Eset Era 63 Era Admin Enu

ESET
REMOTE
ADMINISTRATOR 6
Administration Guide
Click here to navigate to the most recent version of this document
ESET REMOTE ADMINISTRATOR 6

Copyright
2016 by ESET, spol. s r.o.
ESET Remote Admi ni s tra tor 6 wa s devel oped by ESET, s pol . s r.o.
For more i nforma ti on vi s i t www.es et.com.
Al l ri ghts res erved. No pa rt of thi s documenta ti on ma y be reproduced, s tored i n a
retri eva l s ys tem or tra ns mi tted i n a ny form or by a ny mea ns , el ectroni c, mecha ni ca l ,
photocopyi ng, recordi ng, s ca nni ng, or otherwi s e wi thout permi s s i on i n wri ti ng from
the a uthor.
ESET, s pol . s r.o. res erves the ri ght to cha nge a ny of the des cri bed a ppl i ca ti on s oftwa re
wi thout pri or noti ce.
Cus tomer Ca re: www.es et.com/s upport
REV. 26/01/2016
Contents
1. Administration
.......................................................6
2.10 Threats
....................................................................................................83
2.11 Reports
....................................................................................................85
2.11.1
Create
..............................................................................86
a new report template
2.11.2
Generate
..............................................................................89
report
2.1 Opening
....................................................................................................8
the ERA Web Console
2.11.3
Schedule
..............................................................................89
a report
2.2 The....................................................................................................9
ERA Web Console login screen
2.11.4
Outdated
..............................................................................89
applications
2.3 Getting
....................................................................................................11
to know ERA Web Console
2.11.5
SysInspector
..............................................................................90
log viewer
2. First Steps
.......................................................7
2.4 Post
....................................................................................................14
Installation Tasks
2.5 Certificates
....................................................................................................15
2.6 Deployment
....................................................................................................15
2.6.1
Add client
..............................................................................15
computer to ERA structure
2.6.1.1
Using
..................................................................................16
Active Directory synchronization
2.6.1.2
Manually
..................................................................................16
typing name/IP
2.6.1.3
Using
..................................................................................17
RD Sensor
2.6.2
Agent..............................................................................19
deployment
2.6.2.1
Deployment
..................................................................................19
steps - Windows
2.6.2.1.1
Agent Live
........................................................................20
Installers
2.6.2.1.2
Deploy Agent
........................................................................22
locally
2.6.2.1.3
Deploy Agent
........................................................................25
remotely
2.6.2.2
Deployment
..................................................................................29
steps - Linux
2.6.2.3
Deployment
..................................................................................30
steps - OS X
2.6.2.4
Agent
..................................................................................30
protection
2.6.2.5
Troubleshooting
..................................................................................30
- Agent deployment
2.6.2.6
Troubleshooting
..................................................................................33
- Agent connection
2.6.3
Agent..............................................................................33
deployment using GPO and SCCM
2.6.3.1
Creating
..................................................................................34
MST file
2.6.3.2
Deployment
..................................................................................38
steps - GPO
2.6.3.3
Deployment
..................................................................................42
steps - SCCM
2.6.4
Product
..............................................................................58
installation
2.6.4.1
Product
..................................................................................60
installation (command line)
2.6.4.2
List
..................................................................................62
of problems when installation fails
2.6.5
Desktop
..............................................................................62
Provisioning
2.7 Working with ESET Remote

....................................................................................................62
Administrator
2.7.1
Add computers
..............................................................................63
to groups
2.7.1.1
Static
..................................................................................63
groups
2.7.1.1.1
Add computer
........................................................................64
to a static group
2.7.1.2
Dynamic
..................................................................................65
groups
2.7.1.2.1
New Dynamic
........................................................................66
Group Template
2.7.1.2.2
Create new
........................................................................66
Dynamic Group
2.7.2
Create
..............................................................................68
a new policy
2.7.3
Assign
..............................................................................70
a policy to a group
2.7.4
Mobile
..............................................................................71
Device Enrollment from Groups
2.8 Dashboard
....................................................................................................72
2.8.1
Dashboard
..............................................................................73
settings
2.8.2
Drill down
..............................................................................74
2.8.3
Edit report
..............................................................................75
template
2.8.4
Time..............................................................................78
Zone
3. Mobile
.......................................................92
Device Management
3.1 MDM
....................................................................................................92
configuration profiles
4. Admin
.......................................................94
4.1 Groups
....................................................................................................94
4.1.1
Create
..............................................................................96
new Static Group
4.1.2
Create
..............................................................................98
new Dynamic Group
4.1.3
Assign
..............................................................................99
Task to a Group
4.1.4
Assign
..............................................................................100
a Policy to a Group
4.1.5
Policies
..............................................................................101
and Groups
4.1.6
Dynamic
..............................................................................101
Group Templates
4.1.6.1
New
..................................................................................102
Dynamic Group Template
4.1.6.2
Manage
..................................................................................102
Dynamic Group Templates
4.1.6.3
Dynamic
..................................................................................103
Group template - examples
Group - a security product is installed

4.1.6.3.1 Dynamic........................................................................104
4.1.6.3.2 Dynamic Group - a specific software version is

installed
........................................................................105
4.1.6.3.3 Dynamic Group - a specific version of a software is not

installed
........................................................................106
at all
4.1.6.3.4 Dynamic Group - a specific version of a software is not

installed
........................................................................107
but other version exists
Group - a computer is in specific subnet
4.1.6.3.5 Dynamic........................................................................108
4.1.6.3.5.1 Dynamic Group - installed but not activated version of

server security
........................................................................109
product
4.1.7
Static
..............................................................................109
Groups
4.1.7.1
Static
..................................................................................110
Group Wizard
4.1.7.2
Manage
..................................................................................110
Static Groups
4.1.7.3
Add
..................................................................................112
Client Computer to Static Group
4.1.7.4
Import
..................................................................................113
clients from Active Directory
4.1.7.5
Assign
..................................................................................114
a Task to a Static Group
4.1.7.6
Assign
..................................................................................114
a Policy to a Static Group
4.1.7.7
Export
..................................................................................114
Static Groups
4.1.7.8
Import
..................................................................................115
Static Groups
4.1.8
Dynamic
..............................................................................116
Groups
4.1.8.1
Dynamic
..................................................................................116
Group Wizard
4.1.8.2
Create
..................................................................................117
Dynamic Group using existing Template
4.1.8.3
Create
..................................................................................119
Dynamic Group using new Template
4.1.8.4
Manage
..................................................................................119
Dynamic Groups
4.1.8.5
Move
..................................................................................121
Dynamic Group
4.1.8.6
Assign
..................................................................................122
a Policy to a Dynamic Group
4.1.8.7
Assign
..................................................................................122
a Task to a Dynamic Group
4.1.8.8
Rules
..................................................................................122
for a Dymanic Group template
2.9 Computers
....................................................................................................79
computer is in Dynamic Group?

4.1.8.8.1 When a........................................................................122
2.9.1
Add Computers
..............................................................................81
........................................................................122
description
4.1.8.8.2 Operation
2.9.2
Computer
..............................................................................82
details
........................................................................123
logical connectors
4.1.8.8.3 Rules and
4.1.8.8.4
Template
........................................................................124
rules evaluation
4.4.19.3
Mobile
..................................................................................200
Device ID location
4.1.8.8.5
How to ........................................................................125
automate ESET Remote Administrator
4.4.19.4
Device
..................................................................................201
Enrollment and MDC communication
4.2 User
....................................................................................................126
Management
4.4.20
Display
..............................................................................202
Message
4.2.1
Add..............................................................................128
New Users
4.4.21
Anti-Theft
..............................................................................203
Actions
4.2.2
Edit..............................................................................130
Users
4.4.22
Stop..............................................................................205
Managing (Uninstall ERA Agent)
4.2.3
Create
..............................................................................132
New User Group
4.4.23
Export
..............................................................................207
Managed Products Configuration
4.4.24
Assign
..............................................................................208
Task to Group
4.3 Policies
....................................................................................................133
4.3.1
Policies
..............................................................................134
Wizard
4.4.25
Assign
..............................................................................208
Task to Computer(s)
4.3.2
Flags
..............................................................................135
4.4.26
Triggers
..............................................................................209
4.3.3
Manage
..............................................................................135
Policies
4.3.4
Create a Policy for ERA Agent to connect to the new

ERA..............................................................................136
Server
4.5.1
Agent
..............................................................................211
Deployment
4.5.2
Delete
..............................................................................215
not connecting computers
4.3.5
Create a Policy to enable ERA Agent Password

protection
..............................................................................138
4.5.3
Generate
..............................................................................216
Report
4.3.6
Create a Policy for iOS MDM - Exchange ActiveSync

Account
..............................................................................141
4.5.4
Rename
..............................................................................218
computers
4.5.5
Static
..............................................................................218
Group Synchronization
4.3.7
Create a Policy to enforce restrictions on iOS and add

Wi-Fi
..............................................................................144
connection
4.5.5.1
Synchronization
..................................................................................219
mode - Active Directory
4.5.5.2
Static
..................................................................................220
Group Synchronization - Linux Computers
4.3.8
Create a Policy for MDC to activate APNS for iOS

enrollment
..............................................................................147
4.5.5.3
Synchronization
..................................................................................221
mode - VMware
4.3.9
How..............................................................................149
Policies are applied to clients
4.5.6
User..............................................................................222
Synchronization
4.3.9.1
Ordering
..................................................................................149
Groups
4.5.7
Triggers
..............................................................................224
4.3.9.2
Enumerating
..................................................................................150
Policies
4.5.7.1
Server
..................................................................................225
Trigger Wizard
4.3.9.3
Merging
..................................................................................151
Policies
4.5.7.2
Scheduling
..................................................................................225
Server Task
4.3.10
Configuration
..............................................................................151
of a product from ERA
4.5.7.3
Throttling
..................................................................................225
4.3.11
Assign
..............................................................................151
a Policy to a Group
4.3.12
Assign
..............................................................................153
a Policy to a Client
4.4 Client
....................................................................................................154
Tasks
4.5 Server
....................................................................................................210
Tasks
........................................................................228
too sensitive
4.5.7.3.1 Trigger is
4.5.7.4
Manage
..................................................................................228
Server Triggers
Trigger Sensitivity
4.5.7.4.1 Manage........................................................................229
........................................................................230
too often
4.5.7.4.2 Trigger fires
4.4.1
Client
..............................................................................155
Tasks executions
4.4.1.1
Progress
..................................................................................157
indicator
4.4.1.2
Status
..................................................................................158
icon
4.4.1.3
Drill
..................................................................................158
down
4.4.1.4
Trigger
..................................................................................160
4.4.2
Shutdown
..............................................................................161
computer
4.4.3
On-Demand
..............................................................................162
Scan
4.4.4
Operating
..............................................................................163
System Update
4.4.5
Quarantine
..............................................................................165
Management
4.4.6
Rogue
..............................................................................166
Detection Sensor Database Reset
4.4.7
Remote
..............................................................................167
Administrator Components Upgrade
4.4.8
Reset
..............................................................................169
Cloned Agent
4.4.9
Run..............................................................................170
Command
4.4.10
Run..............................................................................171
SysInspector Script
4.4.11
Server
..............................................................................172
Scan
4.4.12
Software
..............................................................................173
Install
4.4.13
Software
..............................................................................174
Uninstall
4.4.14
Product
..............................................................................176
Activation
4.4.15
SysInspector
..............................................................................177
Log Request
4.8.1
Users
..............................................................................247
4.4.16
Upload
..............................................................................178
Quarantined File
4.8.1.1
Create
..................................................................................247
a Native User
4.4.17
Virus
..............................................................................179
Signature Database Update
4.8.1.2
Mapped
..................................................................................248
Domain Security Group Wizard
4.4.18
Virus
..............................................................................180
Signature Database Update Rollback
4.8.1.3
Map
..................................................................................249
Group to Domain Security Group
4.4.19
Device
..............................................................................181
Enrollment - Client Task
4.8.1.4
Assign
..................................................................................250
User a Permission Set
4.4.19.1
Device
..................................................................................182
Enrollment Android
4.8.1.5
Two
..................................................................................251
Factor Authentication
4.4.19.2
Device
..................................................................................195
Enrollment iOS
4.8.2
Permission
..............................................................................251
Sets
4.8.2.1
Manage
..................................................................................252
Permission Sets
........................................................................231
4.5.7.4.3 CRON Expression
4.6 Notifications
....................................................................................................231
4.6.1
Notifications
..............................................................................232
Wizard
4.6.2
Manage
..............................................................................232
Notifications
4.6.3
How..............................................................................234
to configure an SNMP Trap Service
4.7 Certificates
....................................................................................................236
4.7.1
Peer..............................................................................236
Certificates
4.7.1.1
Create
..................................................................................237
a new Certificate
4.7.1.2
Export
..................................................................................238
Peer Certificate
4.7.1.3
APN
..................................................................................240
certificate
4.7.1.4
Show
..................................................................................241
revoked
4.7.1.5
Set
..................................................................................242
new ERA Server certificate
4.7.2
Certification
..............................................................................243
Authorities
4.7.2.1
Create
..................................................................................244
a new Certification Authority
4.7.2.2
Export
..................................................................................244
a Public Key
4.7.2.3
Import
..................................................................................245
a Public Key
4.8 Access
....................................................................................................246
Rights
Contents
4.9 Server
....................................................................................................253
Settings
4.9.1
Syslog
..............................................................................254
server
4.9.2
Export
..............................................................................255
logs to Syslog
4.10 License
....................................................................................................257
Management
4.10.1
Activation
..............................................................................259
5. Diagnostic
.......................................................262
Tool
6. FAQ.......................................................263
7. About
.......................................................265
ESET Remote Administrator
1. Administration
This section explaines how to manage and configure ESET Remote Administrator. The following chapters will show
you the recommended initial steps that should be taken after the installation of ESET Remote Administrator.
First steps - start setting things up.
Post Installation Tasks - learn how to get the most from ESET Remote Administrator and complete the
recommended steps for an optimal user experience.
ERA Web Console - the primary user interface for ESET Remote Administrator. Easy to use from any place or
device.
User Management - you can create a new User Group, add new Users, modify existing ones and synchronize with
Active Directory.
License Management - ESET Remote Administrator must be activated using an ESET-issued License key before you
can begin using it. See the License Management section for instructions on how to activate your product, or see
ESET License Administrator Online help for more information about using ESET License Administrator.
A fully customizable Dashboard gives you an overview of the security state of your network. The Admin section of
ESET Remote Administrator Web Console (ERA Web Console) is a powerful and user-friendly tool for managing
ESET products.
ERA Agent deployment - the ERA Agent must be installed on all client users that communicate with the ERA
Server.
Notifications - deliver relevant information in real time and Reports allows you to conveniently sort various types
of data that you can use later.
Mobile Device Management - you can install, enroll and set up your mobile devices.
2. First Steps
After you have successfully installed ESET Remote Administrator you can begin setting things up.
First, open ERA Web Console in your browser and log in.
Getting to know ERA Web Console
Before you begin initial setup, we recommend that you get to know the ERA Web Console, as it is the interface you
will use to manage ESET security solutions.
When you open ERA Web Console for the first time Post Installation Tasks will guide you through the recommended
steps to configure your system.
Creating/settings permissions for new users
During installation you created a default administrator account. We recommend that you save the Administrator
account and create a new account to manage clients and configure their permissions.
Adding client computers, servers and mobile devices on your network to ERA structure
During installation, you can choose to search your network for computers (clients). All clients found will be listed in
the Computers section when you start ESET Remote Administrator. If clients are not shown in the Computers
section, run the Static Group Synchronization task to search for computers and show them in groups.
Deploying an Agent
Once the computers are found, deploy the Agent on the client computers. The Agent provides communication
between ESET Remote Administrator and clients.
Installing ESET product (including activation)
To keep your clients and network secure, install ESET products. This is done using the Software Install task.
Creating/editing groups
We recommend that you sort clients into Groups, either Static or Dynamic, based on various criteria. This makes
managing clients easier and helps you keep an overview of your network.
Creating a new policy
Policies are used to distribute a specific configuration for ESET products running on client computers. They allow you
to avoid configuring ESET products on each client manually. Once you have created a new policy with your custom
configuration, you can assign it to a group (either static or dynamic) to apply your settings to all the computers in
that group.
Assigning a policy to a group
As explained above, a policy must be assigned to a group to take affect. Computers that belong to the group will
have this policy applied to them. The policy is applied and updated every time an Agent connects to ERA Server.
Setting up Notifications and creating Reports
We recommend that you use notifications and reports to monitor the status of client computers in your
environment. For example, if you want to be notified that a certain event occurred or want to view or download a
report.
2.1 Opening the ERA Web Console

There are multiple ways to open the ERA Web Console:
On your local server (the machine hosting your Web Console) type this URL into the web browser:
https://localhost/era/
From any place with internet access to your web server, type the URL in following format:
https://yourservername/era/
Replace "yourservername" with the actual name or IP address of your web server.
To log into the ERA Virtual appliance, use following URL:
https://[IP address]:8443/
Replace "[IP address]" with the IP address of your ERA VM. If you do not remember the IP address, see step 9 of
Virtual appliance deployment instructions.
On your local server (the machine hosting your Web Console), click Start > All Programs > ESET > ESET Remote
Administrator > ESET Remote Administrator Webconsole - a login screen will open in your default web browser.
This does not apply to the ERA Virtual appliance.
NOTE: Since the Web Console uses secure protocol (HTTPS), you might get a message in your web browser
regarding a security certificate or untrusted connection (exact wording of the message depends on the browser you
are using). This is because your browser wants you to verify the identity of the site you are trying to access. Click
Continue to this website (Internet Explorer) or I Understand the Risks, click Add Exception... and then click Confirm
Security Exception (Firefox) to allow access to the ERA Web Console. This only applies when you're trying to access
the ESET Remote Administrator Web Console URL.
When web server (that runs ERA Web Console) is up, the following screen is displayed.
If this is your first login, please provide the credentials you entered during the Installation process. For more details
about this screen, see Web Console login screen.
NOTE: In the rare case that you do not see the login screen or when the login screen appears to be constantly
loading, restart the ESET Remote Administrator Server service. Once the ESET Remote Administrator Server service is
8
up and running again, restart the Apache Tomcat service. After this, the Web Console login screen will load
successfully.
2.2 The ERA Web Console login screen

A user needs login credentials (username and password) to log into the Web Console. It is also possible to log in as a
domain user by selecting the check box next to Log into domain (a domain user is not related to any mapped domain
group). You can select your language from a list in the top right corner of the login screen. Select Allow session in
multiple tabs to allow users to open ERA Web Console in multiple tabs in your web browser.
NOTE: You receive the warning message Using unencrypted connection! Please configure the webserver to use
HTTPS when accessing the ESET Remote Administrator Web Console (ERA Web Console) via HTTP. For security
reasons, we recommend you to set up ERA Web Console to use HTTPS.
Change Password / Try different Account - allows you to change password or switch back to login screen. A user
without a permission set is allowed to log into the Web Console, but he will not see any relevant information.
To give a user read/write/modify permissions in Web Console modules, a proper Permission Set must be created
and assigned to the user.
Session management and security measures:
Login IP address lockout
After 10 unsuccessful login attempts from the same IP address, further login attempts from this IP address are
temporarily blocked for approximately 10 minutes. The IP address ban on login attempts does not affect existing
sessions.
Wrong session ID address lockout
After using an invalid session ID 15 times from the same IP address, all further connections from this IP address
are blocked for approximately 15 minutes. Expired session IDs are not counted in. If there is an expired session
ID in the browser, it is not considered an attack. The 15-minute IP address ban is for all actions (including valid
requests).
10
2.3 Getting to know ERA Web Console

ESET Remote Administrator Web Console is the main interface used to communicate with ERA Server. You can think
of it as a control panel, a central place from which you can manage all of your ESET security solutions. It is a webbased interface that can be accessed using a browser (see Supported Web browsers) from any place and any device
with internet access.
In the ERA Web Console standard layout:
The current user is always shown in upper right, where the timeout for his/her session counts down. You can click
Logout to log out at any time. When a session times out (because of user inactivity), a user must log in again.
You can click ? at the top of any screen to view help for that specific screen.
The Menu is accessible on the left at all times except when using a Wizard. Place your mouse on the left of the
screen to display the menu. The menu also contains Quick Links and displays your Web Console version.
The icon always denotes a context menu.
Click Refresh to reload/refresh displayed information.
Post-Installation Tasks show you how to get most from ESET Remote Administrator. These will guide you through
the recommended steps.
11
Screens with tree have specific controls. The tree itself is on the left with actions bellow. Click an item from the tree
to display options for that item.
12
Tables allow you to manage units from rows individually or in a group (when more rows are selected). Click a row to
display options for units in that row. Data in tables can be filtered and sorted.
Objects in ERA can be edited using Wizards. All Wizards share the following behaviors:
o Steps are vertically oriented from top to bottom.
o User can return to any step at any time.
o Invalid input data are marked when you move your cursor to a new field. The Wizard step containing invalid
input data is marked as well.
o User can check for invalid data any time by clicking Mandatory Settings.
o Finish is not available until all input data is correct.
13
2.4 Post Installation Tasks

We highly recommend you to go through the Post Installation Tasks as these will help you to with initial
configuration of ESET Remote Administrator.
Before you start

We invite you to visit instructional videos and the ESET Knowledgebase.
Users
You can create different users and configure their permissions to allow different levels of management in ESET
Remote Administrator.
Certificates
You can create Certification Authorities and Peer certificates for individual ESET Remote Administrator components
in to allow communication with ERA Server.
Licenses
ESET Remote Administrator from version 6 uses a completely new ESET licensing system, select the method you
want to use to add your new license.
Computers
Add devices to groups in ESET Remote Administrator.
Agents
There are multiple ways to deploy ERA Agent to client computers in your network.
Products
You can install software directly from the ESET repository or specify a file path to a shared folder with installation
packages.
SMTP Settings
ESET Remote Administrator can be configured to connect to your existing SMTP server which allows ERA to send
email messages, for example notifications, reports, etc.
14
2.5 Certificates
An important part of ESET Remote Administrator are certificates. Certificates are required for ERA components to
communicate with ERA Server.
You can use certificates that were created during ERA installation. Alternatively, you can use your custom
Certification Authority and Certificates. You can also Create Certification Authority (CA) or Import Public Key which
you will use to sign Peer Certificate for each of the components (ERA Agent, ERA Proxy, ERA Server, ERA MDM or
Virtual Agent Host).
2.6 Deployment
After the successful installation of ESET Remote Administrator, it is necessary to deploy the ERA Agent and ESET
Endpoint protection (EES, EEA...) to the computers in the network. Deployment consists of following steps:
1. Add client computers to ESET Remote Administrator groups structure.
2. ERA Agent deployment
3. ESET Endpoint protection deployment
Once the ERA Agent is deployed, you can perform remote installation of other ESET security products on your client
computers. The exact steps for remote installation are described in the Product installation chapter.
2.6.1 Add client computer to ERA structure

There are 3 ways to add client computer to ESET Remote Administrator:
Active Directory synchronization
Manually typing name/IP
Using RD Sensor
15
2.6.1.1 Using Active Directory synchronization

AD synchronization is performed by running the Static Group Synchronization server task.
Admin > Server Task is a pre-defined default task that you can choose to execute automatically during ESET Remote
Administrator installation. If the computer is in a domain, synchronization will be performed and computers from
the AD will be listed in a default group All.
To start the synchronization process just click the task and choose Run now. If you need to create a new AD
synchronization task, select a group to which you want to add new computers from the AD. Also select objects in the
AD you want to synchronize from and what to do with duplicates. Enter your AD server connection settings and set
the Synchronization mode to Active Directory/Open Directory/LDAP. Follow step-by-step instructions in this ESET
Knowledgebase article.
2.6.1.2 Manually typing name/IP

The Computers tab allows you to add New computers. This way, you can manually Add computers that are not found
or added automatically.
16
Type the IP address or host name of a machine you want to add and ESET Remote Administrator will search for it on
the network.
Click Add. Computers can be viewed in the list on the right when you select the group they belong to. Once the
computer is added, a pop-up window will open with the option to Deploy Agent.
2.6.1.3 Using RD Sensor

If you are not using AD synchronization, the easiest way to add a computer into the ERA structure is to use RD
Sensor. The RD Sensor component is part of the installation bundle. You can easily drill down the report Rogue
computers ratio, chart at the bottom of the Computers dashboard to view the rogue computers by clicking the red
part of the graph.
17
The Rogue computers report on the Dashboard now lists computers found by the RD Sensor. Computers can be
added by clicking the computer you want to Add, or you can Add all displayed items.
If you are adding a single computer, follow the instructions on screen. You can use a preset name or specify your
own (this is a display name that will be used in ERA Web Console only, not an actual host name). You can also add a
description if you want to. If this computer already exists in your ERA directory, you will be notified and can decide
what to do with the duplicate. The available options are: Deploy Agent, Skip, Retry, Move, Duplicate or Cancel. Once
the computer is added, a pop-up window will open with an option to Deploy Agent.
If you click Add all displayed items a list of computers to be added will be displayed. Click X next to the name of a
specific computer if you do not want to include it in your ERA directory at this time. When you are finished removing
computers from the list, click Add. After clicking Add, select the action to take when a duplicate is found (allow for a
slight delay depending on the number of computers in your list): Skip, Retry, Move, Duplicate or Cancel. Once you
have selected an option, a pop-up window listing all added computers will open with an option to Deploy Agents on
those computers.
The results of the RD Sensor scan are written to a log file called detectedMachines.log. It contains a list of
discovered computers on your network. You can find the detectedMachines.log file here:
18
Windows
C:\ProgramData\ESET\Rouge Detection Sensor\Logs\detectedMachines.log
Linux
/var/log/eset/RogueDetectionSensor/detectedMachines.log
2.6.2 Agent deployment

ERA Agent deployment can be performed in a few different ways. You can deploy the Agent:
Remotely using GPO and SCCM - we recommend you this method for mass deployment of the ERA Agent on client
computers (alternatively, you can use Server Task to deploy ERA Agent)
Locally - using an Agent installation package or Agent Live Installers, for example, if problems occur during remote
deployment
Local deployment can be performed in three ways:
Agent Live Installers - using a generated script from within the ERA Web Console, you can distribute Agent Live
Installers via email or run them from removable media (USB flash drive, etc.)
Server assisted installation - using the Agent installation package downloads certificates from the ERA Server
automatically (recommended local deployment method)
Offline installation - using the Agent installation package, you must manually export certificates and use them in
this deployment method
The Remote Agent deployment server task can be used for mass distribution of the Agent to client computers. It is
the most convenient distribution method since it can be performed from Web Console without the need to deploy
the Agent to each computer manually.
ERA Agent is very important because ESET security solutions running on client computers communicate with ERA
Server exclusively through the Agent.
NOTE: Should you experience problems when deploying the ERA Agent remotely (the Server task Agent
deployment fails) see the Troubleshooting guide.
2.6.2.1 Deployment steps - Windows

1. Make sure all prerequisites are met:
ERA Server and the ERA Web Console are installed (on a Server computer).
An Agent certificate is created and prepared on your local drive.
A Certification Authority is prepared on your local drive.
The Server computer must be accessible from the network.
NOTE: Should you experience problems when deploying ERA Agent remotely - the Server task Agent deployment
ends with status Failed - see the Troubleshooting guide.
2. Double-click the installation package to begin installation.
3. Enter a Server host (hostname/ip address) and a Server port (by default 2222) in the appropriate fields. These are
used for connection to the ERA Server.
4. Select a peer certificate and a password for this certificate. Optionally, you can add a certification authority. This
is only required for unsigned certificates.
5. Select a folder where the ERA Agent will be installed, or leave the pre-defined folder selected.
6. Click Install. The ERA Agent will be installed on your computer.
NOTE: If a detailed log from the installation is required, the user must start the installation through the msiexec
program, and supply the needed parameters:
msiexec /i program_installer.msi /lv* c:\temp\installer_log.txt
The folder c:\temp\ must exist prior to executing this command.

