Policy issues

[Gamtat 1]

Managed to mostly upgrade from version 5 to version 6.5 over the last few days.  Instead of applying the migrated v5 policies I'm going to start fresh with v6 policies.  My only problem is there is no documentation that I can see that tells me what the various policy settings actually do.

I created a new policy for ESET Endpoint for Windows and on the first page, Real-time file system protection, there's an option "Scan on Computer shutdown".  Ok, that's kind of vague.  When I shutdown the computer something is going to be scanned.  Memory? Opened files? Local Drives? The entire network?  Who knows because it's not documented anywhere that I can find.

Ok, move onto the next section, Threatsense parameters.  "Scan boot sectors" is enabled but "Scan runtime packers" is disabled by default.  Why?  The little help icon tells me what a runtime packer is but not why I might not want to scan one.  Likewise in the next section Heuristics is enabled but Advanced Heuristics - a unique heuristic algorithm developed by ESET - is disabled.  Why?  Massive performance hit?  Compatibility issues?  Who knows.  No documentation.

The kicker is that by the time I've searched this forum and maybe found a thread that explains what a policy might do I go back to make the changes and the web interface has timed out.  When I log back in all my changes are gone.

Edited May 23, 2017 by Gamtat
subject changed

[Marcos 5,071]

2 minutes ago, Gamtat said:

I created a new policy for ESET Endpoint for Windows and on the first page, Real-time file system protection, there's an option "Scan on Computer shutdown".  Ok, that's kind of vague.  When I shutdown the computer something is going to be scanned.  Memory? Opened files? Local Drives? The entire network?  Who knows because it's not documented anywhere that I can find.

Ok, move onto the next section, Threatsense parameters.  "Scan boot sectors" is enabled but "Scan runtime packers" is disabled by default.  Why?  The little help icon tells me what a runtime packer is but not why I might not want to scan one.  Likewise in the next section Heuristics is enabled but Advanced Heuristics - a unique heuristic algorithm developed by ESET - is disabled.  Why?  Massive performance hit?  Compatibility issues?  Who knows.  No documentation.

The kicker is that by the time I've searched this forum and maybe found a thread that explains what a policy might do I go back to make the changes and the web interface has timed out.  When I log back in all my changes are gone.

Normally users should not change any of the default settings. They were chosen by ESET experts for best balance between protection and performance. Settings related to scanning, such as runtime packers or adv. heur. on access may have adverse effect on performance. However, nobody on Earth can tell you how much enabling them will affect performance as the impact may vary across environments and depends on files that are present on systems and operations that are frequently performed with files in particular environments.

As for the policy editor, it is basically a copy of what the advanced setup in Endpoint looks like; the settings have the same label (a big improvement compared to ERAv5) and are virtually self-explanatory. The functionality of particular settings (such as Removable media access) may vary between old and newer versions and some settings may be even hidden or removed in newer versions to prevent users from accidentally disabling them. A good example is "Scan on" events; I've seen cases when users disabled scanning of local disks or scanning on file open/create/execute and then complained that they got infected. It is possible that we will hide them (at least in home products) as they should be used only for troubleshooting purposes.

To sum it up, the basic rule is - keep default settings and configure only what you really need (e.g. trusted zone in firewall, rules, detection of potentially unsafe or unwanted applications, etc.). If you want to play with settings, enable a particular option (such as advanced heuristics or runtime packers on file access) and, if you notice impact on performance, disable them.

[foneil 342]

Exactly what marcos said.

From my understanding with what our Technical Support advise new ERA users, use the "Built-in Policies" and only modify as-needed for your specific environment (how marcos recommends to go about that). To see what is included in each policy, click the gear icon > Edit and you can view the default settings for each built-in policy.

 

[Gamtat 1]

I'm imagining Microsoft having no documentation on group policy objects and when people ask what certain GPO settings do the response is "No idea, turn it on and see what happens, you can always turn it off if you don't like it."  Like, this isn't directed at you guys but to ESET as a company - how is a complete lack of documentation for your product even remotely acceptable?

Ok, a question instead of a rant:

I have a Windows 7 client that had ESET Endpoint Antivirus 5.0.2265 installed.  After I pushed out the agent I created a task to Install ESET Endpoint Antivirus 6.5.2094.  This completed, the client rebooted and all looks fine.  It has the 6 default policies assigned (5 x HTTP Proxy Usage and 1 x Antivirus Balanced) only.

If I remote to this desktop I can "pause protection" and I'm asked for a password.  I put in the password that we used for version 5 and it's accepted.  I haven't configured that yet, did it just remember it from the previous install?  I assume that setting is in "User Interface / Access Setup".  That option is disabled in the default Balanced policy so where did it come from?

