Jump to content

Future changes to ESET Endpoint programs


Aryeh Goretsky
 Share

Recommended Posts

Include BadUSB Prevention like G Data's USB Keyboard Guard. That would be cool. It scans all connected devices and after that, every other/new connected usb device will need to be allowed manually. user interaction or by eset protect backend.

Link to comment
Share on other sites

On 10/18/2020 at 2:57 PM, Benjamin82 said:

Is Application Control/Whitelisting still on the product roadmap?  It's becoming commonplace in most endpoint products.  Currently I typically use the now deprecated (but still working) Software Restriction Policies built into Windows, in conjunction with ESET.  Kaspersky in particular has made their whitelisting very configurable in their Endpoint Security for Windows product (https://support.kaspersky.com/KESWin/11/en-US/165718.htm), and can handle whitelisting based on hash, file path, certificate, etc. (similar to SRP and Applocker).  There are some dedicated third party solutions for handling application whitelisting as well, such as Airlock Digital (https://www.airlockdigital.com/), and even ManageEngine recently launched a new offering (https://www.manageengine.com/application-control/?pos=Allprod&cat=ITS&loc=links&prev=AB2).  But it would be very handy to have this sort of control available in ESET Endpoint products.

What i'm doing atm is: HIPS Rules which are denying any execution from explorer.exe and then an additional rule which allows explorer.exe to start mspaint.exe, winword.exe, and so on. (not 100% bulletproof, but a good way to restrict the normal user) - you can use this for any kind of applications and executions. restrict starting executables out of an winrar archive, - maybe this helps you.

Link to comment
Share on other sites

Description: Add preconfigured rules for HIPS / Exploit Blocker

Detail:  Eset does not have alternatives to the full set of rules from Microsoft Defenter Attack Surface Reduction (hxxps://docs.microsoft.com/de-de/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction) but has a KB for adding HIPS Rules for some exploits (KB6119).

Request: My suggestion is to take the rules form KB6119, add the missing features from Attack Surface Reduction and add them as preconfigured options to HIPS or Exploit Guard.

Link to comment
Share on other sites

Description: use of Webcontrol depending on location

 

Detail: we dont wnat that the users access specific sites if they are in the office (like shopping, gaming,...)
but we don't care if they do it in their leisure time at home. Therefore a networkbased policy would be great!

Link to comment
Share on other sites

  • 4 months later...
  • Most Valued Members

Description : MATE Desktop support for Linux Endpoint GUI

Detail : MATE is being used by several distributions including Ubuntu , if it's possible to have support for that Desktop for the GUI.

 

Thanks.

Edited by Nightowl
Link to comment
Share on other sites

  • 1 month later...

Description: make modules updates on Linux possible using a local directory

 

Detail: when using ESET products in an offline environment I am able to update the antivirus modules from a local drive or directory on Windows machines, but I can't seem to find the way to do that on Linux machines. The only way I managed to do it is to use a http server on the machine and then use hxxp://localhost/<path>/<to>/<repo> as the update server, but I would prefer to use a simple path without having to setup a http server on each machine. 

Link to comment
Share on other sites

  • Administrators
9 minutes ago, MatthiasU said:

Description: make modules updates on Linux possible using a local directory

It should work. In case of problems, please open a support ticket with your local ESET distributor.

Link to comment
Share on other sites

19 minutes ago, Marcos said:

It should work. In case of problems, please open a support ticket with your local ESET distributor.

How do you configure it then ? I can't find the field in the UI (using either CentOS 8 or openSUSE 15) and using the CLI there's a --server option but nothing related to local directory..

Hope I don't interfere with the topic asking that here.. Thanks in advance for your response.

Link to comment
Share on other sites

  • 1 month later...

Can we please have an option in "Web and Email / Web Control" to create rules to block websites based on keyword.

For example, for an unproductive student, we don't want to block youtube completely as this is sometimes required for their school work, but we do want to block youtube videos on for example Minecraft. 

Now admittedly we are assuming every youtube page with a Minecraft video will have the word 'minecraft' on that page, but most probable will, so at least this rule would block most of these videos.

This is just one example of many that we could come up with to block content that is not currently covered under the set categories, and where blocking based on url is not practical.

Link to comment
Share on other sites

  • 5 months later...

Would be very cool if it could be possible to show a Desktop Message when something is sent to Dynamic Thread Defense even if ESET Gui is running in Terminal/Hidden Mode.

So that the User knows the reason for not beeing able to open e.g. a PDF File (when Document scanning is enabled).

I mean you can show it in Gui "Full"-Mode but i dont want the users to be able to show the Gui, Logs and stuff..

Link to comment
Share on other sites

  • 3 weeks later...

Description: Test fuction for firewall

 

Detail: To my knowledge, the only way to see if you policy's will work. Is to turn on the firewall, and stop all traffic if its not working correctly. It would be nice to have a report only mode. So that you can see if the traffic is blocked or not, without interfering with production.

 
Link to comment
Share on other sites

  • 4 weeks later...

Description: Users can send request to allow a device

Details: When users plug in a blocked USB device, a pop up is shown to send an e-mail to the administrators for a request to allow this device. The Manufacturer, Model and Serial Number should be in this e-mail.

This was possible in our last Endpoint product, but in ESET it's kinda complicated. You have to enable diagnostics log, so that we can see all the device control info of a PC on the ESET server and the devices are marked with warnings, because that's enabled.

Link to comment
Share on other sites

  • 3 weeks later...

Description: Enable more advanced configuration and control scenarios for administrators via the command line.

