Feedback on installing NOD32 at a client's location

First let me apologize for this rather long winded post. I will be doing my first NOD32 installation at a client this week and have a couple of questions regarding what is the best way to handle the configuration. This client has two separate locations each running Windows 2003 Server for database application (MS Exchange not being used). One location has 3 XP Pro workstations and the other has only 2 machines. The client machines are using the DHCP of the Win2k3 server. The only time I visit their sites is if they call me in on a problem. They have no other IT person per se and the users are not techies.

I purchased a 5 client Enterprise package for the 2 workstation location from a reseller here and I may install RAS on the Win2k3 server so that I have some means of capturing event information. Otherwise I will just do separate installations on each machine and have them independently update themselves.

I was wondering if I could get some feedback, from the other people who install NOD32 on systems on following items:

1) The licensing information that ESET generates i.e. User Name and Password along with the download location of the files etc. Is it your normal practice to either give the client a hardcopy or email them this information?

2) Since there is no IT tech on location at this client and I am only called in when they need something done would it still be advisible to set the component update option on all machines to b) rather than either a) or c):

a) Perform program component upgrade if necessary for proper virus
database function - Upgrades automatically only if the upgrade is necessary
for antivirus functions.

b) Notify before program components upgrade - Always display a
confirmation message before upgrading any executables.

c) Perform program component upgrade if available.

I came across the following thread regarding option c) and the drawback that it causes when the computer updated is a server https://www.wilderssecurity.com/showthread.php?t=85859&highlight=component automatic update .


3) Since the users are computer savy I was thinking of password protecting the settings and possibly giving only the office manager the password.


Any feedback regarding these 3 items is greatly appreciated.

 

I have the licenses sent (e-mail) to the client as well as myself when I place the order. It's good to give them a copy...in case you get run over by a bus...your client has proof of the licenses. That way the next IT guy has an easier time taking over their IT needs. I do this well everything related to their network..always keep a typed up "IT Notes" ...the guy who replaces if I get hit by a bus can take over their network by reviewing my notes in a few minutes.

If this is your first install...I'd recommend going onsite..unless you are comfortable with a remote control program We discussed remote admin in some other threads....I prefer to have VPN access to all my clients, and remote desktop or UltraVNC once I VPN in. I believe this is not an option for you...and since it's your first install of this..you might want to do it onsite because of greater ease..than trying to tackle something the first time remotely..one at a time. But if you need to do it remotely..and don't have VPN access...I purchased GoToMeeting for myself for this purpose..I used it again today to help a client who had a major issue out on an island..I wasn't able to get there physically for a few days. Did GoToMeeting...within about 2 minutes I was looking at her desktop and fiddling with her machine. Fiddled for about 45 minutes...got the job done, she was satisfied for the quick resolution..and BAM...$100.00 in my pocket.

I always setup auto program updates on workstations. It's on servers that I don't...since servers can run a few weeks or months or more without rebooting.

Since these networks are so small..eh...I dunno...run RAS/RAC..or run them all stand alone. Close call. Myself I'd tend to run RAS/RAC..at least on the main office. You have another issue to ponder though..since you haven't done a RAS/RAC install yet where you can deploy the install quickly...and this client seems to be far away from ya...it's up to you wether you want to "try to install it..with your client looking over your shoulder and wondering what you're having a problem with"..or "quickly deploy some stand alone installs".

 

Too bad the person who originally set this system up never did that. Would of saved me some time as well <g>.

Hmm interesting point. So workstations perform an autoupdate of the component and a server is set to Notify of Component Update?

The only RAS/RAC installs that I have done is on my testbed server config here at my office. Actually the client is not that far away from me. Regarding the client looking over my shoulder in the past they have gone about their work. I figured at least with RAS/RAC I would have one spot that would accumalate problem/incidents for the LAN rather than me having to look at each workstation separately. You are right though that in this particular case the standalone install would work on each computer.

 

Yeah...my logic there is...the workstations are higher risk..and are more prone to being rebooted....or powered off end of day, powered on in the morning. Etc. I encourage this and try to drill it into the heads of my clients...not because of stability issues...as since Win2K came out..you can run your rigs without reboot for months...a year or more...not like the memory instability of Win95. But I encourage it..due to the frequency, and importance, of keeping Windows updates going, and also antivirus updates. I strongly encourage them to watch the Windows Update notification in the systray. NOD32's dialog will prompt for a restart if the program update requires one anyways.

As for servers...my logic here is that they sit unattended for long periods of time. Often many of them go unlooked at..except when I remote in and check them as part of my maintenance package. This can be once a week, or once a month or so..depending. If a program component upgrade requires a restart...that means the antivirus services may be stopped..or not running in an optimal state...until you reboot. Now...you certainly don't want this to be like this for a long period of time. Expecially true on a Small Business Server or another server running MS Exchange. So I prefer to control that..perform the update when I'm doing other updates and bouncing the server.

Might be worth your while, if you wish to consider RAS/RAC...to give yourself RDC access. Naturally asking the clients permission...I've never heard one not agree with it. You sell it as being a benefit to them...you can help them remotely, much easier. Monitor things. If they need something simple done...you can remote in..do it in a short period of time...and charge them less..since you're not charging for travel time. Ends up being a win-win for all...gives you more control..so you can actually do more..and in the end actually bill more!

 

Quick question regarding the component updates automatically being applied to the workstations. That is controlled by the NOD32 which is installed on each workstation and is set under TYPE OF UPDATE under the UPDATE settings. For the workstations this would be set to apply component updates automatically. On the mirror server I would assume that under the same SETUP item i.e. TYPE OF UPDATE that would be set to OFFER the Component Update.

However what about under the MIRROR | SETUP where there is an option which has a check box that says "Require Permission to Perform Program Component Upgrade"? Is this just for the workstations or all of the computers? In other words should this be checked or unchecked in this situation?

Re RDC access I will give that some thought as one can always do with more revenue <g>.

 

Component Upgrades will not be included in the mirror set if that box is checked, at lease not until you give the required permission (manually)

Cheers

 

So leave the box unchecked on the Mirror Server and to prevent the Win2k3 server from automatically updating itself with new components have the SETUP | TYPE OF UPDATE that would be set to OFFER the Component Update. On each of the workstations (small number) I would set UPDATE |TYPE OF UPDATE to Automatic.

Sorry for rehashing the question but since this is my first Enterprise installation I want to ensure I do it correctly <g>.

 

Well the installation went fairly smoothly for the RAC/RAS and the installation on the workstations. However I had to disable Advanced Heuristics as NOD was flagging the clients main app as a "probably unknown NewHeur_PE virus" and even though I added this file to the AMON exceptions list NOD32 still quaratined it. Have submitted the file to ESET to see what the problem is.

Why is the exception list not being used for the Adv Heuristics?

Question regarding IMON and the HTTP setting indicated in BlackSpear's settings (post #39):

https://www.wilderssecurity.com/showthread.php?p=266653#post266653

If the “Automatically deny download of file” is enabled then NOD blocks the download in their web browser but the customer has no idea why their web browser displays a connection error.

Is this normal?

I am thinking of using the "Display warning.." instead. That way the customer knows that there is a virus problem.

Comments regarding this setting?

Are there any problems with using MS Defender in conjunction with NOD32?

 

If in the IMON-->Setup-->HTTP-->Client compatability button you have set the browser to Higher Efficiency (green) then you would normally get a page load in your internet explorer to indicate what IMON is up to, similar to in this post --> https://www.wilderssecurity.com/showpost.php?p=755520&postcount=13

Have you configured IMON-->Setup-->Miscelaneous-->Setup for your client on both tabs? I usually tick everything and set all Actions for all detections to Clean & Quarantine / Delete & Quarantine unless there is a specific reason not to.

Have not used M$ Defender, although I'm sure others have.

Cheers

 

Seems I overlooked enabling the "Log intrustion.. " option. Once I did that the graphic appeared. Thanks for pointing me in the right direction.

Is there any way of enabling "Higher Efficiency (green) " for any new applications that NOD32 has not seen before? Appears that one has to ensure that you run all of the apps on the machine so that NOD32 can note the Applications Name etc in the compatibility window.

 

Higher efficiency used to be the default but it occasionally caused an issue that way so now it is Higher compatability by default. The main one to have as Higher Efficiency is thier browser but personally I set MOST things to Higher efficiency any time I'm going over a clients PC - there are a few exceptions that don't work properly on HE mode. If you wish to do that it may pay to check them first, mostly they are automatic software updaters and download software/managers.

Cheers

 

It's two separate things. The mirror updates the clients, the clients have their own configs. Your RAS will update from Eset, and your servers should have their own configs, including any member servers in the domain which would pull from the RAS. These servers configs..their update type should not be set to auto-component, at least IMO.

 

What application were they using that caused problems?

I have hundreds of installs of MS Defender out there..no problems..except a slighly increased disappointment in what was once a great product..I miss the advanced tools of the prior MS Antispyware (Giant) version. I think the program lost some of it's usefulness.

 

Its an custom DB application for tracking students test scores and progress.

Wouldn't be the first time MS has done that to a product. I'll keep that in mine. The people at least at the one location seem to limit their browsing to a small number of major web sites. They occassionally get some minor pieces of spyware that I clean off when I am there.

 

Know what the program and/or engine is? SASI? WinCAP?

 

Application is called EOS or EOOS. Sorry do not know the DB engine it is using.