
"Scan With Cleaning" Not Working As Expected


GDI

Right now, we are still at the "setting up" stage of ESET. We have most of our policies set up at "Balanced" or "Cautious" because, at this point, we want ESET to report on items but we want to manually clean them (or make an exception if necessary) after we review them.

The problem is, when something is detected, I'll go to the detection, select "Scan Path", and make sure "Scan with Cleaning" is selected. I run the task, and I know it runs on the workstation, but nothing happens. It just reports on the infection again but does not clean it.

What am I doing wrong?


  • Administrators

Please provide logs collected with ESET Log Collector from such machine. We need to know what was detected and how cleaning is set up. Also include information about the detection that you attempted to clean, just in case.


Posted (edited)
2 hours ago, Marcos said:

Please provide logs collected with ESET Log Collector from such machine. We need to know what was detected and how cleaning is set up. Also include information about the detection that you attempted to clean, just in case.

Just out of curiosity, is there a way to collect logs from a workstation remotely rather than being logged directly onto the computer? It may be a while before I can get into the machine in question.

The file in question in this instance was one particular Chrome cache file that came up with "Potentially unwanted application". Name is "MSIL/DotSetupIo.A"

Edited by GDI

  • Administrators

You can generate and retrieve ELC logs via client details -> Logs -> Log Collector -> Run Log Collector.


  • Administrators

Yes, you can share them via pm or upload the file here. Attachments are available only to ESET staff.


  • 2 weeks later...
On 10/8/2021 at 12:24 PM, Marcos said:

Yes, you can share them via pm or upload the file here. Attachments are available only to ESET staff.

Hello, just wanted to let you know I PM'd the files to you on Oct 8th.


  • Administrators

I think I know what you would like to achieve but I'm afraid it's not possible. The thing is you now have all on-demand scan profiles configured to use real-time protection reporting and detection settings, i.e. reporting is set to Balanced for pot. unwanted applications and suspicious applications and protection is set to Off. That means cleaning is not possible because of the protection level set to Off. What you need to do is create a new on-demand scan profile or use an existing one (e.g. Context menu scan), configure it to use individual reporting and protection settings and set the same reporting and protection levels. Using this profile to clean detections should work. The problem is that it would not be possible to prevent users from using this scan profile.

I have created an improvement task so that a particular on-demand scan profile can be hidden for users but admins could use it for a remote scan from ESET PROTECT.


49 minutes ago, Marcos said:

I think I know what you would like to achieve but I'm afraid it's not possible. The thing is you now have all on-demand scan profiles configured to use real-time protection reporting and detection settings, i.e. reporting is set to Balanced for pot. unwanted applications and suspicious applications and protection is set to Off. That means cleaning is not possible because of the protection level set to Off. What you need to do is create a new on-demand scan profile or use an existing one (e.g. Context menu scan), configure it to use individual reporting and protection settings and set the same reporting and protection levels. Using this profile to clean detections should work. The problem is that it would not be possible to prevent users from using this scan profile.

I have created an improvement task so that a particular on-demand scan profile can be hidden for users but admins could use it for a remote scan from ESET PROTECT.

Thanks for the advice. I'll give this a shot.

By "prevent users from using this scan profile" are you referring to if they go into Endpoint > Computer Scan > Custom Scan > Settings? If so, yeah it would be great to be able to "hide" it but, for us, it shouldn't be a big deal. Just as long as that profile isn't used for automatic/scheduled scans, we are OK setting it up this way.


  • Administrators
6 hours ago, GDI said:

By "prevent users from using this scan profile" are you referring to if they go into Endpoint > Computer Scan > Custom Scan > Settings? If so, yeah it would be great to be able to "hide" it but, for us, it shouldn't be a big deal. Just as long as that profile isn't used for automatic/scheduled scans, we are OK setting it up this way.

Correct. If it's ok for you that users could select a profile that will be able to clean suspicious apps and PUAs then the above should work for you. I'd also recommend enabling detection of potentially unsafe applications which cover legitimate tools that can be misused in the wrong hands, e.g. to disable or uninstall antivirus.


  • 4 weeks later...
On 10/18/2021 at 6:40 PM, Marcos said:

Correct. If it's ok for you that users could select a profile that will be able to clean suspicious apps and PUAs then the above should work for you. I'd also recommend enabling detection of potentially unsafe applications which cover legitimate tools that can be misused in the wrong hands, e.g. to disable or uninstall antivirus.

Sorry to bring up an old thread. But, I'm a bit confused. I've finally had an instance where I need to do a scan with cleaning.

I have set up a custom scan profile called "In-depth scan (with deleted)". I've created a task with the task "In depth scan". Under scan profile, the profile I've created wasn't listed so I selected "Custom" and manually typed in "In-depth scan (with deleted)" in the custom profile box.

Is that the correct way to do this? I would've thought if I selected "Custom" that all custom profiles would be listed in a dropdown under "Custom". Just took me by surprise that I'd have to manually type in the name.


  • Administrators

If you want to run a scan remotely from the ESET PROTECT console, you can create a client on-demand scan task and check the appropriate check-box to enable cleaning regardless of the scan profile selected.
