Future changes to ESET PROTECT (formerly ESET Security Management Center / ESET Remote Administrator)

[pps 4]

23 minutes ago, MichalJ said:

@pps Can you please adjust the settings from "block" to "warn", whether the behavior of the page will be changed? I will check with the teams responsible, where could be the issue. 

I do it but category is not appeared.

 

I reset also all the settings of web control in the endpoint 

Edited June 27, 2018 by pps

[wreckitralph 2]

Hello @pps, I would say the catch is in the fact that you are using customized message to be shown to the user ("Blocked webpage message"), which replaces the original wording including the categorization hint. On the other side, resetting the setting should instantly start showing the original wording, which seems not to work for you, so can you please double-check for me, if the blocking rule is category-based and not (overruled by) URL-based type? Maybe a screenshot from the "Edit rule" dialog? Thanks.

[pps 4]

@wreckitralph that worked!

PS:In the next versions should be able to add the categorization hint into a customized message?

[wreckitralph 2]

Hello @pps, I don't like to overpromise in general, but we've added this to the backlog and will try to look for some UX-friendly way, how to allow a mixture of custom and predefined warnings. Always appreciate your feedback, thanks.

[SysEPr 4]

Description: Policies - make "Antivirus--Real-time file system protection--Scan on" settings individually controllable for ESET Endpoint for macOS (OS X) and Linux

Detail: The  "Antivirus--Real-time file system protection--Scan on" setting is individually controllable on ESET Endpoint for Windows. This means that you can individually enforce the File open, File creation, File execution settings one by one with a policy. Meanwhile, in an ESET Endpoint for macOS (OS X) and Linux policy, if one of them is set, all of them will be enforced with the given settings.

[SysEPr 4]

Description: ESET Secure Authentication should support fingerprint and push notifications

Detail: I think there should be alternative 2FA options available, but if it's not an option, the ESET Secure Authentication app should support push notifications (something like Steam does), and fingerprint authentication as well to the PIN. It would be also nice if you could approve it with one touch instead of typing a code in, something what Authy or OneLogin does with their native solution.

Edited June 29, 2018 by SysEPr

[Florian87 2]

On 20.3.2018 at 8:28 AM, MichalJ said:

@Florian87 Can you please elaborate more? What is the use-case you want to achieve? Would you like to use ESET ecosystem to also roll-out other, 3rd party applications, or are you just talking about the the way ESET installers are handled?

@MichalJ

Yes - I would like to use the ESET ecosystem to roll-out 3rd party applications - for me as a MSP this would be great.

[Society 3]

On 6/7/2018 at 11:32 AM, MichalJ said:

@Society Thank you for your feedback. We are already tracking the improvement for such functionality, so I have added your "vote" to it. Just out of curiosity, how frequently are you generating reports? Don´t you use the e-mail delivery method, or on-demand download of the report output using web-console? Or you more have some scheduled regular tasks, that are placed into the (currently) default directory?

@MichalJ Mmm. In fact, some of ours costumers asked for this feature. This feature also was present in some reference terms from public agencies. 

[ludolf 6]

Description: more granulate audit log filter 

Detail: Reports/Audit log. If I would like to search for a specific setting ("who changed it"), I have to scroll down from page to page, or use CTRL-F

Please add possiblity to filter string in "Action detail" column. 

[ludolf 6]

Description: more details in audit log

Detail: Reports/Audit log. If somebody modifies a policy, only one event added to the Audit log: "Modifying policy xxx"

it would be nice to know more. What settings have been modified and before and after values.

[ludolf 6]

Description: possibility to export webcontrol/url groups/addresses

Detail: possibility to export webcontrol/url groups/addresses. Usage example: ERA/ESMC used for more groups (more admin teams), with similar policies, and a group needs an existing url group in a separate policy . Export/import would the elegant way to migrate url addresses.

[MichalJ 434]

@ludolf Thanks for your feedback. Point 2 (second post) is already in the backlog. With regards to export / import of webcontrol groups, I will report improvement for the Endpoint team, as in general ESMC / ERA only visualizes entries from Endpoint configuration. I have however a follow-up question about the audit log filter - do you mean, that audit log, will have by default active / visible filter for "username" ? Or you want to filter by action detail (this is currently not possible, I will have to check with developers whether it would be possible). 

