
Quarantine issues


Gamtat

1. The Admin / Quarantine screen doesn't show which computers the quarantined files came from.  I can't add it to the list of columns either.  I have to click the hash, click show details, view computer name then click back (click click click click click click).  I want to clean up the data so I tried to make a filter to show pre-2017 items because I don't care about those but that's not possible.  I click Add filter, click Last Occurred, click OK (so much clicking in this new interface).  I then have a dropdown where my options are <15 minutes to <1 year.  No possible way to see things older than 1 year.  I can't type in a date?  Fine, I'll go back to the main quarantine screen and sort by date.  Now I'll just multi-select the items and... :(  no multi-select.  Thumbs down for the new web interface.

Also, my quarantine page only has a few hundred items.  Why is it so slow to scroll?  I scroll half way down the list and the scrolling pauses, the items disappear while presumably more items are retrieved from the web server.  Then I scroll back up and the same thing happens.  Scroll back down and it happens again.

 

2. Quarantine screen.  Filter by Threat type.... not possible.

 

3. When I "Restore and Exclude" where exactly is that exclusion configured?  I don't see it in any policies and logging onto the computer in question to search through the local config reveals nothing.  As a test I right clicked the now-restored file and selected "Scan with ESET Endpoint Antivirus".  It was immediately quarantined again, so it doesn't appear to be getting excluded.


  • ESET Staff

Hello,

  1. You can use report "detailed quarantined objects" to display data per computer (basically one line, per one threat, including computer name). In here you can add filters by computer / computer name, static group, or even a mask (endpoint / server). Also define "time of occurrence conditions", from - to. So it provides extensive filtering. You can find this report in reports section of ERA UI, or add it as a custom dashboard element when needed.
  2. We will track improvements to filter also by "threat type", for both quarantine reports.
  3. Exclusion is configured on the machine, written by Endpoint locally to the list of exclusions. This however does not work when there are any other exclusions set via policies (as the exclusions become read-only on the local client). Change is planned for V7 (Q4/2017), where also option to exclude from "threats view" is coming, that will map the exclusion directly into the selected policy.

Maybe last question. Which ERA version are you using? (You can locate the precise version in the "About" section of ERA webconsole.)


  • Administrators

As for negating filters, we will consider this for ERA v7 so that filtering objects "older than X" is possible. Currently there's only a filter for objects "newer than X".


  • Administrators
11 hours ago, Gamtat said:

Also, my quarantine page only has a few hundred items.  Why is it so slow to scroll?  I scroll half way down the list and the scrolling pauses, the items disappear while presumably more items are retrieved from the web server.  Then I scroll back up and the same thing happens.  Scroll back down and it happens again.

You can disable auto-loading in the right-hand lower corner of the window and enable paging:

ERA6_paging.png


7 hours ago, MichalJ said:

Hello,

  1. You can use report "detailed quarantined objects" to display data per computer (basically one line, per one threat, including computer name). In here you can add filters by computer / computer name, static group, or even a mask (endpoint / server). Also define "time of occurrence conditions", from - to. So it provides extensive filtering. You can find this report in reports section of ERA UI, or add it as a custom dashboard element when needed.
  2. We will track improvements to filter also by "threat type", for both quarantine reports.
  3. Exclusion is configured on the machine, written by Endpoint locally to the list of exclusions. This however does not work when there are any other exclusions set via policies (as the exclusions become read-only on the local client). Change is planned for V7 (Q4/2017), where also option to exclude from "threats view" is coming, that will map the exclusion directly into the selected policy.

Maybe last question. Which ERA version are you using? (You can locate the precise version in the "About" section of ERA webconsole.)

1. This solution is.... less than ideal. It shows me the computer name but now I can only perform one operation at a time.  As a feature request, the quarantine page is right there already, just needs another column added to increase its usefulness.

3. I figured something like that might be happening when nothing changed in the client's local configuration.  It would be great if you could mark a threat as "ignore for this location", "ignore for this computer", "ignore system-wide" or some combination.. I guess having a specific exclusions policy sounds good.

We're using this version:

ESET Remote Administrator (Server), Version 6.5 (6.5.522.0), ESET Remote Administrator (Web Console), Version 6.5 (6.5.388.0) with Endpoint Antivirus 6.5.2094 on the clients.

6 hours ago, Marcos said:

As for negating filters, we will consider this for ERA v7 so that filtering objects "older than X" is possible. Currently there's only a filter for objects "newer than X".

Great news!

6 hours ago, Marcos said:

You can disable auto-loading in the right-hand lower corner of the window and enable paging:

ERA6_paging.png

I tried this and it made no difference.  I get slow, laggy scrolling with "loading..." popups no matter which option is selected.

Edited by Gamtat
