Raynor


Posts posted by Raynor


  1. I have been beta testing the cloud console at home with three devices for some time now.

    Now I tried to remove one of the devices from the console, so that it won't be remotely managed any more.
    When I remove it from the workspace, at first it is correctly shown as "unmanaged" (red tag),
    and when I check the local EAM GUI on the device it does indeed say the device is no longer connected to the cloud.

    After I reboot windows, however, the device "automagically" returns to the cloud console (listed under new devices),
    and the local GUI shows that it is remotely managed.

    Do I have to uninstall EAM to really remove it from the cloud ? Is this a bug ?

    Right now, the cloud management seems to be a bit too overzealous/persistent/sticky 😄


  2. When I switch to downloading the installers with signatures, the download works OK.
    Has the download of the small packages without signatures been canceled/abandoned ?

    If so, can I safely manually delete the outdated "EmsisoftAntiMalwareSmallSetupXX.msi" files
    from "C:\ProgramData\Emsisoft Enterprise Console\Download\Server" and
    "C:\ProgramData\Emsisoft Enterprise Console\Share\Server" ?


  3. It seems like EEC currently fails to update the MSI installer packages for deployment.
    This seems to have been the case for quite some time now (didn't bother to look at the logs until now).
    The logs are full of errors (404) and manually clicking on the "Update" button in EEC's settings
    yields the same result. The deployable MSI packages are stuck at version 2019.3.1.

    Is there a server problem ?

    Thanks,
    raynor

    EEC-Update-Failure.png


  4. Dear Emsisoft Team,

    right now, using the behaviour blocker, you could locally add an application rule that blocks a certain exe file.
    However, the current implementation lacks flexibility:

    1) The application blocking rules CAN NOT be set using the Enterprise Console or the Cloud Console. There is no option for that.
         Rules can only be set using the local client UI (Protection--> Behaviour Blocker --> Add Application Rule),
         which is not suitable for enterprise usage.

    2) Wildcards CAN NOT be used, e.g. blocking file extensions such as "*.hta" or "*.scr" is not possible

    3) Hash rules and blocking program execution in entire directories (path rules) are not possible either

     

    Please let me kindly suggest that you improve the behaviour blocker and turn it into a real application control solution that can
    be centrally managed using EEC or the Cloud Console.

    Similar to what e.g. F-Secure and Kaspersky already offer:

    --> https://community.f-secure.com/t5/Protection/Application-Control-2-0/td-p/105812

    --> "In Kaspersky Endpoint Security for Business, administrators can configure startup blocking policies for applications, executable modules (PE-files, exe, scr, dll) and scripts executed via a variety of interpreters (com, bat, cmd,  ps1, vbs, js, msi, msp, mst, ocx, appx, reg, jar, mmc, hta, sys). For this, the administrator inventories applications on user computers and receives their list with metadata (vendor, certificate, name, version, installation path etc.) If new applications appear on hosts later, these are also inventoried."

     

    My reasoning behind this request:

    Right now, we are using Software Restriction Policies (SRP) to control the startup of some unwanted applications and file types (e.g. mshta.exe, *.hta, etc.).
    However, SRP has been deprecated by Microsoft starting with Windows 10 v1803. It still works, but who knows when MS will finally remove it.
    So SRP obviously is not a future-proof solution.

    Its successor, AppLocker, can only be used with Windows 10 Enterprise and Education, and is more complicated to set up and administer.
    So it is not an option for small companies which use Windows 10 Professional.

     

    Certainly this is not an ultra-urgent feature request (as SRP is still working), but it would be much appreciated if you
    could put this on your middle- to long-term roadmap.
    After all, I believe that much of the technology required is very likely already contained in the current behaviour blocker,
    it just is not exposed via any UI that allows for flexible configuration.

    Thanks and best regards,
    Raynor

     


  5. Could I get a quick reply on my two little questions please ☺️🤗

    By the way: I have noticed that workspaces cannot be deleted.

    I assume this feature will be added later?

    Thanks!

    Raynor

    On 4/12/2019 at 12:39 AM, Raynor said:

    - I was wondering what the setting "Detect registry policy settings" in the Scanner Settings section does
      (see attached screenshot).

    -Why does my license vanish from the "Licenses --> Personal Licenses" section after assigning it to a workspace ?
     Is this by design? This seems confusing to me...
     What happens if I delete a workspace - will the license be returned to the "Personal Licenses" section?
     What about client PCs that are NOT associated with the workspace - will they have licensing problems
     (I don't want to add all my PCs to the workspace)?