19
You can check the status log on the client machine C:\ProgramData\ESET\RemoteAdministrator\Agent\Logs
\status.html to make sure ERA Agent is working properly.
2.6.2.1.1 Agent Live Installers

This type of Agent deployment is useful when the remote and local deployment options do not suit you. In such
cases, you can distribute the Agent Live Installer via email and let the user deploy it. You can also run the Agent Live
Installer from removable media (USB flash drive, etc.).
NOTE: The client machine needs to have an internet connection to download the Agent installation package.
Also, the client needs to be able to connect to the ERA Server. You can use the following written instructions in our
1. Click Agent Live Installers... in the Quick Links section of the menu bar to create the installer.
2. Enter the server hostname or IP address and select the ERA Certification Authority that you created during initial
installation. Enter the Certification Authority passphrase that you created during Server Installation when
prompted for the certificate password.
20
3. Click Get Installers to generate links for Windows, Linux and MAC Agent installer files.
4. Click the Download link next to the installer file(s) that you want to download and save the zip file. Unzip the file
on the client computer where you want to deploy ERA Agent and run EraAgentOnlineInstaller.bat (Windows)
or EraAgentOnlineInstaller.sh script (Linux and Mac) to run the installer. How to deploy the ERA Agent on a
MAC OS X client using the Agent Live Installer see our KB article.
NOTE: If you are running the script on Windows XP SP2, you need to install Microsoft Windows Server 2003
Administration Tools Pack. Otherwise, the Agent Live Installer won't run properly. Once you have installed the
Administration Pack, you can run the Agent Live Installer script.
You can check the status log on the client machine C:\ProgramData\ESET\RemoteAdministrator\Agent\Logs
\status.html to make sure ERA Agent is working properly. If there are problems with the Agent (for example, it is
not connecting to the ERA Server) see troubleshooting.
If you want to deploy ERA Agent using Agent Live Installer from your local shared folder without ESET Repository
Download Server, follow these steps:
1. Edit the EraAgentOnlineInstaller.bat file (Windows) or EraAgentOnlineInstaller.sh script (Linux and Mac).
2. Change lines 28 and 30 to point to the correct local download files. For example:
3. Use your own URL (instead of the one shown below):
4. Edit line 80 to replace " ^& packageLocation ^& "
with !url!
5. Save the file.
21
2.6.2.1.2 Deploy Agent locally

To deploy the ERA Agent locally on a client computer using installation wizard, follow the steps below:
Download the ERA Agent installation package from the download section of the ESET website under Remote
Administrator 6 (click the + sign to expand the category) in ESET Remote Administrator Standalone Installers are
available components for download. Run the installer on client machine you want to deploy the Agent to. Also, you
can use this ESET Knowledgebase article with illustrated step-by-step instructions.
1. Server assisted installation:
Make sure Server assisted installation is selected, specify your Server host (name or IP address) and the Server port
of your ERA Server and then click Next. The default Server port is 2222, if you are using a different port, replace the
default port with your custom port number.
Specify the method used for connection to Remote Administrator Server: ERA Server or ERA Proxy Server and ERA
Web Console port and enter your ERA Web Console login credentials: Username and Password.
22
Click Choose custom Static Group and select the Static Group to which the client computer will be added using the
drop-down menu.
23
2. Offline installation:
To perform an Offline installation, enter 2222 in the Server port field, select Offline installation and click Next. For
this method you must specify a Peer certificate and Certification Authority.
For more information about how to export and use a Peer certificate and Certification Authority click here.
NOTE: You can check the status log on a client machine (located at C:\ProgramData\ESET\RemoteAdministrator
\Agent\EraAgentApplicationData\Logs\status.html or C:\Documents and Settings\All Users\Application Data\Eset
\RemoteAdministrator\Agent\EraAgentApplicationData\Logs\status.hmtl) to make sure the ERA Agent is working
properly. If there are problems with the Agent (for example, if it is not connecting to the ERA Server) see
troubleshooting.
24
2.6.2.1.3 Deploy Agent remotely

There are two options for remote deployment of the ERA Agent. You can use a Server task as described below or you
can deploy the Agent using GPO and SCCM.
Remote deployment of the ERA Agent using a Server task is performed from the Admin section. You can use the
following written instructions in our Knowledgebase article.
NOTE: We recommend that you test mass Agent deployment in your environment before using it to deploy the
ERA Agent to large groups of clients. Before testing mass deployment, set the Agent connection interval to your
preference.
Click Server Task > Agent Deployment > New to start configuring your new task.
Basic
25
Enter basic information about the task, such as the Name, Description (optional) and Task Type. The Task Type
defines the settings and behavior of the task.
26
Settings
o Automatic resolution of suitable ERA Agent - If you have multiple operating systems (Windows, Linux, Mac OS)
in your network, select this option and this task will automatically find the appropriate server-compatible Agent
installation package for each system.
o Targets - Click this to select the clients that will be the recipients of this task.
o Username/Password - The username and the password for the user with sufficient rights to perform a remote
installation of the agent.
o Server hostname (optional) - You can enter a server hostname if it is different on the client side and the server
side.
o Peer certificate/ERA Certificate - This is the security certificate and certification authority for the agent
installation. You can select the default certificate and certification authority, or use custom certificates. For
more information, see the Certificates chapter.
o Custom certificate - If you use a custom certificate for authentication, navigate to the certificate and select it
when installing the Agent.
o Certificate passphrase - Password for the certificate, either the password you entered during Server installation
(in the step where you created a certification authority) or the password for your custom certificate.
NOTE: ERA Server can select the appropriate ERA Agent installation package for operating systems automatically.
To choose a package manually, deselect Automatic resolution of suitable Agent and then choose the package you
want to use from the list of available Agents in ERA repository.
Target
The Target window allows you to specify the clients (individual computers or groups) that are the recipients of this
task. Click Add Targets to display all Static and Dynamic Groups and their members.
27
Select clients, click OK and proceed to the Trigger section.

Trigger - Determines what event triggers the task.
As Soon As Possible - Executes the task as soon as the client connects to ESET Remote Administrator Server and
receives the task. If the task cannot be performed until the Expiration date, the task will be removed from the
queue - the task will not be deleted, but it will not be executed.
Scheduled Trigger - Executes the task at a selected time. You can schedule this task once, repeatedly or using a
CRON Expression.
Event Log Trigger - Executes the task based on events specified here. This trigger is invoked when a certain
event occurs in logs. Define the log type, logical operator and filtering criteria that will trigger the task.
Joined Dynamic Group Trigger - This trigger executes the task when a client joins the Dynamic Group selected in
the target option. If a Static Group or individual client(s) have been selected, this option will not be available.
NOTE: For more information about triggers, proceed to the Triggers chapter.
Advanced settings - Throttling - Throttling is used to restrict a task from being executed if a task is triggered by a
frequently occurring event, for example the Event Log Trigger or the Joined Dynamic Group Trigger (see above). For
more information, see the Throttling chapter.
Click Finish when you have defined the recipients of this task and the triggers that execute the task.
Summary
All configured options are displayed here. Review the settings and click Finish if they are ok. The task is now created
and ready to be used.
NOTE: Should you experience problems when deploying ERA Agent remotely (the Server task Agent deployment
fails) see the Troubleshooting section of this guide.
28
2.6.2.2 Deployment steps - Linux

These steps apply when performing a local installation of the Agent. If you want to deploy the Agent on multiple
computers, see the Agent Deployment section.
Make sure the following prerequisites are met:
ERA Server and the ERA Web Console installed (on a Server computer).
An Agent certificate created and prepared on your local drive.
Certification Authority prepared on your local drive.
The Server computer must be accessible from the network.
The Agent installation file must be set as an executable (chmod +x).
The Agent is installed by running a command in the terminal (see the example below).
Example
(New l i nes a re denoted by "\" to ma ke i t ea s i er to copy thi s s tri ng i nto Termi na l )
./Agent-Linux-i686-1.0.387.0.sh --skip-license --cert-path=/home/adminko/Desktop/agent.pfx \
--cert-auth-path=/home/adminko/Desktop/CA.der --cert-password=N3lluI4#2aCC \
--hostname=10.1.179.36 --port=2222
ERA Agent and the eraagent.service will be installed in the following location:
/opt/eset/RemoteAdministrator/Agent
Installation parameters
Attribute
Description
--skip-license
Installation will not ask user for license agreement confirmation
--cert-path
Local path to Agent's Certificate file
--cert-auth-path
Path to the Server's Certification Authority file
--cert-password
Must match the Agent certificate password
--hostname
Connection to the server (or proxy) in one of the following formats: hostname,
IPv4, IPv6 or SRV record
--port
Listening port - both for the Server and the Proxy (2222)
To verify a correct installation, run the following command:

sudo service eraagent status
NOTE: When you use a certificate that you created, signed by an authority other than the ERA Certification
Authority, it is necessary to leave the parameter --cert-auth-path out of the installation script, because the other
Certification Authority is already installed on your Linux OS (and also on your Server computer).
ends with a Failed status) see the Troubleshooting guide.
You can check the status log on the client machine /var/log/eset/RemoteAdministrator/Agent/trace.log or /var/log/
eset/RemoteAdministrator/Agent/status.html to make sure ERA Agent is working properly.
29
2.6.2.3 Deployment steps - OS X

1. Make sure all prerequisites are met:
ERA Server and the ERA Web Console are installed (on a Server computer).
An Agent certificate is created and prepared on your local drive.
A Certification Authority is prepared on your local drive.
ends with a Failed status) see the Troubleshooting guide.
2. Double click the .dmg file to start installation.
3. Enter the Server connection data: Server host (hostname or IP address of the ERA Server) and the Server port (by
default 2222).
4. Select a Peer certificate and a password for this certificate. Optionally, you can add a Certification authority. This
is only needed for unsigned certificates.
5. Review the install location and click Install. The Agent will be installed on your computer.
6. The ERA Agent log file can be found here: /Library/Application Support/com.eset.remoteadministrator.agent/
Logs/ or /Users/%user%/Library/Logs/EraAgentInstaller.log
2.6.2.4 Agent protection

The ERA Agent is protected by a built-in self-defense mechanism. This feature provides the following:
Protection against modification of ERA Agent registry entries (HIPS)
Files that belong to ERA agent cannot be modified, replaced, deleted or altered (HIPS)
ERA Agent Process cannot be killed
The ERA Agent Service cannot be stopped, paused, disabled, uninstalled or otherwise compromised
Some of the protection is being taken care of by the HIPS feature, which is part of your ESET security product (for
example ESET Endpoint Security).
NOTE: To ensure full protection of the ERA Agent, HIPS must be enabled on a client computer.
Password protected setup
In addition to self-defense, you can password protect access to the ERA Agent (available for Windows only). When a
password is used, the ERA Agent cannot be uninstalled or repaired unless the correct password is provided. To set
an ERA Agent password you need to create a policy for ERA Agent.
2.6.2.5 Troubleshooting - Agent deployment

You may encounter problems with ERA Agent deployment. If deployment fails, there are a number of things that
might be the cause. This section will help you:
o Find out what caused ERA Agent deployment to fail
o Check for possible causes according to the table below
o Resolve the issue and perform a successful deployment
Windows
1. To find out why Agent deployment failed, navigate to Reports > Automation, select Agent Deployment task
information in last 30 days and click Generate now.
A table will displayed deployment information. The Progress column displays error messages about why Agent
deployment failed.
If you need even more details, you can change the verbosity of the ERA Server trace log. Navigate to Admin > Server
Settings > Advanced Settings > Logging and select Error from the drop-down menu. Run the Agent deployment again
and when it fails check the ERA Server trace log file for the latest log entries at the bottom of the file. The report will
include suggestions about how to resolve the issue.
30
The latest ERA Server log file can be found here: C:\ProgramData\ESET\RemoteAdministrator\Server
\EraServerApplicationData\Logs\trace.log
The latest ERA Agent log file can be found here:
C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs
C:\Documents and Settings\All Users\Application Data\ESET\RemoteAdministrator\Agent\EraAgentApplicationData
\Logs
To enable full logging, create a dummy file named traceAll without an extension in the same folder as a trace.log.
Restart the ESET Remote Administrator Server service, this will enable full logging into trace.log file.
NOTE: In case of ERA Agent connection problems, see Troubleshooting - Agent connection for more information.
If the installation failed with error 1603, check ra-agent-install.log file. It can be found here: C:\Users\%user%
\AppData\Local\Temp\ra-agent-install.log on the target computer.
2. The table below contains several reasons Agent deployment can fail:
Error message
Could not connect
Access denied
Package not found in repository
Possible cause
Client is not reachable on the network
Client's host name could not be resolved
Firewall blocks communication
Ports 2222 and 2223 are not open in firewall (on both client and server side)
No password set for administrator account
Insufficient access rights
ADMIN$ administrative share is not available
IPC$ administrative share is not available
Use simple file sharing is enabled
Link to the repository is incorrect
Repository is unavailable
Repository doesnt contain required package
3. Follow the appropriate troubleshooting steps according to the possible cause:

o Client is not reachable on the network - ping the client from the ERA Server, if you get a response, try to log on
to the client machine remotely (for example, via remote desktop).
o Client's host name could not be resolved - possible solutions to DNS issues can include but are not limited to:
Using the nslookup command of the IP address and hostname of the server and/or the clients having Agent
deployment issues. The results should match the information from the machine. For instance, an nslookup
of a hostname should resolve to the IP address an ipconfig command shows on the host in question. The
nslookup command will need to be run on the clients and the server.
Manually examining DNS records for duplicates.
o Firewall blocks communication - check the firewall settings on both the server and the client, as well as any
other firewall that exists between these two machines (if applicable).
o Ports 2222 and 2223 are not open in firewall - same as above, make sure that these ports are open on all
firewalls between the two machines (client and server).
o No password set for administrator account - set a proper password for the administrator account (do not use a
blank password)
o Insufficient access rights - try using the Domain Administrator's credentials when creating an Agent deployment
task. If the client machine is in a Workgroup, use the local Administrator account on that particular machine.
o ADMIN$ administrative share is not available - The client machine must have the shared resource ADMIN$
activated, make sure it is present among the other shares (Start > Control Panel > Administrative Tools >
Computer Management > Shared Folders > Shares).
31
o IPC$ administrative share is not available - verify that the client can access IPC by issuing the following from a
command prompt on the client:
net use \\servername\IPC$
where servername is the name of the ERA Server

o Use simple file sharing is enabled - if you are getting the "Access denied" error message and your environment
is mixed (contains both a Domain and Workgroup), disable Use simple file sharing or Use Sharing Wizard on all
machines that are having problems with Agent deployment. For example, in Windows 7 do the following:
Click Start, type folder into the Search box, and then click Folder Options. Click the View tab and in the
Advanced settings box, scroll down the list and deselect the check box next to Use Sharing Wizard.
o Link to the repository is incorrect - In ERA Web Console, navigate to Admin > Server Settings, click Advanced
settings > Repository and make sure the URL of the repository is correct.
o Package not found in repository - this error message usually appears when there is no connection to the ERA
repository. Check your Internet connection.
NOTE: For later Windows operating systems (Windows 7, Windows 8, etc.) the Administrator user account must
be activated in order to run the Agent deployment task.
To activate the Administrator user account:
1. Open an administrative command prompt
2. Enter the following command:
net user administrator /active:yes
Linux and Mac OS

If Agent deployment does not work on Linux or Mac OS, the issue is usually related to SSH. Check the client
computer and make sure SSH daemon is running. Once fixed, run Agent deployment again.
32
2.6.2.6 Troubleshooting - Agent connection

When a client computer does not appear to be connecting to your ERA Server, we recommend that you perform ERA
Agent troubleshooting locally on the client machine.
By default, the ERA Agent synchronizes with ERA Server every 20 minutes. You can change this setting by creating a
new policy for the ERA Agent Connection Interval.
Check the latest ERA Agent log file. It can be found here:
C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs
C:\Documents and Settings\All Users\Application Data\ESET\RemoteAdministrator\Agent\EraAgentApplicationData
\Logs
NOTE: To enable full logging, create a dummy file named traceAll without an extension in the same folder as a
trace.log and then restart the ESET Remote Administrator Server service. This will enable full logging in the trace.log
file.
last-error.html protocol (table) that displays the last error recorded while the ERA Agent is running.
software-install.log text protocol of the last remote installation task performed by the ERA Agent.
status.html a table showing the current state of communications (synchronization) of ERA Agent with ERA
Server.
trace.log a detailed report of all ERA Agent activity including any errors that have been recorded.
The most common issues that can prevent the ERA Agent from connecting to the ERA Server are:
Your Internal network is not configured properly. Make sure that the computer where ERA Server is installed can
communicate with client computers where ERA Agent is installed.
Your ERA server is not configured to listen on port 2222.
DNS is not working properly, or ports are blocked by a firewall - check our list of ports used by ESET Remote
Administrator, or see our KB article What addresses and ports on my third-party firewall should I open to allow
full functionality for my ESET product?.
An Erroneously generated certificate containing false or limited features that do not match the public key of ERA
Server Certification Authority is in place - create a new ERA Agent certificate to resolve this.
2.6.3 Agent deployment using GPO and SCCM

After a successful installation of ESET Remote Administrator, it is necessary to deploy the ERA Agent and ESET
security products to client computers in your network.
Apart from local deployment or remote deployment using a Server task, you can also use management tools such as
GPO, SCCM, Symantec Altiris or Puppet. CLick the appropriate link below to view step-by-step instructions for two
popular ERA Agent deployment methods:
1. Deployment of ERA Agent using GPO
2. Deployment of ERA Agent using SCCM
33
2.6.3.1 Creating MST file

Before you deploying the ERA Agent installer file, you need to create a transform .mst file with settings for ERA
Agent. Install Orca (it is part of the Windows SDK). For more information about Orca see http://
support.microsoft.com/kb/255905/
1. Download the ERA Agent installer. For example, you can use Agent-6.1.365.0_x64.msi which is a component of
ERA version 6.1.28.0 for 64-bit systems. See our knowledgebase article for the list of ERA component versions.
2. Open Orca by clicking Start > Programs > Orca.
3. Click File in the top menu and then click Open and browse for Agent-6.1.365.0_x64.msi file.
4. Click Transform in the top menu and select New Transform.
34
6. Click Property.
35
7. Right-click anywhere in the list of property values and select Add Row from the context menu.
8. Add the property P_HOSTNAME and type the hostname or IP address of your ERA Server into the Value field.
9. Repeat steps 7 and 8 to add the property P_PORT, where the value is the port used to connect to your ERA Server
(2222) by default.
10. For ERA Agent, insert the Peer certificate ( .pfx) signed by your Certification Authority stored in ERA Server's
database. Insert the Public key of the Certification Authority ( .der file) which was used to sign your ERA Server
Peer certificate.
There are two ways to insert certificates:
1. You can insert the contents of the certificate and public key encoded in Base64 format (no certificate files will be
needed).
In ERA Web Console, navigate to to Admin > Certificates > Peer Certificate, click Agent Certificate and choose
Export as Base64...
Navigate to Admin > Certificates > Certification Authorities, click ERA Certification Authority and choose
Export
Public Key as Base64
Add the contents of the exported certificate and public key into the Property table in Orca using the following
property names:
Property name
Value
P_CERT_CONTENT
<peer certificate in Base64 format>
P_CERT_PASSWORD
<password for the peer certificate (dont add this when password is empty)>
P_CERT_AUTH_CONTENT
<exported public key of the Certification Authority in Base64 format>
P_CERT_AUTH_PASSWORD
<password for the Certificate Authority (dont add this when password is empty)>
36
New properties will be highlighted in green, click Transform and select Generate transform... to create a .mst file.
2. You can download the certificate files and make them accessible from the target machine. Export the Agent Peer
Certificate and Public Key file from Certification Authority of ERA Server and place them into a folder accessible
from the target machine where ERA Agent will be installed.
Go to Admin > Certificates > Peer Certificate, click Agent Certificate and choose
Export...
Go to Admin > Certificates > Certification Authorities, click Certification Authority and choose
Export Public Key
Use the exported files and add their path into the Properties table with Orca using following property names:
37
Property name
Value
P_CERT_PATH
<path to the exported .pfx certificate> (specify path to the certificate file including
extension)
P_CERT_PASSWORD
<password for the .pfx certificate (dont add this when password is empty)>
P_CERT_AUTH_PATH
<path to the exported Public Key of the Certification Authority>
P_CERT_AUTH_PASSWORD
<password for the Certificate Authority (dont add this when password is empty)>
The added properties will be highlighted in green, click Transform and select Generate transform... to create a
.mst file.
Command (if you generated a transform file with the name AgentSettings): msiexec
/i Agent-
6.1.265.0_x64.msi /qn TRANSFORMS=AgentSettings.mst
To create a log from the installation run this command instead: msiexec
/i Agent-6.1.265.0_x64.msi /qn
TRANSFORMS=AgentSettings.mst /L*v! log.txt
2.6.3.2 Deployment steps - GPO

Follow the steps below or see our Knowledgebase article to deploy the ERA Agent to clients using GPO:
1. Download the ERA Agent installer .msi file from ESET download page.
2. Create an ERA Agent Installer transform .mst file.
3. Put the ERA Agent installer .msi file and transform .mst file in a shared folder that can be accessed by your target
client(s).
NOTE: Client computers will require read/execute access to this shared folder.
4. Use an existing Group Policy Object or create a new one (right-click GPO and click New). In the GPMC (Group
Policy Management Console) tree, right-click the GPO you want to use and select Edit...
38
5. In Computer Configuration, navigate to Policies > Software Settings > Software Settings.
6. Right-click Software installation, select New, and click Package... to create a new package configuration.
7. Browse to the location of the ERA Agent .msi file. In the Open dialog box, type the full Universal Naming
Convention (UNC) path of the shared installer package that you want to use. For example \\fileserver\share
\filename.msi
39
NOTE: Make sure that you use the UNC path of the shared installer package.
8. Click Open and choose the Advanced deployment method.
9. This will allow you to configure deployment options. Select the Modifications tab and browse for the ERA Agent
Installer transform .mst file.
40
NOTE: The path must point to the same shared folder as the one used step 7.
10. Confirm the package configuration and proceed with GPO deployment.
41
2.6.3.3 Deployment steps - SCCM

Follow the steps below or see our Knowledgebase article to deploy the ERA Agent to clients using SCCM:
1. Download the ERA Agent installer .msi file from ESET download page.
2. Create an ERA Agent Installer transform .mst file.
3. Put the ERA Agent installer .msi file and transform .mst file on a shared folder.
NOTE: Client computers will require read/execute access to this shared folder.
4. Open SCCM console and click Software Library. In Application Management right-click Applications and choose
Create Application. Choose Windows Installer (*.msi file) and locate the source folder where you saved the ERA
Agent installer .msi file.
42
5. Specify all required information about the application and click Next.
43
6. Right-click the ESET Remote Administrator Agent Application, click the Deployment Types tab, select the only
deployment there and then click Edit.
44
7. Click the Programs tab and edit the Installation program field so that it reads msiexec/iAgent_x64.msi/qn
TRANSFORMS="Agent_x64.mst (if you are using 32-bit packages, this string will vary slightly as "x32" will appear
where "x64" does in the example).
8. Edit the Uninstall program field so that it reads msiexec/x {424F1755-2E58-458F-8583-4A2D08D8BBA8} /qn /
norestart.
45
9. Click the Requirements tab and then click Add. Select Operating system from the Condition drop-down menu,
select One of from the Operator drop-down menu and then specify the operating systems you will install to by
selecting the appropriate check box(es). Click OK when you are finished and then click OK to close any remaining
windows and save your changes.
46
47
10. In the System Center Software Library, right-click your new application and select Distribute Content from the
context menu. Follow the prompts in the Deploy Software Wizard to complete deployment of the application.
48
49
11. Right-click the application and choose Deploy. Follow the wizard and choose the collection and destination
where you want to deploy the agent.
50
51
52
53
54
55
56
57
2.6.4 Product installation

