Blue Dot beside some settings

Discussion in 'ESET Endpoint Products' started by rockshox, Jul 2, 2012.

Thread Status:
Not open for further replies.
  1. rockshox

    rockshox Registered Member

    Joined:
    Oct 23, 2009
    Posts:
    261
    In reference to this thread here that was never answered: https://www.wilderssecurity.com/showthread.php?t=235175&highlight=policy blue

    I just upgraded our ESET servers to version 5 and am creating a new policy for our Endpoint Antivirus clients. I set up a client and configured it exactly the way I wanted, exported the settings, and imported them into a new blank policy. Unfortunately, the import cleared all the settings for "Potentially Unwanted Applications". While getting those set back up, I found I keep getting a blue dot when I try to enable Potentially Unwanted Applications via policy for the E-mail scanner. Did anyone ever figure out what the blue dot means?

    [Attachment: eset_blue_dot_01.jpg]
     
  2. rockshox

    Marcos - After looking into this further and comparing the XML generated by Endpoint Antivirus vs. the XML being generated by ERA, there appears to be a problem with the XML being generated by ERA, specifically for scanners 1020200/1020201 (Email) and 1030200/1030201 (Web Access). Have there been any other reports of this issue with ERAS?

    Code:
        <SCANNER ID="1020200">
         <PROFILES>
          <NODE NAME="Enable" VALUE="0" TYPE="DWORD" />
         </PROFILES>
        </SCANNER>
        <SCANNER ID="1020201">
         <PROFILES>
          <NODE NAME="Enable" VALUE="0" TYPE="DWORD" />
         </PROFILES>
        </SCANNER>
        <SCANNER ID="1030200">
         <PROFILES>
          <NODE NAME="Enable" VALUE="0" TYPE="DWORD" />
          <NODE NAME="@My profile" TYPE="SUBNODE">
           <NODE NAME="HeuristicsEnable" VALUE="1" TYPE="DWORD" />
           <NODE NAME="AdvancedHeuristicsEnable" VALUE="1" TYPE="DWORD" />
           <NODE NAME="UnwantedEnable" VALUE="1" TYPE="DWORD" />
          </NODE>
         </PROFILES>
        </SCANNER>
        <SCANNER ID="1030201">
         <PROFILES>
          <NODE NAME="Enable" VALUE="0" TYPE="DWORD" />
         </PROFILES>
        </SCANNER>
       </SCANNERS>
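
One way to run the comparison described in this post, as an added example (not part of the original thread and not ESET code): it parses a policy export, reports which scanner IDs carry no profile that sets UnwantedEnable, and diffs two exports. It assumes only the element and attribute names visible in the excerpt above; the sample wraps those entries in a SCANNERS root so it parses stand-alone, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the four scanner entries quoted in the post, compacted
# and wrapped in a <SCANNERS> root so the fragment parses on its own.
SAMPLE_POLICY = """<SCANNERS>
<SCANNER ID="1020200"><PROFILES><NODE NAME="Enable" VALUE="0" TYPE="DWORD" /></PROFILES></SCANNER>
<SCANNER ID="1020201"><PROFILES><NODE NAME="Enable" VALUE="0" TYPE="DWORD" /></PROFILES></SCANNER>
<SCANNER ID="1030200"><PROFILES>
 <NODE NAME="Enable" VALUE="0" TYPE="DWORD" />
 <NODE NAME="@My profile" TYPE="SUBNODE">
  <NODE NAME="HeuristicsEnable" VALUE="1" TYPE="DWORD" />
  <NODE NAME="AdvancedHeuristicsEnable" VALUE="1" TYPE="DWORD" />
  <NODE NAME="UnwantedEnable" VALUE="1" TYPE="DWORD" />
 </NODE>
</PROFILES></SCANNER>
<SCANNER ID="1030201"><PROFILES><NODE NAME="Enable" VALUE="0" TYPE="DWORD" /></PROFILES></SCANNER>
</SCANNERS>"""


def scanner_settings(xml_text, setting="UnwantedEnable"):
    """Map each SCANNER ID to {profile name: value} for one setting.

    An empty dict means no profile under that scanner sets it at all.
    """
    result = {}
    for scanner in ET.fromstring(xml_text).iter("SCANNER"):
        per_profile = {}
        # Profiles appear as SUBNODE entries directly under PROFILES.
        for profile in scanner.findall("./PROFILES/NODE[@TYPE='SUBNODE']"):
            for node in profile.findall("NODE"):
                if node.get("NAME") == setting:
                    per_profile[profile.get("NAME")] = node.get("VALUE")
        result[scanner.get("ID")] = per_profile
    return result


def missing_setting(xml_text, setting="UnwantedEnable"):
    """Scanner IDs where the export never mentions the setting."""
    found = scanner_settings(xml_text, setting)
    return sorted(sid for sid, profiles in found.items() if not profiles)


def diff_settings(client_xml, policy_xml, setting="UnwantedEnable"):
    """Scanner IDs whose value for the setting differs between two exports."""
    client = scanner_settings(client_xml, setting)
    policy = scanner_settings(policy_xml, setting)
    return sorted(sid for sid in client.keys() | policy.keys()
                  if client.get(sid) != policy.get(sid))
```
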
     
  3. rockshox

    Opened a case with ESET support regarding this issue (Case #896423). I was told that the Potentially Unwanted Applications was on by default and that I didn't need to mark the item and push it via policy.

    I really don't agree with this answer and believe that I should be able to enable/disable this option via policy. As a test I pushed a clean install and found these options were not enabled by default.
     
  4. rockshox

    Marcos - You mentioned in another thread that you are testing the new build of ERAS server. Can you please check that the PUA can be enabled/disabled via Policy pushed via ERAS 5 to an Endpoint Antivirus client.
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I assume you didn't change the setting for all email clients in the Configuration Editor, hence the blue dot.
    By the way, is there any reason for disabling potentially unwanted applications? For instance, they also cover rogue software that doesn't cause any harm to the user's files or system.
     
  6. rockshox

    Yes, I did try that actually. I had a suspicion that maybe the blue dot meant that something was enabled and just not everything, so I turned on PUA for all e-mail clients and still received the blue dot. I also thought that I must be missing something else that is required, so I set up the Endpoint client exactly the way I wanted it, exported the config, and imported the config into a clean policy, figuring now I would have all the settings I need. I set the policy on my client and as soon as it checked in, PUA was unchecked and I received the blue dot.

    I used the option in ERAS to view the XML for the policy and in analyzing the two, I found that the XML from Endpoint clearly is not the same as the XML that the ERAS Policy Manager is showing, which I believe is the problem.

    When you install Endpoint Security by running the installer manually, you get a question asking to either enable/disable PUA. Selecting to Enable PUA works and all PUA options are enabled. However, I am not going to manually install the client on 150-200 workstations so I want to push it from ERAS. If you push Endpoint Security from ERAS, PUA is not enabled for the E-mail or HTTP scanners. Hence the need to enable it via policy.

    Secondly, there are settings in Endpoint that we feel are critical to be enabled. What we do is mark these in the policy so just in case one of the techs is troubleshooting an issue and turning things on/off to test, when the client checks back in the policy settings will be set back to as we intended. The scan engine settings are ones that we definitely mark and had no problems having these sent via policy in version 4, worked great for the last 3 years.
     
  7. rockshox

    Tested with ERA v5.0.122.0 and Endpoint Antivirus 5.0.2126.0 and this is still a problem. Potentially Unwanted Applications for both the Email Client Protection and Web Access Protection cannot be enabled/disabled via Policy without a blue dot showing up and the box becoming unchecked.
     