Future changes to ESET Endpoint programs



Include BadUSB prevention like G Data's USB Keyboard Guard. That would be cool. It scans all connected devices and after that, every other/new connected USB device will need to be allowed manually, by user interaction or by the ESET PROTECT backend.


On 10/18/2020 at 2:57 PM, Benjamin82 said:

Is Application Control/Whitelisting still on the product roadmap?  It's becoming commonplace in most endpoint products.  Currently I typically use the now deprecated (but still working) Software Restriction Policies built into Windows, in conjunction with ESET.  Kaspersky in particular has made their whitelisting very configurable in their Endpoint Security for Windows product (https://support.kaspersky.com/KESWin/11/en-US/165718.htm), and can handle whitelisting based on hash, file path, certificate, etc. (similar to SRP and Applocker).  There are some dedicated third party solutions for handling application whitelisting as well, such as Airlock Digital (https://www.airlockdigital.com/), and even ManageEngine recently launched a new offering (https://www.manageengine.com/application-control/?pos=Allprod&cat=ITS&loc=links&prev=AB2).  But it would be very handy to have this sort of control available in ESET Endpoint products.

What I'm doing at the moment is: HIPS rules which deny any execution from explorer.exe, and then an additional rule which allows explorer.exe to start mspaint.exe, winword.exe, and so on (not 100% bulletproof, but a good way to restrict the normal user). You can use this for any kind of application and execution, e.g. to restrict starting executables out of a WinRAR archive. Maybe this helps you.


Description: Add preconfigured rules for HIPS / Exploit Blocker

Detail: ESET does not have alternatives to the full set of rules from Microsoft Defender Attack Surface Reduction (hxxps://docs.microsoft.com/de-de/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), but has a KB article for adding HIPS rules for some exploits (KB6119).

Request: My suggestion is to take the rules from KB6119, add the missing features from Attack Surface Reduction and add them as preconfigured options to HIPS or Exploit Guard.


Description: use of Web Control depending on location

Detail: we don't want the users to access specific sites if they are in the office (like shopping, gaming, ...), but we don't care if they do it in their leisure time at home. Therefore a network-based policy would be great!


  • 4 months later...
  • Most Valued Members

Description : MATE Desktop support for Linux Endpoint GUI

Detail: MATE is being used by several distributions including Ubuntu; it would be good if it's possible to have support for that desktop in the GUI.

Thanks.

Edited by Nightowl

  • 1 month later...

Description: make module updates on Linux possible using a local directory

Detail: when using ESET products in an offline environment I am able to update the antivirus modules from a local drive or directory on Windows machines, but I can't seem to find a way to do that on Linux machines. The only way I managed to do it is to use an HTTP server on the machine and then use hxxp://localhost/<path>/<to>/<repo> as the update server, but I would prefer to use a simple path without having to set up an HTTP server on each machine.


  • Administrators
9 minutes ago, MatthiasU said:

Description: make module updates on Linux possible using a local directory

It should work. In case of problems, please open a support ticket with your local ESET distributor.


19 minutes ago, Marcos said:

It should work. In case of problems, please open a support ticket with your local ESET distributor.

How do you configure it then? I can't find the field in the UI (using either CentOS 8 or openSUSE 15), and using the CLI there's a --server option but nothing related to a local directory.

Hope I don't interfere with the topic by asking that here. Thanks in advance for your response.


  • 1 month later...

Can we please have an option in "Web and Email / Web Control" to create rules to block websites based on keyword.

For example, for an unproductive student, we don't want to block YouTube completely as this is sometimes required for their school work, but we do want to block YouTube videos on, for example, Minecraft.

Now admittedly we are assuming every YouTube page with a Minecraft video will have the word 'minecraft' on that page, but most probably will, so at least this rule would block most of these videos.

This is just one example of many that we could come up with to block content that is not currently covered under the set categories, and where blocking based on url is not practical.


  • 5 months later...

It would be very cool if it were possible to show a desktop message when something is sent to Dynamic Threat Defense, even if the ESET GUI is running in Terminal/Hidden mode.

So that the user knows the reason for not being able to open e.g. a PDF file (when Document scanning is enabled).

I mean you can show it in GUI "Full" mode, but I don't want the users to be able to see the GUI, logs and stuff.


  • 3 weeks later...

Description: Test function for firewall

Detail: To my knowledge, the only way to see if your policies will work is to turn on the firewall and stop all traffic if it's not working correctly. It would be nice to have a report-only mode, so that you can see if the traffic is blocked or not without interfering with production.


  • 4 weeks later...

Description: Users can send request to allow a device

Details: When users plug in a blocked USB device, a pop-up is shown to send an e-mail to the administrators with a request to allow this device. The manufacturer, model and serial number should be in this e-mail.

This was possible in our last endpoint product, but in ESET it's kinda complicated. You have to enable the diagnostics log so that we can see all the device control info of a PC on the ESET server, and the devices are marked with warnings because that's enabled.


  • 3 weeks later...

Description: Enable more advanced configuration and control scenarios for administrators via the command line.

1. Add eShell to Endpoint software.

Details: Adding the text based interface to the Endpoint client software will allow administrators to script the product and remotely access and configure the product without interrupting end user activities.

2. Add WMI classes for interacting (reading/writing settings and configurations) to security products.

Details: Expand upon the existing WMI support by allowing clients to configure security products using WMI/CIM interfaces.

3. Add a PowerShell module to security products.

Details: Tools that would further allow for configuring, testing, troubleshooting and working with the security products. A PowerShell module would complement the existing eShell tool and would further enable advanced administration with the tools administrators are using. WMI tooling would allow other tools to work with security products outside of the small handful of RMM integrations.

----------

Description: Make ecmd more useful.

  1. Add a list/help parameter to ecmd. Something to list all the available commands. For example: -h --help /? /help /list /listcmds
  2. Add a reset configuration parameter. ecmd /resetcfg to reset the product to its default configuration.
  3. Maybe add a parameter to get the default config as an XML file. Something like ecmd /getdefaultcfg <filename.xml>.

----------

Description: Add profile selection to ecls or add a new command line scanner that uses profiles and outputs to the application's log.

Details: If eShell doesn't get added to Endpoint, add a "profile" parameter to the ESET command line scanner program so that users don't have to try to configure the command line scanner to emulate a predefined scanning profile.
Alternatively, a new command line scanner that simplifies the ecls experience but also fits nicely with remote management would be nice. Currently ecls has options for specifying where to quarantine/log/load modules, which is all very advanced and most people don't need. I think a scanner that uses the same profiles and logs as the main application would be a lot more friendly to end users and administrators.
Example:

> eclods.exe
ESET Command Line On-Demand Scanner
Usage: eclods [SCAN PROFILE] [OPTIONS..] FILES.. [/exclude] FILES..

Scan Profiles:
Profile names should be quoted. Alternatively spaces can be replaced with underscores ( _ ) or dashes ( - ).
    Smart scan           The Smart scan profile uses Smart Optimization caching, which excludes files that were previously found to be clean.
    Context-Menu scan    You can start an on-demand scan of any file from the context menu. The Context menu scan profile allows you to define a scan configuration that will be used when you trigger the scan this way. (default)
    In-depth scan        The In-depth scan profile does not use Smart optimization by default, so no files are excluded from scanning using this profile.
    Computer scan        This is the default profile used in the standard computer scan in eGUI.

Custom scan profile names can also be specified. Create custom scan profiles in the product graphical user interface.

Options:
    /subdir              scan subfolders (default)
    /no-subdir           do not scan subfolders
    /log-file=FILE       log output to FILE
    /log-rewrite         overwrite output file (default - append)
    /log-console         log output to console (default)
    /quiet               do not output to console

Files:
If no files are specified the profile's predefined targets will be used.

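As an added illustration of the proposed eclods command line (my own example code, not an ESET tool and not part of the original post), the following parser implements the usage text above: the optional leading profile name is matched case-insensitively with underscores or dashes standing in for spaces, the listed options are decoded into a scan request, and everything after /exclude becomes an exclusion. The profile names and option spellings come from the proposal; the ScanRequest fields, the handling of custom profile names and the sample arguments are my assumptions.

```python
"""Hypothetical argument parser for the proposed 'eclods' command line
(constructed example; not an ESET program)."""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence

# Profiles named in the proposed usage text; custom names are supplied by the caller.
BUILTIN_PROFILES = ["Smart scan", "Context-Menu scan", "In-depth scan", "Computer scan"]
DEFAULT_PROFILE = "Context-Menu scan"   # marked "(default)" in the proposal


@dataclass
class ScanRequest:
    profile: str = DEFAULT_PROFILE
    subdirs: bool = True                 # /subdir is the default, /no-subdir turns it off
    log_file: Optional[str] = None       # /log-file=FILE
    log_rewrite: bool = False            # default is append
    log_console: bool = True             # /quiet turns console output off
    files: List[str] = field(default_factory=list)      # empty = profile's own targets
    excludes: List[str] = field(default_factory=list)   # everything after /exclude


def canonical(name: str) -> str:
    """Fold a profile name: case-insensitive, '_' and '-' stand in for spaces."""
    return " ".join(name.lower().replace("_", " ").replace("-", " ").split())


def resolve_profile(arg: str, profiles: Sequence[str]) -> Optional[str]:
    """Return the display name of the profile that 'arg' refers to, or None."""
    wanted = canonical(arg)
    for p in profiles:
        if canonical(p) == wanted:
            return p
    return None


def parse_eclods_args(argv: Sequence[str], custom_profiles: Sequence[str] = ()) -> ScanRequest:
    profiles = list(BUILTIN_PROFILES) + list(custom_profiles)
    req = ScanRequest()
    args = list(argv)
    # The optional first positional argument is a profile only if its name resolves;
    # otherwise it is a file target. A file that happens to share a profile's name
    # would be misread, which is the price of making the profile optional.
    if args and not args[0].startswith("/"):
        found = resolve_profile(args[0], profiles)
        if found:
            req.profile = found
            args.pop(0)
    excluding = False
    for a in args:
        low = a.lower()
        if low == "/exclude":
            excluding = True
        elif low == "/subdir":
            req.subdirs = True
        elif low == "/no-subdir":
            req.subdirs = False
        elif low.startswith("/log-file="):
            req.log_file = a[len("/log-file="):]   # keep the path's original case
        elif low == "/log-rewrite":
            req.log_rewrite = True
        elif low == "/log-console":
            req.log_console = True
        elif low == "/quiet":
            req.log_console = False
        elif a.startswith("/"):
            raise ValueError(f"unknown option: {a}")
        else:
            (req.excludes if excluding else req.files).append(a)
    return req


if __name__ == "__main__":
    # Constructed invocation: profile with underscores, one target, one exclusion.
    print(parse_eclods_args(["In_depth_scan", "/no-subdir", "/log-file=c:\\logs\\scan.log",
                             "c:\\data", "/exclude", "c:\\data\\tmp"]))
```

Quoting is left to the shell, so "In-depth scan" arrives as a single argument and the parser never has to re-split it.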

Description: Global overrides and better config management for Endpoint/Server Security products.

Details:

The typical power user/administrator when setting up the protection products starts with the advanced configuration at the top level in Detection Engine and you're presented with Real-Time & Machine Learning protection settings. These act as a sort of global configuration for the rest of the product.

After configuring the base product (or is it the real-time configuration in Detection Engine?), the next item is to configure the Real-time file system protection, then Malware scans (skipping cloud protection). In the Malware scans setup we're presented with On-Demand scanning profiles, Idle-state profile, Startup Scan profile and the Document protection profile.

Currently, any On-Demand scan profile's first real setting is whether to use the Real-time file system protection settings. This is very close to a global setting or default configuration that I'm certain pleases many users. My feature request is to extract that setting concept (a reference/pointer), and then combine that with an added base on-demand/event scan profile that every other profile references. The base config concept could also be combined with the Policies concept from the management server, with each option becoming ignored, set as default, or forced. The base scan profile would include all the protection categories, threat sense parameters, scanner limits, and the system's Other ( scan ADS, preserve timestamp, etc. ) settings. 

Rationale:

  • Consolidates the 3 to 7 to X number of places to change settings when deploying or configuring the product.
  • Doesn't lock users in via policy (not always the desired effect).
  • Potential to protect users from bad ESET settings (automatically modifying the last accessed timestamp, for example).

Description: Add a configurable scanning profile for AMSI scanning.

Details: If Document Protection, an API-based scanning integration, gets to have its own scanning profile, then shouldn't AMSI scanning get the same treatment as well?


  • 2 weeks later...

Application Control/Whitelisting.  I've inquired before about this, but I view it as a core capability that ESET still lacks.  Microsoft's tools for application control are varied and cumbersome to manage.  SRP is dated, Applocker only works on Enterprise versions of Windows 10 and 11, and Windows Defender Application Control is probably the most cumbersome yet of their application control tools.  So my suggestion would be some manner to whitelist authorized applications (via hash, publisher, etc.) and effectively block execution from user writeable directories within ESET.  Basically similar to how SRP and Applocker works.  


  • 1 month later...

I have an idea for potentially thwarting phishing-type emails to a degree with the ESET endpoint email plugin. What if ESET looked at the originating email address of an inbound email and compared it to previous source emails an individual had received? If it was a new email address never seen before, the user would be alerted via a tag on the subject line, something to the degree of "beware: unknown email address".
This conceivably could be expanded to look at other factors within the email header (location of source email, etc.) as well to provide some level of warning to the user. We are seeing a lot more attempted attacks on clients these days and I think anything that provides some level of alerting would help.

Just a thought.

Thanks,

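As an added example of the first-seen-sender idea above (my own code, not an ESET feature and not part of the original post): a per-recipient sender history that tags the subject of any inbound message whose From address the recipient has never received from. It also adds one of the "other header factors" the post mentions, namely a Reply-To domain that differs from the From domain; that choice of factor, the tag wording for it, and the sample messages are my assumptions.

```python
"""Constructed example of 'first-seen sender' subject tagging. Not ESET code."""
from collections import defaultdict
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List, Set, Tuple

UNKNOWN_TAG = "[beware: unknown email address]"          # wording from the post
REPLYTO_TAG = "[beware: reply-to differs from sender]"   # extra factor (assumption)


def normalize_address(header_value: str) -> str:
    """Extract the bare address from 'Name <addr>' and fold case."""
    _name, addr = parseaddr(header_value or "")
    return addr.strip().lower()


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


class SenderHistory:
    """Per-recipient memory of sender addresses seen so far."""

    def __init__(self) -> None:
        self._seen: Dict[str, Set[str]] = defaultdict(set)

    def process(self, recipient: str, raw_message: str) -> Tuple[str, List[str]]:
        """Return (subject with any tags prepended, tags applied) and record the sender."""
        msg: Message = message_from_string(raw_message)
        sender = normalize_address(msg.get("From"))
        subject = msg.get("Subject", "")
        recipient = recipient.lower()
        tags: List[str] = []
        # Factor 1: has this recipient ever received mail from this exact address?
        if sender and sender not in self._seen[recipient]:
            tags.append(UNKNOWN_TAG)
        # Factor 2: replies would go to a different domain than the apparent sender.
        reply_to = normalize_address(msg.get("Reply-To"))
        if reply_to and domain_of(reply_to) != domain_of(sender):
            tags.append(REPLYTO_TAG)
        if sender:
            self._seen[recipient].add(sender)
        tagged = " ".join(tags + [subject]) if tags else subject
        return tagged, tags


# Constructed sample mailbox: a known contact twice, then a look-alike domain
# with a Reply-To pointing elsewhere.
SAMPLE_MAIL = [
    "From: Alice <alice@example.com>\nTo: bob@corp.example\nSubject: Q3 numbers\n\nhi",
    "From: Alice <alice@example.com>\nTo: bob@corp.example\nSubject: Re: Q3 numbers\n\nthanks",
    "From: Alice <alice@examp1e.com>\nTo: bob@corp.example\nSubject: Urgent wire\n"
    "Reply-To: pay@other.example\n\nplease process today",
]


def run_demo() -> List[Tuple[str, List[str]]]:
    history = SenderHistory()
    return [history.process("bob@corp.example", m) for m in SAMPLE_MAIL]


if __name__ == "__main__":
    for tagged_subject, tags in run_demo():
        print(tagged_subject)
```

Matching on the bare address rather than the display name is what makes the look-alike domain in the third message show up as unknown even though the display name is familiar.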

  • 3 months later...

Description: Adding a more fine-tuned way of filtering rules (HIPS, etc.)

Detail: Currently on HIPS rules, you can specify only the exact file name at the end of the path for the source application.

Wildcard works only for an inner path like C:\Users\*\AppData to replace any user's AppData folder.

It would be really useful to have more fine-tuned filtering options like the following:

* (single wildcard) permits any sequence of characters between directory terminators. Single wildcards are NOT recursive. For example:
c:\example\* allows anything to run in c:\example.
c:\example\*\temp.exe allows a file called temp.exe to run within a single subdirectory of c:\example
c:\example\*\system\*.exe allows any file with the extension .exe to run within two subdirectories of c:\example (with the latter subdirectory called system)

** (double wildcard) permits any sequence of characters for the remainder of a path. Double wildcards ARE recursive. For example:
c:\example\** allows any file to run in c:\example and all subdirectories
c:\example\**.dll allows any file with the extension .dll to run in c:\example and all subdirectories

? (question mark) permits the replacement of a single character in a path. For example:
c:\example\explore?.exe would allow c:\example\explorer.exe to run but not c:\example\explorer2.exe
c:\??ample\explorer.??? would allow c:\example\explorer.exe, c:\example\explorer.dll and c:\trample\explorer.exe to run
?:\test.exe would allow the file test.exe to run on any drive letter.
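As an added example of the wildcard semantics proposed above (my own code, not ESET's HIPS implementation and not part of the original post): a matcher that compiles a pattern with *, ** and ? into a regular expression and evaluates a first-match-wins rule list against a path. The three wildcard meanings are the ones described in the post; the case-insensitive matching, the slash folding, the rule list with its allow/block/ask actions and the sample paths are my assumptions.

```python
"""Constructed example of the proposed path wildcards (not ESET code):
'*'  = any characters except the path separator (stays inside one component),
'**' = any characters including separators (recursive),
'?'  = exactly one non-separator character. Matching is case-insensitive."""
import re
from typing import List, Sequence, Tuple

SEP = "\\"


def normalize_path(path: str) -> str:
    """Fold forward slashes to backslashes so one pattern covers both spellings."""
    return path.replace("/", SEP)


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*" and pattern[i + 1:i + 2] == "*":
            parts.append(".*")             # '**': recursive, may cross separators
            i += 2
        elif ch == "*":
            parts.append(r"[^\\]*")        # '*': anything but a separator
            i += 1
        elif ch == "?":
            parts.append(r"[^\\]")         # '?': exactly one non-separator character
            i += 1
        else:
            parts.append(re.escape(ch))    # literal, including '\' and '.'
            i += 1
    return re.compile("".join(parts), re.IGNORECASE)


def path_matches(pattern: str, path: str) -> bool:
    """True when the whole path matches the whole pattern."""
    regex = pattern_to_regex(normalize_path(pattern))
    return regex.fullmatch(normalize_path(path)) is not None


# Constructed HIPS-style rule list: first matching rule decides, otherwise ask.
Rule = Tuple[str, str]
RULES: List[Rule] = [
    (r"C:\Windows\System32\*.exe", "allow"),    # single '*': not System32\drivers\...
    (r"C:\Program Files\**", "allow"),          # double '**': whole tree
    (r"C:\Users\*\AppData\**", "block"),        # any user's AppData tree
    (r"?:\Temp\**", "block"),                   # '?' stands in for the drive letter
]


def evaluate(rules: Sequence[Rule], path: str, default: str = "ask") -> str:
    for pattern, action in rules:
        if path_matches(pattern, path):
            return action
    return default


if __name__ == "__main__":
    # Constructed sample paths showing each wildcard's reach.
    for p in [r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\drivers\x.exe",
              r"c:\users\alice\appdata\local\temp\tool.exe", r"D:\Temp\x.exe"]:
        print(f"{evaluate(RULES, p):5} {p}")
```

The single-wildcard rule for System32 deliberately does not reach into drivers\, which is the non-recursive behaviour the post asks for; widening it would take ** instead.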

  • 2 weeks later...

Hello,

I would like to see a new implementation in the ESET endpoint protection to block scammers.

All these scammers are using TeamViewer or AnyDesk to take control of the victim's computer. As ESET is monitoring network traffic, it should be easy to see if somebody is using AnyDesk or TeamViewer to control a computer. If you open a webpage for a bank together with an open remote session, I would like to see a red warning (or even block the connection using a policy) so that people are informed that there are possible hackers on their computer and that they should not enter any codes.


  • ESET Staff
2 hours ago, HOverviewIT said:

Hello,

I would like to see a new implementation in the ESET endpoint protection to block scammers.

All these scammers are using TeamViewer or AnyDesk to take control of the victim's computer. As ESET is monitoring network traffic, it should be easy to see if somebody is using AnyDesk or TeamViewer to control a computer. If you open a webpage for a bank together with an open remote session, I would like to see a red warning (or even block the connection using a policy) so that people are informed that there are possible hackers on their computer and that they should not enter any codes.

Hello, many thanks for this idea.

Actually, we have something like you mentioned in our EDR layer (ESET Inspect), which provides better visibility into your network and helps you identify suspicious behavior.

For example, these rules related to this MITRE ATT&CK technique: https://attack.mitre.org/techniques/T1219/ can be helpful.

However, including other conditions in such rules is quite an interesting idea.


  • 3 weeks later...
On 10/20/2022 at 7:04 AM, igi008 said:

Hello, many thanks for this idea.

Actually, we have something like you mentioned in our EDR layer (ESET Inspect), which provides better visibility into your network and helps you identify suspicious behavior.

For example, these rules related to this MITRE ATT&CK technique: https://attack.mitre.org/techniques/T1219/ can be helpful.

However, including other conditions in such rules is quite an interesting idea.

igi008 -- this is really great, thanks for sharing


  • 4 weeks later...

In a managed environment, like we're using with ESET Protect, we absolutely need the ability to suppress end of life warnings. It makes no sense to warn users that their fully functional client will have a problem 12 months from now.  They can't do anything about it other than worry and clog our helpdesk support.

Give the IT administrators better insights into upcoming end-of-life dates right in the web console rather than making us proactively track down a website within your support pages.    I'm in the console on a daily basis and there'd be plenty of opportunity to warn me that 9.0.2046.0 needs to be updated before November 30, 2022.