[ludolf 6]

MichalJ, thanks for the answer.
Audit log filter: for example somebody changed a server setting and broke a feature by doing this. I know what has been changed, but currently I cannot filter to it. If I could to filter, I would know who changed it, and ask him why did it. 

[ludolf 6]

Description: don't send notifications to all configured recipients

Detail: we have 3 static groups: group1, group2, group3

All of them are maintained by different admin teams. For this reason we configured 3 notifications:

Access group: group1 -> "threat notification" -> send email to group1@domain.com
Access group: group2 -> "threat notification" -> send email to group2@domain.com
Access group: group3 -> "threat notification" -> send email to group3@domain.com

If an alert triggered in a group, all 3 groups receive an email about it.
Only the affected group should to receive the email.

[MichalJ 434]

@ludolf In ESMC V7 you can configure "monitored static group" as a part of the notification. So if the alert happens in the Group1 and Group1 is configured as monitored, only the recipients set in this notification will get it.  Concerning the auditlog issue, we are tracking improvement for a more granular filtering (it was actually existent before). 

[ludolf 6]

ah, didn't notice that option, it works, thanks

[bbahes 29]

Description: Update First steps and best practices

Detail: May I suggest that you update your help documentation or somehow automate this step, that when ESMC server is first launched, Update Operating System Task is one of first things to do? This is mainly because Alerts are shown "Operating system is not up to date". Also, I'm guessing, it's best security practice, since it's security product. Would you agree?

Also while on this subject:

Description: Task executions - more details would be welcome

Detail: I have started Update Operating System task via context menu. However, I don't see any detailed status as to what is being updated or possibly status of any error. It would be nice to have console log (virtual appliance) presented while this task is executing.

After long wait and many errors, ESMC says "Everything is OK".

 

[bbahes 29]

Description: Consistent licensing/display with regards to renaming endpoint

Detail: I'm testing ESMC v7 and Endpoint v7 and I see different results when:

1. Rename client (hostname) on client itself

We use All-in-one installer for clients. They are installed when computer has generic name (in case of Windows 10 that is something like DESKTOP-0LALO37).
The Endpoint and agent install and report back to ESMC successfully. If we then rename client (technical staff, by either on site or via remote support VNC) to something else we only see change in FQDN property. However in list it lists old "Computer name".

 

2. Active Directory Sync task.

Which brings me to Active Directory sync task. Since we are transitioning from workgroup to active directory we would like to sync list of computers and servers from different OU in Active Directory do different static groups and maintain that list.

We have in place task that syncs Lost and Found static group with test Active Directory OU for Computers.

But when task runs it "syncs" list in a way that in only adds "new objects" to ESMC list of computers. So now we have PC's with old "computer name" and PC's with new "computer name" in list.

Would it be possible to have Active Directory maintain authoritative list of computer object? If this is possible in current product I have not found way to do it. Please advise.
Also, if for some reason we rename endpoint it would be very nice for that name to be truly synced in ESMC list with Active Directory for security team to have complete list of workstations.

 

3. Rename client (Description Name?) on ESMC

Which brings me to client rename task. I don't see purpose of adding task that, as far as I am aware of only purpose is to rename object inside ESMC database. I consider it handy in case you have true sync between domain and ESMC.

Also, naming convention should be consistent with selected object. In Lost & found you list COMPUTER NAME, yet in Actions (when "object" is selected) you display "Rename multiple items". If "Computer name" is select it would be sensible to write "Rename computer name list" or something more meaningful.

Correct me if I'm wrong I see that you use ESMC "Computer name" throughout ESMC (tasks, etc..)?
For us, desirable result would be to have single name for object inside ESMC which is FQDN that is synced either with client (workgroup) or Active Directory.

 

If for some reason you find this is not feature request or rather candidate for support, feel free to move post to correct forum.

 

Kind regards!

[MichalJ 434]

@bbahes

Concerning the first point, with regards the OS update. I will let our documentation team know, that we should recommend running OS update after an appliance deployment. Concerning the various errors - those are most probably related to the fact, that underlying components of the ESMC were updated, meaning either DB / or some component needed for server to run was not running (those types of errors are happening when the DB does not respond) - so for example the ODBC driver, or MySQL could have been patched on the backend during the OS run. If you want to know / see what is being updated, In case of appliance I would recommend to enable the webmin interface, and then execute updates of a sensitive system via webmin, there details concerning the installed packages are available.

