
ESET Disabling PC



If a PC has multiple issues with viruses and/or Trojans, is there any way that ESET can disable the device? My management wants a PC to be disabled if no one is monitoring the ESET console.

 

 


  • ESET Staff

You can trigger a computer shutdown, or network isolation, if you are using V6 together with ERA 6, so you can take advantage of ERA 6 automation framework.


On 18.05.2017 at 7:12 AM, MichalJ said:

You can trigger a computer shutdown, or network isolation, if you are using V6 together with ERA 6, so you can take advantage of ERA 6 automation framework.

Hi MichalJ, can you explain "network isolation" in more detail? It sounds really interesting. Does any documentation exist?


  • ESET Staff

In general, you can create a dynamic group for computers with unresolved infections.

"Computers with active threats" (choose the corresponding conditions: active threat, threat handled = no)

On top of such a group, you can assign a firewall policy that would block all network traffic, with the exception of the ERA agent, so in fact the computer is isolated from the network, which would prevent the infection from spreading.

 


Ah OK, you mean with EES. OK, I thought there was a possibility for EEA too. I am actually testing with EES (if I have time ^^), but it's a nice idea! I will make a note of it :) thx!


  • Administrators

With EEA you can only apply a policy that will block access to all http(s) websites but you can't block communications via other protocols.

Also please let us know what made you choose EEA over EES which provides additional protection against network attacks like EternalBlue exploited by the recent WannaCryptor.


2 hours ago, Marcos said:

With EEA you can only apply a policy that will block access to all http(s) websites but you can't block communications via other protocols.

Also please let us know what made you choose EEA over EES which provides additional protection against network attacks like EternalBlue exploited by the recent WannaCryptor.

We actually use EEA because we have an additional hardware firewall from Sophos. And there were too many problems with EES 6.3.

But I am testing whether we can save some money with EES :)

It's hard to set up the correct firewall and web protection setups, with so many possible exclusions. And your documentation of the settings is not really business-like ("too small, more examples and a possible-mistakes FAQ"); if I want to protect our network, the standard setup is not enough in my eyes.

 

Edit: I see you renewed some docs, I will try to read them again :)

Edited by HSW

  • Administrators

We are definitely interested in learning what issues administrators encounter with ESET Endpoint Security in their network compared to competitive solutions and what makes them go for ESET Endpoint Antivirus because of that and thus losing one important protection layer. According to a test carried out by MRG Effitas, ESET Endpoint Security v6 was one of 3 security products to successfully protect unpatched systems from the EternalBlue exploit exploited by the recent WannaCry ransomware and other malware too.

If you would like to try out ESET Endpoint Security, we can issue a temporary license for you so that you can deploy it on a handful of machines and report your findings to us. We will welcome any constructive feedback as our goal is to make security products that not only provide maximum protection but also fulfill your expectations and work flawlessly in your environment.


First of all, we have a license for EES :) thx

A problem for me / in my eyes is the servers. You don't provide a scanner for servers with a firewall.

It's a cost factor. Actually we have a big Sophos with web protection, proxy and more. If I want to replace this completely, I have a problem with the server protection. The managing directors want to save money on the "expensive IT".

For the clients I am actually testing it, but it's not easy for our company because we have 1000+ individual software products (some are really old), and in the past there were many problems with EES (HTTPS scanning and category filter). The new version looks fine, so I will try more and set up a policy for some testers.

So I must think of many exclusions, or how I can find them quickly; if the employees can't work, I get problems ^^


22 hours ago, MichalJ said:

In general, you can create a dynamic group for computers with unresolved infections.

"Computers with active threats" (choose the corresponding conditions: active threat, threat handled = no)

On top of such a group, you can assign a firewall policy that would block all network traffic, with the exception of the ERA agent, so in fact the computer is isolated from the network, which would prevent the infection from spreading.

 

Hi MichalJ, I tried this but it's not working correctly (in my eyes)! You can filter with "Active threats.Threat handled" = no // but if I manually set a threat as resolved, it is still marked as "active threat", so I can't set up exceptions (false alarms etc., or when ESET did not notice that the threat is no longer active). Any solution for this?

An additional example is also confusing -> Threat is handled = yes but resolved = no, why?


Edited by HSW

  • ESET Staff

Hello, this is one of the confusions in the current ERA that needs a bit of an explanation. 

"Active threat" does not equal "unresolved threat" (in the user interface of ERA).

"Active threat" = is evaluated on the ERA agent as soon as it is reported by Endpoint (threat handled = no), and the only way to remove it is by running an in-depth scan with cleaning enabled. If such a scan does not confirm the infection is still present on the computer, the "count" is cleared.

"Unresolved threat" = is reported to the ERA server (shown by the ERA UI). Every new threat reported is marked as "unresolved" when it arrives at ERA. The only way to resolve it is to do it manually by user action.

Resolving the "unresolved threat" does not remove the "active threat".

For the next version of ERA (towards the end of the year) we are planning changes to the behavior, so that a handled threat would be automatically marked as resolved.

Hope that this makes it a bit more clear.

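The two states described in the post above, as a small Python model added here (not part of the original post, and not ESET code or an ERA API; the class, method, host and threat names are hypothetical). It shows why resolving a threat in the console leaves the computer in the isolation dynamic group until an in-depth scan clears the agent-side count.

```python
"""Toy model of the two ERA 6 threat states described in the thread.
All names are hypothetical; this is not ESET's API."""
from dataclasses import dataclass, field


@dataclass
class Computer:
    name: str
    active_threats: int = 0                          # agent-side "count"
    server_log: list = field(default_factory=list)   # server-side records

    def report_threat(self, threat: str, handled: bool) -> None:
        # Every new threat arrives at the server as "unresolved".
        self.server_log.append(
            {"threat": threat, "handled": handled, "resolved": False})
        # The agent counts it as active only when handled = no.
        if not handled:
            self.active_threats += 1

    def resolve_in_console(self, threat: str) -> None:
        # Manual admin action: changes the server record only.
        for rec in self.server_log:
            if rec["threat"] == threat:
                rec["resolved"] = True

    def in_depth_scan_with_cleaning(self, infection_confirmed: bool) -> None:
        # Only a scan that no longer confirms the infection clears the count.
        if not infection_confirmed:
            self.active_threats = 0

    def unresolved(self) -> list:
        return [r["threat"] for r in self.server_log if not r["resolved"]]


def isolation_group(computers):
    """Dynamic group from the thread: active threat, threat handled = no."""
    return [c.name for c in computers if c.active_threats > 0]


def demo():
    a, b = Computer("pc-a"), Computer("pc-b")        # constructed sample hosts
    a.report_threat("Sample.Trojan.A", handled=False)
    b.report_threat("Sample.Trojan.B", handled=True)  # handled, still unresolved
    steps = [(isolation_group([a, b]), b.unresolved())]
    a.resolve_in_console("Sample.Trojan.A")          # e.g. judged a false alarm
    steps.append((isolation_group([a, b]), a.unresolved()))
    a.in_depth_scan_with_cleaning(infection_confirmed=False)
    steps.append((isolation_group([a, b]), a.unresolved()))
    return steps


if __name__ == "__main__":
    for members, unresolved in demo():
        print("isolated:", members, "| unresolved on server:", unresolved)
```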

Hm, not really good :( but thx for the info

I would also prefer a solution for marking a threat as resolved -> handled threat = yes

Or more filter options for dynamic groups, like resolved = yes/no


  • Administrators

I'd prefer having both "active threat" and "unresolved threat" statuses. A concrete example: Malware has managed to run and changed local system policies (e.g. disabled task manager). Although the malware was then cleaned and was no longer deemed an active threat, some of the modified local policies might have remained misconfigured. I.e. something that might not be obvious immediately but what an admin might want to look into when users report it.
