
Report to show who disabled Endpoint Protection



Is it possible to create a report that will show what specific Windows user login was used to PAUSE Protection or Pause Firewall locally on an Endpoint?

I know the Audit Report will show you what User/Native user for ESMC performed any action, but can you show what Windows user or domain admin account was logged in when pausing protection for ESET?


  • Administrators

Currently it seems it's not possible to generate client audit reports. I assume this is because audit log records are not sent to ESMC. I'll check with developers if it will be possible in the future.


  • ESET Staff

@tmuster2k In Endpoint 7.1, there was a functionality implemented called "Audit logs", which you will find in the local interface of the endpoint. Currently this data is not being collected by ESMC, so the only way to troubleshoot this is locally on the client.

What is your current setup? Do your users have admin privileges, so they can alter local endpoint settings? 


You could just try this:

A blanket Active Directory login script that writes the username (or login ID) to a network directory (filename would be username) and a logoff script that writes the same info. Thus you would have a timestamp entry (and workstation entry) for when a user logged on and off. Any changes can then be narrowed to whichever user was logged on to whichever workstation at a specific time.

Simply ordering the files by date would show which users and which times.

Edited by Hpoonis
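One way to implement the logon/logoff script approach from the post above, added here as an example and not code from any poster or from ESET. The share path, the CSV layout and the function names `Write-SessionRecord` and `Find-SessionAt` are assumptions.

```powershell
# Added example. Assign as both the logon and the logoff script (Group Policy),
# passing -Action Logon or -Action Logoff respectively.
param(
    [ValidateSet('Logon', 'Logoff')][string]$Action,
    [string]$Root = '\\fileserver.example\sessionlog$'  # hypothetical share (assumption)
)

function Write-SessionRecord {
    param([string]$Action, [string]$Root)
    $record = [pscustomobject]@{
        TimeUtc  = (Get-Date).ToUniversalTime().ToString('o')  # ISO 8601 round-trip format
        Action   = $Action
        User     = "$env:USERDOMAIN\$env:USERNAME"
        Computer = $env:COMPUTERNAME
    }
    # One file per user, named after the username, as the post suggests.
    $record | Export-Csv -Path (Join-Path $Root "$env:USERNAME.csv") -Append -NoTypeInformation
}

function Find-SessionAt {
    # Returns the users whose latest record on $Computer at or before $At is a logon.
    param([string]$Computer, [datetime]$At, [string]$Root)
    $atUtc = $At.ToUniversalTime()
    $style = [System.Globalization.DateTimeStyles]::RoundtripKind
    Get-ChildItem -Path $Root -Filter '*.csv' |
        ForEach-Object { Import-Csv -Path $_.FullName } |
        Where-Object { $_.Computer -eq $Computer } |
        Select-Object User, Computer, Action, @{ n = 'When'; e = {
            [datetime]::Parse($_.TimeUtc, [cultureinfo]::InvariantCulture, $style) } } |
        Where-Object { $_.When -le $atUtc } |
        Group-Object -Property User |
        ForEach-Object { $_.Group | Sort-Object -Property When | Select-Object -Last 1 } |
        Where-Object { $_.Action -eq 'Logon' }
}

# Dot-sourcing the file without -Action only loads the functions and writes nothing.
if ($Action) { Write-SessionRecord -Action $Action -Root $Root }
```

Because each record is written from the user's own session, the files are only as trustworthy as the share's permissions, and a crash or power loss leaves a logon with no matching logoff. Treat a `Find-SessionAt` result as a lead to confirm against the endpoint's local audit log, not as proof on its own.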

On 12/19/2019 at 11:37 PM, MichalJ said:

@tmuster2k In Endpoint 7.1, there was a functionality implemented called "Audit logs", which you will find in the local interface of the endpoint. Currently this data is not being collected by ESMC, so the only way to troubleshoot this is locally on the client.

What is your current setup? Do your users have admin privileges, so they can alter local endpoint settings? 

Users only have standard rights. UAC prompt appears if you try to alter endpoint settings. 


1 hour ago, tmuster2k said:

Users only have standard rights. UAC prompt appears if you try to alter endpoint settings. 

If these individuals are set up under a Win standard user account, no UAC prompt should appear since they are not allowed to elevate privileges. However, if they are set up as Win limited admin users, then the UAC prompt will appear for activity requiring full admin privileges. Note that limited admin account users run as standard users with the ability to escalate to full admin privileges as dictated by the system activity being performed.

The setting that controls whether a limited admin account can access Eset GUI settings under admin privileges is shown below:

[Screenshot: Eset_Settings]

