offbyone, posted July 14:

Is there any way to check if ESET is activated properly, e.g. via registry? We found "HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info\WebActivationState" which seems to be 0x900 on activated nodes and 0x000 otherwise. But as we have no idea what the codes mean we are not sure about it. Any further information is most welcome. THX

Marcos (Administrators), posted July 14:

I for one am not aware of any official and documented way of determining the activation status programmatically. Maybe it'd be possible via ESET PROTECT's API so I'd suggest raising a support ticket.

offbyone (Author), posted July 22, marked as Solution:

I found "ermm.exe get license-info" in the docs which delivers what was requested, but the interface is deactivated by default, so I have no idea if it is a good idea to enable it. I think ESET has good reasons to disable it by default.

offbyone (Author), posted July 22:

Docs on ERMM for ESET I found are very limited. So I am not able to assess what security implication it has to enable RMM on the client via policy. Any hints and suggestions are most welcome, esp. if enabling this functionality creates an additional attack surface which could be abused over the network. THX.

Marcos (Administrators), posted July 23:

Enabling ERMM increases attack surface, especially when work mode is set to "all operations" as opposed to "safe operations only". An attacker could theoretically detect the application that has RMM access allowed and inject itself into it. On the other hand, we are not aware of such misuse of ERMM to date.

offbyone (Author), posted July 23 (edited July 23 by offbyone):

@Marcos THX for the explanation. As I have no information how RMM is implemented, do you have information regarding the following aspect? Does enabling RMM via policy open additional network listening ports? If this is the case is the socket bound to localhost or 0.0.0.0? Thanks again for your help.

offbyone (Author), posted July 23:

To extend my last question further: Can the RMM functions be triggered over the network via existing ESET management ports, or is the only way to access them "ermm.exe"?

Marcos (Administrators), posted July 23:

53 minutes ago, offbyone said: "Does enabling RMM via policy open additional network listening ports? If this is the case is the socket bound to localhost or 0.0.0.0?"

No. It's just a tool that internally communicates with ekrn and it's called by an RMM client with the desired parameters.
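
To confirm the listening-port answer above on your own endpoints, the following PowerShell script (an added example, not part of the thread and not ESET's code) records the listening sockets owned by ESET processes before RMM is enabled and, when run again after the policy is applied, reports any new ones with their bind scope. The process names ekrn and ermm are taken from the thread; the baseline file path is an assumption.

```powershell
# Added example, not ESET code. Assumption: 'ekrn' and 'ermm' (named in this thread)
# are the process names to watch; the baseline path is hypothetical.
param(
    [string[]]$ProcessName = @('ekrn', 'ermm'),
    [string]$BaselinePath  = (Join-Path $env:TEMP 'eset-listeners-baseline.csv')
)

function Get-BindScope([string]$Address) {
    # Classify the local bind address the way the question does: localhost vs 0.0.0.0.
    if ($Address -match '^127\.' -or $Address -eq '::1') { return 'loopback' }
    if ($Address -eq '0.0.0.0' -or $Address -eq '::')    { return 'all-interfaces' }
    return 'specific-interface'
}

function Get-EsetListener([string[]]$Name) {
    # Map PID -> process name for the watched processes that are currently running.
    $byId = @{}
    Get-Process -Name $Name -ErrorAction SilentlyContinue |
        ForEach-Object { $byId[[int]$_.Id] = $_.ProcessName }

    # Listening TCP sockets plus bound UDP endpoints, tagged with their protocol.
    $sockets = @(
        Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
            Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
        Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
            Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess
    )
    foreach ($s in $sockets) {
        $procId = [int]$s.OwningProcess
        if (-not $byId.ContainsKey($procId)) { continue }
        [pscustomobject]@{
            Key   = '{0}/{1}/{2}:{3}' -f $byId[$procId], $s.Proto, $s.LocalAddress, $s.LocalPort
            Scope = Get-BindScope $s.LocalAddress
        }
    }
}

$current = @(Get-EsetListener -Name $ProcessName)
$current | Sort-Object Key | Format-Table -AutoSize

if (Test-Path $BaselinePath) {
    # Second run (after the RMM policy is applied): report anything not in the baseline.
    $baselineKeys = @(Import-Csv $BaselinePath | ForEach-Object Key)
    $new = @($current | Where-Object { $_.Key -notin $baselineKeys })
    if ($new.Count) { Write-Warning 'Listeners not present in baseline:'; $new | Format-Table -AutoSize }
    else            { Write-Output 'No new listeners owned by the watched processes.' }
} else {
    # First run (before enabling RMM): record the baseline.
    $current | Export-Csv $BaselinePath -NoTypeInformation
    Write-Output "Baseline saved to $BaselinePath; re-run after the policy change."
}
```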