Concerning the next points:

1. Computer name entry in ESMC database is created based on the computer name during the first connection. If the value changes on the client, it´s not updated. This is by design, as the previous behavior that you know from ERA  was criticized by some admins, that they were loosing traces of some machines, after a rename (machine simple "disappeared" as it was renamed, so it was a bit "messy" after some time). What you can easily do, if you want to, is to create a regular "rename computers" task, point it towards a specific group (for example "newly deployed computers" (where the AIO will point towards). So they will then get the correct name, based on the locally reported FQDN.
2. This is possible. You can have multiple OUs synced into multiple groups. What should be done, is to first rename the computers to correct FQDN (step ) and then configure AD sync task computer collision handling to "move" instead of "skip" or "duplicate". That would resolve your problem.
3. Consistency issue will be reported to the development team, for adjustment towards the future version of the product.

[bbahes 29]

22 hours ago, MichalJ said:

@bbahes

Concerning the first point, with regards the OS update. I will let our documentation team know, that we should recommend running OS update after an appliance deployment. Concerning the various errors - those are most probably related to the fact, that underlying components of the ESMC were updated, meaning either DB / or some component needed for server to run was not running (those types of errors are happening when the DB does not respond) - so for example the ODBC driver, or MySQL could have been patched on the backend during the OS run. If you want to know / see what is being updated, In case of appliance I would recommend to enable the webmin interface, and then execute updates of a sensitive system via webmin, there details concerning the installed packages are available.

Concerning the next points:

1. Computer name entry in ESMC database is created based on the computer name during the first connection. If the value changes on the client, it´s not updated. This is by design, as the previous behavior that you know from ERA  was criticized by some admins, that they were loosing traces of some machines, after a rename (machine simple "disappeared" as it was renamed, so it was a bit "messy" after some time). What you can easily do, if you want to, is to create a regular "rename computers" task, point it towards a specific group (for example "newly deployed computers" (where the AIO will point towards). So they will then get the correct name, based on the locally reported FQDN.
2. This is possible. You can have multiple OUs synced into multiple groups. What should be done, is to first rename the computers to correct FQDN (step ) and then configure AD sync task computer collision handling to "move" instead of "skip" or "duplicate". That would resolve your problem.
3. Consistency issue will be reported to the development team, for adjustment towards the future version of the product.

This is big flaw in design and you should revert back to old one. If some organizations have problems with endpoint control, internal organization it should not have been reason to fix these problems with product philosophy. If for some reason endpoint is gone from ERA, than this is mayor security incident inside organization, that should be addressed in other way with internal policies or procedures.

This design leads to many potential confusions in reports and management if situation would arise that endpoint was renamed and rename task fails.

[karlisi 26]

47 minutes ago, bbahes said:

This is big flaw in design and you should revert back to old one. If some organizations have problems with endpoint control, internal organization it should not have been reason to fix these problems with product philosophy. If for some reason endpoint is gone from ERA, than this is mayor security incident inside organization, that should be addressed in other way with internal policies or procedures.

This design leads to many potential confusions in reports and management if situation would arise that endpoint was renamed and rename task fails.

I object. In our environment, where endpoint renaming was very frequent, new design never caused any problems for us, rename task never failed. Old design was painful, even when endpoints were identified by network card's id.

[bbahes 29]

9 minutes ago, karlisi said:

I object. In our environment, where endpoint renaming was very frequent, new design never caused any problems for us, rename task never failed. Old design was painful, even when endpoints were identified by network card's id. 

I would prefer if in future releases they automate this internally.

I know about this problem in old releases but we have policy about who does what and when so we did not have this problems with v5.

[katycomputersystems 1]

In our environment, it is rare that an endpoint is renamed, however I wouldn't want that to initiate a name change in ESMC.

[karlisi 26]

For this I have server task running once a day. No problems at all.

[bbahes 29]

On 8/29/2018 at 2:50 PM, karlisi said:

For this I have server task running once a day. No problems at all.

I've noticed they have this task out of the box: