version is old, so the installation fails. How do I solve this?

    >./PROTECTAgentInstaller.sh
    ESET Management Agent live installer script. Copyright © 1992-2023 ESET, spol. s r.o. - All rights reserved.
     * Hostname: 192.168.1.16
     * Port: 2222
     * Installer: hxxp://repository.eset.com/v1/com/eset/apps/business/era/agent/v11/11.0.503.0/agent_linux_x86_64.sh
    
    Verified local installer was found: './agent_linux_x86_64.sh'
    
    Running installer script ./agent_linux_x86_64.sh
    
    Initialized log file: /var/log/eset/RemoteAdministrator/EraAgentInstaller.log
    
    ESET Management Agent Installer (version: 11.0.503.0), Copyright © 1992-2023 ESET, spol. s r.o. - All rights reserved.
    
    Creating directories...
    Creating 'config' directory path: /etc/opt/eset/RemoteAdministrator/Agent
    Creating 'data' directory path: /var/opt/eset/RemoteAdministrator/Agent
    Creating 'Pki Cache' directory path: /var/opt/eset/RemoteAdministrator/Agent/pki.eset.com/
    Creating 'logs' directory path: /var/log/eset/RemoteAdministrator/Agent
    Creating 'libs' directory path: /opt/eset/RemoteAdministrator/Agent
    Directories created
    The archive will be extracted to: /opt/eset/RemoteAdministrator/AgentInstallerData
    Extracting, please wait...
    The unpacked installer data will be moved to: /opt/eset/RemoteAdministrator/Agent
    Checking OpenSSL ... done [OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008]
    Checking installed version ...
    Status of current installation is: NEW
    New connection settings are 'hostname': '192.168.1.16', 'port': 2222
    Checking server connection...
    Connection checked successfully.
    Checking proxy connection...
    Connection checked successfully.
    Loading correct GUID...
    Loading of GUID was successful (new GUID = b90a1f6d-016b-48ca-9e49-2c1afc656031)
    Checking peer certificate ... failed
    1107: Error checking peer certificate: NOT_VALID_PFX
    Cleaning up setup directories

    OpenSSL Version is:

    >openssl version -a
    OpenSSL 1.0.2k-fips  26 Jan 2017
    built on: reproducible build, date unspecified
    platform: linux-x86_64
    options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
    compiler: gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
    OPENSSLDIR: "/etc/pki/tls"
    engines:  rdrand dynamic

     

  2. On computers with EEA installed, the window appears a few seconds after executing cmd, and then the window closes automatically.
    If I disable Deep Behavioral Inspection or add c:\windows\system32\cmd.exe to the exclusion list, cmd will run normally.

    Tried the pre-release update; still the same situation.

    What can I do to solve this problem?

    Windows 10 22H2 x64, EEA 11.0.2044 (Deep behavioral inspection support module 1150)

  3. Thanks for the reply, @jia_yang.

    I mentioned AnyDesk just as an example. Using a firewall to block network connections or hash-based file blocking are among the methods. However, personally, I don't consider these good approaches for users of ESET Inspect.

    Given that using ESET Inspect allows us to detect when a client executes certain programs and ESET Inspect also has the capability to block files, why are there limitations on functionalities like KillProcess?

    For instance, within ESET Inspect's built-in rule: "AnyDesk Remote Desktop Silent Installation [D0443]", this rule can detect silent installations of AnyDesk, and it's set to perform actions like KillProcess. However, when this event is triggered, it doesn't block the installation or execution of AnyDesk. Shouldn't it be blocked immediately if someone unauthorized attempts this?

  4. On 7/28/2023 at 4:43 PM, Marcos said:

    Since this will require further investigation and logs, please raise a support ticket.

    For sure we'll need the following for a start: 1, ESET Log Collector logs from the machine, 2, a Procmon log from time when the issue occurs created with Self-defense disabled. Anyways, colleagues from technical support will provide exact instructions and help you troubleshoot the issue.

    I submitted a support ticket last Friday, but there has been no response so far. The logs you mentioned are below; can you see what the problem is? Or pass it on to the appropriate person? Thanks!

