
Issues with Big Sur and 6.10.460.1


j-gray


For those OS X clients running 6.10.460.1 and latest agent, we're finding that most if not all report the following in ERA console:

System extension required for Web and Email protection was not configured because of error. Try to restart macOS or reinstall the product.   

This is after upgrading to Big Sur when already on 6.10.460.1. What's more puzzling is that we do not enable Web and Email protection by policy.

Also, the user is presented with these errors frequently enough to be annoyed.

Is this expected behavior, and what is the recommended workaround?

TIA


On two systems showing this error, I uninstalled the AV and then reinstalled it. I still get the same error messages in the console for each client.

Any suggestions on how to clear this error status?


  • Former ESET Employees

Hi J-Gray,

Thank you for contacting us. Unfortunately, this message is most likely caused by a bug causing an error message in ESMC even though there is not an actual problem. This will be fixed in an upcoming version available in March. To verify that, please check in Endpoint directly (in the Endpoint GUI) whether there is any error message or it's green. If it's green, then it's the mentioned bug.

You can also check via terminal command: "systemextensionsctl list" and you should see:

* * <somenumber> com.eset.network (6.10.800/6.10.800) ESET Web and Email Protection [activated enabled]

You can also verify the WEP module by visiting an HTTP phishing site, ideally in some testing environment as it's a real phishing site (do not enter or click on anything), e.g. http://<.>gilbaneco-validate<.>com/ (first you will probably get a browser antiphishing message; if you proceed, you then get the ESET blocking message).

If you however see something wrong with WEP in GUI or terminal command, please check if:

SEXT was approved: System Preferences > Security & Privacy > General

Network Proxy was allowed: https://help.eset.com/ees_mac/6.10/en-US/?ud_install_typical.html Big Sur part, point 3. You can see it running in System Preferences > Network (see attachment)

 

Screen Shot 2021-03-12 at 16.26.07.png

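Added example, not part of the original thread and not ESET's own tooling: a shell function that reads `systemextensionsctl list` output and reports whether `com.eset.network` is in the `[activated enabled]` state mentioned in the post above, which suits fleet-wide checks over ssh. The sample output, the team ID `TEAMID0000`, the `0.0.0` leftover version and the function names are constructed for illustration.

```shell
#!/bin/sh
# Reads `systemextensionsctl list` output on stdin and reports the state of
# one bundle ID. Exit 0: activated enabled; 1: other state; 2: not listed.
sysext_state() {
    awk -v id="$1" '
        {
            sub(/[ \t\r]+$/, "")                 # tolerate trailing whitespace
            hit = 0
            for (i = 1; i <= NF; i++) if ($i == id) hit = 1
            if (!hit || !match($0, /\[[^]]*\]$/)) next
            state = substr($0, RSTART + 1, RLENGTH - 2)
            # During upgrades the same ID can be listed more than once;
            # one active entry is enough.
            if (state == "activated enabled") ok = 1
        }
        END {
            if (state == "") exit 2
            print (ok ? "activated enabled" : state)
            exit (ok ? 0 : 1)
        }'
}

# Constructed sample output (team ID and leftover version are placeholders).
sample_ok() {
    cat <<'EOF'
2 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
* * TEAMID0000 com.eset.network (6.10.800/6.10.800) ESET Web and Email Protection [activated enabled]
    TEAMID0000 com.eset.network (0.0.0/0.0.0) ESET Web and Email Protection [terminated waiting to uninstall on reboot]
EOF
}

sample_pending() {
    cat <<'EOF'
1 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
  * TEAMID0000 com.eset.network (6.10.800/6.10.800) ESET Web and Email Protection [activated waiting for user]
EOF
}

# On a Mac: systemextensionsctl list | sysext_state com.eset.network
sample_pending | sysext_state com.eset.network || echo "Web and Email extension not active"
```
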

1 hour ago, Matus said:

If you however see something wrong with WEP in GUI or terminal command, please check if:

SEXT was approved: System Preferences > Security & Privacy > General

@Matus is there a way to approve this via terminal command?

On the client, the GUI shows 'Security Risk'; "Web and Email protection is non-functional"

Of course, we do not enable these two components, so we wouldn't expect to see the error. Nonetheless, users see the error status and error messages.


  • Former ESET Employees

Accepting of SEXT is possible (learn more or here), but so far we haven't figured out how to approve "Proxy Configuration".


We contacted Apple about 1-2 months ago and received information that it's not possible to do remotely... But we're still looking for a way to do it (so far without any results)...

"Of course, we do not enable these two components..." - could you please elaborate a little more? Which components, and how did you not enable them? I'm not sure what goal you're trying to achieve by not enabling them.

Thank you


10 hours ago, Matus said:

Accepting of SEXT is possible (learn more or here), but so far we haven't figured out how to approve "Proxy Configuration".


We contacted Apple about 1-2 months ago and received information that it's not possible to do remotely... But we're still looking for a way to do it (so far without any results)...

"Of course, we do not enable these two components..." - could you please elaborate a little more? Which components, and how did you not enable them? I'm not sure what goal you're trying to achieve by not enabling them.

Thank you

@Matus If I understand correctly, the only way to allow system extensions and full disk access is via MDM? It's not possible via ssh/terminal?

Regarding components, we disable all 'Web and Email' components via policy. In the GUI they show as disabled/grayed out, so should not be causing errors or warnings. We do this for several reasons.


  • Former ESET Employees

@Matus If I understand correctly, the only way to allow system extensions and full disk access is via MDM? It's not possible via ssh/terminal? -

Yes, that's how Apple designed it. You need https://support.apple.com/en-us/HT204142 and then use it with some MDM (JAMF, simpleMDM...) to control things remotely. As far as I know, it's not possible via ssh/terminal.

I got it. It's normal that the user sees error messages. It's a warning that protection which SHOULD be enabled is disabled and is a risk for security. If you do not want to show those messages, you have to also disable showing of application statuses:

ESET application preferences > alerts and notifications > Protection statuses:


or in ESET management console


6 hours ago, Matus said:

I got it. It's normal that the user sees error messages. It's a warning that protection which SHOULD be enabled is disabled and is a risk for security. If you do not want to show those messages, you have to also disable showing of application statuses:

Yes, statuses are disabled by policy for these components. Clients do not see a warning about them being disabled.

It's in the case of the Big Sur clients where they see the error state pertaining to the system extension for Web and Email protection.

From what I gather, even though web and email protection are not enabled by policy, the web and email system extension still needs to be allowed. This is unfortunate, as it appears the only way to resolve this is with a third-party application (MDM).


  • Former ESET Employees

Hi, 

OK I really got it now (I think:D)... Yes it works in a way that Disable policy is applied after product works fine... Disable is in a meaning like "Pause". So everything has to work, be integrated and then it can be "Paused" via policy (so you can enable/disable as you wish)...

What you want to do is to not even install it & integrate with system. This is possible, and it has to be done via "custom installation": https://help.eset.com/ees_mac/6.10/en-US/?ud_install_custom.html

where you can choose which components should not be installed - disabled for eternity... Please note that you have to uninstall the product and then install it to see those options, not just execute the installation on top of the currently installed product.


Now it'll not even try to integrate into a system. However you then can't "enable" them. They're not installed.

Is that what you're looking for? If you're looking for some hybrid where disabling = un-integrating from the system and enabling is integrating, this is not possible and not even on a roadmap, as integrating on Big Sur is quite a complicated process...

 


On 3/17/2021 at 4:25 AM, Matus said:

Is that what you're looking for? If you're looking for some hybrid where disabling = un-integrating from the system and enabling is integrating, this is not possible and not even on a roadmap, as integrating on Big Sur is quite a complicated process...

Yes, ideally we would like to build a package that excludes the components that we don't use (e.g. Media Control, Device Control, Personal Firewall) and have a leaner client.

It doesn't look like there's a way to do this en masse, only when performing a local/manual installation.


  • Former ESET Employees

Hi, you can create a "remote installation" .pkg and install script file where you're able to choose which components should be installed, exactly the same as in "custom installation". With this I think you can achieve a leaner agent as you want. You can install it using ssh, Apple tools or any other way...
