Everything posted by BDeep

  1. This has come up before but I am bringing it up again because it is an important topic. Is there a way to exclude detected hashes in endpoint products either directly in the endpoint or via remote administrator? We have some code and programs being popped as malware that does not live in one specific directory. ERA detects all of the hits as the same hash. We would like to exclude the hash as a false positive.
  2. I am excluding and restoring from quarantine via ERA and the local ESET client (6.4.2014.0) tftpd32.exe but as soon as it is restored and excluded either via ERA or the local client, ESET pops it again and sends it back to quarantine. This is also happening on ESET File Security for Windows Servers.
  3. Just as an FYI: ERA does push the business license to the endpoint using a license task! But still don't know why the product is disconnected. I uninstalled/reinstalled and it worked on one machine but not the others. Note that the one machine that it did work on ESET was previously installed on but it stopped running after about a month. Update: So it looks like a remote install with remote license does everything that it is supposed to do but it doesn't start the product. A system reboot doesn't start it either. Manually launching "service esets start" from the command line after a reinstall of the product on the machines that were not working starts the product. A reboot after manually starting the service auto-launches the "esets" service after reboot. Seems that the product needs a kick-start to get it running after install if done automatically? I know in the manual installation documentation you have to start it manually using init.d but was hoping for something automatic seeing as ERA is pushing the software. Tried ERA "command line" tasks to no avail.
  4. Okay, it is licensed but ERA shows "product disconnected" and the client is reporting status to ERA so it is not an agent thing.

         [root@Azure-US-3556-VPEPX02 eset]# service esets status
         ● esets.service - ESET Scanner Daemon
            Loaded: loaded (/usr/lib/systemd/system/esets.service; enabled; vendor preset: disabled)
            Active: failed (Result: exit-code) since Tue 2016-08-02 13:28:56 UTC; 6 days ago

         Aug 02 13:28:41 Azure-US-3556-VPEPX02 systemd[1]: Starting ESET Scanner Daemon...
         Aug 02 13:28:56 Azure-US-3556-VPEPX02 esets_daemon[870]: error[03660000]: Cannot initialize scanner: Modu...nit
         Aug 02 13:28:56 Azure-US-3556-VPEPX02 systemd[1]: esets.service: control process exited, code=exited status=69
         Aug 02 13:28:56 Azure-US-3556-VPEPX02 systemd[1]: Failed to start ESET Scanner Daemon.
         Aug 02 13:28:56 Azure-US-3556-VPEPX02 systemd[1]: Unit esets.service entered failed state.
         Aug 02 13:28:56 Azure-US-3556-VPEPX02 systemd[1]: esets.service failed.
         Hint: Some lines were ellipsized, use -l to show in full.
         [root@Azure-US-3556-VPEPX02 eset]#
  5. I think the activation is what is jamming me up. Those columns are populated. Works fine on individual server install but is there a way to provide license via ERA deployment or am I going to have to manually touch about 90 Linux servers???
  6. I see everything from the Agent on these Linux boxes: OS, installed products, ESET products, computer status, etc. for these Linux agents running on default "2222".

     Here is the security product:

         ESET Server Security ESET, spol. s r.o. 4.5.3.0 151 yes 4.5.3.0 Up-to-date version

     Here is the Agent product:

         ESET Remote Administrator Agent ESET, spol. s r.o. 6.4.293.0 114 yes 6.4.293.0 Up-to-date version

     Are you saying change the port in the Agent policy settings for older products to "2222" from "2225"?
  7. I see this regardless whether I install ESET manually or deploy via ERA to Linux servers: "Product is not connected. No connection attempt occurred." What does this mean?
  8. Looking for a release date for ESET Sharepoint 6. Looks like 4.5 is the latest but I have a 6 policy in ERA. Any updates?
  9. This will update only specific modules but not installation itself. In case of AGENT it is mostly only support for configuring new products. In order to upgrade you may use Component upgrade task.

     There should be no problem reporting all installed applications, especially in case it worked until now. I am not sure, but it seems something went wrong during database cleanups (they are performed at 00:00 of SERVER's local time -> seems it may be time it started spiking). I would suggest to check what happens after restart and if it won't help - try to stop SERVER and manually erase content of previously mentioned table tbl_log_apps_installed_status, especially in case its size will be this huge. You will lose installed applications data for some time (it should fully recover in no more than 24 hours for connecting AGENTs).

     1: ERA components upgrade task will update ERA Agents on client OS' like Windows 8, Macintosh El Capitan, and Linux OS?

     2: That is not a problem. How do I erase the content (not a DBA)? Drop table or something else?
  10. All of our agents should be 6.2 or newer as that is when we started down the road with ESET. As of this email, a little less than half (about 600 clients) have agents that are below 6.4. How can I have the agents update? I have set auto-update program components for agents in the agents policies but, to date, I have never seen agents on clients update automatically. Yes on intentionally reporting installed applications from agents for Macintosh and Windows. We routinely audit installed software using the findings of ESET Agents and take actions appropriately. It also helps us identify clients running near zero-day exploitable software. How can we keep reporting applications in the current method without crashing the database? As of this posting, I have disabled application reporting on Windows and Macintosh via agent policy as a temporary measure. Finally, additional information uploaded on case #1441554.
  11. Additional attachments. The MySQL memory, and related, errors have been plaguing me for months. This is the first ERAServer error message I've seen in the console. Most of it has been MySQL>
  12. CentOS 6 appliance with MySQL. No stats from previous days unless you have access to case notes and uploads, otherwise see the uploads on Case #1441554. Straight from Terminal. Copy/pasted see attached. Opens properly in Notepad++. TBL.txt
  13. I'm getting this after day three of running ERA 6.4. MOD note: I'm already working with support on this. Just reaching out to the community to see if these are severe problems carrying over from 6.3.

