Unprotected computers in eset remote administrator 6.5

[Alex Vaida 0]

Hi everyone, is there a way to view computers that don't have the antivirus installed? i did this, but the list is empty, i know for a fact that we have computers without antivirus installed.

[Marcos 5,074]

Do all computers report to ERAS? Ie. do all of them have ERA Agent already installed?

[Alex Vaida 0]

nope, those without antivirus don't have the agent either.

[Marcos 5,074]

Since it's agent that reports to ERAS, you must deploy it first. We recommend using GPO for deploying it. Agent can be installed even if another AV is still on your endpoints.

[Alex Vaida 0]

ok, but isn't there a way to detect the computers with missing agent? we use active directory.

[Marcos 5,074]

Use RD Sensor to find agentless computers and add them to ERA as described in

https://help.eset.com/era_admin/65/en-US/fs_using_rd_sensor.htm

[j-gray 35]

4 hours ago, Alex Vaida said:

ok, but isn't there a way to detect the computers with missing agent? we use active directory.

If you're syncing with AD, you should see those systems without the Remote Agent installed. If you don't use GP to deploy the agent, you will have to deploy it manually via the ERA Console.

Regarding RD Sensor; it only works on the subnet where it is installed, so you will need to deploy an RD Sensor on every subnet where you want to detect rogue clients.  It's worth mentioning that RD Sensor Windows install relies on WinPcap, which is an abandoned project that has not been patched or updated in over 4 years.

[Alex Vaida 0]

we are syncing with AD, if i run a static group sync, they show up but i get a lot of false positives, computers that ERA reports are umanaged but in fact they have agent and antivirus installed, i am curently testing on my own pc, uninstalled agent and antivirus and ERA still reports that i have the agent installed.

[MichalJ 434]

@Alex Vaida

If you remove the Endpoint first, and agent is still connected, upon next replication it should inform the server, that the Endpoint is no longer present, and it will indicate only agent being installed. If you remove also the agent, this information is not delivered back to server, as there is nothing that could inform the server, that agent is not there. I will check with the devs, whether this information is "cleaned up" after some interval and computer would actually appear as "unmanaged" again.

[Alex Vaida 0]

@MichalJ

So i found 3 laptops that were reported as unmanaged but had agent and antivirus installed, i deployed the entire package(agent+antivirus)with the remote deplyment tool, on 2 of them the agent was updated and they communicated with the server and on one only the antivirus was updated and no communication.

If i try using the webconsole the rate of success for any operation is very low, the install tasks mostly don't work, the activation task hasn't worked in 8 months, 0% succes with the stop managing task.

[j-gray 35]

8 hours ago, Alex Vaida said:

@MichalJ

So i found 3 laptops that were reported as unmanaged but had agent and antivirus installed, i deployed the entire package(agent+antivirus)with the remote deplyment tool, on 2 of them the agent was updated and they communicated with the server and on one only the antivirus was updated and no communication.

If i try using the webconsole the rate of success for any operation is very low, the install tasks mostly don't work, the activation task hasn't worked in 8 months, 0% succes with the stop managing task.

The agent seems prone to corruption. There are a more than a few threads with similar findings/experience on both Windows and OS X.

Assuming the issue is not firewall, the only fix we've found is to uninstall the agent via msi. You have to use a third-party product, as once the agent is broken ERA tasks are useless. Once the agent is uninstalled, you can redeploy using ERA console.

Activation and AV install both rely on Internet connection, so verify that your endpoints have connectivity and aren't blocked.

[Alex Vaida 0]

I have a laptop that the ERA console says it's unmanaged.

If I search that laptop by IP in the ERA console it finds another computer, not the original one. And it reports that is managed, not unmanaged. And also the user reported to be logged on the managed laptop actually uses the unmanaged laptop.

Edited June 5, 2018 by Alex Vaida

[MichalJ 434]

Hello,

Based on the symptoms you have mentioned, you either has incorrectly handled DNS name resolving of the computers / de-synced names between your directory server or on the computer, or you are cloning machines. Please compare the FQDN reported in computer details, with the actual name of the computer.

[j-gray 35]

I'd recommend first making sure your DNS is working flawlessly and rule out it as the cause of the mismatches.

Then verify you have the 'Rename Computers' server task configured to run periodically.

Also, if computers are frequently renamed in AD, or happen to get disjoined and rejoined, this can cause issues, as well