Task or settings to remove client local rules

[denache 0]

I have ESET Security Management Center (Server), Version 7.0 (7.0.471.0), ESET Endpoint Security 7.1.2045.5 and ESET Management Agent 7.0.577.0

I want to create a task or change some settings to remove/ovveride all the local rules on Endpoint Security Client (like one that appear on Advanced setup - HIPS or Firewall - Rules - Show local rules). This rules are cleanned if I click on Default button on client (but I have lot's of clients so it's a tedious task to remote to windows client and do it manually).

Some of them are duplicates, other are old settings that do not exist anymore on ESET SMC. I have multiple policies and I have set up them in order.

For examples I have Network protection - Firewall - Advanced - Rules - empty rule with replace (should this remove all older rules? including the local one?)

Next I have another policy (not empty this time) for firewall, also with replace (so over the cleaned firewall rule by the previous empty rule, I have add some settings).

Next I have multiple policy, some with append, some with prepend.

So how to clean the old local rules from clients with a task/policy from ESMC or from command line (I can run psexec or powershell, or any other tool).

Here is a example for IDS exceptions:

where the second line is a local rule (was an old rule from ESMC, but I renamed/delete/create new ones over time)

Also, even if the IDS exceptions is locked (blue dot) in the ESMC, on the client appear as editable (open locks).

 

Edited May 30, 2019 by denache

[Marcos 5,074]

If you apply a policy with rules with the default action "replace", all rules on clients will be replaced with the rules set by the policy, however, since you also apply rules by policies with append/prepend action, I understand that this is not a solution for you.

In previous versions of ERA, if a policy was no longer applied, settings set by the policy remained set on the client which allowed for resetting settings to defaults. However, as of ESMC if a policy is no longer applied, previous local settings are used.

I'm afraid there's no way how to remove default rules from clients completely without uninstalling the security product and installing it from scratch.

[denache 0]

I think I have a partial solution.

I have created a New Static Group where I applied only settings for Management Agent. I have moved there a computer and then I have reset the client to Default settings (on windows machine - ESET Client - Advanced setup - Default). After restart all the settings are default ones.

On an elevated command promt I have exported the default settings:

"C:\Program Files\ESET\ESET Security\ecmd.exe" /getcfg C:\temp\def_settings.xml

Signed the xml file (I have advanced setup password on Management Agent) https://help.eset.com/eea/6/en-US/index.html?idh_config_ecmd.htm

C:\temp\xmlsigntool.exe /version 2 c:\temp\def_settings.xml

Moved the computer back on his original static group and import the settings from xml

"C:\Program Files\ESET\ESET Security\ecmd.exe" /setcfg C:\temp\def_settings.xml

Then, on the other computers, without moving them from their static groups, run only the import command

"C:\Program Files\ESET\ESET Security\ecmd.exe" /setcfg C:\temp\def_settings.xml

Unfortunately I have not succed to import the settings with Client Task - Operating System - Run Command. For now I will logon to remote PC and run the command from cmd.

Edited May 31, 2019 by denache