ESET security products can be installed remotely by clicking the desired client computer and selecting New, or by
creating a new Software Install task under Admin > Client Tasks. Click New... to begin setting up your new task.
The Client Task Execution display shows you the current status of Client Tasks and includes a Progress indicator for
the selected task.
Basic
Enter Basic information about the task, such as the Name, optional Description and the Task Type. The Task Type
(see the list above) defines the settings and the behavior for the task.
Target
IMPORTANT: A Client Task must be defined before you can assign it to targets. First, configure the task under
Settings and click Finish. You will then be able to assign targets and configure any Triggers you want to use for this
task.
58
Settings
Click <Choose ESET License> and select the appropriate license for the installed product from the list of available
licenses. Select the check box next to I agree with application End User License Agreement if you agree. See License
Management or EULA for more information.
Click <Choose package> to select an installer package from the repository, or specify a package URL. A list of
available packages where you can select the ESET product you want to install (for example, ESET Endpoint Security)
will be displayed. Select your desired installer package and click OK. If you want to specify an installation package
URL, type or copy and paste the URL (for example file://\\pc22\install\ees_nt64_ENU.msi) into the text field (do not
use a URL that requires authentication).
http://server_address/ees_nt64_ENU.msi - If you are installing from a public web server or from your own HTTP
server.
file://\\pc22\install\ees_nt64_ENU.msi - if you are installing from a network path.
file://C:\installs\ees_nt64_ENU.msi - if you are installing from a local path.
NOTE: Please note that both ERA Server and ERA Agent must have access to the internet to access the repository
and complete the installation. If you do not have internet access, you can install the client software locally.
If you need to, you can specify Installation parameters, otherwise leave this field empty. Select the check box next
to Automatically reboot when needed to force an automatic reboot of the client computer after installation.
Alternatively, you can leave this option unchecked and the decision to restart can be made by someone using the
client computer.
Summary
Review the summary of configured settings and click Finish. The Client Task is now created and a dialog box will
open. We recommend that you click Create Trigger to specify when this Client Task should be executed and on what
Targets. If you click Close, you can create a Trigger later on.
59
2.6.4.1 Product installation (command line)

The following settings are intended for use only with the reduced, basic and none user interface settings. See
documentation for the msiexec version used for the appropriate command line switches.
Supported parameters:
APPDIR=<path>
o path - Valid directory path.
o Application installation directory.
o For example: ees_nt64_ENU.msi /qn
APPDIR=C:\ESET\ ADDLOCAL=DocumentProtection
APPDATADIR=<path>
o Application Data installation directory.
MODULEDIR=<path>
o Module installation directory.
ADDEXCLUDE=<list>
o The ADDEXCLUDE list is a comma-separated list of all feature names not to be installed, as a replacement for the
obsolete REMOVE.
o When selecting a feature not to install, then the whole path (i.e., all its sub-features) and related invisible
features must be explicitly included in the list.
o For example: ees_nt64_ENU.msi /qn ADDEXCLUDE=Firewall,Network
NOTE: The ADDEXCLUDE cannot be used together with ADDLOCAL.
ADDLOCAL=<list>
o Component installation - list of non-mandatory features to be installed locally.
o Usage with ESET .msi packages: ees_nt64_ENU.msi /qn ADDLOCAL=<list>
o For more information about the ADDLOCAL property see http://msdn.microsoft.com/en-us/library/aa367536%
28v=vs.85%29.aspx
Rules
o The ADDLOCAL list is a comma separated list of all feature names to be installed.
o When selecting a feature to install, the whole path (all parent features) must be explicitly included in the list.
o See additional rules for correct usage.
Feature Presence
o Mandatory - the feature will always be installed.
o Optional - the feature can be deselected for install.
o Invisible - logical feature mandatory for other features to work properly.
o Placeholder - feature with no effect on the product, but must be listed with sub-features.
Feature tree of Endpoint 6.1 is following:
Feature tree
Feature Name
Feature Presence
Computer
Computer / Antivirus and antispyware
Computer
Antivirus
Mandatory
Mandatory
60
Computer / Antivirus and antispyware > Real-time file

system protection
Computer / Antivirus and antispyware > Computer scan
Computer / Antivirus and antispyware > Document
protection
Computer / Device control
Network
Network / Personal Firewall
Web and e-mail
Web and e-mail ProtocolFiltering
Web and e-mail / Web access protection
Web and e-mail / E-mail client protection
Web and e-mail / E-mail client protection / MailPlugins
Web and e-mail / E-mail client protection / Antispam
protection
Web and e-mail / Web control
Update mirror
Microsoft NAP support
RealtimeProtection
Mandatory
Scan
DocumentProtection
Mandatory
Optional
DeviceControl
Network
Firewall
WebAndEmail
ProtocolFiltering
WebAccessProtection
EmailClientProtection
MailPlugins
Antispam
Optional
Placeholder
Optional
Placeholder
Invisible
Optional
Optional
Invisible
Optional
WebControl
UpdateMirror
MicrosoftNAP
Optional
Optional
Optional
Additional rules
o If any of the WebAndEmail feature/s are selected to be installed, the invisible ProtocolFiltering feature must
be included in the list.
o If any of the EmailClientProtection sub-features/s is selected to be installed, the invisible MailPlugins feature
must be explicitly included in the list
Examples:
ees_nt64_ENU.msi /qn ADDLOCAL=WebAndEmail,WebAccessProtection,ProtocolFiltering
ees_nt64_ENU.msi /qn ADDLOCAL=WebAndEmail,EmailClientProtection,Antispam,MailPlugins
List of CFG_ properties:

CFG_POTENTIALLYUNWANTED_ENABLED=1/0
0 - Disabled, 1 - Enabled
PUA
CFG_LIVEGRID_ENABLED=1/0
LiveGrid
FIRSTSCAN_ENABLE=1/0
0 - Disable, 1 - Enable
Schedule a new FirstScan after installation.
CFG_EPFW_MODE=0/1/2/3
0 - Automatic, 1 - Interactive, 2 - Policy, 3 - Learning
CFG_PROXY_ENABLED=0/1
CFG_PROXY_ADDRESS=<ip>
Proxy IP address.
CFG_PROXY_PORT=<port>
Proxy port number.
CFG_PROXY_USERNAME=<user>
User name for authentication.
CFG_PROXY_PASSWORD=<pass>
Password for authentication.
61
2.6.4.2 List of problems when installation fails

Installation package not found.
Required newer version of the Windows Installer Service.
Another version or conflicting product is already installed.
Another installation is already in progress. Complete that installation before proceeding with this install.
Installation or uninstallation finished successfully but computer restart is required.
Task failed - there was an error, you need to look at the Agent trace log and check the return code of the installer.
2.6.5 Desktop Provisioning

See Supported Desktop Provisioning Environments for details.
2.7 Working with ESET Remote Administrator

All clients are managed through the ERA Web Console. You can access the Web Console from any device using a
compatible browser. The Web Console is divided into three main sections:
1. At the top of the Web Console, you can use the Quick Search tool. Type a Client name or IPv4/IPv6 Address and
click the magnifier symbol or press Enter. You will be redirected to the Groups section where the relevant
client(s) will be displayed.
2. The menu on the left contains the main sections of ESET Remote Administrator and the following Quick links:
Dashboard
Computers
Threats
Reports
Admin
Quick links
New Native User
New Policy
New Client Task
Agent Live Installers
3. Buttons on the bottom of the page are unique for each section and function, and are described in detail in their
respective chapters.
NOTE: One button is common for all new items - Mandatory Settings. This red button is displayed when
mandatory settings have not been configured and therefore creation can not continue. This is also indicated by a red
exclamation mark next to each section. Click Mandatory Settings to navigate to the section where the settings in
question are located.
General rules
Required (mandatory) settings are always marked with a red exclamation mark next to the section and the
respective settings. To navigate to mandatory settings (if applicable), click Mandatory settings at the bottom of
each page.
If you need help when working with ESET Remote Administrator, click the ? icon in the top right corner or navigate
to the bottom of the pane on the left and click Help. The respective help window for the current page will be
displayed.
The Admin section is for specific configuration, read the Admin chapter for more information. This sections
demonstrates how to Add computer or Mobile devices to a groups. How to create new policy and assign a policy to
a group.
62
2.7.1 Add computers to groups

Client computers can be added to groups. This helps you keep the computers structured and arranged to your liking.
You can add computers to either a Static or Dynamic Group.
Static Groups are managed manually and Dynamic Groups are arranged automatically based on specific criteria in a
template. Once the computers are in groups, you can assign policies, tasks or settings to these groups. The policy,
task or setting is then applied to all the members of the group. The correlation between groups and tasks/policies is
described here:
Static Groups
Static Groups are groups of manually selected and configured clients. Their members are static and can only be
added/removed manually, not based on dynamic criteria.
Dynamic Groups
Dynamic Groups are groups of clients where membership in the group is determined by specific criteria. If a client
does not meet the criteria, it will be removed from the group. Computers that meet the criteria will be added to the
group automatically - hence the name Dynamic.
2.7.1.1 Static groups

Static Groups are used to manually sort client computers into groups and subgroups. You can create custom Static
Groups and move desired computers into them.
Static Groups can be created only manually. Client computers can then be moved manually into these groups. Each
computer can belong only to one Static Group.
There are two default Static Groups:
All - This is a main group for all computers in ERA Servers network. It is used for applying of Policies for each
computer as a default policy. The group is always displayed and it is not allowed to change Groups name by
editing the group.
Lost & Found as a child group of group All - Each new computer that first time connects with Agent to server is
automatically displayed in this group. The group can be renamed, copied but it can't be deleted or moved.
You can create Static Groups in the Group section of the Admin tab by clicking the Groups button and selecting New
Static Group.
63
2.7.1.1.1 Add computer to a static group

Create New Static Group or select one of the default Static Groups.
This feature allows you to manually add Computers or Mobile devices that are not found or added automatically.
Click the Computers tab, select a Static group and then click Add New select Computers.
Type the name of the computer you want to add into the Name field. Use the Conflict Resolution drop-down menu
to select the action to take if a computer you are adding already exists in ERA:
o Ask when conflicts are detected: When a conflict is detected, the program will ask you to select an action (see
the options below).
o Skip conflicting computers: Duplicate computers will not be added.
o Move conflicting computers from other groups: Conflicting computers will be moved from their original groups
to the All group.
o Duplicate conflicting computers: New computers will be added, but with different names.
64
o Click + Add Another to add additional computers. Alternatively, click Import to upload a .csv file containing a list
of computers to add. Optionally, you can enter a Description of the computers. Click Add when you are finished
making changes.
NOTE: Adding multiple computers may take a longer time, reverse DNS lookup may be preformed.
Computers can be viewed in the list on the right when you select the group they belong to. Once the computer is
added, a pop-up window will open with the option to Deploy Agent.
Choose the deployment type you want to use from the available options:
2.7.1.2 Dynamic groups

Every Dynamic Group uses a Template to filter client computers. Once defined, a template can be used in other
Dynamic Group to filter clients. ERA includes several default Dynamic Group templates out-of-the box to make it
easy to categorize client computers.
Dynamic Groups are groups of clients selected based on specific criteria. If a client computer does not fulfill the
criteria, it will be removed from the group. If it fulfills the defined conditions, it will be added to the group. Group
selection happens automatically based on configured settings, except for in the case of Static Groups.
The Dynamic Group Templates section contains both pre-defined and custom templates based on different criteria.
All templates are displayed in a list. Clicking an existing template allows you to edit it. To create a New Dynamic
Group template, click New Template.
65
2.7.1.2.1 New Dynamic Group Template

Click New Template under Admin > Dynamic Group Templates.
Basic
Enter a Name and a Description for the new Dynamic Group template.
See our examples with illustrated step-by-step instructions for samples of how to use Dynamic Groups on your
network.
2.7.1.2.2 Create new Dynamic Group

There are three ways to create a New Dynamic Group:
1. Click Computers > Groups >
2. Click Admin > Groups >
66
and select New Dynamic Group...
> New Dynamic Group...
3. Click Admin > Groups > Click the Group button and click New Dynamic Group...
A New Dynamic Group Wizard will appear. For more use-cases how to create new Dynamic Group with rules for
Dynamic Group template.
67
2.7.2 Create a new policy

In this example, we are going to create a new policy for the ERA Agent Connection Interval. We highly recommend
doing this prior to testing mass deployment in your environment.
Create a New Static Group. Add a new policy by clicking Admin > Policies. Click Policies at the bottom and select
New...
Basic
Enter a Name for the new policy (for example "Agent Connection Interval"). The Description field is optional.
Settings
Select ESET Remote Administrator Agent from the Product drop-down menu.
68
Connection
Select a category in the tree on the left. In the right pane, edit settings as required. Each setting is a rule for which
you can set a flag. To make navigation easier, all rules are counted. The number of rules you have defined in a
particular section will be displayed automatically. Also, you'll see a number next to a category name in the tree on
the left. This shows a sum of rules in all its sections. This way, you'll quickly see where and how many settings/rules
are defined.
You can also use these suggestions to make policy editing easier:
o use
to set Apply flag to all item in current a section
o delete rules using Trashcan icon
Click Change interval.
In the Regular interval field, change the value to your preferred interval time (we recommend 60 seconds) and click
Save.
Once you've created a new Agent Connection Interval policy, assign it to the Static Group you created in step 1.
69
After you are finished with mass deployment testing, edit the ERA Agent Connection Interval policy settings you
created in step 2.
Click Admin > Groups and select the Policies tab. Click Agent Connection Interval policy, choose Edit and then click
Settings > Connection. Click Change Interval and set the connection interval to 20 minutes.
2.7.3 Assign a policy to a group

After a Policy is created, you can assign it to a Static or Dynamic Group. There are a two ways to assign a policy:
1. Under Admin > Policies > select a policy and click Assign Group(s). Select a Static or Dynamic Group and click OK.
Select Group from the list.
2. Click Admin > Groups > Group or click the
70
icon next to the group name and select Manage Policies.
In the Policy application order window click Add Policy. Select the check box next to the policy that you want to
assign to this group and click OK.
Click Save. To see what policies are assigned to a particular group, select that group and click the Policies tab to view
a list of policies assigned to the group.
NOTE: For more information about policies, see the Policies chapter.
2.7.4 Mobile Device Enrollment from Groups

Mobile devices can be managed by ERA Server, as well as from the ESET Endpoint Security for Android mobile
application. To start managing mobile devices, you must to add these devices from within Groups and Enroll them in
ERA.
You can add Mobile devices to your ERA structure similarly to the way you would add a new computer:
1. Click the Admin tab.
2. Select the Static Group that you want to add your device to and then click Add New > Mobile devices.
3. The Client task wizard will guide you through the process of adding the new device.
71
Alternatively, you can use the Device Enrollment Client Task:

Device Enrollment Android
Device Enrollment iOS
2.8 Dashboard
Dashboard is the default page that is displayed after the user logs into the ERA Web Console for the first time. It
displays pre-defined reports about your network. You can switch between dashboards using the tabs in the top
menu bar. Each dashboard consists of several reports. You can customize your dashboards by adding reports,
modifying existing ones, resizing, moving and re-arranging them. All this gives you a comprehensive overview of
ESET Remote Administrator and its parts (clients, groups, tasks, policies, users, competences, etc.). Four dashboards
come pre-configured in ESET Remote Administrator:
Computers
This dashboard gives you an overview of client machines - their protection status, operating systems, update status,
etc.
Remote Administrator Server
In this dashboard, you can view information about the ESET Remote Administrator server itself - server load, clients
with problems, CPU load, database connections, etc.
Antivirus threats
Here you can see reports from the antivirus module of the client security products - active threats, threats in the last
7/30 days and so on.
Firewall threats
Firewall events of the connected clients - according to their severity, time of reporting, etc.
ESET applications
This dashboard lets you view information about installed ESET applications.
Dashboard functionality:
72
2.8.1 Dashboard settings

Dashboard settings are available for all dashboards, pre-defined and newly created, and let you manage your
dashboards. The available options are described below:
Add a new dashboard - Click the
symbol at the top of the Dashboard header. Enter a name for the new
Dashboard and click OK to confirm. A new Dashboard with nothing in the reports field is created. Once you set up
your dashboard, you can start adding reports to it.
Duplicate a dashboard - Select the Dashboard you want to duplicate and click the symbol next to the Dashboard
name. Select Duplicate from the list - a duplicated Dashboard is created.
Click Refresh page to reload/refresh displayed information.
Move a dashboard - Click and drag the name of a dashboard to change its location relative to other dashboards.
Change the dashboard size (number of reports displayed) - Click the symbol > Change layout. Select the
number of reports you want to display in the dashboard (drag) and click them. The dashboard layout will change.
Rename a dashboard - Click the symbol next to the Dashboard name and click Rename. Enter a new name for
the Dashboard and click OK.
Remove a dashboard - Click the symbol next to the Dashboard name, click Remove and then confirm the
removal.
Resize click the double-arrow symbol at the right of a report to re-size it. More relevant reports are larger, while
less relevant reports are smaller, you can also toggle full screen mode to display any report full-screen.
Change Chart Type - click the Chart symbol at the top left corner of a chart and select Pie Chart, Line Chart etc. to
change the chart type.
Click Refresh to refresh the displayed information.
Click Change to view a different report.
Click Edit report template to add or edit a template.
Click Set Refresh interval to define how often the data in a report is refreshed. The default refresh interval is 120
seconds.
Rename/Remove the report.
73
2.8.2 Drill down

This Dashboard functionality is useful for data examination in greater detail, it lets you interactively select specific
items from a summary and view detailed data about them. Focus in on the item of interest by 'drilling down' from
summary information in order to get further information about this particular item. There are usually multiple
levels you can drill down through.
There are four drill down types:
Show Detailed information - computer name and description, Static Group name etc. Displays original (not
aggregate) data for the clicked row.
Show Only 'value' - Information, Critical, Security risk, Security notification etc.
Expand column 'value' - it will show aggregated information (usually for count or sum), for example if there is just
a number in the column and you click Expand column Computer, it will list all details about computers
Show In Computers page (all) - redirects you to the Computers page (shows a result of 100 items only)
NOTE: The results you get using drill down of other reports will show the first 1000 items only.
74
2.8.3 Edit report template

This section details editing existing report templates (for information on how to create a new report template click
here).
Click a blank square shown in the new dashboard. The Add Report window will be displayed. Select Installed
applications and click Add or Edit Template.
Basic
Edit the Basic information about the Template. Review or change the Name, Description and a Category. This
information is pre-defined according to the selected Report type.
Chart
75
In the Chart section, select the Report type. In this example, we leave the Display Table option empty and select
the Display Chart option.
NOTE: Every selected chart type will be displayed in the Preview section. This way, you can see what the report
will look like in real-time.
Selecting a Chart gives you multiple options. For a better overview, we select the Stacked Line Chart type. This chart
type is used when you want to analyze data with different units of measure.
Optionally, you can define a title for the X and Y axis of the chart to make reading the chart and identifying trends
easier.
Data
In the Data section, we enter the information to be displayed on the X and Y axis of the chart. Clicking the respective
symbols opens a window with options. The choices available for the Y axis always depend on the information
selected for the X axis and vice versa, because the chart displays their relation and the data must be compatible.
For the X axis, we select Computer > Computer name to determine what computers are sending spam. The Format
will be set to Value > Absolute. Color and Icons are set by the administrator.
76
For the Y axis, we select Installed software > Size in MB to determine the absolute number of the spam messages.
The Format will be set to Value > Absolute. Color and Icons are set by the administrator.
Sorting
Add sorting to define the relation between the selected data. Select the starting information and then the method,
either Ascending or Descending. It is also possible to sort the data by both options (shown above).
Filter
Options displayed here depend on the settings configured earlier (information for the X and Y axis). Select an
option and a mathematical function to determine how the data will be filtered. For this example, we selected
Installed Software and Application name > is equal to > ESS and Installed Software. Size in MB > is greater than > 50.
Summary
77
In the Summary, review the selected options and information. If they are to your satisfaction, click Finish to create a
Report template.
2.8.4 Time Zone

All information is stored internally in ESET Remote Administrator using the UTC (Coordinated Universal Time)
standard. UTC time is automatically converted to the time zone used by ERA Web Console (taking daylight saving
into account). ERA Web Console displays the local time of the system where ERA Web Console is running (not the
internal UTC time). You can override this setting to set the time shown in ERA Web Console manually if you prefer.
To change User Time Settings, click your user name in top right corner of ERA Web Console. Deselect the check box
next to Use browser local time to override the default setting. You can then specify Console time zone manually,
and decide whether to use Daylight saving time or not.
NOTE: This setting only applies to the user who is currently logged on. Each user can have their own preferred
time settings for ERA Web Console. User-specific time settings are applied to that user regardless of where they
access ERA Web Console from.
IMPORTANT: In some cases, the option to use a different time zone (for example, the local time of a client on
which ERA is running) will be made available. This setting can be particularly pertinent when configuring triggers.
When this option is available, it is indicated in ERA Web Console and you will be able to choose weather to Use local
time or not.
78
2.9 Computers
All client computers that were added to ESET Remote Administrator are shown here and are divided into Groups.
Clicking on a group from the list (on the left) will display the members (clients) of this group in the right pane. You
can filter the clients using the filters at the top of the page, clicking Add Filter shows the available filtering criteria.
There are also a few pre-defined filters that are quickly accessible:
Four icons that let you filter by severity (red - Errors, yellow - Warnings, green - Notices and gray - Unmanaged
computers). The severity icon represents the current status of your ESET product on a particular client computer.
You can use a combination of these icons by turning them on or off. For example, to see only the computers with
warnings, leave only the yellow icon on (the rest if the icons must be turned off). To see both warnings and errors,
leave only these two icons on.
Subgroups check box - show subgroups of the currently selected group.
Unmanaged computers (clients on the network that do not have the ERA Agent or a ESET security product
installed) usually appear in the Lost & Found group.
Using the drop-down menu below the filters, you can limit the displayed clients (computers). There are a few
categories:
All Devices from the drop-down menu to see all the client computers again, without limiting (filtering) displayed
clients. You can use a combination of all the above filtering options when narrowing down the view.
ESET Protected (protected by an ESET product)
Remote Administrator (individual ERA components such as Agent, RD Sensor, Proxy, etc.)
Other (Shared Local Cache, Virtual Appliance). When you make your selection, only the respective clients will be
displayed.
NOTE: In case you are not able to find a particular computer in the list and know it is in your ERA infrastructure,
make sure that all filters are turned off.
You can use context menu (

available actions.
icon) to can create Static or Dynamic Group, create New task or select from other
Computers button actions:

New...
Manually Add Devices that are not found or added automatically.
79
Details...
Basic (Name, Parent Group, Device, OS Information, etc.)
Configuration (Configuration, Applied Policies, etc.)
SysInspector - displays SysInspector log Viewer, you need to run SysInspector log request Client Task to see the
output.
Task Executions (Occurred, Task Name, Task Type, Status, etc.)
Installed Applications (Name, Vendor,Version, Agent supports uninstall, etc.)
Alerts (Problem, Status, etc.)
Threats and Quarantine (All Threat Types, Muted, Cause, Threat Name, Threat Type, Object Name, Hash, etc.)
Delete
This will remove the client from the list, but as long as it is in the network it will appear in the Lost & Found group.
Move...
You can move the client to a different group, selecting this option displays a list of available groups.
Rename multiple items
Lets you make a bulk change of computer names shown in ERA Web Console. For example, if displayed name is
john.hq.company.com, type hq\.company into Search for (Regex) field and company into Replace with. Click
Rename button and computers will show up in ERA Web Console as john.eset.com.
Manage Policies...
A Policy can also be assigned directly to a client (multiple clients), not just a group. Select this option to assign the
policy to selected client(s).
Send Wake-Up Call
ERA Server initiates immediate communication with the ERA Agent on a client machine. This useful when you do
not want to wait for the regular interval when the ERA Agent connects to the ERA Server. For example when you
want a Client Task to be run immediately on client(s) or if you want a Policy to be applied right away.
NOTE: When you make a change and want it to be applied, wait about one minute before using Wake-Up Call.
Deploy Agent...
With this option, you can create a New Server Task.
Deactivate Products
When you use this option, a license will be deactivated (for selected client computer) within ESET License
Administrator. ESET security product running on a client computer will find out that the license has been
deactivated next time it connects to the Internet. The advantage of this is that you can deactivate license even for
computers which are no longer managed by ERA.
80
2.9.1 Add Computers

the options below).
to the All group.
making changes.
81
2.9.2 Computer details

Select a computer in Static or Dynamic Group and click Details to view more information about that computer.
The Computer details menu contains the following settings:

Basic - you can change the computer's Name, description and parent group.
Configuration - displays the entire configuration, connection and applied policies for this computer.
SysInspector - displays log / output, you need to run SysInspector log request Client Task to see the output.
Task Executions - Occurred, Task Name, Task Type, Status
Installed Applications - Name, Version, Size, Agent supports uninstall, etc.
Alerts - Problem, Status, Severity, Occurred, etc.
Threats and Quarantine - All Threat Types, Computer Muted, Threat resolved, Cause, Threat Name, Type, Object
Name, Hash, etc.
82
Tasks button actions

After selecting a computer or set of computers and clicking Tasks, the following options will be available:
Scan
Using this option will run the On Demand Scan task on the client that reported the threat.
Update Virus DB
Using this option will run the Virus Signature Database Update task (triggers an update manually).
Mobile
Enroll... - with this option, you can create a new client task.
Find - if you want to request the GPS coordinates of your mobile device.
Lock - device will be locked when suspicious activity is detected or the device is marked as missing.
Unlock - device will be unlocked.
Siren - triggers a loud siren remotely, the siren will start even if your device is set to mute.
Wipe - all data stored in your device will be permanently erased.
Reboot
If you select a computer and press Reboot or Shutdown, the device will be rebooted or shutdown.
New task...
Select a task and configure throttling (optional) for this task. The task will be queued according to the task settings.
This option immediately triggers an existing task from the list of available tasks. The trigger is not available for this
task because it will be executed immediately.
2.10 Threats
The Threats section gives you an overview of all threats found on computers in your network. On the left side, the
group structure is displayed. Here you can browse groups and view threats on members of a given group. Select the
All group and use the All threats types filter to display all threats found on clients in all groups.
Filtering threats
By default, all threat types from the last 7 days are shown. To add multiple filtering criteria, click Add filter and
select an item from the list - you can filter the results by Computer Muted, Threat Resolved, Name (name of the
threat), Cause (cause of the threat) or the IPv4/IPv6 address of the client that reported this threat. By default, all
threat types are displayed, but you can filter by Anti-virus, Firewall and HIPS threats for a more specific view.
83
On-demand scan
Mark as resolved / Marked as Not Resolved
Threats now can be Marked as resolved in the Threats section or under details for a specific client.
Mute
Selecting mute on a specific threat mutes this threat (not the client). This report will no longer be displayed as
active. You can also choose to mute the client (select Mute from the context menu on the threat) that reported this
threat.
Table columns:
Resolved, Object, Process Name, Description, User, Computer Description, Action details, Restart required, Scanner,
Object type, Circumstances, Number of Occurrences, Source Address, Source Port, Target Address, etc.
84
2.11 Reports
Reports allow you to access and filter data from the database in a convenient way. Reports are divided into
categories, each category includes a short description. Click Generate Now at the bottom of the page to create a
report based on a selected template and then display this report.
You can use predefined report templates from the list of Categories & Templates, or you can create a new report
template with custom settings. Click Create a new report template to view settings for each report in detail and
specify custom settings for a new report.
Selecting a report will bring up the Actions context menu, which appears after clicking Report Templates at the
bottom of the page. The following options are available:
Generate now...
Select a report from the list and navigate to Report Templates > Generate Now..., or click Generate now.... The
report will be generated and you can review the output data.
New Category...
Enter a Name and a Description to create a new Report Template category.
New Report Template...
Create a new custom Report Template.
Edit...
Edit an existing Report Template. The same settings and options used for creating a new Report Template apply.
Duplicate
Lets you create a new report based on the selected report, a new name is required for the duplicate.
Delete
Remove the selected report template completely.
Import...d
Select Report Template from the list, click Report Templates > Import, click Choose file and then browse to the file
you want to Import.
85
Export...
Select Report template you want to export from the list and click Report Templates > Export. The Report
Template(s) will be exported to a .dat file. To export multiple Report templates, change the select mode, (see
Modes below). You can also export whole Template category including all its Report Templates.
You can use Modes to change select mode (Single or Multiple). Clicking the arrow in upper right corner and choose
from the context menu:
Single select mode - you can select single item.
Multiple item select mode - lets you use the check boxes to select multiple items.
Refresh - reloads/refreshes displayed information.
NOTE: The Export... feature exports selected Report template, which can then be imported to another ERA Server
using Import. This is useful, for example, when you want to migrate your custom report templates to another ERA
Server.
IMPORTANT: The
Import / Export feature is designed for importing and exporting Report Templates only,
not an actual generated report with data.
2.11.1 Create a new report template