1. Add eShell to Endpoint software.

Details: Adding the text based interface to the Endpoint client software will allow administrators to script the product and remotely access and configure the product without interrupting end user activities.

2. Add WMI classes for interacting (reading/writing settings and configurations) to security products.

Details: Expand upon the existing WMI support by allowing clients to configure security products using WMI/CIM interfaces.

3. Add a powershell module to security products.

Details: Tools that would further allow for configuring, testing, troubleshooting and working with the security products.  A powershell module would complement the existing eshell tool and would further enable advanced administration with the tools administrators are using. WMI tooling would allow for other tools to work with security products outside of the small handful of RMM integrations.

----------

Description: Make ecmd more useful.

  1. Add a list/help parameter to ecmd. Something to list all the available commands. For example: -h --help /? /help /list /listcmds
  2. Add a reset configuration parameter. ecmd /resetcfg to reset the product to it's default configuration.
  3. Maybe add a parameter to get the default config as an xml file. Something like ecmd /getdefaultcfg <filename.xml>.

----------

Description: Add profile selection to ecls or add a new command line scanner that uses profiles and outputs to the application's log.

Details: If adding eShell doesn't get added to Endpoint, add a "profile" parameter to the ESET command line scanner program so that users don't have to try to configure the command line scanner to emulate a predefined scanning profile.
Alternatively a new command line scanner that simplifies the ecls experience but also fits nicely with remote management would be nice.  Currently ecls has options for specifying where to quarantine/log/load modules which is all very advanced and most people don't need. I think a scanner that uses the same profiles and logs as the main application would be a lot more friendly to end users and administrators. 
Example:

> eclods.exe
ESET Command Line On-Demand Scanner
Usage: eclods [SCAN PROFILE] [OPTIONS..] FILES.. [/exclude] FILES..

Scan Profiles: 
Profile names should be quoted. Alternatively spaces can be replaced with underscores ( _ ) or dashes ( - ).
	Smart scan				The Smart scan profile uses Smart Optimization caching, which excludes files that were previously found to be clean.
    Context-Menu scan		You can start an on-demand scan of any file from the context menu. The Context menu scan profile allows you to define a scan configuration that will be used when you trigger the scan this way. (default)
    In-depth scan			The In-depth scan profile does not use Smart optimization by default, so no files are excluded from scanning using this profile.
    Computer scan			This is the default profile used in the standard computer scan in eGUI.

Custom scan profile names can also be specified. Create custom scan profiles in the product graphical user interface.

Options:
	/subdir					scan subfolders (default)
    /no-subdir				do not scan subfolders
    /log-file=FILE			log output to FILE
    /log-rewrite			overwrite output file (default - append)
    /log-console			log output to console (default)
    /quiet					do not output to console
    
Files:
If no files are specified the profile's predefined targets will be used.

 

Link to comment
Share on other sites

Description: Global overrides and better config management for Endpoint/Server Security products.

Details:

The typical power user/administrator when setting up the protection products starts with the advanced configuration at the top level in Detection Engine and you're presented with Real-Time & Machine Learning protection settings. These act as a sort of global configuration for the rest of the product.

After configuring the base product (or is it the real-time configuration in Detection Engine?), the next item is to configure the Real-time file system protection, then Malware scans (skipping cloud protection). In the Malware scans setup we're presented with On-Demand scanning profiles, Idle-state profile, Startup Scan profile and the Document protection profile.

Currently, any On-Demand scan profile's first real setting is whether to use the Real-time file system protection settings. This is very close to a global setting or default configuration that I'm certain pleases many users. My feature request is to extract that setting concept (a reference/pointer), and then combine that with an added base on-demand/event scan profile that every other profile references. The base config concept could also be combined with the Policies concept from the management server, with each option becoming ignored, set as default, or forced. The base scan profile would include all the protection categories, threat sense parameters, scanner limits, and the system's Other ( scan ADS, preserve timestamp, etc. ) settings. 

Rationale:

  • Consolidates the 3 to 7 to X number of places to change settings when deploying or configuring the product.
  • Doesn't lock users in via policy (not always the desired effect).
  • Potential to protect user's from bad ESET settings (automatically modifying the last accessed timestamp for example).

Description: Add a configurable scanning profile for AMSI scanning.

Details: If Document Protection, an API based scanning integration, gets to have it's own scanning profile then shouldn't AMSI scanning get the same treatment as well?

Link to comment
Share on other sites

  • 2 weeks later...

Application Control/Whitelisting.  I've inquired before about this, but I view it as a core capability that ESET still lacks.  Microsoft's tools for application control are varied and cumbersome to manage.  SRP is dated, Applocker only works on Enterprise versions of Windows 10 and 11, and Windows Defender Application Control is probably the most cumbersome yet of their application control tools.  So my suggestion would be some manner to whitelist authorized applications (via hash, publisher, etc.) and effectively block execution from user writeable directories within ESET.  Basically similar to how SRP and Applocker works.  

Link to comment
Share on other sites

  • 1 month later...

I have an idea for potentially thwarting phishing type emails to a degree with Eset endpoint email plugin. What if Eset looked at the originating email address of an inbound email and compared it to previous source emails an individual had received. If it was a new email address never seen before the user would be alerted via tag on the subject line something to degree of  "beware: unknown email address". 
This conceivably could be expanded to look other factors within the email header (location of source email, etc) as well to provide some level of warning to the user. we are seeing a lot more attempted attacks on clients these days and I think anything that provides some level of alerting would help.

Just a thought.

Thanks,

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...