[Ransomware]

8 minutes ago, Marcos said:

It doesn't matter. Some malware can run even without admin rights. The main problem here is that an "attacker" remoted in and that should be solved in the first place. Even without admin privileges it's possible to escalate them.

So this is not a problem with ESET? Then I should make this video public, reminding ESET customers to pay attention to this problem.

[Ransomware]

5 minutes ago, Marcos said:

This scenario assumes that an attacker successfully connected via RDP with admin rights. If that happens, the user has a much bigger problem than not detecting files from an RDP share under these specific circumstances when the network speed is limited. With admin rights, a user can do virtually anything. Actual attackers would attempt to kill or remove an AV that would enable him or her to run any malware regardless of the size and type of malicious files.

That said, the problem that should be solved in the first place is securing RDP (e.g. by limiting it only to connections from LAN and using VPN or 2FA on an RDP gateway).

 

No. this don't need Admin rights. It just a user account in that video.

[Ransomware]

I reported to sample@eset.com on January 17th that ESET could not block ransomware, but I have not received any response at the moment. I just tested it again, this ransomware still successfully encrypts the file. Can someone handle it?

See the video for details - ESET can't stop the ransomware in this situation

[Wrong latest application version]

3 hours ago, MichalJ said:

Machine is most probably Windows XP, for which the latest officially supported version is EP 6.5. V7 is installable, but not recommended for usage on XP. 

Okay, I see. Thanks for your reply.

[Wrong latest application version]

Hello,

This client has been installed ESET Endpoint Antivirus v7.0.2073.1. But why the version of "LATEST APPLICATION VERSION" is 6.5.2132.1 ? Most of clients are correct, only few clients have this kind of issue. How to fix it?

[Warning <resource-not-found> After Upgrade]

On 9/5/2018 at 11:40 PM, maorgr said:

Hi Guys,

I have upgraded from ERA 6.5 to the latest version 7 and the process was pretty smooth, however - 
I am getting multiple computers with the following warning message: <resource-not-found-0x1211002d> 

Is it the same issue with https://forum.eset.com/topic/16536-resource-not-found-after-upgrade-esmc-v7/ ?

 

[No scan file saving from Windows to Linux]

I've a Linux Server, OS: SLES 11 SP4 + OES 2005 SP1. I installed ESET File Security for Linux Server 4.5.11 and setting PAC to scan /

Everything is okay. I try to download eicar.com from Internet to save any folders. It can be detected and deleted by EFS. But if I copy eicar.com from Windows to this server volume (It's Novell NSS volume). It can't be detected.

If I miss something? How to resolve it?

[resource-not-found after upgrade ESMC v7]

You are right. Thanks!

[resource-not-found after upgrade ESMC v7]

@Peter Randziak

[resource-not-found after upgrade ESMC v7]

After upgrade to ESMC 7. There are many items named '<resource-not-found-........>', how to fix it?

[Apache HTTP Proxy settings for replication]

Finally, I found where is the problem. It works now. Thank you for your help.

[Apache HTTP Proxy settings for replication]

@Pinni3 Thank you for your reply. But at the first post, I used no credentials settings in the Apache HTTP Proxy. Okay, I removed the it, go back to the settings without authentication. But still don't work. Do you have other suggestions?

[Apache HTTP Proxy settings for replication]

@MichalJ I've setup username/password for Apache HTTP Proxy, but still don't work. I have confirm the username/password are right.

The username is eset, password is 123

curl --proxy hxxp://192.168.1.2:3128/ -U eset:xxx https://edf.eset.com/edf
curl: (56) Received HTTP code 407 from proxy after CONNECT

The password of this command is wrong. So I get error code 407.

curl --proxy hxxp://192.168.1.2:3128/ -U eset:123 https://edf.eset.com/edf
<?xml version="1.0" encoding="UTF-8"?><ecp:message xmlns:ecp="hxxp://www.eset.com/2012/02/ecp"><ecp:response><code>20101003</code><message>Unsupported Content-type: unknown</message></ecp:response></ecp:message>

This command work well.

Now, ESMC Agent error message is..

ERROR: InitializeConnection: Initiating replication connection to 'host: "192.168.1.1" port: 2222' failed with: Request: Era.Common.Services.Replication.CheckReplicationConsistencyRequest on connection: host: "192.168.1.1" port: 2222 with proxy set as: Proxy: Connection: 192.168.1.2:3128, Credentials: Name: eset, Password: ******, Enabled:1, EnabledFallback:1, failed with error code: 14, error message: Connect Failed, and error details: Replication details: [Task: CReplicationConsistencyTask, Scenario: Automatic replication (REGULAR), Connection: 10.11.3.247:2222, Connection established: false, Replication inconsistency detected: false, Server busy state detected: false, Realm change detected: false, Realm uuid: 5df4b312-4e4b-4aa4-b4ea-be3d56defcf0, Sent logs: 0, Cached static objects: 69, Cached static object groups: 10, Static objects to save: 0, Static objects to delete: 0, Modified static objects: 0] All replication attempts: 215

Could you please tell me more detail information how to fix it? Thank you!