     

    Logfile.zip eea_logs.zip

  5. I have ESET PROTECT v10.0.1128 and ESET Bridge 1.0.37. All clients use this proxy server.

    After the antivirus software has been installed, it can't be activated. I found some logs:

    Access.log:

    172.1.3.51 - - [04/Feb/2023:15:19:19 +0800] "CONNECT edf.eset.com:443 HTTP/1.1" 502 150 "-" "-"

    Error.log:

    2023/02/04 16:03:24 [error] 6892#7452: *954 proxy_connect: edf.eset.com could not be resolved (2: Server failure), client: 172.1.3.211, server: , request: "CONNECT edf.eset.com:443 HTTP/1.1", host: "edf.eset.com:443"
    2023/02/04 16:03:24 [error] 6892#7452: unexpected DNS response for edf.eset.com

    I ran a test on the ESET PROTECT server and got a 502 error.

    > curl.exe --proxy hxxp://172.1.3.105:3127/ https://edf.eset.com/edf 
    curl: (56) Received HTTP code 502 from proxy after CONNECT

    But if I don't use the proxy, the connection is fine.

    > curl.exe https://edf.eset.com/edf 
    <?xml version="1.0" encoding="utf-8"?><ecp:message xmlns:ecp="hxxp://www.eset.com/2012/02/ecp"><ecp:response><code>20101001</code><message>invalid http method</message></ecp:response></ecp:message>

    So, how do I fix the Bridge DNS resolution problem?

    Thank you!

    access.log error.log

  6. Hello,

    Over the past two days, different customers have been responding that after installing EEA/EFSW, the product activation failed with the error code: ACT.0. I tried to connect to https://edf.eset.com/edf and it looked fine, and I got the following content:

    <?xml version="1.0" encoding="utf-8"?><ecp:message xmlns:ecp="hxxp://www.eset.com/2012/02/ecp"><ecp:response><code>20101001</code><message>invalid http method</message></ecp:response></ecp:message>

    How to solve this problem? Thanks!

  7. On 5/20/2022 at 8:04 PM, Peter Randziak said:

    Hello @sdnian

    does the issue persist?

    If yes please check the Configuration support module version on the agent if it is up to date.
    Which version is used on it, when it fails? 

    Can you provide us with the full log from the agent to see the whole picture?

    Peter

    @Peter Randziak The issue persists. I've collected logs; please take a look at what is going wrong.

    trace.log agent.zip eea_logs.zip

  8. I have a Windows 7 SP1 machine with Agent 9.0.1144 and EEA 9.0.2046 installed. After the installation, it can connect to ESET Protect, and I can see the successfully applied policies on the console; everything is normal so far.

    However, when I check the settings from the client, no policy settings have been applied.

    I uninstalled and reinstalled Agent and EEA, but the issue still exists.

    There is an error in the trace.log:

    Error: CEssConnectorModule [Thread 103c]: Set policy failed: CNodcommChannel: Send request failed with 14, Command failed - Make sure that Agent runs with Administrator privileges.

    How to fix it?

  9. 41 minutes ago, Marcos said:

    Please delete in safe mode:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{28CBB79C-CAFE-44EB-8276-8D73BF358244}

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{27D70E29-CE41-4102-9013-381FDE9E441A}

    EFSW was installed on June 25, the threat was removed or cleaned before but not completely.

    Thanks for your help. I'll try to delete them ASAP.

  10. Computers are controlled by a firewall and only a limited number of specific websites are accessible. After installing EEA 7.3.2039, using a browser to connect to https sites is very slow and may even time out.

    If I turn off the SSL/TLS protocol filtering, it will be back to normal.

    Does EEA's SSL/TLS protocol filtering feature need to connect to certain IP addresses? Or how can I fix this?

  11. 12 hours ago, MartinK said:

    Thanks for logs. We are currently not sure but most probable reason is that either message is cut-off (there is maximal length) in wrong place and thus rendering string as invalid, or there is a problem with conversion of data as reported by system.

    This issue seems to have occurred after I upgraded ESMC 7.2, maybe there is a tweak or something in the new version that is causing this problem.

  12. 6 hours ago, MartinK said:

    Unfortunately it seems to be an issue in ESMC Agent not able to handle trace messages. Any chance full msiexec log from those installations is available (in standard AGENT logs directory) for analysis? There is probably issue with encoding - I guess that installation was performed on operating system with non-latin locale?

    This is one of the clients that failed to upgrade. The error message is in Chinese; this kind of message also appeared before. Why is this an Invalid utf8 leading byte?

    software-install.log
