Raynor

Everything posted by Raynor

  1. I have now deployed EEC+EAM in our company. The read-only GUI setting works fine, but I really can't seem to find a way to make the behaviour blocker quarantine notifications read-only. Example: The behaviour blocker shows an alert because a suspicious program is trying to "change firewall settings". Users are told that the program will be quarantined after a couple of seconds, but are ALSO given the choice of clicking "Wait, I think this is safe"/"This program seems safe" (I can't remember the exact wording). I want to take that choice away from users, and NOT allow them to skip the behaviour blocker messages. They are the last line of defence, and I can guarantee that some users WILL allow new viruses to run by clicking "this is safe". So, please let me ask again: Is there any way to make the behaviour blocker prompts read-only without the option of skipping them? I want them to work just as the normal "malware found" prompts (i.e. quarantining the program with no way around it). If there is no way, please let me kindly suggest again that an option to make these prompts read-only be added. Thanks and all the best, Raynor
  2. On the topic of "playing around": I just installed a fresh copy of EEC (for pre-deployment testing purposes) in a fairly basic Windows Server 2016 virtual machine (VirtualBox), and stumbled over two obscure "Value does not fall within the expected range" warnings in the log. Again, quite basic & fresh Server 2016 VM, just installed EEC (2018.3.0.3338) a minute ago (first thing was taking a look at the logs). Any insights ? Best regards, Raynor
  3. Thanks, beta 2018.3.0.8528 seems to have fixed the problem. I had added an exclusion of the file VirtualBox.exe before, that helped as well. But with the recent beta, the exclusion is no longer required.
  4. Hi, starting yesterday (Friday 23-03-2018), VirtualBox always throws an error (see attached screenshot) when starting a virtual machine, be it an existing one or a new one. I was puzzled because I had extensively used VirtualBox just the day before (Thursday 22-03-2018) and everything worked fine (as it always had). This thread led me onto the right track: https://forums.virtualbox.org/viewtopic.php?f=6&t=83791#p397261 "The "process has more than one thread" error implies, I think, that some other process was trying to access VirtualBox process memory. So, either malware or antivirus. [...] It would be something invasive: system monitor of some kind, developer debug environment, crash manager maybe." And indeed, if I shut down EAM, VirtualBox starts to work again just fine (no errors whatsoever). So some very recent protection/signature update must have made EAM more invasive, thus causing this error. Please fix this. I am using EAM 2018.1.1 (delayed feed), Win 10 x64 v1709, VirtualBox 5.2.8. Thanks, Raynor
  5. Hmmm ... maybe with a BIG FAT "potential security issue" warning message ? Oh, and one more thing: The console window does not seem to remember its size and position, could this be fixed?
  6. PS: Could we please get a "remember password" checkbox in the EEC login/connection screen in the future? (no security risk for us, as only domain admins are allowed on the server anyway)...
