
Console issue with Dynamic Groups


j-gray


Just discovered after the recent cloud upgrade. My dynamic groups are only updating if/when systems are online.

With the recent release of a new agent, I've updated dynamic templates and dynamic groups as I've always done to stage the upgrades.

I have an Agent Upgrade group (agent not equal 11.4.1107.0) and a Latest Agent group (agent = 11.4.1107.0) for both Windows and macOS.

In the past when I've updated these, the Latest Agent dynamic group immediately empties entirely as nothing meets the criteria yet. Now, the dynamic group slowly empties as clients check in. If they're offline, they do not get removed from the group even though they don't meet the criteria.

Same case for the Agent Upgrade group; clients are slowly moving into that group as they check in, but if offline they are not landing in the correct dynamic group.

This is the case for both Windows and macOS clients.

In short, dynamic groups are not affecting offline clients.


  • Administrators

The membership in DG has always been evaluated by the agent on clients and nothing has changed in this regard. It's worked as follows:

1. A client connects to the ESET PROTECT server and receives a list of DG

2. The client evaluates the membership in DG

3. The client connects to the EP server and sends a list of DG that it's a member of.


@Marcos It is working differently than it has in the past. Groups used to update immediately based on the criteria provided regardless if systems were online or offline.

As it is now, for example, I updated the Latest Agent dynamic group using criteria of "agent = 11.4.1107.0". Currently there are only offline systems (141 in total) in this dynamic group, none of which have the 11.4.1107.0 agent installed.

The dynamic group should be entirely empty, as we have no 11.4.1107.0 agents installed yet. 


I should clarify that in the past, dynamic groups would update if/when criteria are not met.


Hello, I totally agree with @j-gray. It's not working like before.
Before the new UI from July-August, when there was a change to a dynamic group template, the dynamic group associated with the template was reset and there were no assets in the dynamic group, to let ESET check the new criteria.

Now, when you do this, all the old assets with the old dynamic group template criteria stay except if they're online.
Anyway, they are analysed and removed if they are not matching the template, but only if they're online at the same moment. This is causing a lot of mistakes with tasks associated with dynamic groups.

At least this is the case for ESET Protect Cloud; maybe it is still working for the On Prem version.

@Marcos I hope it will not be like the issue with ESET Cloud Active Directory Scanner.
It's been one year or more since I told the support there is an issue with the config.json file and the SID mapping.
To make it work, it's "Id":"objectSID" not "Id":"objectGUID" on line 31...

Come on, guys.


  • ESET Staff
11 hours ago, j-gray said:

@Marcos It is working differently than it has in the past. Groups used to update immediately based on the criteria provided regardless if systems were online or offline.

As it is now, for example, I updated the Latest Agent dynamic group using criteria of "agent = 11.4.1107.0". Currently there are only offline systems (141 in total) in this dynamic group, none of which have the 11.4.1107.0 agent installed.

The dynamic group should be entirely empty, as we have no 11.4.1107.0 agents installed yet. 

Indeed, it works differently than previously, but it is considered an issue and will be targeted in the upcoming days. The problem is actually only with the visualization of the dynamic group content in the console; the evaluation itself and the logic behind it are unaffected and as you mentioned. Just note that for devices that are not connecting, when you make changes in the dynamic group definition, those devices will be unaware of it and will still be evaluating the original dynamic group, so even if the current state is confusing and it is an unplanned change, it might be considered more precise, as it communicates the real state from the devices.

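A small model of the agent-side evaluation described in the replies above, added here as an illustration and not ESET code: it shows why a console that lists last-reported membership keeps offline devices in a group after the template changes, and how to exclude such stale members before targeting tasks. The class names, the template revision counter and the `OLD` agent version are assumptions made for the example.

```python
from dataclasses import dataclass, field

NEW = "11.4.1107.0"   # agent version named in the thread
OLD = "0.0.0.0-old"   # constructed placeholder for any earlier agent version

@dataclass
class Device:
    name: str
    agent: str
    online: bool = True
    reported: dict = field(default_factory=dict)  # group -> template revision evaluated

class Server:
    def __init__(self, devices):
        self.devices = devices
        self.templates = {}  # group -> (revision, required agent version)

    def set_template(self, group, agent_version):
        revision = self.templates.get(group, (0, None))[0] + 1  # hypothetical counter
        self.templates[group] = (revision, agent_version)

    def check_in(self, dev):
        """Steps 1-3 from the thread: receive templates, evaluate locally, report."""
        if dev.online:  # an offline device keeps whatever it reported last
            dev.reported = {g: rev for g, (rev, ver) in self.templates.items()
                            if dev.agent == ver}

    def console_members(self, group):
        """What the console lists: the last membership each device reported."""
        return [d.name for d in self.devices if group in d.reported]

    def stale_members(self, group):
        """Members whose report predates the current template revision."""
        current = self.templates[group][0]
        return [d.name for d in self.devices
                if d.reported.get(group, current) != current]

def demo():
    srv = Server([Device("pc-online", OLD), Device("pc-offline", OLD)])
    srv.set_template("Latest Agent", OLD)
    for d in srv.devices:
        srv.check_in(d)                    # both join while online
    srv.devices[1].online = False          # one device goes offline
    srv.set_template("Latest Agent", NEW)  # criteria changed to the new agent
    for d in srv.devices:
        srv.check_in(d)                    # only the online device re-evaluates
    members = srv.console_members("Latest Agent")
    stale = srv.stale_members("Latest Agent")
    return members, stale, [m for m in members if m not in stale]
```

`demo()` returns the console listing, the stale members, and the members that are safe to target; in this constructed scenario the only listed member is the offline device, and it is stale.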

9 hours ago, MartinK said:

...so even if current state is confusing and it is an unplanned change, it might be considered as more precise, as it communicates real state from the devices.

Unfortunately, it is quite the opposite. I have a dynamic group that is supposed to contain only clients with the latest agent (criteria "agent = 11.4.1107.0") and it's full of clients with earlier versions.

To add to the confusion there is no way to sort by or even display the agent version so I have no idea which clients are in fact running the latest agent.

This makes it so we can't run tasks on these groups because the clients present aren't meeting the defined criteria to run those tasks.


  • ESET Staff
18 hours ago, j-gray said:

Unfortunately, it is quite the opposite. I have a dynamic group that is supposed to contain only clients with the latest agent (criteria "agent = 11.4.1107.0") and it's full of clients with earlier versions.

To add to the confusion there is no way to sort by or even display the agent version so I have no idea which clients are in fact running the latest agent.

This makes it so we can't run tasks on these groups because the clients present aren't meeting the defined criteria to run those tasks.

Just to clarify, because I might have misunderstood the use case, but are those tasks to be executed assigned to a dynamic group (i.e. dynamic group trigger), or are those tasks assigned to specific devices as seen in the console? I would expect the first one should not be affected by this issue, i.e. there was no change in the behavior ... but the second one is of course affected.
As the rollout is already ongoing, I hope this issue will be resolved in the upcoming days, but a workaround might be to filter AGENTs with a specific version in legacy reports (like the older ESET Applications dashboard), where the drilldown is capable of showing those devices also in the "computers" screen, but in a less practical way...


7 hours ago, MartinK said:

Just to clarify, because I might have misunderstood the use case, but are those tasks to be executed assigned to a dynamic group (i.e. dynamic group trigger), or are those tasks assigned to specific devices as seen in the console?

It can be either. Typically we only want to run certain tasks on workstations that meet specific criteria. A staged upgrade, for example. The task trigger may be manual, on group join, or on a cron schedule. We frequently use both of the latter two triggers on a group to catch already joined systems that are offline.

 

