
How to view client logs for HIPS and Firewall in ERA



I have applied the ESET recommendations for the HIPS and Firewall module to help prevent ransomware infection as per: hxxp://support.eset.nl/kb6119/

In the client on my PC I can see that logs are created for some false positives because of these additional rules. I can then proceed to whitelist those in the policy. However, I can't seem to find how to view these logs for all the other clients in the ERA console. I need to inspect these because they might create other false positives I need to act upon.

I would expect to find them under "Threats" and then filter for HIPS or Firewall threat types, but this list is empty and only shows regular AV trojan/virus threats.

Can you explain to me how to view these log entries in the ERA console? I'm running 6.5 on both the server and the clients.


Thanks, I thought this would be a basic functionality and if I'm not mistaken it was always included in ERA v5.

Any rough idea when we can expect v7?


  • ESET Staff

You can create a report for HIPS events, using the reporting framework in ERA V6.

Basically create a new report, with "HIPS" symbols (symbol = mapped database column, created from a particular log column on the computer). In the report, you will be able to see particular HIPS rule hits. It is not collected by default (as HIPS could create excessive loads of data), but it is possible to collect it as of now. You can play with the columns per your need.

Concerning the firewall, only high severity firewall events are collected. Not the "custom rule" triggered ones. This is planned to be adjusted in ERA V7. ERA V7 release date is not scheduled, but won't happen sooner than by Q4/2017 (but this is preliminary information, and is still subject to possible change).


Thanks, I have created a report for HIPS and Firewall. Both seem to work, but as you described I do see less data than is logged on the clients. But for now this will have to do I guess ;-)


  • 2 months later...
On 2017-3-24 at 11:35 PM, MichalJ said:

You can create a report for HIPS events, using the reporting framework in ERA V6.

Basically create a new report, with "HIPS" symbols (symbol = mapped database column, created from a particular log column on the computer). In the report, you will be able to see particular HIPS rule hits. It is not collected by default (as HIPS could create excessive loads of data), but it is possible to collect it as of now. You can play with the columns per your need.

Concerning the firewall, only high severity firewall events are collected. Not the "custom rule" triggered ones. This is planned to be adjusted in ERA V7. ERA V7 release date is not scheduled, but won't happen sooner than by Q4/2017 (but this is preliminary information, and is still subject to possible change).


Both of my ERA and clients are on 6.5 now, it seems HIPS client logs aren't reported to the server no matter what. Basically I have set some generic HIPS rules with logging on the client, and I can see the logs on the client. But the custom HIPS report is always empty. Is there anything I'm missing here? 


  • ESET Staff

Hello, there will be an improvement coming in Endpoint 6.6, that will add the option to define the logging severity for HIPS events / rules. As of now, only events with severity Warning & above are collected to ESET Remote Administrator.


57 minutes ago, MichalJ said:

Hello, there will be an improvement coming in Endpoint 6.6, that will add the option to define the logging severity for HIPS events / rules. As of now, only events with severity Warning & above are collected to ESET Remote Administrator.

Thanks for the clarification, MichalJ.

This topic is now closed to further replies.