
ESET Admin 6.3 - Filtering OU's and pushing out updates



Version:

 

ESET Remote Administrator (Server), Version 6.3.136.0
ESET Remote Administrator (Web Console), Version 6.3.114.0

 

I recently had to reinstall ESET 6 due to the GUI not loading for some reason on an older install (IT consultant, I was brought in to help clean things up a bit).

 

Now the system is picking up all of the computers on the network but there are some issues I was hoping some of you could assist me with?

 

1. Under Admin\Server Tasks I have the Static group synchronization set up to run, and under the SYNCHRONIZATION SETTINGS I have populated the EXCLUDED DISTINGUISHED NAME(S) with several OUs I do not want the system to scan. However, the system seemed to scan them anyway and now I have a bunch of systems in the ESET Admin that I do not want to show. I have deleted some as a test but they seem to keep coming back. Is this the proper way to exclude devices from the ESET system?


 

 

2. Since redoing the system, I set up the post-setup tasks to deploy the agent to all devices I had wanted, to be sure they registered with the new ESET server, which for the most part the system did, 60 out of 100 licenses consumed. However, I have several systems that refuse to report within the ESET Admin as protected, or will not get updates from the ESET Admin system. I have manually uninstalled and reinstalled the client, cleanly generated from the ESET Admin, tried to push out via the ESET Admin console and tasks, but they still fail to update?

 

Any thoughts to assist me would be great!


  • ESET Staff

Hi @mbartlett,

 

Good to see someone who gives data from the start about the problem.

Thanks for that! Kudos to you!

 

I can't answer point 1; however, on point 2:

  • Did you check that the ports ESET needs are open?
  • Endpoint Security or Antivirus?
  • Is the firewall allowed to pass ESET data?
  • Increase the level of the logs and send the task again, check the log and get back to us.

You are very welcome Gonzalo, being in IT you learn more info is often better than less!

  • Firewall policy is the same across all computers, this is all within 1 location on the same LAN / Subnet, ports are open as needed (will double check just in case but GPO policy has not changed for firewall devices)
  • Endpoint Antivirus is what the end users get
  • These systems did previously work and connect fine with the old system they reported to, so they should have all access needed.
  • Will adjust the logging level and see what is reported back, hopefully something I am missing.

Could this also be related to if the last Admin console was set to not update versions of the local AV? Should I create a new policy to be sure all systems are forced to update their base application version?


  • ESET Staff

Hi @mbartlett,

 

Could this also be related to if the last Admin console was set to not update versions of the local AV?

 

My guess is no.

Nevertheless, did you try this already?

 

  https://help.eset.com/era_admin/63/en-US/index.html?fs_agent_deploy_troubleshooting.htm

 

If I were there, I would do this:

  • Create a new group "not reported machines"
  • Move all terminals listed but not responding or with troubles there (in order to have easy access to all).
    Note: as this new group doesn't have policy settings, previous ones are gone.
  • Create the policy of the link for the group, not the terminals. After you finish the policy, the agents
    should apply it automatically on all terminals within the group.
  • Wait for changes, like 10 to 20 minutes.
  • Try the "send a call to the agent"

Also search for this file (log) on the terminal that doesn't report...

 

  "C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs\status.html"

 

Let me know what happens.

When an Agent is sent from ERA to a terminal, it takes control and overrides the previous ones, also if you have a policy or configuration set (on the ERA group).

Reading other threads, I never asked... Is it a Windows Server or Linux Server?

Did you reboot the server machine (just in case)?

Edited by Gonzalo Alvarez

  • 3 weeks later...
I did as you suggested and I was able to get several more systems properly imported and showing.

 

Now though I noticed another issue. It seems ESET Admin Console is not always updating the IP/DNS that a computer has. I have had 3 computers all reporting as not updated, in red. When I checked the computer, in DNS and just a ping from PowerShell on the ESET Windows server, they show a different IP than what ESET Console shows... Thus ESET thinks the system is not updated or reporting correctly.

I have rebooted the server, done an ipconfig /flushdns but ESET seems to keep getting some systems' IPs wrong....

Any thoughts on how ESET is getting the IP when resolving NetBIOS names, I presume it is an nslookup....

The 2nd issue is still occurring. I have set the EXCLUDED DISTINGUISHED NAME(S) for when ESET syncs with what computers to pull from AD, and I have excluded all Servers which sit under an OU= on their own, but ESET keeps pulling them in anyway... as if it is ignoring the EXCLUDED DISTINGUISHED NAME(S) settings altogether

 

And on top of that I have my DISTINGUISHED NAME set to one OU below the root, so it should not even be looking outside that directory, but is...

 

mydomain.local

----My computers  <---- is what my DISTINGUISHED NAME is set to look in

----My Servers    <--- is set under EXCLUDED DISTINGUISHED NAME(S)

 

but it is still pulling My Servers

Edited by mbartlett

Here is an example. I have deleted this entry on the .48 IP about 6 times in the last hour and it keeps coming back. I choose to deactivate the device and then delete it and it comes back, but as you can see the proper device is there and picked up properly...

 

 


  • ESET Staff


 

A managed computer will be re-created each time it connects to the ERA server -> you have to uninstall the AGENT from this machine. In case both clients with the same name are connecting, one of them will most probably be wrongly named and there will be two different AGENT installations = two different computers. Please check the computer identifier in the client details view to find out which one is correctly named.


  • 2 weeks later...

I have servers that do not have any agent installed and are not managed, also their OU is excluded from being scanned but they keep appearing.


  • ESET Staff

I am not sure, as it is not clearly visible from your screenshot, but the AD synchronization task expects absolute (full) distinguished names for excludes. This means all excludes should also contain the DN you specified in the "Distinguished Name" field.

In case you won't be able to make it work, please provide the full DN name of a specific server and other parameters -> you may of course replace sensitive information with something else, but please replace it with the same word in all distinguished names so that we can compare them.


Thank you for the reply, Martink. Below are the SYNCHRONIZATION SETTINGS. The systems that keep coming back are under the OU

 

OU=Member Servers,DC=mydomain,DC=local,

SYNCHRONIZATION SETTINGS

DISTINGUISHED NAME
OU=MyMainDomain,DC=mydomain,DC=local

EXCLUDED DISTINGUISHED NAME(S)
OU=MyDomain-CRM4,DC=mydomain,DC=local, 
OU=MyLocation Users,DC=mydomain,DC=local, 
CN=Computers,DC=mydomain,DC=local, 
OU=Domain Admins,DC=mydomain,DC=local, 
OU=Domain Computers,DC=mydomain,DC=local, 
OU=Domain Controllers,DC=mydomain,DC=local, 
CN=ForeignSecurityPrincipals,DC=mydomain,DC=local, 
OU=Global Contacts,DC=mydomain,DC=local, 
OU=Groups,DC=mydomain,DC=local, 
CN=Managed Service Accounts,DC=mydomain,DC=local, 
OU=Member Servers,DC=mydomain,DC=local
  
Edited by mbartlett
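
The condition from the ESET staff reply (every exclude should contain the DN from the "Distinguished Name" field), checked against the settings posted above. This is an added example, not part of either post and not ESET code: the function names are hypothetical, `SRV01` is a constructed object name, and how ERA itself matches excludes is not shown in this thread.

```python
import re

# Settings as posted above (the wrapped OU=Groups entry rejoined).
BASE_DN = "OU=MyMainDomain,DC=mydomain,DC=local"
EXCLUDES = """\
OU=MyDomain-CRM4,DC=mydomain,DC=local,
OU=MyLocation Users,DC=mydomain,DC=local,
CN=Computers,DC=mydomain,DC=local,
OU=Domain Admins,DC=mydomain,DC=local,
OU=Domain Computers,DC=mydomain,DC=local,
OU=Domain Controllers,DC=mydomain,DC=local,
CN=ForeignSecurityPrincipals,DC=mydomain,DC=local,
OU=Global Contacts,DC=mydomain,DC=local,
OU=Groups,DC=mydomain,DC=local,
CN=Managed Service Accounts,DC=mydomain,DC=local,
OU=Member Servers,DC=mydomain,DC=local
""".splitlines()

def parse_dn(dn):
    """Split a DN into case-folded (attr, value) RDNs; an escaped comma stays in its value."""
    dn = re.sub(r"(?<!\\),\s*$", "", dn.strip())  # drop a trailing list-separator comma
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.partition("=")
        if not (sep and attr.strip() and value.strip()):
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.strip().casefold(), value.strip().casefold()))
    return tuple(rdns)

def is_under(dn, base):
    """True when dn is base itself or sits below it, compared RDN by RDN."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def excludes_outside_base(base, excludes):
    """Excludes that do not contain the base DN (the condition in the staff reply)."""
    return [e.strip().rstrip(",") for e in excludes if not is_under(e, base)]

def classify(computer_dn, base, excludes):
    """Where a computer object falls relative to the sync settings."""
    if not is_under(computer_dn, base):
        return "outside-base"
    if any(is_under(computer_dn, e) for e in excludes):
        return "excluded"
    return "in-scope"

if __name__ == "__main__":
    for e in excludes_outside_base(BASE_DN, EXCLUDES):
        print("not under base DN:", e)
    # Constructed object name under the OU the poster says keeps coming back.
    print(classify("CN=SRV01,OU=Member Servers,DC=mydomain,DC=local", BASE_DN, EXCLUDES))
```

Run as a script, it lists every posted exclude as not under the base DN and reports the constructed server object as `outside-base`.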

 

Here is an example. I have deleted this entry on the .48 IP about 6 times in the last hour and it keeps coming back. I choose to deactivate the device and then delete it and it comes back, but as you can see the proper device is there and picked up properly...

A managed computer will be re-created each time it connects to the ERA server -> you have to uninstall the AGENT from this machine. In case both clients with the same name are connecting, one of them will most probably be wrongly named and there will be two different AGENT installations = two different computers. Please check the computer identifier in the client details view to find out which one is correctly named.

 

 

I did check and you are right; while in the Windows that ERA is installed on an nslookup shows the correct info, ERA shows the wrong host name / IP association. Will review each one and clean them out and see how that goes.


So a complete oversight on my behalf. In this location users have access to wireless and wired connections on desktops and Surfaces, so sometimes if they dock they get wired, and thus a different IP on a different subnet, but DNS not always being instant to update, ERA sees the last IP it can, and it may not be the active IP on that range at the time. And thus perhaps another device grabbed the IP as it expired (8-day limit).


  • ESET Staff


 

The computer name in ERA is not dynamically changing - it is based on reverse DNS resolution of the IP address from which the AGENT connected for the first time (especially in case computers are created in the Lost&Found group). In case computers are changing names over time, you may use the "Computer renaming" task to rename computers based on the hostname they are reporting - this task is most probably configured to be executed automatically only over the Lost&Found group.


I did check and the computer renaming is enabled and set as a task as you noted. Seems the rDNS is not updated as frequently perhaps as would be ideal for this type of setup. All of the DNS options are enabled for updating PTR and A records and removing them as things change.

This topic is now closed to further replies.