    RegistryPolicies.png

     


  6. I just started playing around with the new "My Emsisoft Cloud Console".

    My first experiences have been quite positive. 🙂

    Two little things that I would like to suggest for improvement:

    1) I use only one policy for the whole network (i.e. workspace). This is why I delete all computer groups
    except "New Computers" (which cannot be deleted). I then set all required policy settings/options on the highest possible level,
    which is the "root" group called "Workspace". These settings are then of course inherited by the "New Computers" group
    (and possibly some other groups that I might add later).

    The problem is that whenever you re-visit the "Protection Policies" section by clicking in the navigation bar
    on the left hand side, the view defaults to the "New Computers" group.
    So if I'm not very careful, I'll change settings in this group instead of the root group "Workspace".

    It would be nice if the selection could default to "Workspace" whenever you re-visit the Protection Policies section.

     

    2) Using the Enterprise Console, it was easy to see at a glance if the settings on some client PCs deviated from the original policy setting
    (the overview in EEC then shows a little round arrow next to the policy name in the "Computer Policy" column).
    In the cloud console, you must have a detailed look at the settings of each client PC to see if there is anything different to the original policy.

    It would be very helpful to be able to see policy vs. current client settings differences directly on the overview dashboard.
    (please bring back the round arrow 😉)

     

    Furthermore, there are some minor cosmetic issues:

    - When clicking on the menu of the root protection group "Workspace", the menu item "Clone" is not greyed out.
       It is clickable, but (as expected) nothing happens. It should be greyed out like the rest of this group's menu items.
    - Some German translations don't fit into the UI (mostly on buttons)
    - When using browser zoom (I use 120% by default) some lines around some UI fields get cut off

     

    And two final questions:

    - I was wondering what the setting "Detect registry policy settings" in the Scanner Settings section does
      (see attached screenshot).

    -Why does my license vanish from the "Licenses --> Personal Licenses" section after assigning it to a workspace ?
     Is this by design? This seems confusing to me...
     What happens if I delete a workspace - will the license be returned to the "Personal Licenses" section?
     What about client PCs that are NOT associated with the workspace - will they have licensing problems
     (I don't want to add all my PCs to the workspace)?

     

    Thanks for the great job so far!
    Raynor

     

    RegistryPolicies.png

  7. With the new cloud-based console ("My Emsisoft workspaces") in BETA,
    I was wondering what the future holds for the "classic" (i.e. locally installed) EEC.

    Having deployed EEC in my company, we might want to migrate to the cloud-based console
    at some point in the future, but certainly not before it has become utterly reliable and stable.

    For how long (roughly) is the classic EEC going to be supported in the future?

     

    Oh, and two additional questions that have crossed my mind:

    1) What about the local update caching proxy that is supplied by EEC?
    How is this feature going to be transferred to cloud-managed installations?
    Are you planning some kind of peer-to-peer update caching similar to the
    Delivery Optimization feature of Windows 10?

    2) Is there going to be a way to import profiles from EEC to the cloud console
    (including perhaps automatically transferring locally managed clients to being cloud-managed)?
    That would ease the transition process quite considerably...

    Thanks!
    Raynor


  8. Quick Question:

    I just had a look around the "My Emsisoft" account settings and stumbled
    across the new option "Enable two-factor authentication" (see attached screenshot).

    I was wondering: What's the second factor ? How is this supposed to work exactly ?
    I would perhaps like to enable it, but I wouldn't want to risk locking myself if things go wrong...

    Thanks!

    2FA.png


  9. I've been digging a bit into methods for securing PowerShell, and the following question has come to my mind:

    Does EAM use the new Windows 10 scanning interface called "AMSI" to scan PowerShell scripts for malicious code when they are executed ?
    For more info on what I'm talking about please refer to:

    https://blogs.technet.microsoft.com/poshchap/2015/10/16/security-focus-defending-powershell-with-the-anti-malware-scan-interface-amsi/

    Judging from the following post it seems that this might be the case, but I'm looking for a definite confirmation.

    https://support.emsisoft.com/topic/29757-new-in-20187-improved-file-guard-performance/

    Thanks :)


  10. 2 hours ago, Jonathan Starr said:

    Hi Raynor, we're also suffering from it too so you aren't alone.

    Thanks for this confirmation Jonathan. I thought I was going crazy.

    @Emsisoft: Please let me kindly ask that the process of verifying the client certificates is reviewed with regard to EEC's/EAM's behaviour
    after upgrading to a new semi-annual Windows version. I would really appreciate if this issue could get squashed once and for all. Thanks ☺️

     


  11. 14 hours ago, Frank H said:

    EAM will check this when the browser is  started.

    The notification shows you 3 options

    install now - later - Don't show again

    Please also add a configuration option to Emsisoft Enterprise Console
    to allow suppressing/disabling this prompt. I wouldn't want it to be shown
    to the users in the company I work for, as we use other means for malicious website protection.