[Apache HTTP Proxy settings for replication]

I'd like to settings ESMC agent v7 to connect ESMC Server through Apache HTTP proxy. But it's don't work.

For example, I've these three computers.

ESMC Server: 192.168.1.1

Apache HTTP Proxy: 192.168.1.2

ESMC Agent: 192.168.1.10

If let ESMC agent connect to EMSC server, port 2222. It works! 

But I setup to use proxy server, host: 192.168.1.2, port 3128 in ESMC agent. And I block source 192.168.1.10 in ESMC server. But it connect failed. 

If I change the httpd.conf. Remark the line 'deny from all' between <Proxy *> </Proxy>. It could connect again.

Next, I read the document - https://support.eset.com/kb6920/. So I've enable 'deny from all' back, but I add below contents:

<ProxyMatch ^192.168.1.1$>

Allow from all

</ProxyMatch>

It can't connect again. (I've restart Apache HTTP Proxy)

The error message:

ERROR: InitializeConnection: Initiating replication connection to 'host: "192.168.1.1" port: 2222' failed with: Request: Era.Common.Services.Replication.CheckReplicationConsistencyRequest on connection: host: "192.168.1.1" port: 2222 with proxy set as: Proxy: Connection: 192.1.1.2:3128, Credentials: Name: , Password: ******, Enabled:1, EnabledFallback:1, failed with error code: 14, error message: Connect Failed, and error details: Replication details: [Task: CReplicationConsistencyTask, Scenario: Automatic replication (REGULAR), Connection: 192.1.1.1:2222, Connection established: false, Replication inconsistency detected: false, Server busy state detected: false, Realm change detected: false, Realm uuid: 5df4b312-4e4b-4aa4-b4ea-be3d56defcf0, Sent logs: 0, Cached static objects: 69, Cached static object groups: 10, Static objects to save: 0, Static objects to delete: 0, Modified static objects: 0] All replication attempts: 91

  What do I wrong?  

[ESMC agent proxy settings]

It works. Thank you!

[ESMC agent proxy settings]

3 hours ago, MartinK said:

Could you specify what kind of installer are you actually using?

I use Agent live installer to create ESMCAgentInstaller.bat. Then run it in clients.

[Creating Dynamic Group - help needed (ERA 6.5)]

Try this settings

[ESMC agent proxy settings]

ESMC Agent v7 could connect to server through http proxy. It's a good improve. But could I assign proxy settings when install it? (I know how to give setting from policy. I don't ask this. Because sometimes clients can't connect server directly. So it can't get policy settings from ESMC server. That is why it need proxy.)

[Cannot Upgrade Agents after Upgrade to ESMC 7]

You can't use "ESMC Component upgrade Task" to upgrade ERA agent 6.x to ESMC agent 7. Read this document, it show how to do it.

https://support.eset.com/KB6819/

 

[Self-Defense don't work]

I found there is a free tool on the internet, it could delete ESET files immediate. Don't need to reboot or do it in safe mode. Please fix it.

 

[Excluded IP address for Web Protection don't work in version 6.6.2078.5]

@Marcos PM sent, please check it.

[Excluded IP address for Web Protection don't work in version 6.6.2078.5]

4 hours ago, Marcos said:

We have tested it on 2 machines and it indeed works.

Please try the following:
1, Add 213.211.198.62 to the list of IP addresses excluded from protocol filtering
2, Download Eicar from hxxp://www.eicar.org/download/eicar.com

Is Eicar really detected by Web and email protection?

I've test the same settings in version 6.6.2072.4. There is no such issue.

[Excluded IP address for Web Protection don't work in version 6.6.2078.5]

1 hour ago, Marcos said:

We have tested it on 2 machines and it indeed works.

Please try the following:
1, Add 213.211.198.62 to the list of IP addresses excluded from protocol filtering
2, Download Eicar from hxxp://www.eicar.org/download/eicar.com

Is Eicar really detected by Web and email protection?

Okay.. I try it by your steps. Yes, it really scan by HTTP filter.

 

[Excluded IP address for Web Protection don't work in version 6.6.2078.5]

7 minutes ago, MichalJ said:

Hello @sdnian

Can you share a bit more details about what is not working?
Especially the address you want to exclude and the actual exclusion. We need more data for analysis. 

For example.. I'd like to exclude IP address 192.168.1.10 by web protection scanning. So I setup '192.168.1.10' in the 'Excluded IP addresses' list. Then I try to download eicar.com from 192.168.1.10. It should be detected by real-time protection. Right? But this file be detected by HTTP scanner in version 6.6.2078.5.

[Excluded IP address for Web Protection don't work in version 6.6.2078.5]

I setup an IP address for excluded web protection scanning, but it doesn't work in the version 6.6.2078.5. Could someone check it? The older version work well with the same settings.