j-gray, posted March 10, 2021

For those OS X clients running 6.10.460.1 and latest agent, we're finding that most if not all report the following in ERA console:

"System extension required for Web and Email protection was not configured because of error. Try to restart macOS or reinstall the product."

This is after upgrading to Big Sur when already on 6.10.460.1.

What's more puzzling is that we do not enable Web and Email protection by policy. Also, the user is presented with these errors frequently enough to be annoyed.

Is this expected behavior, and what is the recommended workaround?

TIA

j-gray, posted March 11, 2021

On two systems showing this error, I uninstalled the AV and then reinstalled it. I still get the same error messages in the console for each client.

Any suggestions on how to clear this error status?

Matus (Former ESET Employees), posted March 12, 2021

Hi J-Gray,

Thank you for contacting us. Unfortunately this message is most likely caused by a bug causing an error message in ESMC even though there is not an actual problem. This will be fixed in an upcoming version available in March.

To verify that, please check in Endpoint directly (in the Endpoint GUI) whether there is any error message or it's green. If it's green then it's the mentioned bug. You can also check via the terminal command "systemextensionsctl list" and you should see:

* * <somenumber> com.eset.network (6.10.800/6.10.800) ESET Web and Email Protection [activated enabled]

You can also verify the WEP module by visiting an http phishing site, ideally on some testing environment as it's a real phishing site (do not enter or click on anything), e.g. http://<.>gilbaneco-validate<.>com/ (first you probably get a browser antiphishing message; if you proceed then you get the ESET blocking message).

If you however see something wrong with WEP in the GUI or terminal command, please check if:

- SEXT was approved: System Preferences > Security & Privacy > General
- Network Proxy was allowed: https://help.eset.com/ees_mac/6.10/en-US/?ud_install_typical.html Big Sur part, point 3. You can see it running in System Preferences > Network (see attachment)

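An added example, not part of the post above and not ESET tooling: a POSIX shell function that reads `systemextensionsctl list` output and classifies the com.eset.network row, so the "[activated enabled]" check from the post can be scripted per client. The team ID in the sample row is a placeholder, and every state string other than the one quoted in the post is an assumption.

```shell
#!/bin/sh
# Classify the ESET network system extension from `systemextensionsctl list`.
# Assumed row layout (taken from the line quoted in the post):
#   <enabled> <active> <teamID> <bundleID> (<version>) <name> [<state>]
EXT_ID="com.eset.network"

# Reads the command output on stdin and prints exactly one of:
#   ok            row present and state is "activated enabled"
#   pending       row present, still waiting for approval (assumed state string)
#   other:<state> row present with any other state
#   missing       no row for the extension at all
sext_state() {
    tr '\t' ' ' | {
        result="missing"
        while IFS= read -r line; do
            case "$line" in
                *" $EXT_ID ("*) ;;      # row for our bundle ID
                *) continue ;;
            esac
            case "$line" in
                *"[activated enabled]"*)          result="ok" ;;
                *"[activated waiting for user]"*) result="pending" ;;
                *"["*"]"*)
                    state=${line##*\[}            # text after the last "["
                    result="other:${state%%\]*}"  # cut at the closing "]"
                    ;;
                *) result="other:unknown" ;;
            esac
        done
        printf '%s\n' "$result"
    }
}

# Constructed sample row; TEAMID0000 is a placeholder, $1 is the state text.
sample_row() {
    printf '*\t*\tTEAMID0000\tcom.eset.network (6.10.800/6.10.800)\tESET Web and Email Protection\t[%s]\n' "$1"
}

if command -v systemextensionsctl >/dev/null 2>&1; then
    systemextensionsctl list | sext_state
else
    sample_row "activated enabled" | sext_state
fi
```

A client that prints "ok" while the console still shows the error matches the reporting bug described in the post; "pending" or "missing" points at the approval steps listed there.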
j-gray, posted March 12, 2021

1 hour ago, Matus said:
> If you however see something wrong with WEP in GUI or terminal command, please check if: SEXT was approved: System Preferences > Security & Privacy > General

@Matus is there a way to approve this via terminal command?

On the client, the GUI shows 'Security Risk'; "Web and Email protection is non-functional"

Of course, we do not enable these two components, so we wouldn't expect to see the error. Nonetheless, users see the error status and error messages.

Matus (Former ESET Employees), posted March 15, 2021

Accepting of SEXT is possible (learn more or here), but so far we haven't figured out how to approve "Proxy Configuration". We contacted Apple about 1-2 months ago and we received information that it's not possible to do remotely... But we're still looking into a way to do it (so far without any results)...

"Of course, we do not enable these two components..." - could you please elaborate a little more? Which components, and how did you not enable them? I'm not sure what goal you're trying to achieve by not enabling them.

Thank you

j-gray, posted March 16, 2021

10 hours ago, Matus said:
> Accepting of SEXT is possible (learn more or here), but so far we haven't figured out how to approve "Proxy Configuration". We contacted Apple about 1-2 months ago and we received information that it's not possible to do remotely... But we're still looking into a way to do it (so far without any results)...
>
> "Of course, we do not enable these two components..." - could you please elaborate a little more? Which components, and how did you not enable them? I'm not sure what goal you're trying to achieve by not enabling them.
>
> Thank you

@Matus If I understand correctly, the only way to allow system extensions and full disk access is via MDM? It's not possible via ssh/terminal?

Regarding components, we disable all 'Web and Email' components via policy. In the GUI they show as disabled/grayed out, so should not be causing errors or warnings. We do this for several reasons.

Matus (Former ESET Employees), posted March 16, 2021

> @Matus If I understand correctly, the only way to allow system extensions and full disk access is via MDM? It's not possible via ssh/terminal?

Yes, that's how Apple designed it. You need https://support.apple.com/en-us/HT204142 and then use it with some MDM (JAMF, simpleMDM...) to control things remotely. As far as I know, it's not possible via ssh/terminal.

I got it. It's normal that the user sees error messages. It's a warning that protection which SHOULD be enabled is disabled and is a risk for security. If you do not want to show those messages, you also have to disable showing of application statuses:

ESET application preferences > alerts and notifications > Protection statuses:

or in ESET management console

j-gray, posted March 16, 2021

6 hours ago, Matus said:
> I got it. It's normal that the user sees error messages. It's a warning that protection which SHOULD be enabled is disabled and is a risk for security. If you do not want to show those messages, you also have to disable showing of application statuses:

Yes, statuses are disabled by policy for these components. Clients do not see a warning about them being disabled.

It's in the case of the Big Sur clients where they see the error state pertaining to the system extension for Web and Email protection.

From what I gather, even though web and email protection are not enabled by policy, the web and email system extension still needs to be allowed. This is unfortunate, as it appears the only way to resolve this is with a third-party application (MDM).

Matus (Former ESET Employees), posted March 17, 2021

Hi,

OK, I really got it now (I think :D)... Yes, it works in a way that the Disable policy is applied after the product works fine... Disable is meant like "Pause". So everything has to work, be integrated, and then it can be "Paused" via policy (so you can enable/disable as you wish)...

What you want to do is to not even install it and integrate it with the system. This is possible, and it has to be done via "custom installation": https://help.eset.com/ees_mac/6.10/en-US/?ud_install_custom.html where you can choose which components should not be installed - disabled for eternity... Please note that you have to uninstall the product and then install it to see those options, not just execute the installation on top of the currently installed product. Now it'll not even try to integrate into the system. However, you then can't "enable" them. They're not installed.

Is that what you're looking for? If you're looking for some hybrid where disabling = un-integrating from system and enabling is integrating, this is not possible and not even on a roadmap, as integrating on Big Sur is quite a complicated process...

j-gray, posted March 18, 2021

On 3/17/2021 at 4:25 AM, Matus said:
> Is that what you're looking for? If you're looking for some hybrid where disabling = un-integrating from system and enabling is integrating, this is not possible and not even on a roadmap, as integrating on Big Sur is quite a complicated process...

Yes, ideally we would like to build a package that excludes the components that we don't use (e.g. Media Control, Device Control, Personal Firewall) and have a leaner client. It doesn't look like there's a way to do this en masse, only when performing a local/manual installation.

Matus (Former ESET Employees), posted March 22, 2021

Hi,

You can create a "remote installation" .pkg and install script file where you're able to choose which components should be installed, exactly the same as in "custom installation". With this I think you can achieve a leaner agent as you want. You can install it using ssh, Apple tools or any other way...