
Future changes to ESET INSPECT



  • Administrators

Hello,

The goal of this message thread is to provide ESET with specific feedback on changes and new features you would like to see in future versions of ESET INSPECT. Please use the following format when providing feedback:

 

 

Description: A very specific one line description of your feedback.

Detail: A more detailed explanation of your feedback. Please feel free to make this any length, but be sure to use terms everyone can understand. If your suggestion is an extension or update to an existing discussion, please include a link to it in your message.

Here is an example:

 

Description: Linux version

Detail: We use a Linux-based server to minimize costs and I think ESET should make a version of ESET Enterprise Inspector for Linux.

You are welcome to discuss the merits of each and every suggestion, but keep your comments on topic, concise and thoughtful. There are other parts of the forum to discuss issues.

NOTE: When making your requests do not make general statements such as "better gui". If you have a specific feature or functionality you would like to see added (or improved) please post it here, but general requests to "make things better" are not helpful because they do not give ESET detailed enough information. Thank you for your understanding.

Regards,

Marcos

Link to comment
Share on other sites

  • Marcos pinned and featured this topic

Description: Linux version

Detail: We use a Linux-based server to minimize costs and I think ESET should make a version of ESET Enterprise Inspector for Linux.

Detail 2: Also, we don't want to pay Windows Server licenses for security products.

 

Description: Cloud version

Detail: Managing on premise equipment, patching and monitoring on premise software is costly and time consuming.

 

At minimum you should have a Linux version, at best a Cloud version.

Link to comment
Share on other sites

Hey, in the installation of EEI certificates:

step 2. Select Enterprise Inspector Console in the product selector, is that correct?

step 3. DNS name of the server is necessary

or the instructions at https://help.eset.com/eei/1/en-US/gui_server_installation.html: what is correct?

IMPORTANT

In ESMC Server Settings enable Advanced security in the Connection section before creating a certificate.

By default certificates created by ESMC use * (an asterisk) as a hostname (wildcard certificate). EEI does not support such certificates. The user needs to use the real hostname of EEI Server.

Mandatory parameters for creating Peer Certificate are:

Product: "Enterprise Inspector Server"

Host: Use a real IP Address of the EEI Server

Best

 

 

 

Link to comment
Share on other sites

  • ESET Moderators

Hello @vanroy 

you do not need to force the advanced security in ESMC, you would have to regenerate the certs then.

Just create a new certificate for product "Enterprise Inspector Server" and specify IP address AND / OR host name of your server to it.

Then export this certificate (and CA as well) and use it during the installation of EEI server. You can use this certificate for both EEI console and server.

Regards, P.R.

Link to comment
Share on other sites

  • 2 years later...
  • Administrators
35 minutes ago, Tita314 said:

Do you know something about developing Automated Response in EEI?

What do you mean, for instance? Actions in rules can already be configured:

[image]

Link to comment
Share on other sites

Marcos, 

Thanks for a quick answer!

I mean, do you plan to organize automatic actions according to the broken rules?

 

Edited by Tita314
Link to comment
Share on other sites

Michalj, thank you for your answer.

It is very good news!

Maybe you can declassify a little bit more features that are in development? We miss the news about improvement!

Link to comment
Share on other sites

  • 1 month later...
  • ESET Staff
16 minutes ago, Lockbits said:

Hello guys,

The ability to add other types of hashes like SHA256 in order to block them and not only SHA1.

 

Thanks.

Many thanks for your suggestion. Now we are working on extending hashes in all our products. We also plan to support SHA256. Of course, it completely makes sense to support it also in this feature (block by hash).

Link to comment
Share on other sites

  • 1 month later...

Hello guys,

I've two suggestions:

1) The option to apply exclusions for web control detections or "Detected by ESET Endpoint Security product" alerts. We've a customer that is using web control and we configured the product so all blocked websites are logged in EPC console setting the verbosity accordingly. The problem is that this information is also sent to the EEI console, and this adds a ton of unnecessary data and makes the detection of valuable data difficult. We can disable the verbose level but this will also affect the blocked websites being logged and reported to ESMC.

I mean this:

[image]

2) The possibility to add granular exclusions for some rules like MS Office application has saved executable [D0806]. We get about 5 daily alerts of this type and all are benign. Apparently Office creates a lot of temporary files with a .com extension like this:

[image]

Currently I can create an exclusion to this rule but I prefer not to do this because in case real malware creates a .com or .exe I'll miss this alert. Maybe an option to exclude per folder? So I can exclude the path that always starts with the same pattern. Of course, if I do this in this folder I can miss real malware being written to such a path, but the possibility is much lower than with creating an entire exclusion for this rule or modifying the rule to not include the .com extension.

Thanks.

Link to comment
Share on other sites

  • 4 months later...
On 2/8/2021 at 10:16 PM, Lockbits said:

 

2) The possibility to add granular exclusions for some rules like MS Office application has saved executable [D0806]. We get about 5 daily alerts of this type and all are benign. Apparently Office creates a lot of temporary files with a .com extension like this:

[image]

Currently I can create an exclusion to this rule but I prefer not to do this because in case real malware creates a .com or .exe I'll miss this alert. Maybe an option to exclude per folder? So I can exclude the path that always starts with the same pattern. Of course, if I do this in this folder I can miss real malware being written to such a path, but the possibility is much lower than with creating an entire exclusion for this rule or modifying the rule to not include the .com extension.

Thanks.

 

Sorry for the late reply, but, you can actually already do this. If you create an "Advanced" exclusion you can use all conditions that are available to the rule engine. So something like:

 

<definition>
    <process>
        <operator type="OR">
            <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="OUTLOOK"/>
            <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="EXCEL"/>
            <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="WINWORD"/>
            <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="POWERPNT"/>
        </operator>
    </process>
    <operations>
        <operation type="WriteFile">
            <operator type="AND">
                <condition component="FileItem" property="Path" condition="starts" value="%LOCALAPPDATA%\microsoft\windows\inetcache\content.mso" />
                <operator type="OR">
                    <condition component="FileItem" property="Extension" condition="is" value="com" />
                    <condition component="FileItem" property="Extension" condition="is" value="exe" />
                </operator>
            </operator>
        </operation>
    </operations>
</definition>

I've not tested it but something like that should probably work. Alternatively you can use the "ModuleDrop" operation instead of "WriteFile" if you're only interested in executables. Makes the rule a bit faster.

Edited by dmaasland
Link to comment
Share on other sites
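
To see what the advanced exclusion in the post above would and would not suppress, here is an added example (not from the original post or from ESET) that evaluates the same definition against constructed file-write events. The matching semantics (case-insensitive comparison, `Path` as the full file path, the sample `%LOCALAPPDATA%` value) are assumptions, not ESET's documented rule-engine behaviour.

```python
import ntpath
import xml.etree.ElementTree as ET

LOCALAPPDATA = r"C:\Users\alice\AppData\Local"  # constructed value (assumption)
# Same conditions as the exclusion in the post, embedded so this runs offline.
EXCLUSION = ET.fromstring(r"""<definition>
<process><operator type="OR">
<condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="OUTLOOK"/>
<condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="EXCEL"/>
<condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="WINWORD"/>
<condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="POWERPNT"/>
</operator></process>
<operations><operation type="WriteFile"><operator type="AND">
<condition component="FileItem" property="Path" condition="starts" value="%LOCALAPPDATA%\microsoft\windows\inetcache\content.mso"/>
<operator type="OR">
<condition component="FileItem" property="Extension" condition="is" value="com"/>
<condition component="FileItem" property="Extension" condition="is" value="exe"/>
</operator>
</operator></operation></operations>
</definition>""")

def props(path):
    # Assumption: "Path" is the full file path of the item.
    stem, ext = ntpath.splitext(ntpath.basename(path))
    return {"Path": path, "FileNameWithoutExtension": stem, "Extension": ext.lstrip(".")}

def matches(node, p):
    if node.tag == "operator":  # nested AND / OR groups
        hits = [matches(child, p) for child in node]
        return all(hits) if node.get("type") == "AND" else any(hits)
    actual = p[node.get("property")].lower()  # assumed case-insensitive compare
    wanted = node.get("value").replace("%LOCALAPPDATA%", LOCALAPPDATA).lower()
    return actual.startswith(wanted) if node.get("condition") == "starts" else actual == wanted

def is_excluded(process_path, operation, target_path):
    proc_ok = all(matches(n, props(process_path)) for n in EXCLUSION.find("process"))
    op_ok = any(op.get("type") == operation and all(matches(n, props(target_path)) for n in op)
                for op in EXCLUSION.find("operations"))
    return proc_ok and op_ok

MSO = LOCALAPPDATA + r"\Microsoft\Windows\INetCache\Content.MSO"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EVENTS = [  # constructed sample events: (process, operation, written file)
    (WORD, "WriteFile", MSO + r"\A1B2C3D4.com"),                 # the benign Office temp file
    (WORD, "WriteFile", r"C:\Users\alice\Downloads\invoice.exe"),  # outside the excluded path
    (r"C:\Windows\System32\notepad.exe", "WriteFile", MSO + r"\A1B2C3D4.com"),  # other process
    (WORD, "WriteFile", MSO + r"_old\A1B2C3D4.com"),             # sibling folder, same prefix
]
if __name__ == "__main__":
    for ev in EVENTS:
        print("excluded    " if is_excluded(*ev) else "not excluded", ntpath.basename(ev[0]), "->", ev[2])
```

Under these assumptions the last event is excluded as well, because a `starts` value without a trailing backslash also covers sibling folders that share the prefix; ending the value with `\` narrows the exclusion to the folder itself.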

  • 3 months later...
On 12/17/2020 at 11:08 PM, igi008 said:

Many thanks for your suggestion. Now we are working on extending hashes in all our products. We also plan to support SHA256. Of course, it completely makes sense to support it also in this feature (block by hash).

We do also have some similar plans

Link to comment
Share on other sites

  • Marcos changed the title to Future changes to ESET INSPECT
  • 1 month later...

It would be great to see a product roadmap here.

I'd like to see the EEI agent bundled with the EP agent or AV client, since the AV component is required for the agent to work.

Having to install/upgrade/manage three separate components is a bit of a pain.

Link to comment
Share on other sites

  • 10 months later...

Description: Dynamic groups in EI

Detail: We would like the capability to add assets to dynamic groups so we can use those as targets for rule exclusions instead of having to manually add all laptops in targets. 

Link to comment
Share on other sites

  • 4 months later...

Description: Log which Exclusion was used

Detail: Expand the alarm description in Inspect Server logs to include which particular exclusion was used to resolve a given detection, as it would help to eliminate too broad exclusions that are not identifiable by hit counts alone or decide which exclusions work more reliably.

Link to comment
Share on other sites
