Marcos

Future changes to ESET Security Management Center / ESET Remote Administrator


Description: Remote Administrator Console Login accept username in UPN format.

Detail: When logging into the ESET Remote Administrator console, if using an AD login, you need to specify the username as "DOMAIN\username", however if you try to use the UPN format (common due to increased cloud usage) "username@fully.qualified.domain" then it's not recognised. Also, if you don't include a domain then it's also not recognised.

Please support the UPN format and have the server default to a domain (if ERA installed on Windows, default to the domain the server is joined to), or allow an option to specify a default domain in ERA settings.

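An added illustration of the request above (not part of the original post and not ESET's code): a login-name resolver that accepts the down-level DOMAIN\username form, the UPN form and a bare username with a default domain, and builds an escaped LDAP search filter for each. The domain names, the NetBIOS map and the function names are assumptions made for the example.

```python
# Assumed deployment data (constructed): NetBIOS domain name -> AD DNS domain.
NETBIOS_TO_DNS = {"CORP": "corp.example.com", "LAB": "lab.example.com"}
# Assumed default, e.g. the domain the management server is joined to.
DEFAULT_DOMAIN = "corp.example.com"


def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in '\\*()\x00':
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def resolve_login(name):
    """Classify a typed login name and return where and how to look it up."""
    name = name.strip()
    if not name or ("\\" in name and "@" in name):
        raise ValueError("empty or ambiguous login name")

    if "\\" in name:  # down-level form: DOMAIN\username
        domain, _, user = name.partition("\\")
        dns = NETBIOS_TO_DNS.get(domain.upper())
        if dns is None or not user or "\\" in user:
            raise ValueError("unknown domain or malformed down-level name")
        return {"form": "down-level", "domain": dns,
                "filter": "(sAMAccountName=%s)" % ldap_escape(user)}

    if "@" in name:  # UPN form: username@suffix
        user, _, suffix = name.rpartition("@")
        if not user or not suffix:
            raise ValueError("malformed UPN")
        # A UPN suffix can be an alternative suffix rather than the domain's
        # DNS name, so match the whole attribute instead of splitting it.
        # domain=None here means "search forest-wide" (assumption).
        return {"form": "upn", "domain": None,
                "filter": "(userPrincipalName=%s)" % ldap_escape(name)}

    # Bare username: fall back to the configured default domain.
    return {"form": "bare", "domain": DEFAULT_DOMAIN,
            "filter": "(sAMAccountName=%s)" % ldap_escape(name)}
```

Escaping the typed value before it reaches the filter matters for all three forms, because the login field is untrusted input.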
On 4/19/2018 at 12:49 PM, Bedders said:

We've been using ESET for years here at my organisation, long before I started, and I have overseen the upgrade from ESET v4 running NOD32 up to ESET v6.6 running Endpoint Antivirus. 

Once I got my head around the fact that it required an Agent first, then the antivirus, it's been a breeze.

However I feel that the reporting is somewhat lacking in terms of filters. For example - when I go to 'Threats', then click on 'Add Filter', I expected to be able to filter by the visible 'Action' column - so I could only select everything that had been Cleaned by Deleting and Mark as Resolved. Unfortunately there is no option to add a filter for that 'Action' column. Some columns that are visible in that report seemed to be inexplicably missing as Filter options.

I was also trying to filter the 'Installed ESET Applications' dashboard report so that it excluded both the ESET Remote Administrator Server and the ESET Rogue Detection Sensor. I discovered that it is only possible to add one entry in that field, and each field can only be added once.

It's likely that there is a reason for such limitations on reporting but it is annoying.

Hello, thank you for the feedback. I have positive news for you - we are continuously improving the way reports are built & are adding further filtering options in the soon-to-be-released version.

So the filter by action is added in the upcoming version & you are also able to filter out some entries from the "installed applications" report, by choosing condition "is not one of" (screenshots attached).

 

report filter.png

action filter.png


Description: Export list of computers from Dynamic or Static Group / Additional reporting filter options

Detail: Rather than having to create a report, it would be useful to just be able to export a Group's (Static or Dynamic) list of computers out to CSV, TSV, PDF, etc.

Especially as Reporting filtering is more limited than Dynamic Group filtering. Would be nice to have additional reporting filter options, such as "does not contain", "does not equal regex", "not in", "not prefix/postfix", etc. etc.

As well as being able to set two (or more) criteria for a single field, e.g. "OS name has prefix" "Microsoft" AND "OS name has not postfix" "R2".

Also the option of "OR" rather than just "AND".

And being able to group multiple ANDs or ORs.

 

Hopefully some or all of this is included in the new changes in the next version as highlighted in previous post by MichalJ.

Other posts:

 

 

 


@AStevens.SHG Hello,

Concerning the more options in the reports, some of the changes are going to be introduced, but not all of them. However, we are planning a bigger redesign for the future version, which might make it simpler. 

Other requests are tracked in the feature backlog (authentication screen changes, AD sync changes, and export of data from "computers screen") and I believe that some of them will be done in the future versions (not in the 7.0, but in future releases). I can't comment now about details, as we are still scoping, and setting up the road-map plans. But your votes will be added to already tracked backlog items.

On 4/23/2018 at 1:35 PM, AStevens.SHG said:

Description: Static Group Synchronization using "Objects to Synchronize" set to "Computers Only" will sync all computers from AD Domain.

Detail: After creating a Server Task of Static Group Synchronization for an Active Directory domain, the "Objects to Synchronize" was set to "Computers Only" (we do not require the entire AD OU structure synchronized to ESET Remote Administrator, we use Dynamic Groups and assign policies there), and the "Distinguished Name" under Synchronization settings is blank or set to the highest level "DC=test,DC=domain,DC=com", no computers are synchronized or existing computer objects moved, even though "Computer Creation Collision Handling" is set to "Move".

If we set the "Distinguished Name" under Synchronization settings to "OU=Domain Controllers,DC=test,DC=domain,DC=com" then we see the domain's DCs, their computer accounts which exist in that OU (just that OU of course), get moved to the Static Group for the domain.

This seems odd, given you can set a top level synchronisation using Distinguished Name (or "leave empty to synchronize the whole tree", the tooltip says), and below that you can enter multiple Distinguished Name(s) you wish to exclude from the synchronization. Therefore this actually seems like an unnoticed (or maybe it has been noticed) bug in this function implementation.

Obviously, our end goal here is to have a single static group per Active Directory domain and all computers for the relevant domain be synchronized into that static group away from the Lost & Found static group, however we do not want all OUs from the domain synchronised under the static group, it's not necessary.

Last tested on ERA 6.5.522

I have checked this with the developers, and we are going to change the behavior in V7. If you select "only computers", all of the computers under "DN" will be synced, not only direct parent ones. So it should behave according to your expectations.

With regards to the "users", what is the use case for you? For what do you use them? Do you manually create linking between users & devices, or use the user variables in policies for Endpoint or MDM?

30 minutes ago, MichalJ said:

I have checked this with the developers, and we are going to change the behavior in V7. If you select "only computers", all of the computers under "DN" will be synced, not only direct parent ones. So it should behave according to your expectations.

With regards to the "users", what is the use case for you? For what do you use them? Do you manually create linking between users & devices, or use the user variables in policies for Endpoint or MDM?

Excellent, pity it can't be hot-fixed in the current 6.5 release, but glad to know it will be corrected in V7.

 

We don't currently use "users", but have noticed it there and are intrigued by the possibilities you mention, user variables in policies sounds interesting.

Two issues we have that I wondered if this would help with, is a desire to include the current/last logon user detail from AD (username, Full Name/Display name, email, telephone, etc.) in reports, the Service Desk/Deskside support want user information as presumably they track down the user, and then from there the computer. Currently we have to do some look up using other products (KBOX, SCCM).

User variables in policies for Endpoint sound interesting, would it be possible to have an application path in a firewall rule to allow C:\Users\%username%\AppData\Roaming\Application\Application.exe or %userprofile%\AppData\Roaming\Application\Application.exe ?

Or would it be more of a user scope under a Local tab, so this rule only applies to these domain users logged onto the machine? Or a whole policy applying to a specific domain user or users whatever PC they are on? Also interesting, though... that would probably require the syncing of AD Groups (Domain Local, Global Group) and ESET understand Group Inheritance, as you'd likely want to assign it based on groups of users, than one or two specific users (though that would come in handy for IT/Testing).


Hello. The "user variables" are currently used in two areas (closest to your latest paragraph):

- policies for web control & device control, where you can basically sync users from the AD, and then use their SID for the user condition evaluation in the particular web control or device control rule.

- iOS MDM policies, where you can configure user variables, like mail account details, into the device profile.

In general, our policies are "device centric", however, some of the features do work with the "logged in user" context, so feature behaves differently when a specific user is logged in.

Your first request - to include last logged in user is being tracked already. For some of the functionalities it should be available, for some it is not yet, as the user context is not always provided.

User variables in for example application paths, in the way as you have requested are being considered, I will have to check with the Endpoint team about what is the status of those desired changes.


Description: Export list of firewall rules (zones, exclusions and any other configurable lists)

Detail: IT Security would like to regularly review the list of firewall rules, zones, exclusions, basically any configurable list within ESET on a regular basis.

There doesn't appear to be an easy way of doing this, from an ESET client you can export settings to an XML file, but this isn't readable for management staff.


Description: See Endpoint client logs within ERA.

Detail: We would like to be able to see the logs from a client (Detected threats, Events, Computer scan, Blocked files, HIPS, Firewall, Filtered websites, Antispam protection, Web control and Device control) within the client entry in ESET Remote Administrator. While some threats and problems are highlighted in ERA, not everything is. A Filtered website blocked by Anti-Phishing blacklist for example doesn't seem to appear in ERA, can only view it on the client's log.


Description: Individual firewall rule hit count.

Detail: Similar to hardware firewalls, it would be nice to see a hit count, packets matched, kind of information per individual firewall rule in Endpoint protection, also for that information (similar to above requests) to be visible in ERA, and total of the hits across all clients with the same rule. So we can generate reports, this makes it easier to find rules no longer being used and can be removed safely.


@AStevens.SHG Thank you for your feedback.

Point 1 - we will track improvement for that. Basically, you want to export just a sub-section of the policy / configuration. Would a functionality to "print" out policy settings in some readable format (pdf / docx / txt) work for you (such improvement is already tracked)?

Point 2 - there are many changes coming in the ESMC V7. First, it will be possible to request full logs for diagnostic purposes for individual computers. It will be also possible for example to create a report / dashboard, where the data from the "filtered websites log" will be present. So I believe, this should be mostly addressed in the upcoming version.

Point 3 - we will track improvement for that.


@MichalJ Thank you.

Point 1 - The most urgent requirement is to print Firewall rules in a readable format (CSV / TSV / XLSX / DOCX / PDF) to review, or record for auditing, really need something ASAP for this.

However, I expect this will extend to all "Lists" within ESET, zones, IDS exceptions, app modification web and device control, and other exclusion lists, anything similar. I do see an "Import" option on Exclusions popup, but only when viewing the top level Antivirus, Files and folders to be excluded from scanning, not on real-time, on-demand, etc. file extensions exclusions popup.

Secondly, I would say more for an ERA Administrator, it would also be very useful to be able to export the rules, zones and other "lists" in ESET to CSV / TSV and then be able to import them.

While we are able to Duplicate a whole policy, this would give more flexibility to create and import a previous list, while quickly removing/adding lines in the CSV file before.

Point 2 - Excellent, is there a rough ETA on ESMC V7 yet?

Point 3 - Great, thank you.


Description: Firewall rule, Local Application wildcard support

Detail: Currently it's possible to make Firewall rules using a condition based on the local Application, however you must input a full executable file path, such as:

C:\Program Files (x86)\PuTTY\putty.exe

We would like to be able to use wildcards, so we can instead enter either of these:

C:\Program Files (x86)\*putty.exe

*putty.exe

This allows us to open the rule up to either any executable with that name within subfolders of a folder location, or any on the computer.

This would come in handy for such applications to include their version number in their installation path (:rolleyes:):

C:\Program Files (x86)\Program v3.2\program.exe

As well as programs that install into the user profile location:

C:\Users\*\AppData\Roaming\Spotify\Spotify.exe

Although in this case, perhaps a different wildcard to *, as we want to restrict it to permit only 1 level of folder wildcard, so that C:\Users\folder1\folder2\folder3\AppData\Roaming\Spotify\Spotify.exe doesn't work/match.

The applications I've used as an example here are not representative of the actual applications we would use these rules on necessarily, just examples I could immediately think of to give an idea.

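An added sketch of the matching semantics discussed in the post above (not from the original post and not ESET's implementation): '*' keeps the post's proposed meaning of spanning folders, while a hypothetical '<dir>' token, invented here, matches exactly one folder name. The audit function shows how far each allow-rule pattern reaches over a set of constructed paths.

```python
import ntpath
import re

# Hypothetical token for "exactly one folder name". '<' and '>' are not legal
# in Windows file names, so it cannot collide with a real path component.
ONE_DIR = "<dir>"


def compile_rule(pattern):
    """Translate an application-path pattern into a regex.

    '*'     any run of characters, including backslashes (the post's meaning)
    '<dir>' one path component: one or more characters other than a backslash
    """
    regex = []
    for part in re.split(r"(\*|<dir>)", pattern):
        if part == "*":
            regex.append(r".*")
        elif part == ONE_DIR:
            regex.append(r"[^\\]+")
        else:
            regex.append(re.escape(part))  # everything else is literal
    # Windows paths are case-insensitive.
    return re.compile("".join(regex), re.IGNORECASE | re.DOTALL)


def rule_matches(pattern, image_path):
    """True if the executable path falls under the rule's application pattern."""
    # Collapse '.', '..' and doubled separators before comparing, and require
    # the whole path to match, not just a prefix.
    normalised = ntpath.normpath(image_path)
    return compile_rule(pattern).fullmatch(normalised) is not None


def audit(patterns, paths):
    """Return {pattern: [matching paths]} so a reviewer sees each rule's reach."""
    return {p: [x for x in paths if rule_matches(p, x)] for p in patterns}


# Constructed sample paths; the deep one is the counter-example from the post.
PATHS = [
    r"C:\Program Files (x86)\PuTTY\putty.exe",
    r"C:\Users\alice\Downloads\notputty.exe",
    r"C:\Users\alice\AppData\Roaming\Spotify\Spotify.exe",
    r"C:\Users\folder1\folder2\folder3\AppData\Roaming\Spotify\Spotify.exe",
]
PATTERNS = [
    r"*putty.exe",
    r"C:\Program Files (x86)\*putty.exe",
    r"C:\Users\*\AppData\Roaming\Spotify\Spotify.exe",
    r"C:\Users\<dir>\AppData\Roaming\Spotify\Spotify.exe",
]

if __name__ == "__main__":
    for pattern, hits in audit(PATTERNS, PATHS).items():
        print(pattern, "->", hits)
```

Note that a leading '*' directly in front of a file name also covers any file whose name merely ends with that text, which is worth checking when reviewing allow rules.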

Hello @AStevens.SHG

I have discussed this with our FW developers. We are planning to add the environment variables for firewall in upcoming months.

User variables are supported as of version 6.5, so for example this should work:

%USERprofile%\AppData\Roaming\Psiphon3*
%AppData%\Psiphon3*

 


Hi @MichalJ I've tried some variations, and it doesn't appear wildcards (*) are accepted, it's 6.5 and 6.6 versions.

%USERprofile%\Downloads\putty.exe as a test does work, so that's interesting, will see what we can do with that.


Description: unable to efficiently delete/mark as resolved issues that ESET fixes

 

Detail:  There are things that ESET fixes on its own but it still leaves them in the console with cleaned by deletion etc.  There is no easy way to mark them all as resolved, there should be an option to automatically do this so the console is cleaned and actual issues can be more easily found.

8 minutes ago, Palmolive said:

Detail:  There are things that ESET fixes on its own but it still leaves them in the console with cleaned by deletion etc.  There is no easy way to mark them all as resolved, there should be an option to automatically do this so the console is cleaned and actual issues can be more easily found.

This will change as of ESMC (ERA v7) in the way that handled threats will be resolved automatically.


Description:  Inside the Advanced Setup  the admin should be able to disable even locked (not editable) options

 

Detail: If in the policy the web control module "Integrate into system" is set to "Setting won't be set by this policy", then all users can disable the web control. On the other hand, if "Integrate into system" is set to "Setting is set by this policy", no user can disable the web control, but also no admin with access to Advanced setup. Most times laptops are outside the organization and there is no connection between ERA and them, so we can make these settings editable.

 

 

policy.png

advanced_setup.png

5 minutes ago, pps said:

Description:  Inside the Advanced Setup  the admin should be able to disable even locked (not editable) options

It is already supported and the feature is called Override mode.

image.png


Description:  customize the colors of warnings & errors depending on the type of the error or warning

 

Detail:  there should be a different color on each type of warning and error. 

For example if the operating system is out of date or the eset endpoint is out of date you get the same orange color.

Users should be able to distinguish by color and also sort by color 

 

 

eset.png


Description: Dynamic Group Filters - Computer Type

Detail: This is a request going back to 2015:

As in that post, we want to be able to create Dynamic groups of Laptops, Desktops and Virtual Machines (and by contrast Physical Machines), some may want to get as granular as the different kinds of Desktops and Laptops, but I doubt anyone needs/wants that level. At the moment we either have to use a name mask, or there is checking for the "Not Presence" of a battery, although I wonder if some UPS setups may skew the results.

As I said back then, please read from the SystemEnclosure and based on some simple logic work out if it's a Desktop, Laptop, or Other/Unknown, this I expect is what other products do.

https://technet.microsoft.com/en-us/library/ee156537.aspx?f=255&MSPPError=-2147217396

In addition, you can also work out if it is a Virtual Machine or not (Physical), some advice here for how to determine it:
https://blogs.technet.microsoft.com/kevinholman/2014/10/16/faq-how-can-i-tell-which-servers-are-physical-or-virtual-in-scom/

It may be we'll have to create this one, once you enable the multiple nested OR and AND in Dynamic Groups (I hope you're adding that, looks as though you are for Reporting side). We might have to include Model information to correctly identify Microsoft Surface hardware.


Description: Nested OR and AND in Dynamic Groups / Virtual Machines

Detail: Nested OR and AND in Dynamic Groups creation, so you can have two or more sets of OR under an AND, or two or more sets of OR under an AND, or any combination.

Example Virtual Machine or not (Physical) so we can split these two types apart, some advice here for how to determine it, will likely require nested criteria:
https://blogs.technet.microsoft.com/kevinholman/2014/10/16/faq-how-can-i-tell-which-servers-are-physical-or-virtual-in-scom/

PS. What's the rough expected release date for ESMC V7 at the moment?

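An added example for the two Dynamic Group posts above (computer type, and nested OR/AND); it is not from the original posts and not ESET's group engine. It evaluates a nested criteria tree over inventory records and shows why the virtual-machine test needs an AND nested inside an OR: a Hyper-V guest and a Surface device both report the manufacturer "Microsoft Corporation". The field names follow Win32_ComputerSystem and Win32_SystemEnclosure; the operator names and host records are constructed for the example.

```python
# Win32_SystemEnclosure ChassisTypes values (subset of the documented list).
DESKTOP_CHASSIS = {3, 4, 5, 6, 7, 15}  # Desktop .. Tower, Space-Saving
LAPTOP_CHASSIS = {8, 9, 10, 14}        # Portable, Laptop, Notebook, Sub Notebook


def evaluate(node, host):
    """Evaluate a nested criteria tree against one inventory record."""
    op = node[0]
    if op == "and":
        return all(evaluate(child, host) for child in node[1:])
    if op == "or":
        return any(evaluate(child, host) for child in node[1:])
    if op == "not":
        return not evaluate(node[1], host)
    field, arg = node[1], node[2]
    value = host.get(field)
    if op == "equals":
        return str(value).lower() == arg.lower()
    if op == "prefix":
        return str(value).lower().startswith(arg.lower())
    if op == "any_in":  # list-valued field shares a member with arg
        return bool(set(value or []) & set(arg))
    raise ValueError("unknown operator: %r" % (op,))


# Virtual if (Microsoft AND model "Virtual Machine") OR manufacturer VMware*.
IS_VIRTUAL = ("or",
              ("and", ("equals", "Manufacturer", "Microsoft Corporation"),
                      ("equals", "Model", "Virtual Machine")),
              ("prefix", "Manufacturer", "VMware"))
IS_LAPTOP = ("and", ("not", IS_VIRTUAL),
             ("any_in", "ChassisTypes", LAPTOP_CHASSIS))
IS_DESKTOP = ("and", ("not", IS_VIRTUAL),
              ("any_in", "ChassisTypes", DESKTOP_CHASSIS))
RULES = (("virtual", IS_VIRTUAL), ("laptop", IS_LAPTOP), ("desktop", IS_DESKTOP))


def classify(host):
    """Return the first matching label, or 'other/unknown'."""
    for label, rule in RULES:
        if evaluate(rule, host):
            return label
    return "other/unknown"


# Constructed inventory records (names, models and chassis values are samples).
HOSTS = {
    "HV-GUEST01": {"Manufacturer": "Microsoft Corporation",
                   "Model": "Virtual Machine", "ChassisTypes": [3]},
    "SURFACE07": {"Manufacturer": "Microsoft Corporation",
                  "Model": "Surface Pro 4", "ChassisTypes": [9]},
    "ESX-GUEST02": {"Manufacturer": "VMware, Inc.",
                    "Model": "VMware Virtual Platform", "ChassisTypes": [1]},
    "TOWER03": {"Manufacturer": "Example OEM", "Model": "Tower X",
                "ChassisTypes": [7]},
    "RACK04": {"Manufacturer": "Example OEM", "Model": "Rack Y",
               "ChassisTypes": [23]},
}


def classify_all(hosts=HOSTS):
    return {name: classify(record) for name, record in hosts.items()}
```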

Description: More than one password for Accessing the Advanced setup

Detail: Is it possible to have more than one password (one password per admin user) so when someone turns off or pauses some ESET protection module then in the ERA console ALERTS you can identify next to each problem which of the admin users has stopped the protection?


@AStevens.SHG Understood. You can currently use "is one of" instead of multiple "AND" conditions in the upcoming ESMC. We anticipate the release next month (although, it might be a subject of a change eventually). 

@pps I have understood your request in the way, that you want to be able to better see who paused which protection after authenticating using the username / password. Having multiple passwords is a workaround, proper solution would be to track the user, who paused / disabled the protection. Is this assumption correct?