  7. Thanks, yes, I had figured this out already. I only need to lockdown normal users (for now).
  8. 1) Other context menus seem to be a bit wonky, too: Under "User Policies", if you right-click on "Default for admins", you get a greyed out context menu, and if you right-click on "Default for non-admin", you get a normal, not greyed out context menu, but the "Edit" and "Delete" menu items do nothing. "Clone" works. Suggestion: Add a "New" Button at the bottom, and make the behaviour for context menus on non-deletable default groups consistent (i.e. consistently allow "clone" and grey out "edit" and "delete"). 2) Thanks, yes, that makes it clear. May I suggest that you rename this section from "Scanner Settings" to "Scanner settings for console-initiated scans" and/or add a little descriptive text like "These settings are applied when performing a manually initiated scan from EEC". This might save some confusion for future users. 3) Thanks, this makes sense! Best regards, Raynor
  9. I've been playing around with EEC in a virtual machine prior to possibly deploying it in our company. A few questions and issues have arisen: 1) (See attached screenshot 1) For testing purposes, I have deleted all groups under "Policies-->Computers-->Groups" except the "New Computers" default group. Now I can't create any new groups, because the "clone" option is greyed out in all context menus and there is no "new" option anywhere. 2) (See attached screenshot 2) Why on earth is there a "Scanner Settings" section under Settings-->Options? I thought that all the settings for the clients, including the scanner settings would be configured via policies! And the same scanning options are indeed (as expected) present in the policies. To top it off, there is no mention of this section in the help or the manual. 3) How often does the Update Proxy update its data? (signatures and downloadable EAM program updates) I can find nothing about this in the manual. Thank you in advance! Raynor
  10. Or would assigning "read-only" access to all normal users via EEC actually do what I described above? After all, the popup help for that setting states: "[...] All alerts and events are handled automatically. Read-only notifications." So, does this setting also apply for Behaviour Blocker Alerts? Thanks, Raynor
  11. Just to let you know, Windows Server 2016 does NOT automatically turn off Windows Defender when Emsisoft Anti-Malware gets installed. It does nothing. It doesn't even lift a finger. Zip. Nada. I just tried it in a virtual machine. More info to corroborate my findings here: https://partnersupport.microsoft.com/en-us/par_servplat/forum/par_winserv/disable-windows-defender-on-server-2016/3b19d95c-0969-44ba-b9c1-e348be7a7a98 So, that leaves me with 2 options: - PowerShell: Set-MpPreference -DisableRealtimeMonitoring $true - Or removing Windows Defender completely (Add/Remove Roles&Features Wizard) I haven't decided what to do yet ... hmmm ... Oh, and one more thing: While the Anti-Malware Download page now lists Server 2016 as supported, the Enterprise Console download page does NOT (Server 2012 R2 only) (???)
  12. We are considering deploying EAM with EEC in our company in the near future. One thing that I am really worried about is that (if I'm not mistaken) at the moment there is always an option for users to skip the "suspicious program" alert popups of the behaviour blocker module. In other words, users could always choose to manually allow the action taken by a suspicious program. Why is this a problem? Well, users tend to be dumb, and clicking on "Allow" (or, as it is called starting with EAM version 2018-02 "Wait, I think this is safe") would allow a malicious program to run and infect our network, rendering the AV useless... Believe me, people really do click on stuff without knowing what they're clicking. It's ridiculous but true! We absolutely need to lock down all client PCs, with users not being given any way to manually allow suspicious program activity. At the moment, the only two options for the behaviour blocker are "Allow" and "Auto resolve with notification". I would kindly suggest to add a third option named something like "Always auto resolve (no allow option)" that still shows the suspicious behaviour alert to client PC users, but provides them with no way to cancel the auto resolve (quarantine, etc.) action. This is the one and only issue that keeps me from being 100% certain that EAM is the best option for our network. If I got it all wrong, and there already is a way in EEC to configure the alert popup in the way described above, I would like to apologize for wasting everybody's time. Thanks, Raynor
  13. By the way: Does that mean that even UEFI Secure Boot would be supported? As mentioned above, we don't use that at the moment, I'm just curious...
  14. OK, thanks. We will be deploying EAM on our Windows Server 2016 in the not-too-distant future (in a couple of months - not too distant in Server OS terms). I'll report back if there are any problems with the "automatic" disabling of Windows Defender...
  15. One more question: What are your "official" recommendations concerning Windows Defender on Windows Server 2016 when EAM is to be installed on the Server? A) Remove Windows Defender completely as a feature via the "Add Roles and Features" wizard? B) Leave it installed, just disable realtime protection via the following PowerShell command: Set-MpPreference -DisableRealtimeMonitoring $true C) Leave it installed, do nothing, as Windows Defender gets disabled automatically by EAM's installer? (does it ??? if so, only the realtime protection???) Thank you, Raynor
  16. Thank you. We are planning to deploy EAM on a Windows Server 2016 that uses "classic" MBR-style legacy boot, so I assume that there will (hopefully) be no problems.... One more thing: Is there any difference between the installer that you can download from the "normal" EAM section of your website and the installer that can be downloaded from the "EAM for Server" section ?