Navigate to Reports and click Report templates under Categories & Templates on the left. From the pop up window,
select New Report Template....
Basic
Edit the Basic information about the Template. Enter a Name, Description and Category. This can be either a predefined Category, or you can create a new one (use the New Category option described in the previous chapter).
86
Chart
In the Chart section, select the Report type. Either a Table, where the information is sorted in rows and columns, or
a Chart, that represents data using an X and Y axis.
NOTE: The selected chart type will be displayed in the Preview section. This way, you can see what the report will
look like in real-time.
Selecting a Chart gives you multiple options:
Bar chart - A chart with rectangular bars proportional to the values they represent.
Dots bar chart - In this chart, dots are used to display quantitative values (similar to a bar chart).
Pie chart - A pie chart is a circular chart divided into proportional sectors, representing values.
Doughnut chart - Similar to a pie chart, but the doughnut chart can contain multiple types of data.
Line chart - Displays information as a series of data points connected by straight line segments.
Simple line chart - Displays information as a line based on values without visible data points.
Stacked line chart - This chart type is used when you want to analyze data with different units of measure.
Stacked bar chart - Similar to a simple bar chart, but there are multiple data types with different units of measure
stacked in the bars.
Optionally, you can enter a title for the X and Y axis of the chart to make it easier to read the chart and recognize
trends.
87
Data
In the Data section, select the information you want to display:
a. Table Columns: Information for the table is added automatically based on the selected report type. You can
customize the Name, Label and Format (see below).
b. Chart Axes: Select the data for the X and the Y axis. Clicking the respective symbols opens a window with
options. The choices available for the Y axis always depend on the information selected for the X axis and vice
versa, because the chart displays their relation and the data must be compatible. Select the desired
information and click OK.
You can change the Format in which the data is displayed to any of the following:
Data Bar (only for the bar charts) / Value / Color / Icons
Sorting
Add Sorting to define the relation between the selected data. Select the starting information (sorting value) and
sorting method, either Ascending or Descending. This will define the outcome displayed in the chart.
Filter
Next, define the filtering method. Select the filtering value from the list and its value. This defines what
information will be displayed in the chart.
Summary
In the Summary, review the selected options and information. If they are to your satisfaction, click Finish to create a
new report template.
Every report in the dashboard has its own options for customization - click the wheel symbol in the upper right
corner to view them. Here, you can Refresh the displayed information, Change to a different report, Edit the report
template (see options above), set a new Refresh interval that defines how often the data in this report is refreshed
or Rename/Remove the report. Using the arrows in the symbol below, you can customize the size of the report. You
can make more relevant reports larger, less relevant reports smaller and so on. Click toggle fullscreen to view a
report in fullscreen mode.
88
2.11.2 Generate report

There are two ways to create or edit template:
1. Navigate to Admin > Tasks > Server Tasks. Select New... to create a new Generate Report task.
2. Select a report template from which you want to generate a report. You can use and Edit a pre-defined report
template or create a new report template.
You can either send this report in an e-mail ( in a file format defined here) or save it to file directly. Clicking either
option displays the corresponding settings below.
Configure the settings (as described in the Generate Report task) and click Finish.
The task is now created and displayed in the Task types list. Select this task and click Run Now on the bottom of
the page. The task will be executed immediately.
You can use Save or Refresh generate report.
2.11.3 Schedule a report

1. Navigate to Admin > Tasks > Server Tasks. Select New to create a new Generate Report task.
2. Select a report template from which you want to generate a report. You can use and edit a pre-defined report
template, or create a new report template.
You can either send this report in an e-mail ( in a file format defined here) or save it to a file. Clicking either
option displays the corresponding settings below.
Configure the settings (as described in the Generate Report task). This time, we will create a Server Trigger for
this task.
In the Trigger section, navigate to Settings. Select Scheduled trigger and the time when you want this task to run.
Click Finish. The task is created and will run at the period defined here (either one time, or repeatedly).
2.11.4 Outdated applications

To see what which ERA components are not up to date, use report called Outdated applications.
There are two ways to do that:
1. Add a New Dashboard, click one of the tiles and a pop-up screen with Report Templates listed will be displayed.
Select a report Outdated applications from the list and click Add.
2. Go to Reports, navigate to Computers category, select Outdated applications template from the list and Generate
now... button at the bottom. The report will be generated and you can review the output data.
To upgrade the components, use Client Task Administrator Components Upgrade.
89
2.11.5 SysInspector log viewer

Using SysInspector log viewer, you can view logs from SysInspector after it was run on a client computer. You can
also open SysInspector logs directly from a SysInspector Log Request task after it has been successfully executed.
To do so, follow the steps below:

1. Add a New Dashboard, click one of the tiles and a pop-up screen with Report Templates listed will be displayed.
2. Go to Reports, navigate to Automation category, select SysInspector snapshot history in last 30 days template
from the list and Generate now... The report will be generated and you can review the output data.
90
3. Select a computer in Static or Dynamic Groups and click

SysInspector log Viewer.
Details..., click SysInspector tab and select
Open
91
3. Mobile Device Management

In order to take advantage of the Mobile Device Management feature in ESET Remote Administrator, perform the
following steps to install, enroll, configure and apply policies.
1. Install Mobile Device Connector (MDC) using the All-In-one installer or component installation for Windows or
Linux. Make sure that you have met the prerequisites prior to the installation.
NOTE: If you are installing MDC using All-in-one installer, you do not need a 3rd party HTTPS certificate. If you are
installing the MDC component by itself, you will need a 3rd party HTTPS certificate chain. If you want to install ERA
with All-in-one installer and use 3rd party HTTPS certificate, install ESET Remote Administrator first, then change
your HTTPS certificate using Policy (in the General section, click Change certificate > Custom certificate).
2. Activate ERA MDC using a Product Activation Client Task. The procedure is the same as when activating any ESET
security product on a client computer (a license unit will not be used).
NOTE: If you are planning to manage Android based devices only (no iOS devices will be managed), you can skip
to step 6.
3. Run a User Synchronization Server Task (Recommend). This lets you automatically synchronize users with Active
Directory or LDAP for the purpose of User Management.
4. Create an APN certificate. This certificate is used by ERA MDM for iOS device Enrollment.
5. Create a new policy for ESET Mobile Device Connector in order to activate APNS.
6. Enroll mobile devices using a Device Enrollment Client Task. Configure the task to enroll devices for Android or
iOS. This can also be done from Groups by clicking Add new > Mobile devices.
7. Activate Mobile devices using a Product Activation Client Task - use an ESET Endpoint Security license. A license
unit will be used for each Mobile device.
8. You can edit Users in order to configure Custom attributes and Assign Mobile device(s).
9. Now you can start applying policies and managing mobile devices. For example, Create a Policy for iOS MDM Exchange ActiveSync Account which will automatically configure Mail account, Contacts and Calendar on iOS
devices. You can also apply restrictions on an iOS device and/or add a Wi-Fi connection.
3.1 MDM configuration profiles

You can configure the profile to impose policies and restrictions on the managed mobile device.
Profile Name
Short Description
Passcode
Requires end-users to protect their devices with passcodes each time they return from idle
state. This ensures that any sensitive corporate information on managed devices remains
protected. If multiple profiles enforce passcodes on a single device, the most restrictive
policy is enforced.
Restrictions
Restriction profiles limit the features available to users of managed devices by restricting
the use of specific permission related to Device functionality, Application, iCloud, Security
and Privacy.
Wi-Fi connection list
Wi-Fi profiles push corporate Wi-Fi settings directly to managed devices for instant access.
VPN connection list
VPN profiles push corporate virtual private network settings to corporate devices so that
users can securely access corporate infrastructure from remote locations. Connection Name
- View the name of the connection displayed on the device.
Connection type - Choose the type of connection enabled by this profile. Each connection
type enables different capabilities.
Server - Enter the hostname or IP address of the server being connected to.
92
Mail Accounts
Allows the administrator to configure IMAP/POP3 email accounts.
Exchange ActiveSync
Accounts
Exchange ActiveSync profiles allow end-users to access corporate push-based email

infrastructure. Please note that there are pre-populated look-up value fields and options
that only apply to iOS 5+ .
CalDAV - Calendar
Accounts
CalDAV provides configuration options to allow end-users to sync wirelessly with the
enterprise CalDAV server.
CardDAV - Contacts
Accounts
This section allows for specific configuration of CardDAV services.
Subscribed Calendars
Accounts
Subscribed Calendars provides calendar configuration.
93
4. Admin
The Admin section is the main configuration component of ESET Remote Administrator. This section contains all the
tools that administrator can use to manage client security solutions, as well as the ERA Server settings. You can use
Admin tools to configure your network environment in such a way that it won't require a lot of maintenance. Also,
you can configure notifications and dashboards which will keep you aware of the status of your network.
In this section
Post Installation Tasks
Dynamic Group Templates
Groups
User Management
Policies
Client tasks
Server tasks
Triggers
Notifications
Certificates
Access Rights
Server Settings
License Management
4.1 Groups
Groups allow you to manage and categorize computers. You can then easily apply different settings, tasks or
restrictions to client computers based on their presence in a particular group. You can use pre-defined groups and
group templates or create new ones.
There are two types of client groups:
Static Groups
Static Groups are groups of select client computers (members). Group members are static and can only be added/
removed manually, not based on dynamic criteria. A computer can only be present in one Static Group.
Dynamic Groups
Dynamic Groups are groups of clients where membership in the group is determined by specific criteria. If a client
does not fulfill that criteria, it will be removed from the group. Computers that satisfy the criteria will be added to
the group automatically.
The Groups window is divided into three sections:
1. A list of all groups and their subgroups is displayed on the left. You can select a group and an action for this group
from the context menu ( next to the group name). The options are the same as described below (Group actions
button).
2. Details for the selected group are shown on the right pane (you can switch between tabs):
94
Computers that are members of the group.

Policies assigned to this group.
Tasks assigned to this group.
Summary basic description of the group.
3. The popover menu buttons Groups and Computers let you perform all the following actions:
Group actions button:
New Static Group...
This option becomes available if you click a Group in the list on the left. This group will be the default parent group,
but you can change the parent group later when you create a new Static Group.
New Dynamic Group...
but you can change the parent group later when you create a new Dynamic Group.
Edit...
Allows you to edit the selected Group. The same settings apply as when you create a new Group (static or dynamic).
Move...
You can select a group and move it as a subgroup of another group.
Delete
Removes the selected group completely.
Import...
You can import a list (usually a text file) of computers, as members of the selected group. If the computers already
exist as a members of this group, the conflict will be solved based on the selected action:
Skip conflicting computers (conflicting computers will not be added)
Move conflicting computers from other groups (conflicting computers will be moved here from other groups
they belong to
Duplicate conflicting computers (conflicting computers will be added, but with different names).
Export...
Export the members of the group (and subgroups, if selected) in a list (.txt file). This list can be used for review, or
imported later.
Add New...
With this option, you can add a new device.
Scan
Update Virus DB
Mobile
Enroll... with this option, you can create new client task.
New task...
You can create a new Client Task. Select a task and configure the throttling (optional) for this task. The task will be
queued according to the task settings.
This option immediately triggers an existing task, that you select from a list of available tasks. The trigger is not
available for this task, because it will be executed immediately.
95
Manage Policies...
Assign a Policy for the selected group.
4.1.1 Create new Static Group

There are three ways to create a New Static Group:
and select New Static Group...
> New Static Group...
3. Click Admin > Groups > select a Static Group and click Group.
96
Basic
Enter a Name and Description (optional) for the new Static Group. By default, the parent group is the group you
selected when you started creating the New Static Group. If you want to change its parent group, click Change
Parent Group and select a parent group from the tree. The parent of the New Static Group must be a Static Group.
This is because it is not possible for a Dynamic Group to have Static Groups. Click Finish to create the New Static
Group.
97
4.1.2 Create new Dynamic Group

There are three ways to create a New Dynamic Group:
and select New Dynamic Group...
> New Dynamic Group...
3. Click Admin > Groups > Click the Group button and click New Dynamic Group...
98
A New Dynamic Group Wizard will appear. For more use-cases how to create new Dynamic Group with rules for
Dynamic Group template.
4.1.3 Assign Task to a Group

Click Admin > Groups > select Static or Dynamic group >
next to the selected group, or click Group >
The same can be done from Computers, select Static or Dynamic and click
window will open.
>
New task
New task. A New Client task wizard
99
4.1.4 Assign a Policy to a Group

100
4.1.5 Policies and Groups

Membership of a computer in Dynamic Group is determined by policies assigned to this computer. It is also
determined by the template on which the Dynamic Group is based.
4.1.6 Dynamic Group Templates

Dynamic group templates establish the criteria computers must meet to be placed in a Dynamic group. When these
criteria are met by a client, a client will automatically be moved into the appropriate Dynamic Group.
Create New Dynamic Group Template
Manage Dynamic Group Template
Rules for a Dynamic Group Template
Dynamic Group Template - examples
101
4.1.6.1 New Dynamic Group Template

Basic
See our examples with illustrated step-by-step instructions for samples of how to use Dynamic Groups on your
network.
4.1.6.2 Manage Dynamic Group Templates

Templates can be managed from Admin > Dynamic Group Templates. You can either create a New Template or edit
an existing template. To edit, select the template you want to edit and a wizard will open.
Alternatively, you can select a template by selecting the check box next to it and then clicking Edit Template.
Duplicate lets you create a new Dynamic Group Templates based on the selected Templates, a new name is
required for the duplicate task.
102
Click Save as if you want to keep your existing template and create a new one based on the template you are
editing. Specify the name for your new template.
4.1.6.3 Dynamic Group template - examples

The sample Dynamic Group templates in this guide demonstrate some of the ways you can use Dyanamic Groups to
manage your network:
Dynamic Group that detects if a security product is installed
Dynamic Group that detects if a specific version of a software is installed
Dynamic Group that detects if a specific version of software is not installed
Dynamic Group that detects if a specific version of software is not installed but another version exists
Dynamic Group that detects if a computer is in a specific subnet
Dynamic Group that detects installed but not activated versions of server security products
There are, of course, many other objectives that can be achieved using Dynamic Groups Templates with a
combination of rules. The possibilities are almost endless.
103
4.1.6.3.1 Dynamic Group - a security product is installed

This Dynamic Group can be used to execute task immediately after ESET security product is installed on a machine:
Activation, Custom scan, etc.
NOTE: It is also possible to specify operator "not in" or operation NAND to negate the condition. As the Manage
product mask itself is one line log, both will work.
You can create a New Template under Admin > Dynamic Group Templates and create new Dynamic Group with
template or create a new Dynamic Group using an existing or new template.
Basic
Expression
Select a logical operator in the Operation menu: AND (All conditions have to be true).
Click + Add Rule and select a condition. Select Computer > Managed products mask > in > ESET protected: Desktop.
You can also choose different ESET products.
Summary
Review the configured settings and click Finish to create the template. This new template will be added to the list
of all templates, and can be used later to create a new Dynamic Group.
104
4.1.6.3.2 Dynamic Group - a specific software version is installed

This Dynamic Group can be used to detect installed ESET security software on a machine. Then you will be able to
execute for example upgrade task or run custom command on those machines. Different operators like "contains"
or "has prefix" can be used.
Basic
Expression
Click + Add Rule and select a condition:
o Installed software > Application name > = (equal) > ESET Endpoint Security
o Installed software > Application version > = (equal) > 6.2.2033.0
Summary
105
4.1.6.3.3 Dynamic Group - a specific version of a software is not installed at all

This Dynamic Group can be used to detect missing ESET security software on a machine. The settings from this
example will include machines that do not contain the software at all or machines with different versions than one
specified.
This group is useful because you will be able to execute software installation task on those computers to either
install or upgrade. Different operators like "contains" or "has prefix" can be used.
Basic
Expression
Select a logical operator in the Operation menu: NAND (At least one condition has to be false).
o Installed software > Application name > = (equals) > "ESET Endpoint Security"
o Installed software > Application version > = (equals) > "6.2.2033.0"
Summary
106
4.1.6.3.4 Dynamic Group - a specific version of a software is not installed but other version exists
This Dynamic Group can be used to detect software that is installed but with different version than you are
requesting. This group is useful because you will be able to execute upgrade tasks on those machines where the
required version is missing. Different operators can be used but make sure that version testing is done with negated
operator.
Basic
Expression
o Installed software > Application name > = (equals) > "ESET Endpoint Security"
o Installed software > Application version >
> "6.2.2033.0"
Summary
107
4.1.6.3.5 Dynamic Group - a computer is in specific subnet

This Dynamic Group can be used to detect specific subnet. Then it can be used to apply custom policy for web
control or update. You can specify different ranges.
Basic
Expression
o Network IP addresses > Adapter IP address >
> "10.1.100.1"
o Network IP addresses > Adapter IP address >
> "10.1.100.254"
o Network IP addresses > Adapter subnet mask > = (equal) > "255.255.255.0"
Summary
108
4.1.6.3.5.1 Dynamic Group - installed but not activated version of server security product
This Dynamic Group can be used to detect inactive server products. Once these products are detected, you can
assign a Client Task to this group to activate client computers with proper license. In this example only EMSX is
specified, but you can specify multiple products.
Basic
Expression
o Computer > Managed products mask > in > "ESET protected: Mail Server"
o Functionality/Protection problems > Source > = (equals) > "Security product"
o Functionality/Protection problems > Problem > = (equals) > "Product not activated"
Summary
4.1.7 Static Groups

Static Groups are used to manually sort client computers into groups and subgroups. You can create custom Static
Groups and move desired computers into them.
Static Groups can be created only manually. Client computers can then be moved manually into these groups. Each
computer can belong only to one Static Group.
There are two default Static Groups:
All - This is a main group for all computers in ERA Servers network. It is used for applying of Policies for each
computer as a default policy. The group is always displayed and it is not allowed to change Groups name by
editing the group.
Lost & Found as a child group of group All - Each new computer that first time connects with Agent to server is
automatically displayed in this group. The group can be renamed, copied but it can't be deleted or moved.
109
You can create Static Groups in the Group section of the Admin tab by clicking the Groups button and selecting New
Static Group.
4.1.7.1 Static Group Wizard

Under Computers > Groups select one of the Static Groups, click the and then select New Static Group. You can
create Static Groups in the Group section of the Admin tab, click the Group button or the next to the Static Group
name.
Basic
Enter a Name and a Description for the new group. Optionally, you can change the Parent group. By default, the
parent group is the group that you selected when you created the New Static Group. Click Finish to create the New
Static Group.
4.1.7.2 Manage Static Groups

Navigate to Admin > Groups and select the Static Group you want to manage. Click the Group button or the
to the Static Group name. A popover menu will open with available options:
110
next
Static Group actions:

New Static Group... - This option becomes available if you click a Group in the list on the left. This group will be
the default parent group, but you can change the parent group later when you create a new Static Group.
New Dynamic Group...
but you can change the parent group later when you create a new Dynamic Group.
Edit...
Allows you to edit the selected Group. The same settings apply as when you create a new Group (static or dynamic).
Move...
You can select a group and move it as a subgroup of another group.
Delete
Import
You can import a list (usually a text file) of computers as members of the selected group.
Export
Export members of the group (and subgroups, if selected) to a list (.txt file). This list can be used for review or
imported later.
Add New...
Adds a computer to a Static Group.
Scan
Update Virus DB
Mobile
Enroll... - with this option, you can create new client task.
New task...
Select a task and configure the throttling (optional) for this task. The task will be queued according to the task
settings.
This option immediately triggers an existing task, that you select from a list of available tasks. The trigger is not
available for this task, because it will be executed immediately.
Manage Policies... - Assign a policy for the selected group.
New static group
The Static Group you selected when clicking the Group button or the will be the default parent group, but you can
change the parent group later (if needed) when you create a new Static Group.
Edit Group
Allows you to edit the selected group. The same settings apply as when creating a new group (static or dynamic).
Move
Allows you to move the selected group to another group. The group you moved will become a subgroup of that
group.
111
Delete
4.1.7.3 Add Client Computer to Static Group

Create New Static Group or select one of the default Static Groups.
the options below).
to the All group.
112
making changes.
4.1.7.4 Import clients from Active Directory

To import clients from AD, create a new Server Tasks Static Group Synchronization.
Select a group to which you want to add new computers from the AD. Also select objects in the AD you want to
synchronize from and what to do with duplicates. Enter your AD server connection settings and set the
Synchronization mode to Active Directory/Open Directory/LDAP. Follow step-by-step instructions in this ESET
113
4.1.7.5 Assign a Task to a Static Group

Both Static and Dynamic Groups are treated the same way with regard to task assignment. For instructions on how to
assign a task to a group, click here.
4.1.7.6 Assign a Policy to a Static Group

Both Static and Dynamic Groups are treated the same way when it comes to policy assignment. For instructions on
how to assign a policy to a group, click here.
4.1.7.7 Export Static Groups

Exporting a list of computers that are in the ERA structure is simple. You can export the list and store it as a backup
so that you can import the list back in the future, for example if you want to restore the group structure.
NOTE: Static groups need to contain at least one computer. Exporting empty groups is not possible.
1. Go to Admin > Groups > select a Static Group you want to export.
2. Click the Group button at the bottom (a context menu will pop-up).
3. Select Export.
4. The file will be saved in .txt format.
NOTE: Dynamic Groups cannot be exported because Dynamic Groups are only links to computers according to the
criteria defined in Dynamic Group Templates.
114
4.1.7.8 Import Static Groups

Exported files from Static Groups can be imported back into ERA Web Console and included in your existing group
structure.
1. Click Group (a context menu will pop-up).

2. Select Import.
3. Click Browse and navigate to the .txt file.
4. Select the group file and click Open. The file name is displayed in the text box.
5. Select one of the following options to resolve conflicts:
Skip conflicting computers
If static Groups exist and computers from the .txt file already exist in this group, those computers are skipped and
are not imported. Information about this is displayed.
Move conflicting computers from other groups
If Static Groups exist and computers from the .txt file already exist in this group, it is necessary to move computers
to other Static Groups prior to the import, after the import, these computers will be moved back into original groups
where from they had been moved.
Duplicate conflicting computers
If Static Groups exist and computers from the .txt file already exist in this group, duplicates of these computers are
created in the same Static Group. The original computer is displayed with full information and the duplicate is
displayed with its Computer name only.
5. Click Import , Static Groups and computers within will be imported.
115
4.1.8 Dynamic Groups

Dynamic Groups are in essence custom filters defined in Templates. Computers are filtered on the Agent side, so no
extra information needs to be transferred to server. The Agent decides on its own which Dynamic Groups a client
belongs to, and only notifies the server about this decision. Dynamic Groups have their rules defined in the Dynamic
Group Template.
There are some pre-defined Dynamic Groups available after you have installed ESET Remote Administrator. If you
need to, you can create custom Dynamic Groups. When creating them, create a template first and then create a
Dynamic Group.
Another approach is to create a new Dynamic Group and new template on the fly.
More than one Dynamic Group can be created from one template.
A user can use Dynamic Groups in other parts of ERA. It is possible to assign policies to them or prepare a task for all
computers therein.
Dynamic Groups can be under Static Groups or Dynamic Groups. However, the topmost group is always static.
All the Dynamic Groups under a certain Static Group only filter computers of that Static Group no matter how deep
they are in the tree. Moreover, for nested Dynamic Groups, a deeper Dynamic Group filters the results of the
superior one.
Policies are applied as described here. However, once created, they can be moved freely across the tree.
4.1.8.1 Dynamic Group Wizard

You can create Dynamic Groups using an existing Template or a new template (which will then be used for this
Dynamic Group).
Basic
Enter a Name and Description (optional) for the new Dynamic Group. By default, the parent group is the group you
selected when you started creating the new static group. If you want to change its parent group, you can still do so
by clicking Change Parent Group and selecting one from the tree. The parent of the New Dynamic Group can be
Dynamic or Static. Click Finish to create the new Dynamic Group.
Template
You can either select an existing Dynamic Group template or create a new Dynamic Group template.
116
Summary
Review the configuration to make sure it is correct (if you need to make changes, you can still do so) and click Finish.
4.1.8.2 Create Dynamic Group using existing Template

To create a new Dynamic Group using an existing template, click the
click New Dynamic Group...
next to the Dynamic Group name and then
Alternatively, the New Dynamic Group... is accessible from Admin > Groups. Select a group (in the Groups pane) and
click Group at the bottom.
A Dynamic Group Wizard will appear. Enter a Name and Description (optional) for the new template. Users can also
change the parent group by clicking Change parent group.
117
Select Dynamic Group Template from the pre-defined templates or select a template you have already created.
Click Choose from existing and select the appropriate template from the list. If you have not created any templates
and none of the pre-defined templates in the list suits you, click New and follow the steps to create a new
template.
The last screen is a summary. The new group appears under the parent Static Group.
118
4.1.8.3 Create Dynamic Group using new Template

These steps are the same as when creating a Dynamic Group using an existing template up to the Dynamic Group
template step where you click New Dynamic Group Template and fill-in the details for new template.
Once finished, this new template is automatically used. Also, the template will appear in the Dynamic Group
Templates list and can be used to create other Dynamic Groups.
4.1.8.4 Manage Dynamic Groups

You can create a Dynamic Group using an existing template or create a new template that will be used for this
Dynamic Group.
Once created, a user can perform various operations on every Dynamic Group. Operations such as:
Edit - Allows you to edit the selected group.
Move - Allows you to move the selected group to another group.
Delete - Removes the selected group completely.
Run Tasks
Use for Notifications
You can perform these operations from three places:
1. Computer > Groups >
and select
119
2. Admin > Groups >
icon
3. Admin > Groups > select Dynamic Groups you want to manage and click Group.
120
4.1.8.5 Move Dynamic Group

Click the symbol next to the group name and select Move. A pop-up window will be displayed showing the
groups tree structure. Select the target group (static or dynamic) into which you want to move the selected group.
The target group will become a parent group. You can also move groups by dragging and dropping a group into the
target group of your choice.
A few exceptions to group organization should be noted. You cannot move a Static Group into a Dynamic Group.
Also, it is not possible to move pre-defined Static Groups (for example, Lost & found) to any other group. Other
groups can be moved freely. A Dynamic Group can be a member of any other group including Static Groups.
The following methods can be used when moving groups:
> Edit > Change parent group.
> Move > select a new parent group from the list and click OK.
NOTE: The Dynamic Group in a new position starts to filter computers (based on the template) without any
relation to its previous location.
121
4.1.8.6 Assign a Policy to a Dynamic Group

Both Static and Dynamic Groups are treated the same way when it comes to policy assignment. For instructions on
how to assign a policy to a group, click here.
4.1.8.7 Assign a Task to a Dynamic Group

Both Static and Dynamic Groups are treated the same way with regard to task assignment. For instructions on how to
assign a task to a group, click here.
4.1.8.8 Rules for a Dymanic Group template

When you set rules for a Dynamic Group template, you can use different operators for different conditions.
When does a computer become a member of a Dynamic Group?
Rules and logical connective
Operation type
Use cases - create a specific Dynamic Group template
Template Rules Evaluation
4.1.8.8.1 When a computer is in Dynamic Group?