Similarly, if I remote into this same client and open up the settings I can see the following items in the ANTIVIRUS / BASIC page:

Enable detection of potentially unwanted applications    DISABLED
Enable detection of potentially unsafe applications        ENABLED
Enable detection of suspicious applications                    ENABLED

However, when I go to the Antivirus Balanced policy in the Remote Administrator web interface here are those settings:

Enable detection of potentially unwanted applications    DISABLED
Enable detection of potentially unsafe applications        DISABLED
Enable detection of suspicious applications                    ENABLED

These aren't the only discrepancies.  Is there a way to figure out why some policy items aren't being applied?  The client has a green tick "Maximum Protection", nothing in the event log, are policy updates logged anywhere?

[bbahes 29]

38 minutes ago, Gamtat said:

I'm imagining Microsoft having no documentation on group policy objects and when people ask what certain GPO settings do the response is "No idea, turn it on and see what happens, you can always turn it off if you don't like it."  Like, this isn't directed at you guys but to ESET as a company - how is a complete lack of documentation for your product even remotely acceptable?

Ok, a question instead of a rant:

I have a Windows 7 client that had ESET Endpoint Antivirus 5.0.2265 installed.  After I pushed out the agent I created a task to Install ESET Endpoint Antivirus 6.5.2094.  This completed, the client rebooted and all looks fine.  It has the 6 default policies assigned (5 x HTTP Proxy Usage and 1 x Antivirus Balanced) only.

If I remote to this desktop I can "pause protection" and I'm asked for a password.  I put in the password that we used for version 5 and it's accepted.  I haven't configured that yet, did it just remember it from the previous install?  I assume that setting is in "User Interface / Access Setup".  That option is disabled in the default Balanced policy so where did it come from?

Similarly, if I remote into this same client and open up the settings I can see the following items in the ANTIVIRUS / BASIC page:

Enable detection of potentially unwanted applications    DISABLED
Enable detection of potentially unsafe applications        ENABLED
Enable detection of suspicious applications                    ENABLED

However, when I go to the Antivirus Balanced policy in the Remote Administrator web interface here are those settings:

Enable detection of potentially unwanted applications    DISABLED
Enable detection of potentially unsafe applications        DISABLED
Enable detection of suspicious applications                    ENABLED

These aren't the only discrepancies.  Is there a way to figure out why some policy items aren't being applied?  The client has a green tick "Maximum Protection", nothing in the event log, are policy updates logged anywhere?

Only 4 post and you could get kudos from me 

Lack of good documentation has always been ESET problem. They've promised to improve. Let's see.

 

[MichalJ 434]

When performing an upgrade from V 5 to V6, previous settings are kept. If you assign a policy, only the settings with "apply" flag are applied (you would notice policy enforced setting on the local client by seeing a tiny "lock" next to the setting. Final configuration of the Endpoint, could be requested by a corresponding task. It is a result, of all applied policies, respecting policy inheritance / application order + settings applied locally on the client (not set by any policy, but still in local configuration). I would recommend checking documentation related to this topic: http://help.eset.com/era_admin/65/en-US/index.html?admin_pol.htm

Related to your feedback abou lack of explanation for various settings, I will send them to our documentation team. 

 

[Gamtat 1]

Is there a way to find out which policy items are applied to which clients?

I'd like to go through the default policy item by item and make changes when necessary.  However, I always find it bad form to edit default policies and accounts, preferring to leave them in place and disable them if necessary.  I could start a new policy from scratch but then I'm going to be duplicating much of what's in the default policy and I may even miss something.

Is there a way to compare policies or do I open multiple pllicy windows side by side and go through them that way?  Can I export them to diff them somehow?

Essentially I want to be sure which policy items are set on which computers.  The only way I can see to do that with this web tool is to create a policy for which every single setting is locked with the solid circle icon.  Is that true?

Edited May 22, 2017 by Gamtat

[Gamtat 1]

So, I guess more policy questions.

I'm trying to build up policies bit by bit by applying the default balanced policy and making changes in custom targeted policies.  I don't want users to have the option to take no action when a threat is detected so the first change is to enable Strict Cleaning across all scans.  My problem is that it doesn't seem to be possible to do only that.  When I change the cleaning level option from Normal to Strict it also locks policy items for the entire category so, by the time I've enabled Strict cleaning for the four scan types, my small, targeted policy has made 76 policy item changes.
 

Should I not be trying to make minimal, targeted policy changes and instead just make one massive policy that covers everything?  Which is the recommended route?

[Peter Fitzsimons 0]

Is there a website to download original policies for ERA v.6?

While trying to delete a task for the antivirus balanced policy,  I mistakenly deleted the policy.

I imagine a repair/reinstall will not change my policy settings.  And I don't want to restore the ERA to an earlier time, as I have made other settings changes