How to temporarily disable cloud protection on one work station for trouble shooting

[beethoven 0]

I am not sure what the best procedure is to disable temporarily protection on a workstation controlled via the cloud?  If this is not possible, can this be disable locally by the user? It seems to me that locally the options are greyed out. 

Using Endpoint Sec 7.3.2044 and ESET PROTECT Cloud (version: 2.1.24.0 and ESET Management Agent 8.0.1238.0 

I clicked on deactivate the product in the console but I cannot see what this did or how I would revert this now?

[Marcos 5,070]

What do you mean by cloud protection? Cloud protection is LiveGrid/EDTD but it's not clear what issue you are trying to troubleshoot. Are you getting a file incorrectly detected or url blocked that you want to try to disable it?

[beethoven 0]

Sorry Marcos, I had intended to post this under the Eset Protect Cloud Forum and somehow ended up in this forum, Perhaps you can move it . 

We are using Cloud Protection with 25 pc and I am monitoring these via the Administrator Function. What I am looking for is a way to temporarily suspend Eset on a specific workstation.  In this particular case the colleague tried to install some legit software and the installation failed several times. While I could not see any indication that Eset had interfered or quarantined from the console, we wanted to rule out that the failure was due to the AV.  I posted the relevant software numbers being used in my original post. 

Normally in a stand-alone AV you can rightclick the icon and temporarily suspend the protection, until reboot or for a number of minutes. It seemed to me that this was not possible on the workstation and I suspect that this is intended to prevent "anyone" to do this, so I was hoping to do this as administrator from my console. How?  

As mentioned I thought perhaps "deactivate the product" for this workstation in the console would be the way, but I can't see any effect. Obviously I would need to know what I deactivated and how to reverse this as our testing is over.

[MichalJ 434]

@beethoven what you can do, is you can do this via "run command task". and use the command line options, to pause protection on the client. 

Here are the respective commands: https://help.eset.com/ees/8/en-US/?idh_config_ecmd.html 

[Marcos 5,070]

Or you can completely disable firewall and real-time protection (Windows Defender will activate on Win10 instead) via a policy.

[beethoven 0]

Michalj and Marcos, thanks for that. I will need to study this, to see whether this is within my abilities. I had hoped there was a way to select the workstation within the cloud console and rightclick  disable or similar or perhaps run a task to disable protection.   Can you please also confirm that my understanding is correct that at the workstation you cannot disable protection?

[Marcos 5,070]

If settings are not locked by a policy, it's possible to pause or completely disable particular protection features if you mean this. Moreover, it's also possible to set a password to protect settings and thus prevent unauthorized users from tampering.

As a preventive measure against attackers disabling protection we recommend locking default real-time and HIPS settings by a policy.

[MichalJ 434]

@beethoven Local pausing of the protection requires administrator privileges. Meaning a standard user won´t be able to pause the product. However, pausing is really simple, just click on the machine in ESET PROTECT, choose "new task", and then in the options choose a "run command" option . Over there, just copy the command line from the linked help article (for example to pause the AV "ecmd /setfeature onaccess pause"), and click execute.  Paused protection will trigger a red computer status. Corrective action (re-enabling) can be done by one click over the reported problem. 

Edited March 8, 2021 by MichalJ

[beethoven 0]

Michalj,  thanks for that - that worked well for me in testing. 

Marcos, how would I set up a preventative policy for locking default real-time and Hips? If I did so, would I still be able to use the command as described by Michalj?