For a computer to become a member of a specific Dynamic Group, it must meet certain conditions. These conditions
are defined in a Dynamic Group Template. Each template consists of one or several Rules. You can specify these
rules when creating a new Template.
o Certain information about the current condition of a client computer is stored by the Agent. The computer's
condition is evaluated by the Agent according to template rules.
o The set of conditions required for a client to join a Dynamic Group are defined in your Dynamic Group
Templates, and clients are evaluated for inclusion in Dynamic Groups each time they check in to ESET Remote
Administrator. When a client meets the values specified in a Dynamic Group template, it is automatically
assigned to this group.
o Dynamic Groups can be seen as filters based on computer status. One computer may apply for more than one
filter and, therefore, be assigned to more than one Dynamic Group. This makes Dynamic Groups different from
Static Groups, because a single client cannot belong to more than one static group.
4.1.8.8.2 Operation description

If you specify multiple rules (conditions), you must select which operation should be used to combine the rules.
Depending on the result, a client computer will or will not be added to a Dynamic Group which uses this Template.
AND - All defined conditions have to be true.
Checks if all conditions are evaluated positively computer must meet all required parameters.
OR - At least one condition has to be true.
Checks if one of the conditions is evaluated positively computer must meet one of the required parameters.
NAND - At least one condition has to be false.
Checks if one of the conditions cannot be evaluated positively computer must not meet at least one parameter.
NOR - All conditions have to be false.
Checks if all conditions cannot be evaluated positively computer doesn't meet all of required parameters.
NOTE: It is not possible to combine operations. Only one operation is used per Dynamic Group Template and
applies to all its rules.
122
4.1.8.8.3 Rules and logical connectors

A rule consists of an item, logical connector (logical operator) and defined value.
When you click + Add rule a pop-up window will open with a list of items divided into categories. For example:
Installed software > Application name
Network adapters > MAC address
OS edition > OS name
To create a rule, select an item, choose a logical operator and specify a value. The rule will be evaluated according to
the value you've specified and the logical operator used.
Acceptable value types include number(s), string(s), enum(s), IP address(es), product masks and computer IDs. Each
value type has different logical operators associated with it and ERA Web Console will automatically show only
supported ones.
"= (equal)" - Symbol value and template value must match. Strings are compared without case sensitivity.
- Symbol value and template value must not match. Strings are compared without case sensitivity.
"> (greater than)" - Symbol value must be greater than template value. Can also be used to create a range
comparison for IP address symbols.
- Symbol value must be greater or equal to template value. Can also be used to create a
range comparison for IP address symbols.
"< (less than)" - Symbol value must be less than template value. Can also be used to create a range comparison for
IP address symbols.
- Symbol value must be less than or equal to template value. Can also be used to create a range
comparison for IP address symbols.
"contains" - Symbol value contains template value. Search is done without case sensitivity.
"has prefix" - Symbol value has the same text prefix as template value. Strings are compared without case
sensitivity. Set the first characters from your search string, for example, for "Microsoft Visual C++ 2010 x86
Redistributable - 10.0.30319", the prefix is "Micros" or "Micr" or "Microsof"etc.
"has suffix" - Symbol value has same text suffix as template value. Strings are compared without case sensitivity.
Set the first characters from your search string, ,for example, for"Microsoft Visual C++ 2010 x86 Redistributable 10.0.30319", the suffix is "319" or "0.30319", etc.
"has mask" - Symbol value must match a mask defined in a template. Mask formatting allows any characters, the
special symbols '*' - zero, one or many characters and '?' exactly one character, e.g.: "6.2.*" or "6.2.2033.?".
"regex" - Symbol value must match the regular expression (regex) from a template. Regex must be written in Perl
format.
"in" - Symbol value must match any value from a list in a template. Strings are compared without case sensitivity.
"in (string mask)" - Symbol value must match any mask from a list in a template.
Negative rules:
IMPORTANT: Negated operators must be used with care, because in the case of multiple line logs such as
"Installed application", all lines are tested against these conditions. Please consult the included examples to see
how negated operators or negated operations must be used to get expected results.
"doesn't contain" - Symbol value does not contain template value. Search is done without case sensitivity.
"doesn't have prefix" - Symbol value does not have the same text prefix as template value. Strings are compared
without case sensitivity.
"doesn't have suffix" - Symbol value does not have text suffix as template value. Strings are compared without
case sensitivity.
"doesn't have mask" - Symbol value must not match a mask defined in a template.
"not regex" - Symbol value must not match a regular expression (regex) from a template. Regex must be written
in Perl format. Negation operation is provided as a helper to negate matching regex-es without rewrites.
"not in" - Symbol value must not match any value from the list in a template. Strings are compared without case
sensitivity.
"not in (string mask)" - Symbol value must not match any mask from a list in a template.
123
4.1.8.8.4 Template rules evaluation

Template rules evaluation is handled by ERA Agent, not ERA Server (only the result is sent to ERA Server). The
evaluation process is happens according to the rules that are configures in a Template. The following is an
explanation of the evaluation process with a few examples.
Status is a cluster of various information. Some sources provide more than one dimensional status per machine (for
example, Operating System, RAM size, etc.), others provide multidimensional status information (for example, IP
Address, Installed Application, etc).
Below is a visual representation of the status of a client:
Network Adapters - IP
Address
Network Adapters MAC Address
OS Name
OS Version HW - RAM size in Installed Application

MB
192.168.1.2
4A-64-3F-10-FC-75
Windows 7
Enterprise
10.1.1.11
2B-E8-73-BE-81-C7
PDF Reader
124.256.25.25
52-FB-E5-74-35-73
Office Suite
6.1.7601
2048
ESET Endpoint
Security
Weather Forecast
Status is made of information groups. One group of data always provides coherent information organized into rows.
The number of rows per group may vary.
Conditions are evaluated per group and per row - if there are more conditions regarding the columns from one
group, only the values on the same row are considered.
Example 1:
For this example consider the following condition:
Network Adapters.IP Address = 10.1.1.11 AND Network Adapters.MAC Address = 4A-64-3F-10-FC-75
This rule matches no computer, as there is no such row where both conditions hold true.
Address
OS Name

MB
192.168.1.2
4A-64-3F-10-FC-75
Windows 7
Enterprise
10.1.1.11
2B-E8-73-BE-81-C7
PDF Reader
124.256.25.25
52-FB-E5-74-35-73
Office Suite
6.1.7601
2048
ESET Endpoint
Security
Weather Forecast
Example 2:
For this example consider the following condition:
Network Adapters.IP Address = 192.168.1.2 AND Network Adapters.MAC Address = 4A-64-3F-10-FC-75
This time, both conditions matched cells on the same row and therefore, the rule as a whole is evaluated to TRUE. A
computer is selected.
124
Address
OS Name

MB
192.168.1.2
4A-64-3F-10-FC-75
Windows 7
Enterprise
10.1.1.11
2B-E8-73-BE-81-C7
PDF Reader
124.256.25.25
52-FB-E5-74-35-73
Office Suite
6.1.7601
2048
ESET Endpoint
Security
Weather Forecast
Example 3:
For conditions with the OR operator (at least one condition must be TRUE), such as:
Network Adapters.IP Address = 10.1.1.11 OR Network Adapters.MAC Address = 4A-64-3F-10-FC-75
The rule is TRUE for two rows, as only either of the conditions must be satisfied. A computer is selected.
Address
OS Name

MB
192.168.1.2
4A-64-3F-10-FC-75
Windows 7
Enterprise
10.1.1.11
2B-E8-73-BE-81-C7
PDF Reader
124.256.25.25
52-FB-E5-74-35-73
Office Suite
6.1.7601
2048
ESET Endpoint
Security
Weather Forecast
4.1.8.8.5 How to automate ESET Remote Administrator

1. Create a Dynamic Group for example: "Infected Computers".
2. Create a task for in-depth scan and assign it to Dynamic Group Infected Computers (Task triggered when clients
enters Dynamic Group).
3. Create a specific policy (in this example an "isolation policy") - when an ESET security product is installed, create a
Firewall rule that will block all traffic except the connection to ESET Remote Administrator.
4. Create a notification template for infected computers (you can specify various conditions) a notification is
triggered to alert you of a spreading threat.
Using the similar technique, you can automate product and OS updates, scanning, automatic activations of newly
added products with preselected license, and other tasks.
125
4.2 User Management

This section allows you to manage Users and User Groups for the purpose of iOS Mobile Device Management.
Mobile Device Management is conducted with the use of policies assigned to iOS devices. However, we recommend
that you synchronize Users with Active Directory first. Then you can modify users or add Custom Attributes.
User highlighted in orange have no device assigned to them. Click the user, select Edit... and click Assigned
Computers to view details for that user. Click Add computers to assign computers or device(s) to this user.
You can also add or remove Assigned users from within Computers details. When you are in Computers or Groups,
select a computer or mobile device and click Details. The user can be assigned to more than one computer/mobile
device.
You can filter the users using the filter at the top of the page, click Add Filter and select an item from the list.
126
User management actions:

Details....
The user details menu displays information such as Email Address, Office or Location, Custom Attributes and
Assigned Computers. The user can have more than one assigned computer/mobile device. You can change the user's
Name, Description or Parent group. Custom Attributes shown here are the ones that can be used when creating
policies.
New User Group...

You can create a New User Group.
127
Add Users...
Add a new User or Users.
Synchronize
Create a new Server task - User Synchronization.
Edit...
Allows you to edit the selected User or User Group.
Move...
You can select a User or User Group and move it as a subgroup of another User Group.
Delete
Removes the selected User or User Group completely.
4.2.1 Add New Users

Click Admin > User Management > Add Users... to add users that were not found or added automatically during User
Synchronization.
128
Type the name of the User you want to add into the User Name field. Use the Conflict Resolution drop-down menu
to select the action to take if a user you are adding already exists in ERA:
Ask when conflicts are detected: When a conflict is detected, the program will ask you to select an action (see
the options below).
o Skip conflicting users: Users with the same name will not be added. This also ensures that existing user's
custom attributes in ERA will be preserved (not overwritten with the data from Active Directory).
o Overwrite conflicting users: Existing user in ERA is overwritten by the user from Active Directory. If two
users have the same SID, the existing user in ERA is removed from its previous location (even if the user
was in a different group).
Click + Add Another to add additional users. If you want to add multiple users at once, click Import to upload a csv
file containing a list of users to be added. Optionally, you can enter a Description of the users for easier
identification.
Click Add when you are finished making changes. Users will appear in the parent group that you specified.
129
4.2.2 Edit Users

You can modify a user's details such as Basic information, Custom Attributes and Assigned Computers.
NOTE: When performing a User synchronization task for users that have custom attributes defined, set User
creation collision handling to Skip. If you do not, user data will be overwritten by data from your Active Directory.
Basic
If you have used a User synchronization task to create the user and some fields are blank, you can specify these
manually as required.
Custom Attributes
You can edit existing Custom Attributes or add new attributes. To add new ones, click Add New and select from the
categories:
Wi-Fi Accounts: Profiles can be used to push corporate Wi-Fi settings directly to managed devices.
VPN Accounts: You can setup a VPN along with the credentials, certificates, and other required information to
make the VPN readily accessible for users.
Email Accounts: This is used for any email account that uses IMAP or POP3 specifications. If you use an Exchange
server, use the Exchange ActiveSync settings below.
Exchange Accounts: If your company utilizes Microsoft Exchange, you can create all the settings here to minimize
the setup time for your users' access to mail, calendar, and contacts.
LDAP (Attribute Alias): This is especially useful if your company utilizes LDAP for contacts. You can map the contact
fields to the corresponding iOS contact fields.
CalDAV: This contains the settings for any calendar that uses the CalDAV specifications.
CardDAV: For any contacts that are synced through the CardDAV specification, the information for syncing can be
established here.
Subscribed Calendars: If any CalDAV calendars are setup, this is where you can define read-only access to others'
calendars.
Some of the fields will become an attribute which can then be used when creating a policy for iOS mobile debvice
as a variable (placeholder). For example, Login ${exchange_login/exchange} or Email Address ${exchange_email/
exchange} .
130
Assigned Computers
Here you can select individual Computers/Mobile devices. To do so, click Add Computers - all Static and Dynamic
Groups with their members will be listed. Use check boxes to make your selection and click OK.
Summary
Review the settings of this user account and click Finish.
131
4.2.3 Create New User Group

Click Admin > User Management >
and select
New User Group...
Basic
Enter a Name and Description (optional) for the new User Group. By default, the parent group is the group you
selected when you started creating the new User Group. If you want to change its parent group, click Change Parent
Group and select a parent group from the tree. Click Finish to create the new User Group.
You can assign specific permissions to this User Group from within Access Rights using Permission Sets (see User
Groups section). This way, you can specify which specific ERA Console users can manage which specific User Groups.
You can even restrict access for such users to other ERA functions, if desired. These users will then manage User
Groups only.
132
4.3 Policies
Policies are used to push specific configurations to ESET products running on client computers. This allows you to
avoid configuring each client's ESET product manually. A policy can be applied directly to individual Computers as
well as groups (Static and Dynamic). You can also assign multiple policies to a computer or a group, unlike in ESET
Remote Administrator 5 and earlier where it was only possible to apply one policy to one product or component.
Policy application
Policies are applied in the order that Static Groups are arranged. This is not true for Dynamic Groups, where child
Dynamic Groups are traversed first. This allows you to apply policies with greater impact at the top of the Group tree
and apply more specific policies for subgroups. With properly configured policies with flags, an ERA user with access
to groups located higher in the tree can override the policies of lower Groups. The algorithm is explained details in
How Policies are applied to clients.
Merging policies
A policy applied to a client is usually a result of multiple policies being merged into one final policy.
NOTE: We recommend that you assign more generic policies (for example, general settings such as update
server) to groups that are higher within the groups tree. More specific policies (for example device control settings)
should be assigned deeper in the groups tree. The lower policy usually overrides the settings of the upper policies
when merging (unless defined otherwise with policy flags).
NOTE: When you have a policy in place and decide to remove it later on, the configuration of the client computers
will not automatically revert back to their original settings once the policy is removed. The configuration will remain
according to the last policy that was applied to the clients. The same thing happens when a computer becomes a
member of a Dynamic Group to which a certain policy is applied that changes the computer's settings. These settings
remain even if the computer leaves the Dynamic Group. Therefore, we recommend that you create a policy with
default settings and assign it to the root group (All) to have the settings revert to defaults in such a situation. This
way, when a computer leaves a Dynamic Group that changed its settings, this computer receives the default
settings.
133
4.3.1 Policies Wizard

You can use policies to configure your ESET product the same way you would from within the Advanced setup
window of the product GUI. Unlike policies in Active Directory, ERA Policies cannot carry any script or series of
commands.
Policies are created and managed in the Admin > Policies tab. Click Policies at the bottom and select New...
Basic
Enter a Name for the new policy. The Description field is optional.
Settings
Select your product from the drop-down menu.
are defined.
o use
134
4.3.2 Flags
You can set a flag for each setting in a policy. They define how a setting will be handled by the policy:
Apply - settings with this flag will be sent to the client. However, when merging policies it can be overwritten by a
later policy. When a policy is applied to a client computer and a particular setting has this flag, that setting is
changed regardless of what was configured locally on the client. Because the setting is not forced, it can be
changed by other policies later on.
Force - settings with the force flag have priority and cannot be overwritten by a later policy (even if the later
policy has a Force flag). This assures that this setting wont be changed by later policies during merging.
are defined.
o use
4.3.3 Manage Policies

Navigate to Admin > Policies and select a policy you want to manage. Click the Policies button (alternatively the
next to existing policy).
Actions you can take with Policies:
New...
Use this option to create a new Policy.
Edit...
Allows you to edit the selected Policy.
Duplicate
Lets you create a new Policy based on the existing Policy you've selected, a new name is required for the duplicate.
Assign
To assign a Policy to a client or a groups.
135
Delete
Removes the selected Policy completely.
Import...
Click Policies > Import..., click Choose File and browse for the file you want to import. To select multiple Policies,
see Modes below.
Export...
Select a Policy you want to export from the list and click Policies button > select Export... The Policy will be exported
to a .dat file. To export multiple Policies, change select mode, see Modes below.
You can use Modes to change select mode (Single or Multiple). Clicking the arrow in upper right corner and choose
from the context menu:
Single select mode - you can select single item.
Multiple item select mode - lets you use the check boxes to select multiple items.
Refresh - reloads/refreshes displayed information.
4.3.4 Create a Policy for ERA Agent to connect to the new ERA Server
This policy lets you change the behavior of ERA Agent by modifying its settings. The following is especially useful
when migrating client machines to a new ERA Server.
Create new policy to set new ERA Server IP address and assign the policy to all client computers. Select Admin >
Policies > create New.
Basic
Enter a Name for your policy. The Description field is optional.
Settings
Select ESET Remote Administrator Agent from the drop-down menu, expand Connection and click Edit server list
next to Servers to connect to.
136
A window will open with a list of ERA Servers the ERA Agent can connect to. Click Add and type the IP address of
your new ERA Server into the Host field. If you are using different port than the default ERA Server port 2222, to
specify your custom port number.
You can use arrow buttons to change priority of ERA Servers in case you have multiple entries in the list. Make sure
your new ERA Server is at the top by clicking double-up arrow button and then click Save.
Assign
Here you can specify the clients (individual computers/mobile devices or whole groups) that are the recipients of
this policy.
Click Assign to display all Static and Dynamic Groups and their members. Select your desired clients and click OK.
137
Summary
Review the settings for this policy and click Finish.
4.3.5 Create a Policy to enable ERA Agent Password protection

Follow the steps below to create a new policy that will enforce a password to protect the ERA Agent. When
Password protected setup is used, ERA Agent cannot be uninstalled or repaired unless a password is provided. See
Agent protection for more details.
Basic
Enter a Name for this policy. The Description field is optional.
Settings
Select ESET Remote Administrator Agent from the drop-down list, expand Advanced settings, navigate to Setup and
type the password into the Password protected setup field. This password will be required if someone is trying to
uninstall or repair ERA Agent on a client computer.
IMPORTANT: Make sure to record this password in a safe place, it is essential to enter the password to allow ERA
Agent uninstallation from the client computer. There is no other regular way of uninstalling ERA Agent without a
correct password once Password protected setup policy is in place.
138
Assign
this policy.
139
Summary
140
4.3.6 Create a Policy for iOS MDM - Exchange ActiveSync Account

You can use this policy to configure a Microsoft Exchange Mail account, Contacts and Calendar on user's iOS mobile
devices. The advantage of using such a policy is that you only need to create one policy which you can then apply to
many iOS mobile devices without the need to configure each separately. This is possible using Active Directory user
attributes. You need to specify a variable, for example ${exchange_login/exchange} and this will be replaced with a
value from the AD for a particular user.
If you do not use Microsoft Exchange or Exchange ActiveSync, you can manually configure each service (Mail
Accounts, Contacts Accounts, LDAP Accounts, Calendar Accounts and Subscribed Calendar Accounts).
The following is an example of how to create and apply a new policy to automatically set up Mail, Contacts and
Calendar for each user on iOS mobile device using Exchange ActiveSync (EAS) protocol to synchronize these
services.
NOTE: Before you begin setting this policy up, make sure you've already performed the steps described under
Mobile Device Management.
Basic
Settings
Select ESET Mobile Device Management for iOS from the drop-down list, click Others to expand categories and then
click Edit next to Exchange ActiveSync Accounts.
Click Add and specify the details of your Exchange ActiveSync account. You can use variables for certain fields (select
from the drop-down list), such as User or Email Address. These will be replaced with actual values from User
Management when a policy is applied.
141
Account name - Enter name of the Exchange account. This is only for the user or administrator to identify what
Mail/Contacts/Calendar account it is.
Exchange ActiveSync Host - Specify the Exchange Server hostname or its IP address.
Use SSL - This option is enabled by default. It specifies whether the Exchange Server uses Secure Sockets Layer
(SSL) for authentication.
Domain - This field is optional. You can enter the domain this account belongs to.
User - Exchange login name. Select the appropriate variable from the drop-down list to use attribute from your
Active Directory for each user.
Email Address - Select the appropriate variable from the drop-down list to use an attribute from your Active
Directory for each user.
Password - Optional. We recommend that you leave this field empty. If it is left empty users will be prompted to
create their own passwords.
Past Days of Mail to Sync - Select the number of past days of mail to sync from the drop-down list.
Identity certificate - Credentials for connection to ActiveSync.
Allow messages to be moved - If enabled, messages can be moved from one account to another.
Allow recent addresses to be synced - If this option is enabled, the user is allowed to sync recently used
addresses across devices.
Use Only in Mail - Enable this option if you want to allow only the Mail app to send outgoing email messages from
this account.
Use S/MIME - Enable this option to use S/MIME encryption for outgoing email messages.
Signing Certificate - Credentials for signing MIME data.
Encryption Certificate - Credentials for encryption MIME data.
Enable per-message encryption switch - Allow the user to choose whether to encrypt each message.
142
NOTE: If you do not specify a value and leave the field blank, mobile device users will be prompted to enter this
value. For example a Password.
Add certificate - You can add specific Exchange certificates (User Identity, Digital Signature or Encryption
Certificate) if required.
NOTE: Using the steps above, you can add multiple Exchange ActiveSync Accounts, if desired. This way, there will
be more accounts configured on one mobile device. You can also edit existing accounts if necessary.
Assign
this policy.
143
Summary
4.3.7 Create a Policy to enforce restrictions on iOS and add Wi-Fi connection
You can create a policy for iOS mobile devices to enforce certain restrictions. You can also define multiple Wi-Fi
connections so that, for example, users will automatically be connected to the corporate Wi-Fi network at different
office locations. The same applies to VPN connections.
Restrictions that you can apply to iOS mobile device are listed in categories. For example, you can disable FaceTime
and the use of camera, disable certain iCloud features, fine-tune Security and Privacy options or disable selected
applications.
NOTE: Restrictions that can or cannot be applied depend on the version of iOS used by client devices. iOS 8.x and
newer are supported.
144
The following is an example of how to disable the camera and FaceTime apps and add Wi-Fi connection details to
the list in order to have the iOS mobile device connect to a Wi-Fi network whenever the network is is detected. If
you use the auto Join option, iOS mobile devices will connect to this network by default. The policy setting will
override a user's manual selection of a Wi-Fi network.
Basic
Settings
Select ESET Mobile Device Management for iOS, click Restrictions to see categories. Use the switch next to Allow
use of camera to disable it. Since the camera is disabled, FaceTime will automatically be disabled as well. If you
wish to disable FaceTime only, leave the camera enabled and use the switch next to Allow FaceTime to disable it.
145
After you've configured Restrictions, click Others and then click Edit next to Wi-Fi connection list. A window with
the list of Wi-Fi connections will open. Click Add and specify connection details for the Wi-Fi network you want to
add. Click Save.
Service Set Identifier (SSID) - SSID of the Wi-FI network to be used.

