ActiveX problem

Discussion in 'ESET NOD32 Antivirus' started by smoke455, Feb 19, 2009.

Thread Status:
Not open for further replies.
  1. smoke455

    smoke455 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    11
    I just upgraded a workstation from v2.7 to 3.0.684 - everything seemed ok until she went to a website with an ActiveX application that she uses every day. The application gives an error that data was blocked, but nothing shows up in the ESET logs. I disabled NOD32, the app still won't work and still nothing in the logs. I used the Remote Administrator Console to add exceptions for that website in the policy manager. Added exceptions in policy for the IP address of the website she is going to - still won't work and no errors are logged. I uninstalled NOD32 and the website works perfectly.
    Any ideas of what to look at next?
     
  2. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    Try disabling active-mode HTTP scanning on IE if it is enabled. I've had that cause problems before.
     
  3. Rmuffler

    Rmuffler Former Eset Moderator

    Joined:
    Jun 26, 2008
    Posts:
    995
    Location:
    San Diego, CA USA
    Hello smoke455,

    Exclude the web address.

    Thank you,
    Richard
     
  4. smoke455

    smoke455 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    11
    I finally resolved the issue by going into Policy Manager in the Remote Administrator Console and removing port 80 from "ports used by HTTP protocol".

    I tried excluding the address, but it didn't help - may not have been entering it correctly tho... "*.company.com"
     
  5. smoke455

    smoke455 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    11
    I'm not sure where to find that setting in IE - I looked under options and didn't see it using IE7
     
  6. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    In NOD32, press F5 to open the advanced configuration page. Go to Antivirus and Antispyware, Web Access Protection, HTTP, Web Browsers, Active Mode and see if iexplore.exe is checked there. Uncheck it if it is, re-add port 80 to the HTTP protocol and see what happens.
     
  7. smoke455

    smoke455 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    11
    it is listed in there but it is not checked
     
  8. smoke455

    smoke455 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    11
    Does anyone know how to do this using the 'Policy Manager' in the 'Remote Administrator Console'? I need to make this change on several hundred computers, so traveling to each PC is not really an option.

    and BTW, SmackyTheFrog, you were right - that was the problem. I didn't see it at the time because for some reason it is checking iexplore.exe on some computers and not others.
     
  9. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    I've never looked into the Policy stuff, but it's easy to send a config file to each client....provided each client is configured to "phone home" to the server.

    All our clients contact the ERAS every 5 minutes, so policy distribution is easy. I'm sure it's easier with Policy stuff but this way works for us, and probably you too.


    Jim
     
  10. smoke455

    smoke455 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    11
    The problem was that I couldn't find where to make the exception in config files either...

    I finally found it under Personal Firewall, Setup, Rule Setup, Internet Browsers
    That location correlates to the client location of Antivirus and antispyware, Web access protection, HTTP, Web browsers.

    I'm wondering if there is documentation somewhere showing a map of the client settings and where you find those settings in the configuration editor
     
  11. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    It is possible, just a pain in the butt to do. Luckily you are only going to have to do this once.

    1) On a desktop client, set active mode on, then export out the configuration of that client to an XML. Call it active_on.xml or something. Then turn off active mode on IE and save out an active_off.xml configuration.

    2) Open each xml and search for iexplore.exe. There should be an APP_FLAGS= setting that changed (in my case, went from F to D when I turned it off, whatever that means). Remember that setting.

    3) Log on to your RAS server and stop the RAS service. Navigate to C:\Documents and Settings\All Users\Application Data\ESET\ESET Remote Administrator\Server\cache\policy\ and move the contents of this directory someplace else so the directory is blank but you can still get to them for recovery if need be.

    4) Navigate to C:\Documents and Settings\All Users\Application Data\ESET\ESET Remote Administrator\Server\storage\Policy_Configuration\00\00\00\ The files in this directory are your policy configuration files that have been re-named from .xml to .dat. Search through them to find references to iexplore.exe and change the associated flag. You might want to make a backup of this directory before you make manual edits.

    5) Restart the RAS service and you should be all set.


    When I encountered this problem, I resolved it by manually editing my cfg.xml so that new installs would be configured correctly and then pushed out a configuration change to only set that flag to the existing clients so those got fixed. I made that second xml that I pushed by editing out everything in the cfg.xml except the iexplore.exe line and its surrounding tags.
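Added example, not part of the original post and not ESET code: steps 1 and 2 above done as an attribute-level diff of the two exports, which also confirms that the browser's APP_FLAGS value is the only thing that changed before a configuration is pushed to clients. The sample XML is constructed; every element and attribute name except APP_FLAGS and iexplore.exe is an assumption, and real exports will be laid out differently.

```python
import xml.etree.ElementTree as ET

# Constructed stand-ins for active_on.xml / active_off.xml. Only APP_FLAGS,
# iexplore.exe and the F -> D change come from the thread; the layout is assumed.
ACTIVE_ON = """<ESET><SECTION NAME="HTTP">
  <NODE NAME="C:\\Program Files\\Internet Explorer\\iexplore.exe" APP_FLAGS="F"/>
  <NODE NAME="C:\\Program Files\\Mozilla Firefox\\firefox.exe" APP_FLAGS="D"/>
  <NODE NAME="PORTS" VALUE="80,8080,3128"/>
</SECTION></ESET>"""
ACTIVE_OFF = ACTIVE_ON.replace('iexplore.exe" APP_FLAGS="F"',
                               'iexplore.exe" APP_FLAGS="D"')


def index(xml_text):
    """Map a unique path key for every element to its attribute dict."""
    out = {}

    def walk(elem, prefix, pos):
        # Sibling position keeps keys unique, so no element can mask another.
        key = f"{prefix}/{pos}:{elem.tag}[{elem.get('NAME', '')}]"
        out[key] = dict(elem.attrib)
        for i, child in enumerate(elem):
            walk(child, key, i)

    walk(ET.fromstring(xml_text), "", 0)
    return out


def attribute_changes(before_xml, after_xml):
    """Return (element key, attribute, old, new) for each differing attribute."""
    before, after = index(before_xml), index(after_xml)
    changes = []
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key, {}), after.get(key, {})
        for attr in sorted(set(b) | set(a)):
            if b.get(attr) != a.get(attr):
                changes.append((key, attr, b.get(attr), a.get(attr)))
    return changes


def only_target_changed(changes, needle="iexplore.exe", attr="APP_FLAGS"):
    """True when the sole difference is `attr` on the element naming `needle`."""
    return (len(changes) == 1 and needle in changes[0][0].lower()
            and changes[0][1] == attr)


if __name__ == "__main__":
    for change in attribute_changes(ACTIVE_ON, ACTIVE_OFF):
        print(change)
```

If the second export also differs elsewhere, for example port 80 missing from the HTTP port list, `only_target_changed` returns False and the extra change shows up in the list for review.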
     
  12. smoke455

    smoke455 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    11
    So far I have been able to push out the exception to clients using "Personal Firewall, Setup, Rule Setup, Internet Browsers", adding iexplore.exe and marking it to be excluded.

    I'm printing out your information tho... not sure how long it will be until I get the next phone call about another app not working...
     
  13. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    Completely excluding Internet Explorer from scanning isn't a great idea; it essentially means that the traffic isn't being scanned by the HTTP module at all. The instruction I gave will change the browser scanning from Active Mode, which can cause conflicts with some people, to Passive Mode which is much less likely to have conflicts. This way you will still have scanning for what comes in over HTTP to the browsers, which is a huge vector for nasty stuff these days.
     
  14. smoke455

    smoke455 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    11
    ah, thanks - I'll get to work on that
     