stephenitsg

Eset 6 and 7 AV Definitions


Automate support finally got back to me and had us install the "Eset Direct Management Plugin" which promptly broke our integration with Automate.

That said, it did add the entries and they are working so I thought I would add them.


ESET File Security v7
{%-HKLM\SOFTWARE\ESET\ESET+Security\CurrentVersion\Info:InstallDir-%}\ecls.exe
{%-HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info:ScannerVersion-%}
"{%-HKLM\SOFTWARE\ESET\ESET+Security\CurrentVersion\Info:InstallDir-%}\ecmd.exe" /update
{%-HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info:ProductType-%}{%-HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info:ProductVersion-%}

{%-HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info:ProductType-%}{%-HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info:ProductVersion-%}
ekrn*
\((20[12]\d[01]\d[0-3]\d)\)
Windows
^(efsw7\.*)


ESET Endpoint Antivirus v7
{%-HKLM\SOFTWARE\ESET\ESET+Security\CurrentVersion\Info:InstallDir-%}\ecls.exe
{%-HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info:ScannerVersion-%}
"{%-HKLM\SOFTWARE\ESET\ESET+Security\CurrentVersion\Info:InstallDir-%}\ecmd.exe" /update
{%-HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info:ProductType-%}{%-HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info:ProductVersion-%}

--action=clean --quarantine /files
ekrn*
\((20[12]\d[01]\d[0-3]\d)\)
Windows
^(efsw7\.*)


ESET File Security v6
{%-HKLM\SOFTWARE\ESET\ESET+Security\CurrentVersion\Info:InstallDir-%}\ecls.exe
{%-HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info:ScannerVersion-%}
"{%-HKLM\SOFTWARE\ESET\ESET+Security\CurrentVersion\Info:InstallDir-%}\ecmd.exe" /update
{%-HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info:ProductType-%}{%-HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info:ProductVersion-%}

--action=clean --quarantine /files
ekrn*
\((20[12]\d[01]\d[0-3]\d)\)
Windows
^(efsw6\.*)

On 9/27/2018 at 4:17 PM, stephenitsg said:

ESET Endpoint Antivirus v7
{%-HKLM\SOFTWARE\ESET\ESET+Security\CurrentVersion\Info:InstallDir-%}\ecls.exe
{%-HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info:ScannerVersion-%}
"{%-HKLM\SOFTWARE\ESET\ESET+Security\CurrentVersion\Info:InstallDir-%}\ecmd.exe" /update
{%-HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info:ProductType-%}{%-HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info:ProductVersion-%}

--action=clean --quarantine /files
ekrn*
\((20[12]\d[01]\d[0-3]\d)\)
Windows
^(efsw7\.*)

Should that Version Mask not be...

^(eea7\.*)

Edited by kkevgreen
Punctuation incorrect


Hi Guys,

Anyone able to confirm this configuration works? I've tried it with both version masks for ESET Endpoint Antivirus v7, ^(eea7\.*) and ^(efsw7\.*), but don't seem to be having it detect.


Hi,

Essentially it is the same as the v6 config, just with the "Version Mask" updated.

It takes a while for the internal monitor to update and show the AV correctly in lists/on the computer screen. But it will get there 🙂

I've exported my working config:

INSERT INTO `virusscanners` (`Name`,`DefLocation`,`DefFilename`,`ProgLocation`,`UpdateCMD`,`ScanTemplate`,`AutoProtect`,`OsType`,`VersionCheck`,`VersionMask`,`InfectionCheck`,`InfectionMatch`,`GUID`) Values('ESET File Security v7','{%-HKLM\\SOFTWARE\\ESET\\ESET Security\\CurrentVersion\\Info:ScannerVersion-%}','\\((20[12]\\d[01]\\d[0-3]\\d)\\)','{%-HKLM\\SOFTWARE\\ESET\\ESET Security\\CurrentVersion\\Info:InstallDir-%}\\ecls.exe','\"{%-HKLM\\SOFTWARE\\ESET\\ESET Security\\CurrentVersion\\Info:InstallDir-%}\\ecmd.exe\" /update','--action=clean --quarantine /files','ekrn*','1','{%-HKLM\\SOFTWARE\\ESET\\ESET Security\\CurrentVersion\\Info:ProductType-%}{%-HKLM\\SOFTWARE\\ESET\\ESET Security\\CurrentVersion\\Info:ProductVersion-%}','^(efsw7\\.*)','','','b6681399-e7cf-4a24-b4c6-ad33e3902d75');

The export is a .sql file that you load directly into the database. I'm relatively new to Automate, but I don't see a way to import it into the AV config screen (from where I've exported it). Quite "not so useful", quirky, typical Automate behavior I suppose.

Anyway, the {%-HKLM\\SOFTWARE\\ESET\\ESET Security\\CurrentVersion\\Info:ScannerVersion-%} and the like, simply point to the registry key/parameter; you can check their presence on the target computer(s).

The {%-HKLM\\SOFTWARE\\ESET\\ESET Security\\CurrentVersion\\Info:ProductType-%}{%-HKLM\\SOFTWARE\\ESET\\ESET Security\\CurrentVersion\\Info:ProductVersion-%} concatenates two parameters which are evaluated against the "Version Mask". You can check/verify that too.

The (also working) v6 definition has file-path parameters with "\\ESET+Security\" in it. I couldn't see a reason, so I replaced that with "\\ESET Security\". It may turn out that that is some silly requirement for Automate when accessing the file system. I will find that out soon enough, but you may or may not want to stick to the "+"-version that was used in the default v6 monitor...


Best of luck 🙂

George
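Since both George's post and Ryan's question come down to "are the registry values the definition references actually present, and do they match the masks?", here is an added PowerShell check you can run on a target computer. It is not from the thread or from ConnectWise; it reads the same HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info values the {%-...-%} templates point at, resolves the program and update paths, tries the definition-date regex against ScannerVersion, and tests the concatenated ProductType+ProductVersion string against the Version Masks discussed above. It assumes the AutoProtect entry ekrn* names a running process, and it uses the "ESET Security" (space) key name that George reported working; change $key if you want to test the "+" form.

```powershell
# Added example, not part of the thread: verify on a Windows host what the
# Automate ESET v7 definition would see. Regex values are copied from the
# thread; the list of masks to try and the output layout are constructed.
$key = 'HKLM:\SOFTWARE\ESET\ESET Security\CurrentVersion\Info'

if (-not (Test-Path $key)) {
    Write-Host "Registry key not found: $key (nothing for the monitor to read)"
    return
}

$info = Get-ItemProperty -Path $key

# The four values the definition templates reference
$installDir     = $info.InstallDir
$scannerVersion = $info.ScannerVersion
$productType    = $info.ProductType
$productVersion = $info.ProductVersion

# ProgLocation / UpdateCMD as the templates would resolve them
$ecls = Join-Path $installDir 'ecls.exe'
$ecmd = Join-Path $installDir 'ecmd.exe'
Write-Host "ProgLocation : $ecls (exists: $(Test-Path $ecls))"
Write-Host "UpdateCMD    : `"$ecmd`" /update (exists: $(Test-Path $ecmd))"

# DefFilename regex from the thread: a yyyymmdd date in parentheses
$defRegex = '\((20[12]\d[01]\d[0-3]\d)\)'
if ($scannerVersion -match $defRegex) {
    Write-Host "DefLocation  : '$scannerVersion' -> definition date $($Matches[1])"
} else {
    Write-Host "DefLocation  : '$scannerVersion' does NOT match $defRegex"
}

# VersionCheck is ProductType and ProductVersion concatenated, then matched
# against VersionMask. Masks below are the ones discussed in the thread
# (efsw = File Security, eea = Endpoint Antivirus).
$versionCheck = "$productType$productVersion"
Write-Host "VersionCheck : '$versionCheck'"
foreach ($mask in '^(efsw7\.*)', '^(eea7\.*)', '^(efsw6\.*)') {
    $hit = $versionCheck -match $mask
    Write-Host ("VersionMask  : {0,-14} -> {1}" -f $mask, $hit)
}

# AutoProtect: assumed to be a process-name wildcard; check ekrn* is running
$ekrn = Get-Process -Name 'ekrn*' -ErrorAction SilentlyContinue
Write-Host "AutoProtect  : ekrn* running = $([bool]$ekrn)"
```

Run it in an elevated PowerShell on an agent that is not being detected. If the key is missing or the VersionCheck string does not start with the prefix in your mask, that explains the non-detection locally, independent of how long the Automate internal monitor takes to refresh.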


Hello George! Thanks for your help here :)
I did find that after checking in on this the next day in my Automate, some agents were correctly reporting v7, so must have just needed some time.

Really appreciate you taking the time to export your working config and post here for me and anyone else who may need it... cheers!

-Ryan.
