6.6 Application Statuses

[ronmanp 2]

Using Endpoint Antivirus 6.6.2046.0 with ERA 6.5.522.0.

We disable Protocol Filtering by policy so we also disable the application statuses that relate to it. Just after upgrading to 6.6.2046.0 from 6.5 I started having warnings about it again.

After checking I see that Endpoint Antivirus 6.6.2046.0 added two new application protocol filtering statuses that can't be changed by policy yet. Please see screenshot comparing the options I have from the server vs what I have locally. I assume we'll need to wait for ERA 6.6 to fully support Endpoint Antivirus 6.6.2046.0?

As a side note, I suggest that when you disable a functionality by policy the client should automatically stop sending alerts about it.

Edited August 24, 2017 by ronmanp

[Marcos 5,074]

Could you please clarify why you need to keep protocol filtering off? It will make computers with Internet connection vulnerable to threats coming from the Internet. It also affects Advanced memory scanner detections.

[ronmanp 2]

We have other products in place for that.

[Marcos 5,074]

25 minutes ago, ronmanp said:

We have other products in place for that.

But why not to use additional protection? ESET's modules are interconnected and disabling protocol filtering also affect behavior in-memory detection by Advanced memory scanner. What issues do you run into if protocol filtering is enabled?

[ronmanp 2]

Thanks for the advice, I'll keep that in mind but it will take time for us to evaluate the feature and roll it out to all of our endpoints.

So with that said, how can I disable these two alerts like I used to be able with previous builds?

[Marcos 5,074]

In the web console, navigate to Help -> About and make sure that the version of the Configuration module is 1526.2.

It's currently only available on pre-release update servers so you'd need to go to Admin -> Server settings -> Updates and select "Pre-release".

[ronmanp 2]

Thanks Marcos, I'd rather wait a bit as I found this in the documentation. Do you have an ETA for the new configuration module to make it into the regular release?

We do not recommend that you select Pre-release updates for production systems as this is a risk.

[Marcos 5,074]

It will be staggered release so not all users will update at once. Some users might receive it next week and the rest of users afterwards.

Also thank you for pointing out this scary warning. We'll likely replace it with the description from Endpoint help:

Pre-release updates are updates that have gone through thorough internal testing and will be available to the general public soon. You can benefit from enabling pre-release updates by having access to the most recent detection methods and fixes. However, pre-release updates might not be stable enough at all times and SHOULD NOT be used on production servers and workstations where maximum availability and stability is required.

[ronmanp 2]

Fyi, I now have the latest configuration module but I still can't disable these two statuses from ERA. 

ESET Support Case 69797 has been opened. No ETA yet...

[e3z 3]

Just an Fyi; we are experiencing the exact same issue as ronmanp on the v. 6.6.2046.0 client upgrade. Like OP stated, we are also on Configuration module 1526.2 and have other products in place to handle "Web access protection". Extensive testing would be necessary to enable this feature as this change would affect many users.

Thank you & no response needed

[Marcos 5,074]

1 hour ago, e3z said:

Just an Fyi; we are experiencing the exact same issue as ronmanp on the v. 6.6.2046.0 client upgrade. Like OP stated, we are also on Configuration module 1526.2 and have other products in place to handle "Web access protection". Extensive testing would be necessary to enable this feature as this change would affect many users.

Thank you & no response needed

Check also the version of the Translation support module. What type of update do you have selected in the Server setup?

With "regular update", I have the following modules:

Update module    1069 (20161122)
Translation support module    1630 (20170922)
Configuration module    1526.2 (20170811)
SysInspector module    1269 (20170321)

Regarding disabled Web access protection, if would like I could provide you with some very fresh phishing/scam/malicious links that would be blocked by ESET. You could try them on an isolated system to find out if your current solution would block them or not. Nevertheless, it's also important to take into account that ESET's protection modules are interconnected and information from the firewall or Web access protection could be used by other protection modules while evaluating the suspiciousness of an object.

[e3z 3]

Hi Marcos, we are also set to Regular update. Our Transition support module is v. 1611 instead of 1630 as you are displaying. Could it be that we have yet to receive an update that would correct the issue?

Thank you for a further explanation of Web access protection and how it interacts with other ESET modules. I can revisit the possibility of enabling this feature as time & tide will allow.   

[ronmanp 2]

Same here. 

I've been told by ESET support that ERA 7 is coming out and it should support all the 6.6 configurations out of the box.

Also been suggested to locally configure a client, click on request configuration from ERA and then create a new policy with the imported configuration. I didn't try that as I'll just be sticking to 6.5 until there's a proper solution.

[e3z 3]

Thank you for your input ronmanp. Your post has been extremely helpful in troubleshooting this issue.