Auto Join - Optional (enabled by default), device automatically joins this network.
Security settings:
Encryption Type - Select appropriate encryption from the drop-down list, make sure this value exactly matches
the capabilities of the Wi-Fi network.
Password - Enter the password that will be used to authenticate when connecting to the Wi-Fi network.
Proxy settings - Optional. If your network uses a Proxy, specify values accordingly.
Assign
this policy.
146
Summary
4.3.8 Create a Policy for MDC to activate APNS for iOS enrollment
This is an example of how to create a new policy for ESET Mobile Device Connector to activate APNS (Apple Push
Notification Services) and iOS device Enrollment feature. This is required for iOS device Enrollment. Before
configuring this policy, create a new APN certificate and have it signed by Apple on the Apple Push Certificates
Portal so that it becomes a signed certificate or APNS Certificate. For step-by-step instructions see the APN
certificate section.
Basic
Settings
Select ESET Remote Administrator Mobile Device Connector from the drop-down list. Under General, go to Apple
Push Notification Service and upload the APNS Certificate and a APNS Private Key.
NOTE: Type your actual organization's name over the Organization string. This is used by the enrollment profile
generator to include this information in the profile.
147
APNS Certificate (signed by Apple) - click the folder icon and browse for the APNS Certificate to upload it.
APNS Private Key - click the folder icon and browse for the APNS Private Key to upload it.
Assign
this policy.
Click Assign to display all Static and Dynamic Groups and their members. Select the Mobile Device Connector
instance that you want to apply an APNS Certificate on and click OK.
Summary
148
4.3.9 How Policies are applied to clients

Groups and Computers can have several policies assigned to them. Moreover, a Computer can be in a deeply nested
Group, the parents of which have their own policies.
The most important thing for the application of policies is their order. This is derived from the Group order and
order of policies assigned to the Group.
Follow the steps below to determine the active policy for any client:
1. Find the order of groups in which the client resides
2. Replace groups with assigned Policies
3. Merge Policies to get final settings
4.3.9.1 Ordering Groups

Policies can be assigned to Groups, and are applied in a specific order.
When ordering Groups into the list, several rules are applied:
1. Static Groups are traversed from the root Static Group - All.
2. On every level, the Static Groups of that level are traversed first in the order they appear in the tree - this is also
called Breadth-first search.
3. After all the Static Groups at a certain level are in the list, Dynamic Groups are traversed.
4. In every Dynamic Group, all its children are traversed in the order that they appear in the list.
5. At any level of Dynamic Groups, if there is a child, it is listed and searched for its children. When there are no
more children, the next Dynamic Groups at the parent level are listed - this is also called Depth-first search.
6. Traversal ends at a Computer.
In practice, the traversal would look as follows:
As shown above, the root (Static Group called All) is listed as Rule 1. Since there are no more groups at the same
level as the All group, policies from groups at the next level are evaluated next.
149
The Lost & Found, SG 1 and SG 2 Static Groups are evaluated next. The computer is actually only a member of the
All/SG 2/SG 3 Static Groups and therefore there is no need to traverse the Lost & Found and SG 1 groups. SG 2 is the
only group at this level that will be evaluated, so it goes into the list and traversal goes deeper.
At the third level, the algorithm finds SG 3, DG 1 and DG 2. According to Rule 2, Static Groups are listed first.
Traversal adds SG 3 and, since it is the last Static Group at level 3, moves to DG 1. Before moving on to DG 2 at level
3, the children of DG 1 must be listed.
DG 3 is added. It has no children, so traversal steps up.
DG 2 is listed. It has no children. At level 3, there are no more groups left. Traversal steps to level 4.
Only Dynamic Group DG 4 and the computer itself are on level 4. Rule 6 says that the computer goes last, hence DG 4
is picked up. DG 4 has two children that must be processed before going any further.
DG 5 and DG 6 are added to the list. They both lack children and traversal has nothing more to process. It adds
Computer and ends.
We ended up with the list:
1. All
2. SG 2
3. SG 3
4. DG 1
5. DG 3
6. DG 2
7. DG 4
8. DG 5
9. DG 6
10.Computer
This is the order in which the Policies are applied.
4.3.9.2 Enumerating Policies

Once the order of Groups is known, the next step is to replace each group with the policies assigned to it. Policies
are listed in the same order as they are assigned to a Group. A group without a policy is removed from the list. It is
possible to edit the priority of policies for a group with more policies assigned. Each policy configures only one
product (ERA Agent, ERA Proxy, EES, etc.)
We have 3 policies applied to both static and Dynamic Groups (see picture below):
Our list from step 1 would be transformed into:
150
1. All (removed, no Policy here)

2. SG 2 -> Policy 1, Policy 2
3. SG 3 (removed for no Policy)
4. DG 1 -> Policy 1, Policy 2
5. DG 3 (removed, no Policy)
6. DG 2 -> Policy 3
10.Computer (removed, no Policy)
The final list of Policies is:
1.
2.
3.
4.
5.
Policy 1
Policy 2
Policy 1
Policy 2
Policy 3
4.3.9.3 Merging Policies

Policies are merged one by one. When merging policies, the general rule is that the latter policy always replaces the
settings set by the former one.
To change this behavior, you can use policy flags (available for every setting). Settings are merged one by one.
Keep in mind that the structure of the groups (their hierarchy) and the sequence of the policies determines how the
policies are merged. Merging of any two policies may have different result in dependence on their order. The
groups have been ordered and policies have been enumerated.
4.3.10 Configuration of a product from ERA

You can use policies to configure your ESET product the same way you would from within the Advanced setup
window of the product GUI. Unlike policies in Active Directory, ERA Policies cannot carry any script or series of
commands.
4.3.11 Assign a Policy to a Group

151
152
4.3.12 Assign a Policy to a Client

To assign a policy to a client workstation, click Admin > Policies select the Clients tab and click Assign client(s).
Select your target client computer(s) and click OK. The policy will be assigned to all computers you have selected.
153
4.4 Client Tasks

You can use Client Tasks to manage client computers and their ESET security products. There is a set of predefined
tasks that cover the most common scenarios, or you can create a custom Client Task with specific settings. Use Client
Tasks to request an action from client computers.
Client tasks can be assigned to groups or individual computers. Once created, a task is executed using a Trigger.
Client tasks are distributed to clients when the ERA Agent on a client connects to the ERA Server. For this reason, it
may take some time for task execution results to be communicated to the ERA Server. You can manage your ERA
Agent connection interval to bring down task execution times. The following predefined tasks are available for your
convenience:
Each Task Category contains Task Types:
All Tasks
ESET Security Product
Export Managed Products Configuration
On-Demand Scan
Product Activation
Quarantine Management
Run SysInspector Script
Server scan
Software Install
SysInspector Log Request
Upload Quarantined File
Virus Signature Database Update
Virus Signature Database Update Rollback
ESET Remote Administrator
Remote Administrator Components Upgrade
Reset Cloned Agent
Rogue Detection Sensor Database Reset
Stop Managing (Uninstall ERA Agent)
Operating System
Display Message
Operating System Update
Run Command
Shutdown computer
Software Install
Software Uninstall
154
Mobile
Anti-Theft Actions
Device Enrollment
Display Message
Export Managed Products Configuration
On-Demand Scan
Product Activation
Software Install
Virus Signature Database Update
4.4.1 Client Tasks executions

The current status of each Client Task can be tracked under Admin > Client Tasks. For each task, a Progress indicator
bar and Status icon is displayed. You can Drill down to view further details of a given Client Task and even take
further actions such as Run on or Rerun on failed.
IMPORTANT: You must create a Trigger to execute all Client Tasks.
NOTE: A lot of data is re-evaluated during this process, it may require more time for execution than in previous
versions (depending on Client Task, Client Trigger and overall Computers count).
155
Client Task action (click the Client Task to see context menu):
Details...
The Client Task Detail displays Summary information about the Task, click the Executions tab to switch view to see
each execution result. You can Drill down to view details for a given Client Task. If there are too many executions,
you can filter the view to narrow down the results.
NOTE: When installing older ESET products, the Client Task report will display: Task delivered to the managed
product.
Edit...
Allows you to edit the selected Client Task. Editing existing tasks is useful when you only need to make small
adjustments. For more unique tasks, you might prefer to create a new task from scratch.
Duplicate...
Lets you create a new task based on the selected task, a new name is required for the duplicate.
Delete
Removes the selected task(s) completely.
Run on...
Add a new Trigger and select Target computers or groups for this task.
Rerun on failed
Creates a new Trigger with all computers that failed during previous Task execution set as targets. You can edit the
task settings if you prefer, or click Finish to rerun the task unchanged.
Execution action (use the

context menu):
sign to expand the Client Task to see its Executions/Triggers, click the Trigger to get
Edit...
Allows you to edit the selected Trigger.
Rerun ASAP
You can run the Client Task again (ASAP) using an existing Trigger straight away with no modification.
156
Delete
Removes the selected trigger completely.
Duplicate...
Lets you create a new Trigger based on the selected one, a new name is required for the duplicate.
4.4.1.1 Progress indicator

The progress indicator is a color bar that shows the execution status of a Client Task. Each Client Task has its own
indicator (shown in the Progress row). The execution status of a Client Task is shown in different colors, and
includes the number of computers in that state for a given task:
Running (blue)
Successfully finished (green)
Failed (orange)
Newly created Client Task (white) it might take some time for the indicator to change color, ERA Server must
receive a response from an ERA Agent to show the execution status. The progress indicator will be white if there is
no Trigger assigned.
A combination of the above
When you click the color bar, you can select from execution results and take further actions if necessary, see Drill
down for more details.
IMPORTANT: The progress indicator shows the status of a Client Task when it was last executed. This information
comes from the ERA Agent. The progress indicator shows exactly what the ERA Agent is reporting from client
computers.
157
4.4.1.2 Status icon

The icon next to Progress indicator provides additional information. It shows whether there are any planned
executions for a given Client Task as well as the result of executions that were completed. This information is
enumerated by ERA Server. The following statuses can be indicated:
Running Client Task is being executed on at least one target, there are no scheduled and no failed. This applies
even if the Client Task has already finished on some targets.
Success Client Task has finished successfully on all targets, there are no scheduled or running executions.
Error Client Task has run on all targets, but has failed on at least one. No further executions are planned
(scheduled).
Planned Client Task is planned for execution, but no executions are running.
Planned/Running Client Task has scheduled executions (from the past or in the future). No executions have
failed and at least one execution is currently running.
Planned/Successful Client Task still has some scheduled executions (from the past or in the future), no failed or
running executions and at least one execution has finished successfully.
Planned/Error Client Task still has some executions scheduled (from the past or in the future), no running
executions and at least one execution has failed. This applies even if some executions have completed successfully.
4.4.1.3 Drill down

When you click the color progress indicator bar, you can select from the following:
Show planned
Show running
Shown successful
Show failed
An Executions window will display a list of computers with your selected result (using a filter). Computers with a
result other than the one selected will not be shown. You can modify the filter or turn it off to see all computers
regardless of their last status.
You can also drill down deeper, for example by selecting History to see details about the Client Task execution
including the time when it Occurred, current Status, Progress and Trace message (if available). You can click
Computer name or Computer description and take further actions if necessary, or view Computer Details for a
specific client.
158
NOTE: If you do not see any entries in the Executions history table, try setting the Occurred filter to longer
duration.
159
4.4.1.4 Trigger
A Trigger must be assigned to a Client Task for it to be executed. To defining a Trigger, select the Target computers
or groups on which a Client task should be executed. With your target(s) selected, set the trigger conditions to
execute the task at a particular time or event. Additionally, you can use Advanced settings - Throttling to further
fine-tune the Trigger, if required.
Basic
Enter basic information about the Trigger in the Description field and then click Target.
Target

CRON Expression.
160
4.4.2 Shutdown computer

You can use the Shutdown computer task to shutdown or reboot client computers. Click New... to begin setting up
your new task.
Basic
(see the list above) defines the settings and the behavior for the task. In this case you can use the Shutdown
computer task.
Target
IMPORTANT: It is not possible to add Targets while creating a Client Task. You will be able to add Targets after the
task has been created. Configure Settings for the task and click Finish to create the task and then create a Trigger to
specify Targets for the task.
Settings
Reboot computer(s)- select this check box if you want to reboot following task completion. If you want to
shutdown computer(s), leave it deselected.
Summary
Review the summary of configured settings and click Finish. The Client Task is now created and a pop-up window
will open. We recommend you to click Create Trigger to specify when this Client Task should be executed and on
what Targets. If you click Close, you can create a Trigger later on.
161
4.4.3 On-Demand Scan

The On-Demand Scan task lets you manually run a scan on the client computer (separate from a regular scheduled
scan). Click New... to begin setting up your new task.
Basic
(see the list above) defines the settings and the behavior for the task. In this case you can use the On-Demand Scan
task.
Target
Settings
Shutdown after scan - If you select this check box, the computer will shut down after scanning is finished
162
Scan profile - You can select the profile you want from the drop-down menu:
In-depth Scan - This is a pre-defined profile on the client, it is configured to be the most thorough scan profile and
checks the whole system but also requires the most time and resources.
Smart scan - Smart scan allows you to quickly launch a computer scan and clean infected files with no need for
user intervention. The advantage of Smart scan is it is easy to operate and does not require detailed scanning
configuration. Smart scan checks all files on local drives and automatically cleans or deletes detected infiltrations.
The cleaning level is automatically set to the default value.
Scan From Context Menu - Scans a client using a pre-defined scan profile, you can customize the scan targets.
Custom Profile - Custom scan lets you specify scanning parameters such as scan targets and scanning methods.
The advantage of a Custom scan is the ability to configure the parameters in detail. Configurations can be saved to
user-defined scan profiles, which make it easy to repeat the scan using the same parameters. A profile must be
created prior to running the task with the custom profile option. Once you select a custom profile from the dropdown menu, type the exact name of the profile into the Custom profile field.
Cleaning
By default, Scan with cleaning is selected. This means that when infected objects are found, they are cleaned
automatically. If this is not possible, they will be quarantined.
Scan Targets
This option is also selected by default. Using this setting, all targets specified in the scan profile are scanned. If you
deselect this option, you need to manually specify scan targets in the Add Target field. Type the scan target into the
text field and click Add. The target will be displayed in the Scan targets field below.
Summary
4.4.4 Operating System Update

The System Update task is used to update the operating system of the client computer. This task can trigger the
operating system update on Windows, OS X and Linux operating systems.
Basic
Enter basic information about the task, such as a Name and Description and then select the Operating System
Update task. The Task Type (see the list of Client Task types) defines the settings and behavior for the task.
Target
163
Settings
Automatically Accept EULA - select this check box if you want to accept the EULA automatically. No text will be
displayed to the user.
Install Optional Updates - this option applies to Windows operating systems only, updates that are marked as
optional will also be installed.
Allow Reboot - this option applies to Windows operating systems only and causes the client computer to reboot
once the updates are installed.
Summary
164
4.4.5 Quarantine Management

The Quarantine management task is used to manage objects in the ERA Server quarantine - infected or suspicious
objects found during the scan.
Basic
(see the list above) defines the settings and the behavior for the task. In this case you can use the Quarantine
Management task.
Target
Settings
Quarantine management settings
Action - Select the action to be taken with the object in Quarantine.
o Restore Object(s) (restores the object to its original location, but it will be scanned and if the reasons for the
Quarantine persist, the object will be quarantined again)
o Restore Object(s) and Exclude in Future (restores the object to its original location and it will not be
quarantined again).
o Delete Object(s) (deletes the object completely).
Filter type - Filter the objects in the Quarantine based on the criteria defined below. Either based on the Hash string
of the object or Conditions.
165
Conditional filter settings:

o Hash filter settings - Add hash items into the field. Only known objects can be entered, for example, an object
that has already been quarantined.
o Occurred from/to - Define the time range, when the object has been quarantined.
o Minimal/maximal size (bytes) - Define the size range of the quarantined object (in bytes).
o Threat name - Select a threat from the quarantined items list.
o Object name - Select an object from the quarantined items list.
Summary
4.4.6 Rogue Detection Sensor Database Reset

The Rogue Detection Sensor Database Reset task is used to reset the RD Sensor search cache. The task deletes the
cache and the search results will be stored again. This task does not remove detected computers. This task is useful
when detected computers are still in the cache and are not reported to the server.
NOTE: Settings are not available for this task.
Target
166
Summary
4.4.7 Remote Administrator Components Upgrade

The Remote Administrator Components Upgrade task is used to upgrade ERA components (ERA Agent, ERA Proxy,
ERA Server and MDM). For example, when you want to upgrade from ERA version 6.1.28.0, 6.1.33.0 to ERA version
6.2.x. See Components upgrade for detailed instructions.
Basic
(see the list above) defines the settings and the behavior for the task. In this case you can use the Remote
Administrator Components Upgrade task.
Target
167
Settings
Select the check box next to I agree with application End User License Agreement if you agree. See License
Reference Remote Administrator Server - Select ERA Server version from the list. All ERA components will be
upgraded to versions compatible with the selected server.
Automatically reboot when needed - You can force a reboot of the client operating system, if the installation
requires so.
Summary
168
4.4.8 Reset Cloned Agent

The Reset Cloned Agent task can be used to distribute the ESET Agent in your network via a pre-defined image.
Cloned Agents have the same SID, which can cause problems (multiple Agents with the same SID), to resolve this,
use the Reset Cloned Agent task to reset the SID and assigns Agents a unique identity.
NOTE: Settings are not available for this task.
Target
Summary
169
4.4.9 Run Command

The Run command task can be used to execute specific command line instructions on the client. The administrator
can specify the command line input to run.
Basic
(see the list above) defines the settings and the behavior for the task. In this case you can use the Run Command
task.
Target
Settings
Command line to run - Enter a command line you want to run on the client(s).
Working directory - Enter a directory where the command line above will be executed.
Summary
170
4.4.10 Run SysInspector Script

The Run SysInspector Script task is used to remove unwanted objects from the system. A SysInspector Script needs
to be exported from ESET SysInspector prior to using this task. After you export the script, you can mark objects you
want to remove and run the script with the modified data - the marked objects will be deleted.
Basic
(see the list above) defines the settings and the behavior for the task. In this case you can use the Run SysInspector
Script task.
NOTE: Once the task is finished, you can review the results in a report.
Target
Settings
SysInspector Script - Click Browse to navigate to the service script. The service script needs to be created prior to
running this task.
Action - You can either Upload to, or Download a script from the ERA Console.
Summary
171
4.4.11 Server Scan

You can use the Server Scan task to scan clients with ESET Server solutions installed (currently ESET File Security 6
and ESET Mail Security 6).
Scanned Server - click Select to choose a server for scanning. Only one server can be selected.
Scan Targets - displays resources on the selected server that are available for scanning.
NOTE: The first time that you use Generate target list, allow about half the duration of specified Update period to
pick it up. For example, if the Update period is set to 60 minutes, allow 30 minutes to receive the list of scan targets.
For more information see ERA scan targets.
NOTE: You can use the Server Scan task scan to perform a Hyper-V scan on ESET File Security 6, as well as Ondemand mailbox database scan and Hyper-V scan on ESET Mail Security 6. Other scan methods are currently not
available.
172
4.4.12 Software Install

The Software Install task is used to install software on your client computers. It is primarily intended to install ESET
products, but you can use it to install any software you like.
Basic
(see the list above) defines the settings and the behavior for the task. In this case you can use the Software Install
task.
Target
Settings
Select the check box next to I agree with application End User License Agreement if you agree. See License
Click <Choose ESET License> and select the appropriate license for the installed product from the list of available
licenses.
Click <Choose package> to select a installer package from the repository or specify a package URL. A list of available
packages where you can select the ESET product you want to install (for example, ESET Endpoint Security) will be
displayed. Select your desired installer package and click OK. If you want to specify a URL where the installation
package is located, type or copy and paste the URL (for example file://\\pc22\install\ees_nt64_ENU.msi) into the text
field (do not use a URL that requires authentication).
http://server_address/ees_nt64_ENU.msi - If you are installing from a public web server or from your own HTTP
server.
file://\\pc22\install\ees_nt64_ENU.msi - if you are installing from network path.
file://C:\installs\ees_nt64_ENU.msi - if you are installing from local path.
173
NOTE: Please note, that both ERA Server and ERA Agent require access to the internet to access the repository
and perform installation. If you do not have internet access, you can install the client software locally.
If you need to, you can specify Installation parameters, otherwise leave this field empty. Select the check box next
to Automatically reboot when needed to force an automatic reboot of the client computer after installation.
Alternatively, you can leave this option deselected and the the client computer can be restarted manually.
Summary
4.4.13 Software Uninstall

The Software Uninstall task is used to uninstall ESET security product from client computers when they are no longer
wanted/needed. Once you uninstall the ERA Agent from the client computer, ESET security product may retain some
settings after the ERA Agent has been uninstalled.
IMPORTANT: We recommend that you reset some settings (for example, password protection) to default
settings using a policy before the device is removed from management. Also, all tasks running on the Agent will be
abandoned. The Running, Finished or Failed execution status of this task may not be displayed accurately in ERA
Web Console depending on replication.
Basic
Enter basic information about the task, such as the Name, optional Description and the Task Type. The Task Type
Target
174
Settings
Software Uninstallation Settings
Uninstall - Application from list:
Package name - Select an ERA component or a client security product. All packages installed on the selected client(s)
are displayed in this list.
Package version - You can either remove a specific version (sometimes, a specific version can cause problems) of
the package, or uninstall all versions of a package.
Automatically reboot when needed - You can force a reboot of the client operating system if it is required for
uninstallation.
Uninstall - Third party antivirus software (Built with OPSWAT) - For a list of compatible AV Software, see our
Knowledgebase article. This removal is different from the Add or Remove Programs uninstallation. It uses
alternative methods to remove third party antivirus software thoroughly including any residual registry entries or
other traces.
Follow the step-by-step instructions in this article How do I remove third-party antivirus software from client
computers using ESET Remote Administrator? (6.x) to send a task to remove third-party antivirus software from
client computers.
If you want to allow uninstallation of password-protected applications see our Knowledgebase article. (see step
12.)
Summary
175
NOTE: In case the ESET security product uninstallation does not finish successfully, for example if you get
error
message, this is because there is a password protection setting enabled in ESET security product. Apply a policy to
the client computer(s) you want to uninstall ESET security product from in such a way, that the password protection
is disabled, which otherwise prevents the uninstallation.
Product: ESET Endpoint Security -- Error 5004. Enter a valid password to continue uninstallation.
4.4.14 Product Activation

Follow the steps below to activate an ESET security product on a client computer or a mobile device.
Basic
Target
Settings
Product activation settings - Select a license for the client from the list. This license will be applied to products
already installed on the client. If you do not see any licenses listed, go to License Management to add licenses.
176
Summary
4.4.15 SysInspector Log Request

The SysInspector Log Request task is used to request the SysInspector log from a client security product, that has this
function.
Basic
(see the list above) defines the settings and the behavior for the task. In this case you can use the SysInspector Log
Request task.
Target
177
Settings
Store log on client - Select this if you want to store the SysInspector log on the client as well as on the ERA Server.
For example, when a client has ESET Endpoint Security installed, the log is usually stored under C:\Program Data
\ESET\ESET Endpoint Antivirus\SysInspector.
Summary
4.4.16 Upload Quarantined File

The Upload Quarantined File task is used to manage files quarantined on clients.
Basic
(see the list above) defines the settings and the behavior for the task. In this case you can use the Upload
Quarantined File task.
Target
178
Settings
Quarantined object - Select a specific object from the quarantine.
Object password - Enter a password to encrypt the object for security reasons. Please note that password will be
displayed in the corresponding report.
Upload path - Enter a path to a location where you want to upload the object.
Upload username/password - In case the location requires authentication (network share,etc.), enter the
credentials to access this path.
Summary
4.4.17 Virus Signature Database Update

The Product Update task forces to update the virus signature database of the security product installed on the
clients. This is a general task for all products on all systems.
Target
179
Settings
Clear Update Cache - This option deletes the temporary update files in the cache on the client, and can often be
used to repair failed virus signature database update errors.
Summary
4.4.18 Virus Signature Database Update Rollback

Sometimes a virus signature database update can cause issues, or you don't want to apply the update for all clients
(for example, for testing or when using pre-release updates). In this case, you can use the Virus Signature Database
Update Rollback task. When you apply this task, the virus signature database will be reset to the previous version.
Target
Settings
Here you can customize virus signature database update rollback settings.
Action
180
Enabled Updates - Updates are enabled and the client will receive the next virus signature database update.
Rollback and Disable Updates for Next - Updates are disabled for the specific time period in the Disable interval
drop-down menu - 24/36/48 hours or until revoked. Be careful when using the Until revoked option, as this
presents a security risk.
Summary
4.4.19 Device Enrollment - Client Task

Mobile devices can be managed by ERA Server and by the ESET Endpoint Security for Android mobile application
itself. To start managing mobile devices, you need to enroll them in ERA. Device Enrollment is done using a Client
Task.
Device Enrollment Android
Device Enrollment iOS
181
4.4.19.1 Device Enrollment Android

To enroll an Android mobile device in ERA, follow these steps:
Basic
Enter a task Name and Description (optional).
Mobile Device Connector
Select the machine where Mobile Device Connector is installed. An enrollment link (URL) will be displayed
automatically. If no links are displayed after clicking Select, make sure that the Mobile Device Connector server is
accessible. If you do not have Mobile Device Connector installed yet, refer to the Mobile Device Connector
installation - Windows or Linux chapters of this guide for installation instructions.
Settings
Type the Name of the mobile device (this name will be shown in the list of Computers), and optionally a
Description.
Enter the IMEI number for the mobile device you want to add. We also recommend that you enter the Email address
associated with the mobile device (the enrollment link will be sent to this email address).
Click + Add Another if you want to add another mobile device, you can add multiple devices at the same time.
Alternatively, click Import to upload a .csv file containing a list of mobile devices to add. Click Browse Existing and
select existing mobile devices.
Specify an Action by selecting the check box next to Display enrollment link and/or Send enrollment link (the URL
will be sent to the email address(es) associated with the device). If you want to send an enrollment link
(recommended) to the mobile device, edit the Subject and Message contents, but make sure to keep the
enrollment URL unchanged.
182
Summary
After you click Finish, the enrollment link (URL) will be displayed. If you do not specify an email address and did not
select Send enrollment link, you must either type the URL into the web browser on the mobile device manually, or
send this URL to the mobile device by other means.
There are two scenarios for enrollment when ESET Endpoint Security for Android (EESA) is activated on the mobile
device. You can activate EESA on the mobile device using a Product Activation task (recommended). The other
scenario is for mobile devices with the ESET Endpoint Security for Android app already activated.
EESA not activated yet - follow the steps below to activate the product and enroll your Device:
1. Tap the enrollment link URL (including the port number) received via email, or type it into the browser manually
(for example, https://eramdm:9980/enrollment). You might be asked to accept an SSL certificate, click Accept if
you agree and then click Connect.
183
2. If you do not have ESET Endpoint Security installed on the mobile device, you will automatically be redirected to
the Google Play store, where you can download the app.
184
NOTE: If you receive the notification Couldn't find an app to open this link, try opening the enrollment link in the
default Android web browser.
3. Enter the name of the mobile device user.
185
4. Tap Enable to enable uninstall protection.
186
5. Tap Activate to activate device administrator.
187
6. At this point, you can exit the ESET Endpoint Security for Android app on the mobile device and open ERA Web
Console.
188
7. In ERA Web Console, go to Admin > Client Tasks > Mobile > Product Activation and click New.
8. Select the mobile device by clicking Add targets.
9. Under Settings, click <Choose ESET license> , select the appropriate license and click Finish.
It might take some time for the Product Activation client task to run on the mobile device. Once the task is
successfully executed, the ESET Endpoint Security for Android app is activated and the mobile device can be
managed by ERA. The user will now be able use the ESET Endpoint Security for Android app. When the ESET
Endpoint Security for Android app is open, the main menu will be displayed:
189
EESA already activated - follow the steps below to enroll your device:
1. Tap the enrollment link URL (including the port number) received via email, or type it into the browser manually
(for example, https://eramdm:9980/enrollment). You might be asked to accept an SSL certificate, click accept if
you agree and then click Connect.
190
191
NOTE: If you do not have ESET Endpoint Security installed on the mobile device, you will automatically be
redirected to the Google Play store, where you can download the app.
NOTE: If you receive the notification Couldn't find an app to open this link, try opening the enrollment link in the
default Android web browser.
2. Check your connection details (Mobile Device Connector server address and port) and click Connect.
192
3. Type the ESET Endpoint Security admin mode password into the blank field and tap Enter.
193
4. This mobile device is now being managed by ERA, tap Finish.
194
4.4.19.2 Device Enrollment iOS

