Eset Remote Administrator Agent 6 for image



I am using the method referenced below to clone virtual desktops but am having trouble getting the dynamic group to populate correctly. The template that I have has a list of NAND not equal to a specific list of master image MAC addresses.

 

The problem is, when I clone, even though the new machines have different MACs, they never populate into the dynamic group. Instead, I see in the details of the master image, multiple NICs with unique MACs. Have I written my template wrong?

 

 

 

If the server cleanup task is run and this client is removed from the ERAS will this task still run when "A" that no longer even exists in the ERAS connects?

 

Yes, you are right and it won't work. Actually previous example was not practical, but was showing what will go wrong.

 

My favorite procedure for this scenario (cloning live image) is:

  • Install AGENT on base image and let it normally connect to ERA
  • Create special static group for base image computer(s) (i.e. "Base images")
  • Create dynamic group template "Non base image", that will never be matched by base image(s): for example add condition on MAC address or other identifier distinguishing your base images
  • Create dynamic group "Clones" under static group "Base images" containing only base images using dynamic group template from previous step. Group should be empty if everything is configured properly.
  • Attach reset cloned agent task to this dynamic group

Now when you clone base image, it will match condition of dynamic group because used identifier will be different and thus it will run reset task -> this will happen almost immediately after AGENT startup, most probably prior to any attempts to connect to SERVER because dynamic groups are autonomous once received by AGENT.

 

Link to comment
Share on other sites

  • ESET Staff

 

Problem with cloning in ERAv6 is that logs from multiple machines (base image + its clones) are shown in ERA server as if they were generated on one client, and what is even worse, they are merged or overwritten in undefined order. This is reason why you see multiple NICs for base image - it is most probably merge of data from all clones and this is something you won't be able to prevent. This may be also reason why you do not see computers in correct dynamic group, because clones are most probably reporting "matching" and base image is reporting "not matching". This means that even if your dynamic group is defined correctly and there are computers in this group, you may not be able to see it properly in Webconsole. Advantage in this case is that dynamic groups are populated on clients, therefore if you attach task or configuration policy to this group, it will be properly applied to clients.

 

Unfortunately I am not able to answer your question without more details. I guess you attached client task to this dynamic group, and in case it is not executed, there is high probability that either task or dynamic group are not properly configured. In case you have doubts about dynamic group matching I recommend to enable full trace logging on one of cloned clients (i.e. using dummy traceAll file or using configuration policy) and search for "Dynamic group template" in trace.log after AGENT's service is restarted. Outputs of dynamic group's processor may be quite hard for human to read (search for weird json-like lines), but it should contain dynamic group configuration, AGENT's inputs and results.

Link to comment
Share on other sites

I guess I need some help with the logic on my dynamic template. The template that I have created says: NAND, not equal to MAC address. This is applied to a dynamic group that I have created under a static group containing my master images. With only my masters in the folder, the dynamic group is empty, which is expected. However, when I clone (in my case recompose linked clones) the clones end up in Lost and Found instead of the dynamic group that I have created.

 

I have just enabled logging via policy but can someone help me understand the flaw in the logic that's causing the clones to end up in the wrong group?

 

Also, where does the output of the logging go when using the ERA appliance?

Edited by mickeyshowers
Link to comment
Share on other sites

  • ESET Staff

When computers are appearing in Lost&Found group after image is cloned, everything works as expected - it means that "Reset cloned task" was successfully executed. In case of this task failure (or in case it won't be executed) you won't be able to see clones in Webconsole as all of them will be shown only as one entry (= base image entry). Once computers match dynamic group, they almost immediately change their unique identification and thus they will be considered by ERA as newly installed AGENTs with entries automatically created in Lost&Found group. This also results in fact that you will most probably never see any computer in this dynamic group as once computer will join it, attached processes will make it leave this group ...

Unfortunately there is currently no way how to move computers between groups automatically except using AD/LDAP synchronization task.

Is there any specific reason for you to show cloned machines (even after reset) in dynamic group?

Link to comment
Share on other sites

  • 1 year later...
On 5/11/2016 at 10:21 PM, MartinK said:

 

Yes, you are right and it won't work. Actually previous example was not practical, but was showing what will go wrong.

 

My favorite procedure for this scenario (cloning live image) is:

  • Install AGENT on base image and let it normally connect to ERA
  • Create special static group for base image computer(s) (i.e. "Base images")
  • Create dynamic group template "Non base image", that will never be matched by base image(s): for example add condition on MAC address or other identifier distinguishing your base images
  • Create dynamic group "Clones" under static group "Base images" containing only base images using dynamic group template from previous step. Group should be empty if everything is configured properly.
  • Attach reset cloned agent task to this dynamic group

Now when you clone base image, it will match condition of dynamic group because used identifier will be different and thus it will run reset task -> this will happen almost immediately after AGENT startup, most probably prior to any attempts to connect to SERVER because dynamic groups are autonomous once received by AGENT.

Hi MartinK, 

I've used your scenario for cloning, but something goes wrong.

Here's my folder organization :

- Main folder

------------------ Master folder

---------------------------------------- Dynamic group with reset task and detection rule

I've installed the agent on my master, let it register with the ERA, placed it in my master folder and turned it off.

When my clone connects to the ERA server, it is identified as my master server.

Because it doesn't have the same MAC/IP it is moved to the dynamic group and receives the reset task.

After, a new entry in my main folder is created with the name of the clone server, but that's all.

The cloned server continues to reset the SID and is registered endlessly to my ERA, and creates a new entry each time.

Can you help me with that?

Don't really know what's happening because there is no task linked to the main folder.

Link to comment
Share on other sites

Hi Guys,

The agent installer actually has a "hidden" flag to specify a custom GUID during installation (P_CMD_PRODUCT_GUID). Whenever we deal with these situations we use that flag to specify the MD5 hash of the computer name as GUID, and re-install the ERA agent every time the image is "refreshed". For this we use the following PowerShell script: 

For the base image, we make sure to pre-install the endpoint security software, but not activate it. Then, we use a GPO to run the above mentioned script upon boot. This will install the agent and base the GUID on the system hostname. The result of this is that you won't have to use a "Reset" task. There are some downsides though:

  • You will have to create an automatic task to activate the endpoint upon first connection. This is not a big problem but might potentially cause high traffic towards the ESET activation servers.
  • Tasks that use the "ASAP Trigger" will re-run every time an image is refreshed, because the new agent thinks the task has not been executed yet.

Other than that, it seems to work just fine without the need for removing double entries. But please, only use at your own risk and test first :).

Edited by dmenl
Link to comment
Share on other sites
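
An added example of the approach described in the post above: derive a stable GUID from the MD5 of the computer name and pass it to the agent installer through P_CMD_PRODUCT_GUID. It is not dmenl's script (that script is missing from the page) and not ESET code. The function names, the MSI path placeholder, the UTF-8 encoding, the upper-casing of the name and the hyphenated GUID layout are all assumptions of this example; the only installer property taken from the post is P_CMD_PRODUCT_GUID.

```powershell
# Added illustration; not the script referenced in the post.
# Derives a deterministic agent GUID from the computer name (MD5 -> GUID text).
function Get-HostnameGuid {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Normalise case so "vdi-01" and "VDI-01" yield the same GUID (assumption).
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($ComputerName.ToUpperInvariant())
    $md5 = [System.Security.Cryptography.MD5]::Create()
    try {
        $hex = -join ($md5.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') })
    } finally {
        $md5.Dispose()
    }
    # 32 hex digits parse as a GUID in "N" format; ToString() returns 8-4-4-4-12.
    return [guid]::ParseExact($hex, 'N').ToString()
}

# Builds the msiexec argument list for a silent install with the derived GUID.
function Get-AgentInstallArguments {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    if (-not (Test-Path -LiteralPath $MsiPath)) {
        throw "Agent installer not found: $MsiPath"
    }
    $guid = Get-HostnameGuid -ComputerName $ComputerName
    # Server address, certificates and any other installer properties the
    # deployment needs are not on the page and are deliberately not shown.
    return @('/i', "`"$MsiPath`"", '/qn', "P_CMD_PRODUCT_GUID=$guid")
}

# The GUID is a pure function of the name: two machines that share a computer
# name will present the same identity to the server, so names must be unique.
Write-Output ("GUID for {0}: {1}" -f $env:COMPUTERNAME, (Get-HostnameGuid))

$msi = 'C:\Path\To\agent-installer.msi'   # placeholder path, replace before use
if (Test-Path -LiteralPath $msi) {
    $installArgs = Get-AgentInstallArguments -MsiPath $msi
    # Print the command for review; uncomment Start-Process to run it.
    Write-Output ("msiexec.exe " + ($installArgs -join ' '))
    # Start-Process msiexec.exe -ArgumentList $installArgs -Wait
}
```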

This topic is now closed to further replies.