Jump to content

Check if ESET is activated properly


offbyone
Go to solution Solved by offbyone,

Recommended Posts

Is there any way to check if ESET is activated properly e.g. via registry?

We found "HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info\WebActivationState" which seems to be 0x900 on activated nodes and 0x000 otherwise. But as we have no idea what the codes mean we are not sure about it.

Any further information is most welcome.

THX

Link to comment
Share on other sites

  • Administrators

I for one am not aware of any official and documented way of determining the activation status programatically. Maybe it'd be possible via ESET PROTECT's API so I'd suggest raising a support ticket.

Link to comment
Share on other sites

  • Solution

I found "ermm.exe get license-info" in the docs which delivers what requested, but the interface is deactivated by default, so I have no idea if it is a good idea to enable it.

I think ESET hat good reasons to disable it by default.

Link to comment
Share on other sites

Docs on ERMM for ESET I found are very limited.

So I am not able to assess what security implication it has to enable RMM on the client via policy.

Any hints and suggestions are most welcome, esp. if enabling this functionality creates an additional attack surface which could be abused over the network.

THX.

Link to comment
Share on other sites

  • Administrators

Enabling ERRM increases attack surface, especially when work mode is set to "all operations" as opposed to "safe operations only".  An attacker could theoretically detect the application that has RMM access allowed and inject itself into it. On the other hand, we are not aware of such misuse of ERMM to date.

Link to comment
Share on other sites

@Marcos THX for the explanation.

As I have no information how RMM is implemented, do you have information regarding the following aspect?

Does enabling RMM via policy open additional network listening ports? If this is the case is the socket bound to localhost or 0.0.0.0?

Thanks again for your help.

Edited by offbyone
Link to comment
Share on other sites

To extend by last question further:

Can the RMM functions be triggered over the network via existing ESET management ports, or is the only way to access them "ermm.exe"?

Link to comment
Share on other sites

  • Administrators
53 minutes ago, offbyone said:

Does enabling RMM via policy open additional network listening ports? If this is the case is the socket bound to localhost or 0.0.0.0?

No. It's just a tool that internally communicates with ekrn and it's called by an RRM client with the desired parameters.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...