  17. Old thread, but the most fitting one for my question: Is EAM compatible with Server 2016 by now ? I am wondering because the download page for EAM for Server (https://www.emsisoft.com/en/software/antimalwareforserver/) still says "For Windows Server 2008 R2/2012/2012 R2 "... I believe this is just an oversight, right ?
  18. Yes, it is indeed a bit confusing, that's what I noticed as well. But back to my question: So it is possible to set everything required on the Server via GPO, so that all the clients are automatically configured via the GPO they get from the server, right?
  19. Thank you, now it's clear to me. One more thing: If you look at Page 83 and the following pages of the "Getting Started" user guide (see attached screenshot), instructions are given there on how to configure a couple of Group Policy settings on the server (mostly firewall exceptions). I am talking about "Allow inbound File&Printer Sharing", "Allow Remote Administration", "AllowICMP", and "Enable Remote UAC LocalAccountTokenFilterPolicy". This is the way I would plan on preparing everything. Would setting all these GPOs on the server (for all client computers) be enough, or would it STILL be necessary to run a batch script file (Prepare_PC_for_Deployment.bat) on a client PC?
  20. So, if I understand you correctly, the Windows Server 2016 LOCAL Administrator account would have to be entered here, so that the EEC service can run in the background on the server with Admin privileges, even when no user is logged on, right? This I do not fully understand. If you look at the screenshot it says "Domain\User:" at the top just under "Remote Administrator Account". But we do not use domain administrator accounts (i.e. users with administrative rights listed in Active Directory), just the normal users have domain user accounts. There is just a local admin on every PC (the admin-like user created during the Windows installation). How would I enter that user? Just the Username, without any Domain name in front of it? Well, the local admin (which will be used to start the scripts) is just the admin-like user created during Windows installation, as mentioned above. So UAC should be active for that user (as that user is not a "real" admin and just gets its privileges elevated when required). So I would just run the first script, right? Thanks again and best regards, Raynor
  21. First of all, sorry for this noob-like question. I am currently evaluating if Emsisoft Enterprise Console (combined with EAM) might be a future option for our small business network (one Windows Server 2016, mainly used as file server, Active Directory domain, about 30 client computers). EEC would be installed on our Win 2016 server, EAM on all of the clients. So far, I have skimmed across the EEC manual (we have not installed anything yet / decided on buying anything yet). And while most things seem pretty clear to me, there is one thing I can't get my head around: What is meant by Remote & Local Admin credentials (see screenshot)? Our 30 or so client computers all have a local admin account that is used for all admin purposes concerning the client PCs. I am talking about the "admin-like" local user account that is created during a standard Windows installation (the one you get to choose a user name for), NOT the "Administrator" account (which is disabled by default, and still is). Users log on to their computers with domain user accounts that only have user privileges (no roaming profiles or other fancy stuff). And, of course, the server itself has its own (local) Administrator account, which is used when administering the server. That's about it. So what would have to be entered for Remote & Local Admin? Do both fields have to be filled in? If so, why? Yes, I know it's a beginner's question (sorry), but right now I'm a bit stumped. Thanks, Raynor
  22. FYI: I just updated to Creators Update build 15063.138 (April 11 cumulative update), and the firewall status is still incorrectly displayed as "OFF" in the Windows Defender Security Center. The old school Security and Maintenance classic control panel applet correctly shows Emsisoft firewall as being enabled.
  23. Thanks for that tip, but adding SearchIndexer.exe to the exclusions does not help. I am now 99.5% sure that it is not the fault of EIS, but that the Indexing Service in the Win 10 Anniversary Update is a bit buggy. The other forum threads that I found on that specific topic across the net all tend to point in that direction...