Panagiotis Goudas, Posted September 26:
Hello. We have set a weekly In-depth scan for the computers of our organisation. However we want to exclude our shared folders from scanning since they are already scanned in the file server. Any idea how to automate this procedure through policy? Thanks in advance.
P4r4do0x, Posted September 26:
Hello, I think shared folders are not directly scanned in the endpoint, but the moderators can confirm better. Per my info there is no specific option within a policy to exclude shared folders, or in a task you trigger.
Marcos (Administrators), Posted September 26:
Scheduled scans don't scan files in remote shares since ekrn.exe runs in the local system account and therefore does not have sufficient permissions.
Panagiotis Goudas (Author), Posted September 27 (edited):
What if the user account we are connected to has permissions to access these shared folders? Will it be the same situation or will it scan them? And finally, if I want to exclude specific folders from the file system, could I do it like the screenshot? Thanks.
Marcos (Administrators), Posted September 27:
If you run an on-demand scan manually under a specific user who has access to the remote share, ESET will scan the files. However, if you schedule a scan via Scheduler, the scan will be run in the local system account and would not be able to access the share unless you share it for the specific AD computer instead of an AD user. Anyways, when scheduling a scan task you select the targets so the solution would be not to select the disk or folders you don't want to scan.
Panagiotis Goudas (Author), Posted September 27:
When you say "scheduling a task", do you mean setting the "Scheduler" via a policy? Because that's what I have done and it didn't ask me to select disk or folders. Moreover, the task type is "On-demand computer scan", so maybe it falls under the first thing you said: that ESET will scan the files since the user has access to them. I'm a bit confused about this issue.
Marcos (Administrators, Solution), Posted September 27:
When scheduling a scan via ESET PROTECT, you can choose to scan all targets defined in the selected on-demand scan profile or specify the targets in the tasks. I assume the custom targets also support strings listed at https://help.eset.com/protect_cloud/en-US/client_tasks_on_demand_scan.html so you could use something like this to scan only local disks:
Panagiotis Goudas (Author), Posted October 1:
Thanks a lot for your answer, it helped me a lot! I have a couple more questions.
1. I have set the weekly scan every Thursday for the PCs of my organisation. The log files configuration is set as seen in the screenshot:
- Minimum logging verbosity -> Warnings
- Delete records older than 60 days
However, I have the following (screenshot no.2) view of log files in the computers that run this weekly scan. As you can see, the log files include scans of files that didn't find something suspicious and just report that everything is OK. Since I have set the logging verbosity to "Warnings", is this a normal view?
2. I have attached an image of how the policies are applied at one of the organisation users. According to the image (screenshot no.3), which policy is applied first and which is applied last? Does the number next to the policy indicate something about the queue of the policies?
Marcos (Administrators), Posted October 1:
Policies with higher numbers override those with lower numbers, except settings that are enforced by selecting the flash icon next to them. You could provide logs collected with ESET Log Collector if you are unable to determine which of the policies enables the "Log all files" setting.
Panagiotis Goudas (Author), Posted October 1:
The policy which has the highest number is set as I mentioned in my previous post.
- Minimum logging verbosity -> Warnings
- Delete records older than 60 days
The screenshot is from a computer that has all the policies set by the organisation. However I get the picture I sent you above. Is this normal? If I need to provide logs, what kind of logs do you want?
Marcos (Administrators), Posted October 1:
The setting that enables logging of all scanned files is located in the ThreatSense setup of the on-demand scanner profile used in the scan. As for the logs, I meant logs collected with ESET Log Collector from the machine.
Panagiotis Goudas (Author), Posted October 2 (edited):
So to understand, is this setting contrary to the setting that sets the minimum logging verbosity to "Warnings"? What if I disable the setting "Log all objects"? To conclude, what I want is to log only the important incidents (Warnings, Errors, Critical) and not to fill the disk with all the logs.
Marcos (Administrators), Posted October 2:
The setting in your screenshot affects logging to the Event log and some other logs only. Whether all scanned files are logged is determined by the "Scan all objects" setting in a particular on-demand scanner profile setup.
Panagiotis Goudas (Author), Posted October 2:
I'm kind of confused, really. The same policy that sets minimum logging verbosity to "Warnings" also has the setting "Log all objects". This policy schedules a weekly scan through "Scheduler". What should I do to log only the important events and avoid logging everything in my weekly scan?
Marcos (Administrators), Posted October 2:
Please provide logs collected with ESET Log Collector so that I can check your config and suggest the desired change.
Panagiotis Goudas (Author), Posted October 2:
OK then. Can you give me some instructions about what exactly you need so I set the ESET Log Collector accordingly? Do you just need some logs from a random PC of our network?
Marcos (Administrators), Posted October 2:
Please collect the logs on a machine where all scanned files are logged.
Panagiotis Goudas (Author), Posted October 2:
OK, I just sent you a PM with the log file, Marcos. Thanks.
Marcos (Administrators), Posted October 2:
There are no policies that would run a scheduled on-demand scan. However, your "In-depth scan" on-demand scanner profile has logging of all objects enabled. Please disable it. Also the In-depth scan profile should have smart optimization disabled too, otherwise it won't run true in-depth scans.
Panagiotis Goudas (Author), Posted October 3:
Good morning Marcos. But I do have a policy with a Scheduler set to have a Weekly in-depth scan. The policy is called "Security Product for Windows - Protection - Balanced ( Custom )". I made the changes you proposed in the "In-depth profile". I'll check about the logs and will let you know. One more thing I don't understand is about "Enable Smart optimization". What does this option stop in in-depth scans? Thanks again.
Marcos (Administrators), Posted October 3:
37 minutes ago, Panagiotis Goudas said:
> But I do have a policy with a Scheduler set to have a Weekly in-depth scan. The policy is called "Security Product for Windows - Protection - Balanced ( Custom )".
I was able to find only these tasks scheduled on the machine from which the logs were collected:
37 minutes ago, Panagiotis Goudas said:
> One more thing I don't understand is about "Enable Smart optimization". What does this option stop in in-depth scans?
Enabling it will cause many trusted and whitelisted files to be omitted from the scan, turning an ‘in-depth’ scan into a standard scan.
Panagiotis Goudas (Author), Posted October 3 (edited):
Thanks for your answer Marcos. Actually the tasks running from Scheduler through our main policy are the following: