v4 prevents registry editing

Hi. Does v4 EAV lock down it's own registry settings? I tried to delete manually the hive HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile\Excludes, because I played too much with exclusion policies, but it didn't work. The hive permissions are ok. I was able to delete them only in safe mode. For one PC it's fine, but I messed up ~20 clients, and starting each of them in safe mode is not a solution.

Maybe I can disable something in settings to allow deleting?

 

You can revert to default extension settings by clicking the Default button in gui. If you want to edit the value directly in the registry (not recommended), disable self-defense and restart the computer first.

 

Thanks, I'll try.

But the exclusion management is not convenient anyway. What's the point of not enforcing deletion of exclusions?

 

How do you mean? I've pushed down down deletion of exclusions through my RAS before and the clients honored it.

 

I mean the principle of it. Policies should be like GPO policies, they shouldn't "tattoo" (thats MS terminology). You add something - it is pushed to client. You delete it - setting deleted from client. No "sticky" settings, no "history" of settings in server GUI window, which are marked for deletion. What's the point of them anyway?

Let's say I have 500 roaming clients, and hell knows when they are going to connect to server. I decide to delete exclusion (or scheduled task), so I mark it for deletion. Then either I leave that exclusion in the list for indefinite time, or just hope that during one month/year/whatever they will all refresh their policy at least once, and only then delete the policy itself. Basically - you are not sure if the deletion was pushed to all clients.

Oh, and don't forget, that you can't directly edit the particular exclusion, you need to "delete" it and add a new one Considering that manuals don't say anything about using variables or wildcards for exclusions, experimenting will leave you with a pretty good mess in your settings.

 

I agree with your first point, and the way that policies currently are handled forces you have to plan things out really well in advance, especially for exclusion lists, or you can get in a situation where old entries are stuck sitting around and require manual cleanup.

As for the second point, group policy finds itself in the exact same situation. If the client isn't connecting to a management server on a regular basis, it's going to have out of date policies. As a rule of thumb if you have a large number of clients that are going to be roaming around and not always on a VPN link to your site, I would strongly recommend you run a downstream RAS in a DMZ and expose the client reporting port to the internet. Just make sure you set a password for client connections.