
ESET Endpoint Security 9 & ESET Endpoint Antivirus 9 BETA



  • ESET Moderators

Hello ESET Endpoint Security / Antivirus users,

 

We are pleased to announce the availability of ESET Endpoint Security / Antivirus 9 BETA for public testing.

 

The new generation of ESET Endpoint products for Windows brings new features and improvements, let us briefly describe the most visible ones.

  • Auto-update – This feature improves the upgrade experience for administrators and makes keeping ESET products on the latest version easier. It is enabled by default and works out of the box. The technology was already present in Windows Endpoint version 8.0; EULA approval was replaced with EULA notifications.
  • Brute-force attack protection – Evolution of the reputation- and blacklist-based password-guessing defense technology, providing further protection for the RDP and SMB protocols in business networks.
  • Official ARM64 support for both EES and EEA for Windows on ARM (the Secure Browser, Machine learning protection and Deep behavioral inspection features are not available for the ARM64 platform in this version).

The new features mentioned are not manageable by the ESET PROTECT management console as of now.

 

Please also check the list of known issues for the first public BETA build. We believe the severity of those is very low, so they should not affect your user experience much:

  • Device Control: Printing task stays in printing queue when printer is blocked
  • Audit logs contain strings "FeatureId", "OldState", "NewState"
  • Web control: Warn action does not work properly for some websites
  • Secure Browser: Ask me option available for websites in list
  • Secure Browser: Some websites are not loaded correctly in secured browser instance
  • Device Control: Some Bluetooth devices are not listed in Populate of Device control

 

The ESET Endpoint Security 9 BETA and ESET Endpoint Antivirus 9 BETA builds are available for download at https://forum.eset.com/files/category/4-ees-eea-9-beta/

Both .msi and .exe installers are available, as well as the ARM64 version for Windows on ARM.

 

We are looking forward to hearing your feedback and experience with the 9th generation of ESET Endpoint products.

For your questions and issue reports, please use this forum directly.

 

As usual, the build is of BETA quality, so by downloading and using it you agree to our BETA program agreement, which is available at https://forum.eset.com/files/file/31-eset-beta-program-agreement/

After a week or so of BETA testing, please fill out this short survey for us: https://survey.eset.com/index.php?r=survey/index&sid=798153&lang=en so we can evaluate the BETA program and make our offering even better for you. Thank you in advance.

 

Peter Randziak on behalf of teams involved


When editing the brute-force attack protection rules, the thresholds are grayed out; disabling/enabling the rule makes these fields editable. See screen capture below: AkqnkkGcda.gif


Hi, after installing the v9 beta I noticed the following error in the event log of the software:

Time;Component;Event;User
2021-10-19 11:38:23;Firewall;An error occurred during installation of the epfwwfp driver.;SYSTEM

  • ESET Moderators
30 minutes ago, Robc said:

Thank you Rob, I'm checking it with the dev team (P_EESW-7831).

I will keep you posted.

Peter


  • ESET Moderators

Hello @Robc,

Can you please check the endpoint now? It seems that the driver was installed successfully later.

"inf: Driver Store Path: C:\WINDOWS\System32\DriverStore\FileRepository\epfwwfp.inf_amd64_7f5b5fa2211d9c06\epfwwfp.inf
inf: Published Inf Path: C:\WINDOWS\INF\oem31.inf
<<< Section end 2021/10/19 11:38:23.532
<<< [Exit status: SUCCESS]"

Thank you, Peter


Hello, after installing and updating EES, the icon in the lower right corner of the ESET desktop prompts that the scan is starting, but it did not actually happen.


  • ESET Moderators

Hello @cyh,

I guess it is an Automatic startup file check, scheduled after a successful modules update.

The scan should be very quick and is not visible in the Computer scan tab.

Peter


Hello, we are very interested in Brute-force attack protection, as we see too many ransomware attacks delivered by RDP brute force. So we tried EES V9 on Win 7 and 2008 R2; here is the result:

1. On Win 7 64-bit, EES V9 detects SMB brute force but failed to detect RDP brute force. The test was made via hydra 8.1.

2. On 2008 R2, neither the RDP nor the SMB brute-force attack could be detected. The test was made via hydra 8.1.

We value this function very much, so please look into these problems, as hydra is one of the most commonly used hacking tools.

Regards.

Johnson


I was checking the event log for some changes and saw the following audit failure (Windows 10 21H1 security event log):

Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name:    \Device\HarddiskVolume4\Program Files\ESET\ESET Security\eamsi.dll

This is with the v9.0 beta installed.

Chkdsk came back clean.

  • ESET Moderators

Hello @johnson.yuan,

3 hours ago, johnson.yuan said:

Thanks for your reply, attached is the Wireshark log, captured on Win 10 64-bit.

The original report was for Win 7 and 2008 R2 with Hydra 8.1; can you please provide the captures for the original report as well?

 

Anyway, the research team had a look and found out the following:

RDP - hydra 8.1 does not speak TLS, or NLA for that matter. For this attack to work, the server must be configured with NLA off. Turning NLA on makes the problem go away.

SMB - probably SMB1 has been disabled on that server. Now, Hydra 8.1 speaks SMB1 only, but it fails to notice the reply from the server or the lack of it, so effectively no brute forcing is taking place. If we turn SMB1 on, detection seems to work as expected.

 

Peter

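The moderator's explanation above ties detection coverage to two server-side settings: whether RDP requires Network Level Authentication, and whether SMB1 is still enabled. The following PowerShell audit is an added example for administrators who want to check their own hosts; it is not part of the thread or of any ESET tool, and it relies only on the standard Windows registry paths and cmdlets named in the comments.

```powershell
# Added example (not from the thread): audit the two settings the explanation
# above links to brute-force detection coverage.
#   - RDP NLA: UserAuthentication = 1 under the RDP-Tcp key means NLA is required.
#   - SMB1 server protocol: should be disabled on modern hosts.
# Run from an elevated PowerShell prompt on the host being checked.

function Get-RdpNlaState {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $value = (Get-ItemProperty -Path $key -Name UserAuthentication -ErrorAction Stop).UserAuthentication
    [pscustomobject]@{
        Setting  = 'RDP NLA required'
        Value    = $value
        Hardened = ($value -eq 1)
    }
}

function Get-Smb1State {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
    # On Windows 7 / Server 2008 R2 (the systems discussed in the thread) fall back
    # to the LanmanServer registry value; when the value is absent, SMB1 is enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $raw = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $enabled = ($null -eq $raw) -or ($raw -ne 0)
    }
    [pscustomobject]@{
        Setting  = 'SMB1 server disabled'
        Value    = $enabled
        Hardened = (-not $enabled)
    }
}

$results = @(Get-RdpNlaState; Get-Smb1State)
$results | Format-Table -AutoSize

# Exit non-zero when either setting is in the weak state, so the script can be
# used from a scheduled task or a configuration-compliance check.
# Remediation on supported systems:
#   Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Value 1
#   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
if ($results.Hardened -contains $false) {
    Write-Warning 'Weak remote-access configuration found; review the table above.'
    exit 1
}
```

The script only reads settings; the remediation commands are left in comments so they can be reviewed before being applied through change management.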

  • ESET Moderators

Hello @Robc,

3 hours ago, Robc said:

I was checking the event log for some changes and saw the following audit failure (windows 10 21h1 security eventlog)

Code integrity determined that the image hash of a file is not valid.  The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name:    \Device\HarddiskVolume4\Program Files\ESET\ESET Security\eamsi.dll

This is with the v9.0 beta installed.

Chkdsk came back clean

Thank you for your report. This is an ongoing topic, see https://forum.eset.com/topic/25035-program-fileseseteset-nod32-antiviruseamsidll/ for example.

It is something we need to address with MS...

Peter

(P_ESSW-13471)

 


Hello, I installed the simplified Chinese version of the test build. In the advanced settings, when Detection engine -- Malware scan -- Removable disk is opened, there is no content.


5 hours ago, cyh said:

Hello, I installed the simplified Chinese version of the test build. In the advanced settings, when Detection engine -- Malware scan -- Removable disk is opened, there is no content.

Seems to be the same for the English version.


On 10/29/2021 at 7:24 PM, Peter Randziak said:

Hello @johnson.yuan,

The original report was for Win 7 and 2008 R2 with Hydra 8.1; can you please provide the captures for the original report as well?

 

Anyway, the research team had a look and found out the following:

RDP - hydra 8.1 does not speak TLS, or NLA for that matter. For this attack to work, the server must be configured with NLA off. Turning NLA on makes the problem go away.

SMB - probably SMB1 has been disabled on that server. Now, Hydra 8.1 speaks SMB1 only, but it fails to notice the reply from the server or the lack of it, so effectively no brute forcing is taking place. If we turn SMB1 on, detection seems to work as expected.

 

Peter

Hi Peter,

Thanks for your reply. I forgot to mention that when testing on this Win 10, I'm using Hydra V9.0, and it successfully found out my password, and EES V9 detected nothing. I have checked the Remote Desktop settings of the Win 10; NLA is off.

 

Regards

Johnson


  • ESET Moderators

Hello @johnson.yuan,

We tested the above systems with hydra 8.1 (2014).

RDP - hydra 8.1 does not speak TLS, or NLA for that matter. For this attack to work, the server must be configured with NLA off. Turning NLA on makes the problem go away.

 

The provided pcap was not from a platform in question, but there we seem to detect the individual failed logins correctly.

 

We tested the behavior with Hydra 9.0 - it uses TLS with NLA, so turning off NLA on the server has no effect this time. We checked the initial Windows 10 version, build 10240, and it shipped with NLA on by default; by Win10 20H2 the NLA setting has been moved to advanced options.

So why turn it off (unless you want to connect from Win XP or some old Linux or old 3rd-party client)?
We do detect the individual failed logins correctly. We also tested the above-mentioned scenario with two Win10 versions with the product. Everything seems to work fine. The only exception found was when EES was not activated - then it would give the detection a pass.
So are you using the correct and activated version of the product?

Peter


  • ESET Moderators

We've prepared an auto-update for BETA testers with a new EULA version, so you can see the notification about the changed version in action, even though there is no real change in the text.

You can experiment with several states of the Auto-updates setting to see how we inform about the availability of a new version.

Peter on behalf of the teams involved.


On 11/4/2021 at 4:55 AM, Peter Randziak said:

We've prepared an auto-update for BETA testers with a new EULA version, so you can see the notification about the changed version in action, even though there is no real change in the text.

You can experiment with several states of the Auto-updates setting to see how we inform about the availability of a new version.

Peter on behalf of the teams involved.

Hi Peter,

Has this been rolled out yet? If so, I have not noticed anything on my end.