    Thanks ☺️
     


  12. *Bump*

    Sorry for being so persistent 😀, but I find it hard to believe that we are the only ones suffering from this issue.
    Why ? Because our Server 2016 is totally run-of-the-mill, nothing fancy, no special configuration at all.
    Just one server (fresh install, about one year ago), acting as Domain Controller for a bunch of workstations,
    and as a file server, and hosting the EEC. No additional firewalls/proxies/security appliances running in the network.
    As I said, no fancy stuff 😆

    Please let me reiterate my question: If the "Server certificate verification" fails according to the EAM log on the clients
    after upgrading Windows to a newer semi-annual build, something on the clients must have changed in a way that the
    certificate is no longer valid.

    I don't think that the server could be the culprit, as nothing whatsoever has changed on the server side.

    Again, any help would be greatly appreciated, as the current situation is quite unsatisfactory.

    Thanks
    Raynor
     


  13. On 11/15/2018 at 9:20 PM, GT500 said:

    They tested on Windows 10, and Emsisoft Anti-Malware has an issue on Windows 10 where the first update can take an abnormally long period of time to initialize (it doesn't happen 100% of the time, but I expect that it must have happened in their test to have not achieved a perfect score).

    Uh, any plans / ETA for a fix ? Speedy updates after the computer starts are very important IMHO...

    You know, people tend to start checking their emails right after startup, opening all kinds of attachments
    with viruses in them 😋

    Thanks 🤗


  14. We have just started upgrading a few clients from v1803 to v1809 for testing purposes.

    At the moment they are running EAM 2018.8.1 (delayed feed). Our Server 2016 is running the latest EEC version.

    The issue still persists. Clients are losing connection to EEC after upgrading to v1809.
    Manually reconnecting the clients from the EAM User Interface is necessary and works flawlessly and instantly...

    The EAM Logs say:

    Connection with Emsisoft Enterprise Console SERVERNAME:8082 failed.
    276: Server certificate verification failed. Connection aborted.

    Any insights ? What could cause the certificate verification to fail ?
    We really need to get this fixed, we can't run around manually reconnecting each and every client
    from now until forever 😪

    Thanks!

    Raynor

     


  15. Unfortunately I don't have a test environment up and running at the moment, sorry.

    But thanks for the heads-up about the surf protection. I might disable it using the
    enterprise console as an extra security measure. But the issue of the surf protection interfering
    with SQL connections must really be thoroughly solved before switching the delayed
    feed to a newer version (see above).

     


    To the Emsisoft team:

    please make sure that the SQL connection problems and all other
    network connection problems are 100% completely solved before the delayed update feed
    ("delayed feed") is switched from 2018.6 to a newer version.

    SQL database connections are of the utmost importance to us in the company, and
    even the smallest disruptions in this area would lead to me looking like a fool.
    Why ? Because I was the one who pushed for replacing our previous
    antivirus with EAM, by telling everyone how great and problem-free EAM is.

    Software stability is of the utmost importance to us, which is why we only use
    the delayed update feed. And if it is switched to a problematic version,
    then good night! EAM would then have to disappear from all computers immediately.

    Dear Emsisoft team, please don't let me down 🤗


  17. On 10/19/2018 at 1:59 PM, jedsiem said:

     

    Since 2018.9 I see network-related issues around applications under Windows 7x64. No frozen EAM or Malware. Just disconnection of SQL connections or other network-connection between different applications. Still investigating if it really is EAM causing these issue or a different installation which replaced runtimes.

    There are more reports of SQL disconnection issues in the German forum even with v2018.9.2.8988 .
    The delayed feed version 2018.6 is reported to work fine.

    https://support.emsisoft.com/topic/30051-sql-verbindungsabbrüche-über-odbc/

    Please make sure that all these issues are fully and thoroughly fixed before even considering
    switching the delayed feed to anything newer than 2018.6!

    SQL server connections are mission-critical in our company, and we depend on software reliability.
    This is why we are using the delayed feed.

    If the delayed feed was switched to a version that causes SQL connection issues, my bosses would
    pretty much kill me leading to me probably having to ditch EAM as a security solution altogether.

    I put my reputation on the line by telling everybody how great EAM was and that we should
    therefore switch to EAM as our security suite.  Please do not let me down 😥

    Quote

    Network related issues should have been fixed.

    This does not seem to be the case unfortunately...

     

     


  18. Fair enough, but what's with fresh installations of v1803/v1809 ?

    According to MS, the memory integrity feature is always switched on
    on qualifying modern PCs (with virtualization support, UEFI and stuff)
    when Windows is installed from scratch.

    Wouldn't then "average" users be greeted by a big fat blue screen when they try to install EAM ?
    Or am I missing something here / am I getting something wrong ?