          Performance details 2016-Jul-22 19:11:00
          Detailed performance statistics:
            I/O reads: 413 KB/s
            I/O writes: 1193 KB/s
            I/O others: 0 KB/s
            Logs latency: 8 s
            Pending logs: 5563

          Received logs 2016-Jul-22 19:05:37
          Received logs statistics:
            Received in last minute: 1445 (24 /s)
            Received in last hour: 42392 (12 /s)

          Server performance 2016-Jul-22 19:11:00
          ERROR: Overal performance status is LIMITED
            Server can be overloaded due to large amount of received data

          Static objects 2016-Jul-22 19:01:18
          Cached static objects statistics:
            Total number of cached objects is 9992 (+ removed 13239)
            Computers count is 1451 (+ removed 5621)
            Client tasks count is 54 (+ removed 210)
            Client triggers count is 8236 (+ removed 6943)
            Policies count is 65 (+ removed 15)
            Policy relations count is 52 (+ removed 94)
            Users count is 0 (+ removed 0)
            Users relations count is 0 (+ removed 0)
  14. I had this issue. Try upgrading to ERA 6.4 and see if that resolves it.
  15. Wow! Updated to ERA 6.4 today as well as my fleet of global ESET servers. What a difference. Night and day from the issues I was having. Just a note: Local Cache Servers seem to not like the update. Everything else is smooth sailing.
  16. Marcos: Any update on whether or not this is going to be an integrated feature?
  17. What do you see in the logs? I am curious because we are QA and engineering heavy as well. We still have WAP disabled globally because not all of our Macintosh 6.1.16.x clients have checked in yet.
  18. Just following up: any update on when enterprise customers will get the additions to ERA? Does anything need to be manually updated on ERA for the 6.2 version to be reflected?
  19. We have a custom inline script that obscures a mail to address but ESET and some other endpoint products are knocking it down. The code is:

          <script type="text/javascript">
          <!--
          var s=" =b!ujumf>#Fnbjm!Tbsbi#!isfg>#nbjmup;tbsbiAtbsbitjohjoh/dpn#?Tbsbi=0b?";
          m="";
          for (i=0; i<s.length; i++) m+=String.fromCharCode(s.charCodeAt(i)-1);
          document.write(m);
          //-->
          </script>

      Because we are purposely trying to utilize this javascript, how can we whitelist this? Machine details of the threat are below:

          [redacted]
          COMPUTER DESCRIPTION: John Ball
          THREAT NAME: JS/Kryptik.AD
          THREAT TYPE: trojan
          SEVERITY: Warning
          OCCURRED: 2016 Jun 2 08:30:18
          THREAT HANDLED: Yes
          RESTART NEEDED: No
          ACTION TAKEN: cleaned by deleting
          ACTION ERROR:
          OBJECT TYPE: file
          OBJECT URI: [redacted]/test.html
          CIRCUMSTANCES: Event occurred on a newly created file.
          SCANNER: Real-time file system protection
          ENGINE VERSION: 13585 (20160602)
          PROCESS NAME: C:\Windows\notepad.exe
          USER NAME: [redacted]
  20. Anything I need to do manually to upgrade or will the components upgrade themselves?
  21. In preparation for the Macintosh 6.2 release, I set my ERA 6.3 server to pre-release updates then ran a task "Remote Administrator Components Upgrade". In doing so, my modules were downgraded. Changing back to regular updates and re-running the task does not upgrade.

          ESET Remote Administrator (Server), Version 6.3.148.0
          ESET Remote Administrator (Web Console), Version 6.3.114.0

          Pre-task run:
          Installed Components:
            Update module 1062 (20151228)
            Translation support module 1479 (20160422)
            Configuration module 1277.6 (20160413)
            SysInspector module 1257 (20151113)

          Post-task run:
          Installed Components:
            Update module 1060 (20150617)
            Translation support module 1434 (20151203)
            Configuration module 1238B (20151204)
            SysInspector module 1257 (20151113)
  22. It appears that Internet Protection Module 1226.29 with a build date of 07 April 2016 has been installed. After this program update, the websites mentioned above as well as many others with TLS 1.2 only on Windows 7 and Windows 8.1, are loading correctly. I see the ESET certificate, previously using TLS 1.0 and causing errors, now using TLS 1.2 and loading fine.
  23. You still on Windows 10 with that screenshot? This is a 5000+ Windows enterprise with 7 and 8.1 Enterprise editions. Can't just refresh to Windows 10 overnight. Yes on the remote session. Can you PM me or work with me via email to set something up?