To enroll an iOS mobile device in ERA, follow these steps:
Basic
Enter a task Name and Description (optional).
Mobile Device Connector
Select the machine where Mobile Device Connector is installed. An enrollment link (URL) will be displayed
automatically. If no links are displayed after clicking Select, make sure that the Mobile Device Connector server is
accessible. If you do not have Mobile Device Connector installed yet, refer to the Mobile Device Connector
installation - Windows or Linux chapters of this guide for installation instructions.
Settings
Type the Name of the mobile device (this name will be shown in the list of Computers), and optionally a
Description.
Enter the Serial Number for the particular mobile device you want to add. We also recommend that you enter the
Email address that is associated with the mobile device (the enrollment link will be sent to this email address).
Click + Add Another if you want to add another mobile device, you can add multiple devices at the same time.
Alternatively, click Import to upload a .csv file containing a list of mobiles to add. Click Browse Existing and select
existing mobile devices.
Specify an Action by selecting the check box next to Display enrollment link and/or Send enrollment link (the URL
will be sent to the email address(es) associated with the device). If you want to send an enrollment link
(recommended) to the mobile device, you can edit the Subject and Message contents, but make sure to keep the
enrollment URL unchanged.
195
Summary
After you click Finish, the enrollment link (URL) will be displayed. If you do not specify an email address and did not
select Send enrollment link, you must either type the URL into the web browser on the mobile device manually, or
send this URL to the mobile device by other means. Alternatively, you can use a QR code.
Click Install to continue at the MDM Enrollment Install Profile screen.
196
Tap Trust to allow installation of the new profile.
197
After installing the new profile, the Signed by field will display that the profile is Not Signed. This is a standard
behavior for any MDM enrollment. The profile is actually signed with a certificate, despite this it is shown as "not
signed". This is because iOS does not yet recognize the certificate.
198
This enrollment profile allows you to configure devices and set security policies for users or groups.
IMPORTANT: Removing this enrollment profile removes all company settings (Mail, Calendar, Contacts, etc.) and
the iOS mobile device will not be managed. If a user removes the enrollment profile, ERA will not be aware of this
and the device's status will change to and later to . This will happen after 14 days because iOS mobile device is
not connecting. No other indication that the enrollment profile has been removed will be given.
199
4.4.19.3 Mobile Device ID location

iOS:
IMEI/Serial Number - to find this ID, go to Settings > General > About and scroll down, see https://
support.apple.com/en-us/HT204073 for more information. Alternatively, you can dial *#06# and the ID will
automatically be displayed.
UDID - every iPhone, iPod touch and iPad has a unique identifier number (UDID) associated with it, see http://
www.macworld.co.uk/how-to/iphone/how-find-out-your-iphone-or-ipad-udid-3530239 for more information.
Android:
200
Device ID - the IMEI/MEID/IMSI can be found on the device's status page, press Menu > Settings > About Phone >
Status. Alternatively, you can dial *#06# and the ID will automatically be displayed. See http://
www.wikihow.com/Find-the-IMEI-or-MEID-Number-on-a-Mobile-Phone for more information.
4.4.19.4 Device Enrollment and MDC communication

This is a diagram of how a Mobile Device communicates with Mobile Device Connector during the enrollment
process:
201
The following diagram demonstrates communication between ESET Remote Administrator components and a
mobile device:
4.4.20 Display Message

This functionality lets you send a message to any device (client computer, tablet, mobile, etc.). The message will be
displayed on-screen to inform the user.
Basic
(see the list above) defines the settings and the behavior for the task. In this case you can use the Display Message
task.
Target
202
Settings
You can enter a Title and type in your Message.
Summary
4.4.21 Anti-Theft Actions

The Anti-Theft feature protects a mobile device from unauthorized access. If a mobile device (enrolled and
managed by ERA) is lost or gets stolen, there are some actions that take place automatically and some actions can be
performed using a client task. If an unauthorized person replaces a trusted SIM card with an untrusted SIM, the
device will automatically be locked by ESET Endpoint Security for Android and an alert SMS will be sent to the userdefined phone number(s). This message will include the phone number of the SIM card currently in use, the IMSI
(International Mobile Subscriber Identity) number and the phone's IMEI (International Mobile Equipment Identity)
number. The unauthorized user will not be aware that this message has been sent because it will automatically be
deleted from the device's messaging threads. You can also request the GPS coordinates of the lost mobile device or
remotely erase all data stored on the device using a client task.
203
Target
Settings
Find - The device will reply with a text message containing its GPS coordinates. If a more precise location is
available after 10 minutes, the device will re-send the message. Received information is displayed in the
Computer details.
Lock - The device will be locked. The device can be unlocked using the Administrator password or the unlock
command.
Unlock - The device will be unlocked so it can be used again. The SIM card currently in the device will be saved as
a Trusted SIM.
Siren - The device will be locked and it will play a very loud sound for 5 minutes (or until unlocked).
Wipe - All accessible data on the device will be erased (files will be overwritten). ESET Endpoint Security will
remain on the device. This can take up to several hours.
Enhanced Factory Reset - All accessible data on the device will be erased (file headers will be destroyed) and the
device will be reset to its default factory settings. This can take several minutes.
204
Summary
4.4.22 Stop Managing (Uninstall ERA Agent)

Desktop - This task will remove the Agent installed on the machine where MDM is installed.
Mobile - This task will cancel MDM enrollment of your mobile device.
After the device is no longer managed (Agent is removed), some settings may remain in the managed products.
IMPORTANT: We recommend that you reset some settings (for example, password protection) to default
settings using a policy before the device is removed from management. Also, all tasks running on the Agent will be
abandoned. The Running, Finished or Failed execution status of this task may not be displayed accurately in ERA
Web Console depending on replication.
1. If the device has some special settings that you do not want to maintain, set a device policy that returns
unwanted setti ngs to default values ?( or values which are desirable).
2. Before performing this step, we recommend that you to wait long enough to be certain that policies from point 1
have finished replication on the target computer before deleting the computer from the list in ERA.
3. Before performing this step, we recommend that you to wait long enough to be certain that policies from point 2
have finished replication on the target computer.
205
Settings are not available for this task.

Target
Summary
206
4.4.23 Export Managed Products Configuration

The Export Managed Products Configuration task is used to export the settings of individual ERA components or
ESET security products installed on the client(s).
Basic
(see the list above) defines the settings and the behavior for the task. In this case you can use the Export Managed
Products Configuration task.
Target
Settings
Export managed products configuration settings
Product - Select an ERA component or a client security product for which you want to export the configuration.
Summary
207
4.4.24 Assign Task to Group

Click Admin > Groups > select Static or Dynamic group >
next to the selected group, or click Group >
The same can be done from Computers, select Static or Dynamic and click
window will open.
4.4.25 Assign Task to Computer(s)

There are three ways to assign a task to computer(s).
1. Dashboard > Computers with problems > select
New Task...
2. Computer > select computer(s) using check boxes > select
208
New task...
>
New task
New task. A New Client task wizard
3. Admin> Groups > select computer(s) > Tasks button, select action and click
New task...
A New Client task wizard window will open.
4.4.26 Triggers
Triggers can be used on both the ERA Server and Agents (clients).
209
4.5 Server Tasks

Server Tasks can automate routine jobs. Server task can have Triggers configured, which cause the task to execute
when a certain combination of events occur on the ERA Server.
NOTE: Server Tasks cannot be assigned to any specific client or client group.
The following Server Tasks are pre-defined:
Agent Deployment - distributes the Agent to client computers.
Delete Not Connecting Computers - deletes clients that no longer connect to ESET Remote Administrator from
Web Console.
Generate Report - used to generate reports as they are needed.
Rename Computers - this task will periodically rename computers in groups using FQDN format.
Static Group Synchronization - updates group information to display current data.
User Synchronization - updates User or User Group.
To start creating your new task, click Admin > Server Tasks > New.
Basic
Enter basic information about the task, such as a Name, Description (optional) and the Task Type. The Task Type
defines the settings and the behavior of the task. Select the check box next to Run task immediately after finish to
have the task run automatically after you click Finish.
210
4.5.1 Agent Deployment

Remote deployment of the ERA Agent is performed from the Admin section. You can use the following written
instructions in our Knowledgebase article.
NOTE: We recommend you to first test mass Agent deployment in your environment. Once it's working fine, then
you can begin with actual deployment on users client computers. Also, before you start testing mass deployment,
change Agent connection interval.
Click Server Task > Agent Deployment > New... to start configuring your new task.
Basic
211
defines the settings and behavior of the task. Select the check box next to Run task immediately after finish to have
the task run automatically after you click Finish.
212
Settings
Automatic resolution of suitable Agent - If you have multiple operating systems (Windows, Linux, Mac OS) in your
network, select this option and this task will automatically find the appropriate server-compatible Agent
installation package for each system.
Targets - Click this to select the clients that will be the recipients of this task.
Username/Password - The username and the password for the user with sufficient rights to perform a remote
installation of the agent.
Server hostname (optional) - You can enter a server hostname if it is different on the client side and the server
side.
Peer certificate/ERA Certificate - This is the security certificate and certification authority for the agent
installation. You can select the default certificate and certification authority, or use custom certificates. For more
information, see the Certificates chapter.
Custom certificate - If you use a custom certificate for authentication, navigate to the certificate and select it
when installing the Agent.
Certificate passphrase - Password for the certificate, either the password you entered during Server installation
(in the step where you created a certification authority) or the password for your custom certificate.
NOTE: ERA Server can select the appropriate Agent installation package for operating systems automatically. To
choose a package manually, deselect Automatic resolution of suitable Agent and then choose the package you want
to use from the list of available Agents in ERA repository.
Target
213

CRON Expression.
Summary
ERA Agent deployment can be performed in a few different ways. You can deploy the Agent:
Remotely using GPO and SCCM - we recommend you this method for mass deployment of the ERA Agent on client
computers (alternatively, you can use Server Task to deploy ERA Agent)
Locally - using an Agent installation package or Agent Live Installers, for example, if problems occur during remote
deployment
214
Local deployment can be performed in three ways:

Agent Live Installers - using a generated script from within the ERA Web Console, you can distribute Agent Live
Installers via email or run them from removable media (USB flash drive, etc.)
Server assisted installation - using the Agent installation package downloads certificates from the ERA Server
automatically (recommended local deployment method)
Offline installation - using the Agent installation package, you must manually export certificates and use them in
this deployment method
The Remote Agent deployment server task can be used for mass distribution of the Agent to client computers. It is
the most convenient distribution method since it can be performed from Web Console without the need to deploy
the Agent to each computer manually.
ERA Agent is very important because ESET security solutions running on client computers communicate with ERA
Server exclusively through the Agent.
NOTE: Should you experience problems when deploying the ERA Agent remotely (the Server task Agent
deployment fails) see the Troubleshooting guide.
4.5.2 Delete not connecting computers

The Delete not connecting computers task lets you remove computers according to specified criteria. For example,
if the ERA Agent on a client computer has not connected for 30 days, it can be removed from ERA Web Console.
Basic
Settings - Group name - select a Static or Dynamic Groups or create new a Static or Dynamic Group for renamed
computers.
Number of days the computer has not been connected - type number of days after which computers will be
removed.
Deactivate License - use this option if you also want to deactivate licenses of removed computers.
Remove Unmanaged Computers - if you select this check box, unmanaged computers will also be removed.
Triggers
Select an existing trigger for this task, or create a new trigger. It is also possible to Remove or Modify a selected
trigger.
Summary
Review the configuration information displayed here and if it is ok, click Finish. The task is now created and ready to
be used.
215
4.5.3 Generate Report

The Generate Report task is used to generate reports from previously created or pre-defined Report templates.
Settings
Report template - Choose a report template from the list.
Select Send email or Save to file to get the generated report.

SEND EMAIL
To send/receive mail messages, you must configure SMTP settings under Server Settings > Advanced Settings.
Mail message
216
Send to - Enter the email address(-es) of recipients for report emails. Separate multiple addresses with a comma
(,). It is also possible to add CC and BCC fields; these work exactly as they do for mail clients.
Subject - Subject of the report message. Enter a distinctive subject, so that incoming messages can be sorted. This
is an optional setting, but we recommend that you do not leave it empty.
Message contents - Define the body of the report message.
Send mail if report is empty - use this option if you want the report to be sent even though there is no data in it.
Print options
Click Show print options to display the following settings:
Output format - Select the appropriate file format. The generated report will be attached to the message and can
be printed later.
Output language - Select the language for the message. The default language is based on the language selected
for the ERA Web Console.
Page size/Resolution/Paper orientation/Color format/Margin units/Margins - These options are relevant if you
want to print the report. Select the appropriate options based on your print preferences. These options only apply
to the PDF and PS format, not to the CSV format.
NOTE: The Generate report task allows you to select from several output file formats. Selecting CSV results in the
date and time values in your report to be stored in the UTC format. When you select either of the two remaining
output options (PDF, PS) the report will use the local server time.
SAVE TO FILE
File options
Relative file path - The report will be generated in a specific directory, for example:
C:\Users\All Users\ESET\RemoteAdministrator\Server\EraServerApplicationData\Data\GeneratedReports\
Save file if report is empty - use this option if you want the report to be saved even though there is no data in it.
Print options
Click Show print options to display the following settings:
Output format - Select the appropriate file format. The generated report will be attached to the message and can
be printed later.
Output language - Select the language for the message. The default language is based on the language selected
for the ERA Web Console.
Page size/Resolution/Paper orientation/Color format/Margin units/Margins - These options are relevant if you
want to print the report. Select the appropriate options based on your print preferences. These options only apply
to the PDF and PS format, not to the CSV format.
NOTE: The Generate report task allows you to select from several output file formats. Selecting CSV results in the
date and time values in your report to be stored in the UTC format. When you select either of the two remaining
output options (PDF, PS) the report will use the local server time.
Triggers
trigger.
Summary
NOTE: The Ubuntu Server Edition requires X Server and xinit installed for the correct function of the Report
Printer (PDF Reports).
217
sudo apt-get install server-xorg

sudo apt-get install xinit
startx
4.5.4 Rename computers

You can use Rename Computers task to rename computers to FQDN format in ERA. You can use existing server task
that came default with ERA installation. This task automatically rename synchronized computers located in Lost &
found every hour. or create new, click Server Task > Rename computers > New.
Basic
Settings
Group name - select a Static or Dynamic Groups or create new a Static or Dynamic Group, where will be renamed
computers.
Rename based on:
Computer name
Computer FQDN (Fully Qualified Domain Name)
Resolution of name conflicts for computers already present in ERA (computer name must be unique) and those
added via synchronization. Checks only apply to the names of computers outside the subtree being synchronized.
Triggers
trigger.
Summary
be used.
4.5.5 Static Group Synchronization

The Static Group Synchronization task will search your network (Active Directory, Open Directory, LDAP, local
network or VMware) for computers and put them into a Static group. If you select Synchronize with Active Directory
during Server Installation, computers that are found are added to the All group.
Click Admin > Server Task >Static Group Synchronization > New...
Basic
Enter basic information about the task, such as the Name and Description (optional). The Task Type defines the
settings and behavior of the task. Select the check box next to Run task immediately after finish to have the task run
automatically after you click Finish.
Settings
Expand settings and click Select under Static group name - By default, the root for synchronized computers will be
used. Alternatively you can create a new Static Group.
Object to synchronize - Either Computers and Groups, or Only Computers.
Computer creation collision handling - If the synchronization adds computers that are already members of the
Static Group, you can select a conflict resolution method: Skip (synchronized computers will not be added) or
Move (new computers will be moved to a subgroup).
Computer extinction handling - If a computer no longer exists, you can either Remove this computer or Skip it.
Group extinction handling - If a group no longer exists, you can either Remove this group or Skip it.
218
There are 3 Synchronization modes:

MS Windows Network - Enter a Workgroup to be used and the user with his credentials.
Active Directory/Open Directory/LDAP - type the basic Server connection, see synchronization mode for
detailed instructions.
VMware - type the VMware vCenter Server connection, see synchronization mode for detailed instructions.
In the Microsoft Windows Network synchronization settings section type the following information:
o Workgroup - Type the domain or workgroup that contains the computers that will be synced. If you do not
specify a workgroup, all visible computers will be synchronized.
o Login - Type the login credentials used for synchronization in your Windows Network.
o Password - Type the password used to log on to your Windows Network.
Triggers
trigger.
Summary
be used.
Only Windows computers will receive the task using default settings. If you have Linux computers in your Windows
domain and want them to receive this task as well, make them visible first. Linux computers in a Windows domain
doesnt display any text in ADUC (Active Directory Users and computers) computer properties, so this information
must be entered manually.
4.5.5.1 Synchronization mode - Active Directory

Basic
Settings
Server connection settings:
o Server - Type the Servername or IP address of your domain controller.
o Login - Type the login credentials for your domain controller in the format DOMAIN\username.
o Password - Type the password used to log onto your domain controller.
219
Use LDAP Parameters - If you want to use LDAP, select check box Use LDAP instead of Active Directory and enter
specific attributes to match your server, or you can select a Presets by clicking Custom... and the attributes will
be populated automatically:
o Active Directory - Click Browse next to Distinguished Name. Your Active Directory tree will be displayed. Select
the top entry to sync all groups with ERA, or select only the specific groups that you want to add. Click OK when
you are finished.
o Mac OS X Server Open Directory (Computer Host Names)
o Mac OS X Server Open Directory (Computer IP Addresses)
o OpenLDAP with Samba computer records - setting up the parameters DNS name in Active Directory.
Synchronization settings:
Distinguished name - Path (Distinguished Name) to the node in the Active Directory tree. Leaving this option
empty will synchronize the entire AD tree.
Excluded distinguished name(s) - You can choose to exclude (ignore) specific nodes in the Active Directory tree.
Ignore disabled computers (only in active directory) - You can select to ignore computers disabled in active
directory, the task will skip these computers.
Triggers
trigger.
Summary
be used.
4.5.5.2 Static Group Synchronization - Linux Computers

Linux computer joined to Windows domain does not display any text in Active Directory Users and Computers
(ADUC) in Computer properties, therefore it is necessary to insert text manually.
Check the Server prerequisites and the following prerequisites:
The Linux computers are in Active Directory.
Domain controller has a DNS server installed.
ADSI Edit is installed.
1. Open a command prompt and run adsiedit.msc
2. Navigate to Action > Connect to. The connection settings windows will be displayed.
3. Click Select a well known Naming context.
4. Expand the combo box below and select Default naming context.
5. Click OK - the ADSI value on the left should be the name of your domain controller - Default naming context (your
domain controller).
6. Click the ADSI value and expand its subgroup.
7. Click the subgroup and navigate to the CN (Common Name) or OU (Organizational Unit) where Linux computers
are displayed.
8. Click the hostname of the Linux computer and select Properties from the context menu. Navigate to the
dNSHostName parameter and click Edit.
9. Change the value <not set> to valid text (for example, ubuntu.TEST).
10.Click OK > OK. Open ADUC and select the properties of the Linux computer - the new text should be displayed
here.
220
4.5.5.3 Synchronization mode - VMware

It is possible to synchronize virtual machines running on VMware vCenter Server.
Basic
Settings
Server - Type the DNS or IP address of the VMware vCenter Server.
Login - Type the login credentials for the VMware vCenter Server.
Password - Type the password used to log onto your VMware vCenter Server.
Structure view - select the type of structure view, Folders or Resource pool.
Structure path - click Browse and navigate to the folder you want to synchronize. If the field is left empty, the entire
structure will be synchronized.
Computer view - Select whether to display computers by Name, Host Name or IP Address following synchronization.
Triggers
trigger.
Summary
be used.
221
4.5.6 User Synchronization

This Server Task synchronizes the Users and User Groups information from a source such as Active Directory, LDAP
parameters, etc.
To run this task, click Admin > Server Task >User Synchronization > New...
Basic
Settings
Expand Settings and click Select under User Group name - By default, the root for synchronized users will be used
(by default, this is the All group). Alternatively, you can create a new User Group.
User creation collision handling - two types of conflict that might occur:
1. There are two users with the same name in the same group.
2. There is an existing user with the same SID (anywhere in the system).
You can set collision handling to:
Skip - user is not added to ERA during synchronization with Active Directory.
Overwrite - existing user in ERA is overwritten by the user from Active Directory, in the case of an SID
conflict the existing user in ERA is removed from its previous location (even if the user was in a different
group).
User extinction handling - If a user no longer exists, you can either Remove this user or Skip it.
User group extinction handling - If a user group no longer exists, you can either Remove this user group or Skip
it.
222
NOTE: If you use custom attributes for a user set User creation collision handling to Skip. Otherwise the user (and
all details) will be overwritten with the data from Active Directory loosing custom attributes. If you want to
overwrite the user, change User extinction handling to Skip.
o Server - Type the Server name or IP address of your domain controller.
o Login - Type the login credentials for your domain controller in the format DOMAIN\username.
o Password - Type the password used to log on to your domain controller.
Use LDAP Parameters - If you want to use LDAP, select the check box next to Use LDAP instead of Active
Directory and enter the information for your server. Alternatively you can select Presets by clicking Custom...
and the attributes will be populated automatically:
o Active Directory
o Mac OS X Server Open Directory (Computer Host Names)
o Mac OS X Server Open Directory (Computer IP Addresses)
o OpenLDAP with Samba computer records - setting up the parameters DNS name in Active Directory.
Distinguished name - Path (Distinguished Name) to the node in the Active Directory tree. Leaving this option empty
will synchronize the entire AD tree.
User group and user attributes:
A users default attributes are specific to the directory to which the user belongs.
Advanced user attributes:
If you want to use advanced custom attributes select Add New. This field will inherit the user's information, which
can be addressed in a policy editor for iOS MDM as a placeholder.
Triggers
trigger.
Summary
be used.
223
4.5.7 Triggers
Triggers are basically sensors that react to certain events in a pre-defined way. They are used to execute an action
(in most cases, to run a task). They can be activated by the scheduler (time events) or when a certain system event
occurs.
A trigger executes all tasks assigned to the trigger at the moment when the trigger is activated. The trigger does not
run newly assigned tasks immediatelythey are ran as soon as the trigger is fired. Trigger sensitivity to events can
be reduced further using throttling.
Server Trigger Types:
Dynamic Group Members Changed - This trigger is invoked when the contents of a Dynamic Group change. For
example, if clients join or leave a Dynamic Group called Infected.
Dynamic Group Size Changed According to Compared Group - This trigger is invoked when the number of clients
in an observed Dynamic Group change according to a compared group (static or dynamic). For example, if more
than 10% of all computers are infected (the group All compared to the group Infected).
Dynamic Group Size Changed According to Threshold - This trigger is invoked when the number of clients in a
Dynamic Group becomes higher or lower than the specified threshold. For example, if more than 100 computers
are in the group Infected.
Dynamic Group Size Changed Over the Time Period - This trigger is invoked when the number of clients in a
Dynamic Group changes over a defined time period. For example, if the number of computers in the group
Infected increases by 10% in an hour.
Event Log Trigger - This trigger is invoked when a certain event occurs in logs. For example, if there is a threat in
the Scan log.
Scheduled Trigger -This trigger is invoked at a certain time and date.
Server Started - Is invoked when the server starts. For example, this trigger is used for the Static Group
Synchronization task.
Duplicate lets you create a new Trigger Types based on the selected triggers, a new name is required for the
duplicate task.
224
4.5.7.1 Server Trigger Wizard

Triggers are created and managed in the Admin tab > Server tasks > Triggers. Select Triggers type > New Trigger.
4.5.7.2 Scheduling Server Task

Scheduled Trigger will run the task based on a date and time settings. Task can be scheduled to run once, on
repetitive base or on CRON expression.
4.5.7.3 Throttling
Under defined circumstances, throttling may prevent a trigger from firing. Time-based conditions take precedence
over statistical conditions.
If any of the conditions are met, all state information of all observers is reset (observation starts from scratch). This
holds for Time-Based as well as Statistical conditions. State information for observers is not persistant, they are
reset even if the Agent or Server is restarted.
Any modification made to a trigger causes a reset of its status.
There are several ways to control triggering:
Statistical
Statistical triggers fire based on any combination of the following parameters:
S1: Trigger should fire every N occurrences of the triggering event (modulo N) starting with last event in a
series (for example, from start, wait for the Nth event)
S2: Trigger if N events occur within X time (the time can be chosen from a pre-defined set) [N <= 100] in
floating total sense only the count of events during the last X time is taken into account. Firing of the trigger
causes a buffer reset
S3: N events with unique symbol S occur [N <= 100] in a row. The buffer is reset if the trigger is fired and there
is an event already in buffer. The Buffer is in the mode floating window FIFO queue. The new symbol is
compared with every symbol in the buffer.
Note: A missing value (n/a) is considered as not unique and therefore the buffer is reset
since last triggered
These conditions can be combined with the AND operator (all of the set ones must be satisfied) or the OR operator
(whichever occurs first).
225
Time based
All of the following conditions must be satisfied simultaneously (if set):
T1: The trigger may run within X time range. Range is given as a repeated series of marginal times (for
example, between 13:00 14:00 OR 17:00 23:30)
T2: The trigger can be executed at most once every X time.
Additional Properties
As stated above, not every event will cause a trigger to fire. Actions taken for non-firing events can be:
If there is more than one event skipped, group the last N events into one (store data of suppressed ticks) [N
<= 100]
for N == 0, only the last event is processed (N means history length, the last event is always processed)
All non-firing events are merged (merging the last tick with N historical ticks)
Examples:
S1: Criterion for occurrences (allow every 3rd tick)
Time
0 01
0
02
03
04
05
06
Ticks
S1
trigger is modified
07 08 09 10
11
12
13
14
15
S2: Criterion for occurrences within time (allow if 3 ticks occur within 4 seconds)
Time
00
Ticks
01
02
03
04
05
S2
06
trigger is modified
07
08
09
10
11
12
13
S3: Criterion for unique symbol values (allow if 3 unique values are in a row)
Time
00
01
02
03
04
05
06
Value
S3
trigger is modified
07
08
09
10
11
12
13
n/a
S3: Criterion for unique symbol values (allow if 3 unique values are since the last tick)
Time
00
01
02
03
04
05
06
07
Value
S3
trigger is modified
08
09
10
11
12
13
14
n/a
T1: Allow a tick in certain time ranges (allow every day starting at 8:10, duration 60 seconds)
Time
8:09:50
8:09:59
8:10:00
8:10:01
Ticks
x
1
T1
trigger is modified
8:10:59
8:11:00
8:11:01
This criterion has no state; therefore trigger modifications have no effect on the results.
226
T2: Allow a single tick in a time interval (allow at most once every 5 seconds)
Time
00
Ticks
T2
01
02
03
04
05
06
trigger is modified
07
08
09
10
11
12
13
S1+S2 combination
S1: every 5th tick
S2: 3 ticks within 4 seconds
Time
00
01
02
03
04
Ticks
05
06
07
08
09
10
11
12
S1
13
14
15
16
S2
Result
The result is enumerated as: S1 (logical or) S2

S1+T1 combination
S1: Allow every 3rd tick
T1: Allow every day starting at 8:08, duration 60 seconds
Time:
8:07:50
8:07:51
8:07:52
8:07:53
8:08:10
8:08:11
8:08:19
8:08:54
8:08:55
8:09:01
Ticks
S1
T1
Result
1
1
1
1
The result is enumerated as: S1 (logical and) T1

S2+T1 combination
T1: Allow every day starting at 8:08, for a duration of 60 seconds
Time:
8:07:50
8:07:51
8:07:52
8:07:53
8:08:10
8:08:11
8:08:19
8:08:54
8:08:55
8:09:01
Ticks
S2
T1
1
1
Result
1
1
The result is enumerated as: S2 (logical and) T1.

