Web Control User List Populates SIDs?

[whitelistCMD 1]

Hi All,

 

We're currently on ERA v6.4 and starting to roll out the Web Control feature in one of our policies. During the creation of a rule, I click to edit the "user" list and it asks for user SID. I click the link to search for SID, and navigate to the correct user by name. However, once the user is selected, the user is again listed as the SID. Here's the problem: If I want to go back into the rule to remove a user or make any sort of a change to a user, I have to know their SID. Is something configured incorrectly or is this by design? Is my User Sync Task configured incorrectly? The very very odd twist to all of this is, I cannot get a custom report for web control logs to produce any information, but the Endpoint install is logging all blocks as they should (I have tried using each logging severity level, and still the same result). The one thing that is working correctly, is the blocking of websites. No problems there at all. Anyone have any input on this? Thanks in advance.

[MichalJ 434]

Hello, there are basically two things in your post, that needs to be addressed:

• We will change the webcontrol configuration dialogs in the version 6.5 in a way, that it will be able to select also security groups from AD (not only users) and that after confirming, you won´t see "SID" but instead a user name. Till version 6.4 it was by design, but we are going to change it soon (6.5 is scheduled to be released in late January 2017).
• Concerning getting the WebControl reports into ERA, you can create a webcontrol report, however in order to show any data, the logging verbosity of your rules needs to be configured to "warning" severity, so ERA agent will overtake the logs from the Endpoint, and report it back to ERA.

Just out of curiosity, what is problem you are trying to solve, by getting the webcontrol logs / reports in your ERA console?

[whitelistCMD 1]

Thank you for your prompt response. In regards to your first reply, that is great news and I'm looking forward to the change being implemented. In regards to your second reply, I have tried changing the log verbosity to "warning" and every other verbosity option on the rule set itself. I've also tried changing the verbosity on the ERA itself to match the rule, or set to be one tier above. Again, to no avail. I had an online support session with a member of your ESET Staff, and then a follow up with the next tier of support over the phone. Neither of them had any luck. They said a dev ticket would need to be opened, but I don't have any information on that. Are you able to look into that for me and provide some sort of tracking info? How long do development issues normally take to resolve? The goal we are trying to reach is for us to be able to run a report showing the individual URL's that were blocked for any specific user. I followed the KB article found here: hxxp://support.eset.com/kb6043/?viewlocale=en_US 

Thanks again for all your help and insight. 

[MichalJ 434]

Maybe one important thing to add is, that ERA agent will start reporting the rule hits after rules were created (as mentioned in the KB article), and corresponding report template was created on ERA server and replicated to agents (agents have connected to ERA server at least once since template creations). Entries logged on Endpoint before this won't be transferred to ERA. Steps described in the KB article should be working (they worked for me before), so there might be a specific isdue in your setup / configuration. When opening ticket, please report your ERA version (console / server, as located in "about"), together with ERA agent and Endpoint Security version (as shownd in client details / installed applications).

Ticket needs to be first handled over by your local distributor & office to HQ support and then to devs. This usually takes up to couple of days.

[whitelistCMD 1]

Thanks. I was aware that the blocks needed to occur after the rule was in place and the logging verbosity set accordingly. We still could not get it to generate any information, and neither could your support staff. I was informed that THEY would be submitting a development ticket, but I never received any info on them about this (I normally receive an e-mail after a support issue with a ticket number for the issue, and I did not receive that either).

[MichalJ 434]

Can you let us know here your versions (endpoint, agent, webconsole & server)? We will try to replicate the issue in-house. Thank you.

[whitelistCMD 1]

Sure. Sorry, I misunderstood what you were saying. 

ESET Remote Administrator (Server), Version 6.4.304.0
ESET Remote Administrator (Web Console), Version 6.4.280.0

 

 

ESET Endpoint Security ESET, spol. s r.o. 6.4.2014.0 282 yes 6.4.2014.0  Up-to-date version

ESET Remote Administrator Agent ESET, spol. s r.o. 6.4.283.0 232 yes 6.4.283.0  Up-to-date version

 

 

Thanks for all your help so far.

[whitelistCMD 1]

Hello ESET Staff,

 

I'm just curious if you've successfully replicated this issue in your environment? I've continued testing with this, and have ruled out a lot of things, but still no success. The changes to the policy are successfully making it to the Endpoint, the webcontrol logs are successfully generating, I can even see the time-stamp change on the webcontrol log file (local on the desktop the webcontrol policy is applied to) when I visit a blocked site. However, when I run the webcontrol report, I still do not receive any data. I've tried everything from different computer, different user, different logging verbosity, different rules, different policies, different data in the web control report, and any combination of them. It seems as though the logs are either not reaching the ERA, or the ERA is not calling to the agent to pull the logs (not sure how this is designed to work?) Is there anything else we can try? Does the agent or ERA use port 2222 to send/receive logs? I'm at a loss at this point, and we would like to implement the webcontrol feature as soon as possible. Thank you for any help you can provide. If we can't get this to work, what are my next options? I've tried customer support (phone and live chat), and forums thus far. Is there some other form of support in cases like this if they're not able to be resolved using the traditional methods?

[MichalJ 434]

Can you export the not-working report template? I was trying to replicate it, but i my case it worked as expected. Also please export the endpoint and agent policies that are applied on the machines. You can send me them via private message. Also, what are your ERA server settings? Is everything else working OK? Are endpoints communicating with server?

[whitelistCMD 1]

The problem has been fixed. Something was broken on the ERA virtual appliance itself. ESET Staff ran a repair for the ERA components on the virtual appliance, and when the appliance came back up, we generated the report and everything is logging correctly. Thank you for your time and efforts on this. Your information lead us down the right path, which is exactly what we needed.