ESET Endpoint Antivirus v5.0122.1 and LogMein

Hello

We just started deploying the new version of ESET Endpoint Antivirus (v5.02122.1)

We recently started noticing that when we use LogMeIn we are unable to use the ctrl+alt+del function to login into the system. Doing a search online we noticed multiple users having the same problem when using logmein and ESET Endpoint Antivirus. The only way to resolve this is by disabling HIPS.

System info

Win 7 Professional 64bit

Virus signature database: 7286 (20120710)
Update module: 1041 (20120430)
Antivirus and antispyware scanner module: 1363 (20120702)
Advanced heuristics module: 1121 (2011120
Archive support module: 1147 (20120620)
Cleaner module: 1057 (20120626)
Anti-Stealth support module: 1030 (20120322)
ESET SysInspector module: 1224 (20120223)
Self-defense support module: 1018 (20100812)
Real-time file system protection module: 1006 (20110921)
Translation support module: 1064P (20120427)
HIPS support module: 1047P (20120419)
Internet protection module: 1035 (20120323)
Database module: 1019 (20120404)

 

Hi Ramirez1,

We also have LogMeIn rescue, but I haven't tried doing a login yet with the application. I'm assuming that you are using "install as a service" button before you do screen sharing?

 

We dont use Logmein rescue. We have LogMein free already installed and Logmein central to manage the systems. This only started happening when we updated the nod32 clients. This is also happening on a brand new build PC.

 

I don't have that product. What you *can* do however is take a test PC and enable logging of blocked actions.

Advanced Setup -> Computer -> Hips -> Advanced setup.

Replicate the action and then push a policy to allow that action on all computers.

 

You have several old modules installed. Try running a manual update and make sure that the HIPS and Internet protection modules update to a newer version.

 

I've done this and still not working. I also did a manual update

Here's the HIPS log

 

Do you have the HIPS module version 1052 and the Internet protection module 1041 installed now? If not, there's some problem updating your signature database. Do you update from ESET's servers?

 

Marcos - Is there an issue with ERA 5 pushing out module updates? I just checked my two Endpoint Antivirus machines that I am testing version 5 on and they both have HIPS module 1047p and Internet Protection 1035, both very old. If I update from my mirror, there are no updates. I then cleared the cache on ERA server and did an Update Now. Running update on the clients again isn't downloading any module updates.

This server was a migration from ERA 4 to 5. Possibly ramirez1 is having the same issue, hence the older modules.

 

Just confirmed that my ERA 5 mirror isn't sending module updates. Cleared cache on one client, updated from mirror and HIPS module was still 1047P, Internet Protection Module 1035.

Added username/password and cleared cache and updated from ESET Servers and HIPS module updated to 1052, Internet Protection to 1041.

 

Looks like it's a "known issue":

ESET Remote Administrator Mirror Server provides incomplete or outdated module version updates to client workstations (5.x)

 

Yes, that's why I asked if you update from ESET's servers. Just yesterday I tested a new service build of ERA5 which has this issue already fixed and should be released after it passes QA tests.

The easiest solution to this issue is to install Endpoint on the computer running ERAS, enable mirroring of update files and disable mirroring in ERAS temporarily. This way you won't need to adjust any settings on clients and the change will be transparent. When the new ERAS is available, you'll simply disable mirroring in Endpoint and enable it in ERAS.

 

After pushing the manual update the HIPS and Internet protection module updated

I'm still having the problem I reported.

I have these allowed HIPS rules

I still see this messages on the log

 

I'm still dealing with this issue and I've been troubleshooting with ESET Support.

Just an update for everyone:

 

Please provide the output of running the commands
set ProgramFiles
set ProgramFiles(x86)

 

This is the last info I provided to ESET TEch support.

 

The problem is you don't have LogMeIn installed in the default %ProgramFiles% folder (C:\Program Files) but on drive D:

 

I've updated ERAC/ERAS to the new versions, run an 'update now' from Tools > Server Options in ERAC, and then forced an update on my Endpoint client, but the modules still haven't updated correctly.

Is there something else I need to do to ensure that program modules update correctly in EEA?

edit: my client did pull down an update from ERAC, as it went from 7332 > 7333, but no modules updated.

 

Please check if you have the latest version of ERAS 5.0.122 installed.

 

Thanks, it's definitely been updated to 5.0.122 though. I just checked in Tools > Server Options

 

Yes installing LogMeIn on C: correct this issue but this means I'll have to hold on deploying Endpoint. We have over 500 systems with LogMeIn installed on D: and there's other programs as well.

I just replied to ESET technical support to see if this is something they will fix on some later release.

Thank You.

 

There's nothing to fix, just appropriate allowing rules need to be created. Try the following:
- on one computer, switch to learning mode for a while
- connect via LogMeIn
- check the rules created
- create these rules in the policy that is applied to clients connecting to ERAS

I'll inquire the devs about the rule that was created for LogMeIn in the latest HIPS module update.

 

We already tried the learning mode and it didn't work. For now the only solution is installing LogMeIn on C: which is a pain due to the amount of machine where we have it installed on D:

 

I just wanted to update everyone on this.

I noticed ESET Endpoint Antivirus 5.0.2126.0 was release and I decided to test it out.

I installed LogMeIn back on the D: partition and updates ESET to 5.0.2126.0


I can now use the Ctrl+ALT+DEL function.

Thank you