vbu, posted March 24, 2017:

I have applied the ESET recommendations for the HIPS and Firewall modules to help prevent ransomware infection as per hxxp://support.eset.nl/kb6119/. In the client on my PC I can see that logs are created for some false positives because of these additional rules. I can then proceed to whitelist those in the policy. However, I can't seem to find how to view these logs for all the other clients in the ERA console. I need to inspect these because they might create other false positives I need to act upon. I would expect to find them under "Threats" and then filter for HIPS or Firewall threat types, but this list is empty and only shows regular AV trojan/virus threats. Can you explain to me how to view these log entries in the ERA console? I'm running 6.5 on both the server and the clients.
Marcos (ESET Administrator), posted March 24, 2017:

This is planned to be supported by ERA v7.
vbu (author), posted March 24, 2017:

Thanks, I thought this would be basic functionality and, if I'm not mistaken, it was always included in ERA v5. Any rough idea when we can expect v7?
MichalJ (ESET Staff), posted March 24, 2017:

You can create a report for HIPS events using the reporting framework in ERA V6. Basically, create a new report with "HIPS" symbols (symbol = mapped database column, created from a particular log column on the computer). In the report you will be able to see particular HIPS rule hits. It is not collected by default (as HIPS could create excessive loads of data), but it is possible to collect it as of now. You can play with the columns per your need. Concerning the firewall, only high-severity firewall events are collected, not the "custom rule" triggered ones. This is planned to be adjusted in ERA V7. The ERA V7 release date is not scheduled, but it won't happen sooner than Q4/2017 (this is preliminary information and is still subject to possible change).
vbu (author), posted March 24, 2017:

Thanks, I have created a report for HIPS and Firewall. Both seem to work, but as you described I do see less data than is logged on the clients. For now this will have to do, I guess ;-)
V2TW, posted June 16, 2017:

On 2017-3-24 at 11:35 PM, MichalJ said:

    You can create a report for HIPS events using the reporting framework in ERA V6. Basically, create a new report with "HIPS" symbols (symbol = mapped database column, created from a particular log column on the computer). In the report you will be able to see particular HIPS rule hits. It is not collected by default (as HIPS could create excessive loads of data), but it is possible to collect it as of now. You can play with the columns per your need. Concerning the firewall, only high-severity firewall events are collected, not the "custom rule" triggered ones. This is planned to be adjusted in ERA V7. The ERA V7 release date is not scheduled, but it won't happen sooner than Q4/2017 (this is preliminary information and is still subject to possible change).

Both my ERA and clients are on 6.5 now; it seems HIPS client logs aren't reported to the server no matter what. Basically I have set some generic HIPS rules with logging on the client, and I can see the logs on the client. But the custom HIPS report is always empty. Is there anything I'm missing here?
MichalJ (ESET Staff), posted June 16, 2017:

Hello, there will be an improvement coming in Endpoint 6.6 that will add the option to define the logging severity for HIPS events/rules. As of now, only events with severity Warning and above are collected to ESET Remote Administrator.
V2TW, posted June 16, 2017:

57 minutes ago, MichalJ said:

    Hello, there will be an improvement coming in Endpoint 6.6 that will add the option to define the logging severity for HIPS events/rules. As of now, only events with severity Warning and above are collected to ESET Remote Administrator.

Thanks for the clarification, MichalJ.