Note that the state of S2 is reset only when the global result is 1.
S2+T2 combination
T2: Allow at most once every 20 seconds
227
Time:
00
01
02
03
04
05
06
07
Ticks
S2
T2
Result
1
1
16
17
18
19
20
21
22
23
24
The result is enumerated as: S2 (logical and) T2.

Note that the state of S2 is reset only when the global result is 1.
4.5.7.3.1 Trigger is too sensitive

Use the same throttling conditions shown in the Trigger fires too often section of this guide.
4.5.7.4 Manage Server Triggers

To manage Server Triggers, from the Admin tab click Server tasks > Triggers, select Trigger type and click Edit.
Basic
Define a name for your trigger, you can also enter a description of the trigger if you want.
Settings
Select a trigger type. Trigger type defines the method to activate the trigger. Select an Event Log Trigger and
continue.
Select a log type. The trigger is activated when a certain event occurs in this log.
Define the event that has to occur in order to activate the trigger. Select a logical operator for filtering the events.
In this example, select AND (All conditions have to be true).
If you need add a filter from the list (as event) and select the logical operator for the custom string.
Select a logical operator in the Operation menu.

AND - All defined conditions have to be true.
OR - At least one condition has to be true.
NAND - At least one condition has to be false.
NOR - All conditions have to be false.
Advanced Settings - Throttling
228
Specify the Number of ticks to aggregate. This will define how many ticks (trigger hits) are needed in order to
activate the trigger. For more specific information, see the Throttling chapter.
Summary
Review the settings of your new trigger, make adjustments and click Finish. Your trigger is now saved on the server
and ready to be used. You can also view triggers that you have created in the list on the right. To edit or delete the
trigger, simply click the trigger in the list and select the appropriate action from the context menu. To delete
multiple triggers at once, select the check boxes next to the triggers you want to remove and click Delete.
4.5.7.4.1 Manage Trigger Sensitivity

Throttling is used to restrict a task from being executed if a task is triggered by a frequently occurring event. Under
certain circumstances, throttling may prevent a trigger from being fired. If any of the defined conditions are met,
stacked information for all observers is reset (the count starts over from 0). This information is also reset if the
Agent or ERA Server are restarted. All modifications made to a trigger reset its status.
Time-based throttling conditions take precedence over statistical conditions. We recommend that you only use one
statistical condition and multiple time-based conditions. Multiple statistical conditions can be an unnecessary
complication, and can alter trigger results.
Statistical conditions
The Statistical conditions can be combined either using the AND logical operator (all conditions must be fulfilled) or
with the OR logical operator (the first condition fulfilled triggers the action).
Time based conditions
All of the configured conditions must be fulfilled in order to trigger an event. The throttling criteria are focused on
the time when the event occurred.
Aggregation
Number of ticks to aggregate - Number of ticks (how many times the trigger is hit) needed to activate the trigger.
The trigger is prevented from activating until this number is reached. For example, with this set to 100, if 100
threats are detected you won't receive 100 notifications, just one notification containing 100 threats. If 200 threats
are detected, only the last 100 threats will be included in the notification.
Time based criteria
229
Aggregate invocations during time period - You can allow a hit once every X seconds. If you set this option to 10
seconds and during this time 10 invocations occur, only 1 will be counted.
Time ranges - Allow ticks only within the defined time period. You can add multiple time ranges to the list, they
will be sorted chronologically.
Statistical criteria
Statistical criteria application - This option defines the method by which the statistical criteria will be evaluated.
Either all of them need to be met (AND), or at least one (OR).
Triggered every No of occurrences - Allow only every X tick (hit). For example, if you enter 10, only each 10th tick
will be counted.
No of occurrences within a time period - Allow only tick(s) within the defined time period. This will define the
frequency. For example, allow the execution of the task if the event is detected 10x in an hour.
o Time period - Define the time period for the option described above.
Number of events with symbol - Record a tick(hit) if X events with the specific symbol are provided. For example,
if you enter 10, a tick will be counted for every 10th installation of a certain application.
o Applies when number of events - Enter a number of events in a row after the last tick to count another tick. For
example, enter 10 and a tick will be counted after 10 events from the last tick.
Applies when number of events - The trigger is applied when the ticks are either Received in a Row (trigger
execution is not taken into account), or Received Since Last Trigger Execution (when the trigger is executed, the
number is reset to 0).
4.5.7.4.2 Trigger fires too often

If you want to be notified less often, consider the following suggestions:
If the user wants to react only if there are more events, not a single one, see statistical condition S1 in
Throttling.
If the trigger should fire only when a cluster of events occur, follow statistical condition S2 in Throttling.
When events with unwanted values are supposed to be ignored, refer to statistical condition S3 in Throttling.
When events from outside relevant hours (for example, working hours) should be ignored, see time-based
condition T1 in Throttling.
To set a minimum time between trigger firings, use time-based condition T2 in Throttling.
NOTE: The conditions can also be combined to form more complex throttling scenarios.
230
4.5.7.4.3 CRON Expression

A CRON Expression is used to configure specific instances of a trigger. It is a string consisting of 7 subexpressions
(field), that represent individual values of the schedule. These fields are separated by a space, and they can contain
any of the allowed values with various combinations.
Name
Required
Value
Allowed Special Characters
Seconds
Yes
0-59
,-*/
Minutes
Yes
0-59
,-*/
Hours
Yes
0-23
,-*/
Day of the month
Yes
1-31
,-*/ L W C
Month
Yes
0-11 or JAN-DEC
,-*/
Day of the week
Yes
1-7 or SUN-SAT
,-*/ L C #
Year
No
empty or 1970-2099
,-*/
Examples are available here.
4.6 Notifications
Notifications are essential for keeping track of the overall state of your network. When a new event occurs (based
on your configuration), you will be notified using a defined method (either an SNMP Trap or email message), and
you can respond accordingly.
All notification templates are displayed in the list, and can be filtered by Name or Description.
Click Add Filter to add filtering criteria and/or enter a string into the Name/Notification field.
Selecting an existing notification gives you the option to Edit it or Delete it completely.
To create a new notification, click New notification on the bottom of the page.
Duplicate lets you create a new notification based on the selected notification, a new name is required for the
duplicate task.
231
4.6.1 Notifications Wizard

Basic
Contains the Name and Description of the notification. This is important for filtering multiple notifications, the filter
is located at the top of the Notification page.
4.6.2 Manage Notifications

Notifications are managed in the Admin tab. Select a notification and click Edit Notification or Duplicate.
Basic
You can edit a Notification Name and Description to make it easier to filter between different notifications.
232
Notification template
Existing Dynamic Group - An existing Dynamic Group will be used to generate notifications. Select a Dynamic Group
from the list and click OK.
Dynamic Group Size Changed According to Compared Group - If the number of clients in an observed Dynamic Group
changes according to a compared group (either static or dynamic), the notification will be invoked.
Other Event Log Template
This option is used for notifications not associated with a Dynamic Group, but based on system events filtered out
from the event log. Select a Log type on which the notification will be based and a Logical operator for filters.
Tracked State - This option notifies you of object state changes in relation to your user-defined filters.
NOTE: You can change Tracked state and + Add Filter or Logical operator for filters.
Configuration
Notify every time the Dynamic Group content changes - Enable this to be notified when members of a Dynamic
Group are added, removed or changed.
Notification time period - Define the time period (in minutes, hours or days) for the comparison with the new state.
For example, 7 days ago the number of clients with outdated security products was 10 and the Threshold (see
below) was set to 20. If the number of clients with an outdated security product reaches 30, you will be notified.
Threshold - Define a threshold that will trigger the sending of a notification. You can either define a number of
clients, or a percentage of clients (members of the Dynamic Group).
Generated message - This is a pre-defined message that will appear in the notification. It contains configured
settings in a text form.
Message - Beside the pre-defined message, you can add a custom message (it will appear at the end of the predefined message above). This is optional, but it is recommended for better filtering of notifications and overview.
NOTE: Available options depend on the selected notification template.
Advanced settings - Throttling
Time-Based Criteria
Specify the Number of ticks to aggregate. This will define how many ticks (trigger hits) are needed in order to
activate the trigger. For more specific information, see the Throttling chapter.
Statistical criteria
233
Statistical criteria application - This option defines the method by which the statistical criteria will be evaluated.
Either all of them need to be met (AND), or at least one (OR).
Triggered every No of occurrences - Allow only every X ticks (hits). For example, if you enter 10, only each 10th
tick will be counted.
No of occurrences within a time period - Only allow ticks within the defined time period. For example, allow the
execution of the task if the event is detected 10x in an hour. Time period - Define the time period for the option
described above.
Number of events with symbol - Allow a tick(hit) if X events with the specific symbol are provided. For example, if
you enter 10, a tick will be counted for every 10 installations of a certain software. Applies when number of
events - Enter a number of events in a row after the last tick to count another tick. For example, enter 10 and a tick
will be counted 10 events after the previous tick was counted.
Applies when number of events - The trigger is applied when the ticks are either Received in succession (trigger
execution is not taken into account), or Received Since Last Trigger Execution (when the trigger is executed, the
number is reset to 0).
Distribution
Subject - The subject of a notification message. This is optional, but also recommended for better filtering or when
creating rules to sort messages.
Distribution
Send SNMP Trap - Sends an SNMP Trap. The SNMP Trap notifies the Server using an unsolicited SNMP message.
For more information, see How to configure an SNMP Trap Service.
Send email - Sends an email message based on your email settings.
Send syslog - You can use ERA to send notifications and event messages to your Syslog server. Also, it is possible
to export logs from a client's ESET security product and send them to the Syslog server.
Email addresses - Enter the email addresses of the recipients of the notification messages, separate multiple
addresses with a comma (",").
Syslog severity - Choose severity level from the drop-down list. Notifications will then appear with such severity on
the Syslog server.
Click Save as to create a new template based on the template you are editing. You will be required to enter a name
for the new template.
4.6.3 How to configure an SNMP Trap Service

To successfully receive SNMP messages, the SNMP trap service needs to be configured. Configuration steps
according to operating system:
WINDOWS
Prerequisites
The Simple Network Management Protocol service must be installed on the machine where ERA Server is
installed, as well as the machine where the SNMP trap software will be installed.
Both computers (above) should be in the same subnet.
The SNMP Service must be configured on the ERA Server computer.
SNMP Service configuration (ERA Server)
234
Press the Windows key + R to open a run dialog box, type Services.msc into the Open field and press Enter. Search
for the SNMP Service.
Open the Traps tab, type public into the Community name field and click Add to list.
Click Add, type the Host name, IP or IPX address of the computer where the SNMP trapping software is installed
into the appropriate field and click Add.
Proceed to the Security tab. Click Add to display the SNMP Service Configuration window. Type public into the
Community name field and click Add. Rights will be set to READ ONLY, this is ok.
Make sure that Accept SNMP packets from any hosts is selected and click OK to confirm. The SNMP service is not
configured.
SNMP Trap Software configuration (Client)
The SNMP Service is installed and doesn`t need to be configured.
Install AdRem SNMP Manager or AdRem NetCrunch.
AdRem SNMP Manager: Start the application and select Create New SNMP Node List. Click Yes to confirm.
Check the network address of your subnet (displayed in this window). Click OK to search your network.
Wait for the search to finish, the search results will be displayed in the Discovery results window. The IP address
of the ERA Server should be displayed in this list.
Select the IP address of the server and click OK. Your server address is displayed in the Nodes section.
Click Trap Receiver Stopped and select Start. Trap Receiver Started will be displayed. Now you can receive SNMP
messages from your ERA Server.
LINUX
1. Install the snmpd package by running one of the following command:
apt-get install snmpd snmp (Debi a n, Ubuntu di s tri buti ons )
yum install net-snmp (Red-Ha t, Fedora di s tri buti ons )
2. Open the /etc/default/snmpd file and make the following attribute edits:
#SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid'
Adding # will disable this line completely.

SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid -c /etc/snmp/snmpd.conf'
Add this line to the file.

TRAPDRUN=yes
Change the trapdrun attribute to yes.

3. Create a backup of the original snmpd.conf file. The file will be edited later.
mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.original
4. Create a new snmpd.conf file and add these lines:

rocommunity public
syslocation "Testing ERA6"
syscontact [email protected]
5. Open the /etc/snmp/snmptrapd.conf file and add the following line at the end of the file:
authCommunity log,execute,net public
6. Type the following command to start the SNMP manager services and logging of incoming traps:
/etc/init.d/snmpd restart
or
service snmpd restart
7. To check if the trap is working and catching the messages, run the following command:
tail -f /var/log/syslog | grep -i TRAP
235
4.7 Certificates
Certificates are an important part of ESET Remote Administrator , they are required for ERA components to
communicate with ERA Server. To make sure all components can communicate correctly, all Peer Certificates need
to be valid and signed to the same Certification Authority.
You can create a new Certification Authority and Peer Certificates in ERA Web Console, follow the instructions in
this guide to:
Create a new Certification Authority
o Import a Public Key
o Export a Public Key
o Export a Public Key in BASE64 format
Create a new Peer Certification

o Create a Certificate
o Export a Certificate
o Create an APN certificate
o Revoke a certificate
o Certificate usage
o Set new ERA Server certificate
4.7.1 Peer Certificates

If a Certification Authority is present on you system, you should create a peer certificate for individual ESET Remote
Administrator components. Each component (ERA Agent, ERA Proxy and ERA Server) requires a specific certificate.
New...
This option is used to create a new certificate. These certificates are used by the ERA Agent, ERA Proxy and ERA
Server.
APN Certificate
This option is used to create a new APN certificate. This certificate is used by the MDM.
Certificate usage
You can also check which clients are using this ERA certificate.
Edit...
Select this option to edit an existing certificate from the list. The same options apply as when you create a new
certificate.
Export...
This option is used to export a certificate as a file. This file is necessary if you install the ERA Agent locally on a
computer or when installing MDM.
Export as Base64...
This option is used to export a certificate as a .txt file.
Revoke...
If you no longer want to use a certificate, select Revoke. This option invalidates the certificate. Invalid certificates
will not be accepted by ESET Remote Administrator.
236
IMPORTANT: The revoke action is irreversible, you will not be able to use a certificate that has been revoked.
Make sure there are no ERA Agents left using this certificate before you revoke it. This will prevent loss of
connection to client computers or servers (ERA Server, ERA Proxy, Mobile Device Connector, Virtual Agent Host).
Show Revoked - shows you all revoked certificates.
Agent certificate for server assisted installation - This certificate is generated during server installation, provided
that you have selected the Generate certificates option.
4.7.1.1 Create a new Certificate

As part of the installation process, ESET Remote Administrator requires that you create a Peer certificate for Agents.
These certificates are used to authenticate products distributed under your license.
NOTE: There is one exception, Agent certificate for server assisted installation cannot be created manually. This
certificate is generated during server installation, provided that you have selected Generate certificates option.
To create a new certificate in the ERA Web Console, navigate to Admin > Certificates and click Actions > New.
Basic
Enter a Description for the certificate.
Product - Select the type of certificate you want to create from the drop-down menu.
Hostname - Leave the default value (an asterisk) in the Host field to allow for distribution of this certificate with
no association to a specific DNS name or IP address.
Passphrase - We recommend that you leave this field blank, but you can set a passphrase for the certificate that
will be required when clients attempt to activate.
Attributes - These fields are not mandatory, but you can use them to include more detailed information about this
certificate.
Common name - This value should contain the string "Agent", "Proxy" or "Server", according to the selected
Product.
If you want, you can enter descriptive information about the certificate.
Enter the Valid from and Value to values to ensure that the certificate is valid.
Sign
The signing method should be Certification authority.
Select the ERA Certification Authority created during the initial installation.
Skip the custom .pfx file option, this option only applies to self-signed pfx certification authorities.
237
The signing method should be Custom pfx file.

Click Browse to select a custom pfx file. Navigate to your custom pfx file and click OK. Click Upload to upload this
certificate to the Server.
Summary
Review the certificate information you entered and click Finish. The certificate is now successfully created and
will be available in the Certificates list to use when installing the Agent.
4.7.1.2 Export Peer Certificate

Export a Peer Certificates
1. Select the Peer Certificates you want to use from the list and select the check box next to it.
2. From the context menu select Export. The certificate will be exported (including private key) as a .pfx file. Type a
name for your public key and click Save.
Export as Base64 from Peer Certificates:

Certificates for ERA components are available in Web Console. To copy the contents of a certificate in Base64
format, click Admin > Peer Certificates, select a certificate and then select Export as Base64. You can also download
the Base64 encoded certificate as a file. Repeat this step for other component certificates as well as for your
Certification Authority.
238
NOTE: If you are using custom certificates that are not in Base64 format, they will need to be converted to Base64
format (alternatively, you can export these certificates as described above). This is the only format accepted by ERA
components to connect to ERA Server. For more details about how to convert certificates see http://linux.die.net/
man/1/base64 and https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/
base64.1.html. For example:
'cat ca.der | base64 > ca.base64.txt' a 'cat agent.pfx | base64 > agent.base64.txt'
239
4.7.1.3 APN certificate

An APN (Apple Push Notification) certificate is used by ERA MDM for iOS device enrollment. First, you need to
create an Apple-provided push certificate and get it signed by Apple in order to enroll iOS devices to ERA. Also,
make sure your ERA has a valid license.
Click the Admin tab > Certificates > Peer Certificates, click New and then select APN Certificate.
NOTE: You will need an Apple ID to get the APN certificate signed by apple.
Create Request
Specify certificate attributes (Country code, Organization name, etc.) and click Submit request.
Download
Download your CSR (Certification Signing Request) and a Private Key.
Certificate
Open the Apple Push Certificates Portal and log in using your Apple ID. Follow the on-screen instruction on the
portal page and use the CSR file to get the APN Certificate signed by Apple (APNS).
240
Upload
Once you have completed all the steps above, you can create a Policy for MDC to activate APNS for iOS enrollment.
You can then Enroll any iOS device the same way as an Android device - by visiting https://
<mdmcore>:<enrollmentport>/enrollment from the device's browser.
4.7.1.4 Show revoked

This list displays all certificates that have been created and then invalidated by the ERA Server. Revoked certificates
will automatically be removed from the main Peer certificate screen. Click Show Revoked to view certificates that
have been revoked from the main window.
To revoke a certificate, follow the steps below:
1. Go to Admin > Certificates > Peer Certificates > select a certificate and click Revoke...
2. Specify the Reason for revocation and click Revoke.

3. Click OK.
241
The certificate will disappear from the list of Peer Certificates. To see previously revoked certificates, click Show
revoked button.
4.7.1.5 Set new ERA Server certificate

Your ERA Server certificate is created during installation and distributed to ERA Agents and other components to
allow communication to the ERA Server. If necessary, you can configure ERA Server to use a different peer
certificate. You can use ERA Server certificate (generated automatically during installation) or a Custom certificate.
The ERA Server certificate is required for a secure TLS connection and authentication. The Server certificate is used
to make sure that ERA Agents and ERA Proxies do not connect to an illegitimate server. Click Tools > Server Settings
to edit certificate settings.
Click Admin > Server Settings > expand section Connection, select Change certificate.
Choose from the two Peer certificate types:

Remote Administrator certificate - click Open certificate and select the certificate to use.
Custom certificate - browse to your custom certificate. If you are performing a migration, select the exported
certificate from your old ERA Server.
242
Select Custom certificate, select the ERA Server certificate (.pfx) file you exported from the old server and then
click OK.
Restart the ERA Server service, see our Knowledgebase article.
4.7.2 Certification Authorities

Certification Authorities are listed and managed in the Certification Authorities section. If you have multiple
Certification Authorities, you can apply a filter to sort them.
Create a new Certification Authority
Import Public Key
Export Public Key
243
4.7.2.1 Create a new Certification Authority

To create a new authority, navigate to Admin > Certificates > Certification Authority and click Action >
New at the bottom of the page.
New..., or
Certification Authority
Enter a Description of the Certification Authority and select a Passphrase. This Passphrase should contain at least 12
characters.
Attributes (Subject)
1. Enter a Common name (name) of the Certification Authority. Select a unique name to differentiate multiple
Certificate Authorities.
Optionally, you can enter descriptive information about the Certification Authority.
2. Enter the Valid from and Valid to values to ensure that the certificate is valid.
3. Click Save to save your new Certification Authority. It will now be listed in the Certification Authority list under
Admin > Certificates > Certification Authority, and is ready to be used.
To manage the Certification Authority, select the check box next to the Certification Authority in the list and use the
contact menu (left-click the Certification Authority) or the Action button on the bottom of the page. Available
options are Edit the Certification Authority (see the steps above), Delete it completely or Import Public Key and
Export a Public key.
4.7.2.2 Export a Public Key

Export a public key from a Certification Authority:
1. Select the Certification Authority you want to use from the list and select the check box next to it.
2. From the context menu select Export Public Key. The public key will be exported as a .der file. Type a name for
the public key and click Save.
NOTE: If you delete the default ERA Certification Authority and create a new one, it will not work. You also need
to assign it to your ERA Server machine and restart the ERA Server service.
Export a public key as Base64 from a Certification Authority:
Select the Certification Authority you want to use from the list and select the check box next to it.
From the context menu select Export a public key as Base64. You can also download the Base64 encoded certificate
as a file. Repeat this step for other component certificates as well as for your Certification Authority.
244
NOTE: If you are using custom certificates that are not in Base64 format, they will need to be converted to Base64
format (alternatively, you can export these certificates as described above). This is the only format accepted by ERA
components to connect to ERA Server. For more details about how to convert certificates see http://linux.die.net/
man/1/base64 and https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/
base64.1.html. For example:
'cat ca.der | base64 > ca.base64.txt' a 'cat agent.pfx | base64 > agent.base64.txt'
4.7.2.3 Import a Public Key

To import a 3rd party Certification Authority, click Admin > Certificates > Certification Authorities. Click Actions and
then click Import Public Key.
Choose file to upload: click Browse and navigate to the file you want to import.
245
Enter a Description for the certificate and click Import. The Certification Authority is now successfully imported.
4.8 Access Rights

Access Rights let you manage ERA Web Console users and their permissions. There are two types:
1. Native Users - user accounts created and managed from the Web Console.
2. Mapped Domain Security Groups - user accounts managed and authenticated by Active Directory.
Optionally, you can set up Two-Factor Authentication for Native Users and Mapped Domain Security Groups. This
will increase security when logging into and accessing ERA Web Console.
Access to items from either category must be granted (using Permission Sets) to every ERA Web Console User.
IMPORTANT: The Administrator native user account has access to everything. We do not recommend you using
this account on a regular basis. We strongly advise that you create another 'admin' account or use Administrators
from Mapped Domain Security Groups with the Administrator Permission Set assigned to them. This way you have a
fallback should anything happen to the admin account. Also, you can create additional accounts with narrower
access rights based on your desired competences. Use the default Administrator account only as a backup option.
Users are managed in the Users area of the Admin section. Permission Sets define the level of access to different
items that different users have.
246
4.8.1 Users
ERA Web Console can have users of various Permission Sets. The user with the most permissions is the
Administrator, with full rights and permissions. To ease usage in Active Directory, users from Domain Security
Groups can be allowed to log into ERA. Such users can exist next to ERA Native Users, however, the Permission Sets
are set for the Active Directory security group (instead of for individual users, as in the Native User case).
User management is part of the Admin section of the ERA Web Console.
NOTE: A fresh ERA installation has the Administrator (Native User) as the only account.
4.8.1.1 Create a Native User

To create a new Native User, from the Admin tab click Access Rights > User and then click Users or New at the
bottom of the page.
To create a second Administrator account, follow steps to create a native user account and assign the Administrator
permission set to this account.
247
Basic
Enter a Username and an optional Description for the new user.
Authentication
The password for the user should have at least 8 characters. The password should not contain the username.
Account
Leave Enabled selected unless you want the account to be inactive (if you intend to use it later).
Leave Have to change password deselected (selecting this will force the user to change their password the first
time that they log into the ERA Web Console).
The Password expiration option defines the number of days that the password is valid, it needs to be changed
after that.
The Autologout(min) option defines the idle time period (in minutes), after which the user is logged out of Web
Console.
Full Name, Email contact and Phone contact can be defined to help identify the user.
Permission set
Assign competences (rights) for the user. You can select a pre-defined competence: Reviewer permission set
(similar to read-only rights) or Administrator permission set (similar to full access) or Server assisted installation
permission set (similar to read-only rights) or you can use a custom Permission set.
Summary
Review the settings configured for this user and click Finish to create the account.
4.8.1.2 Mapped Domain Security Group Wizard

To acccess the Mapped Domain Security Group Wizard, navigate to Admin > Access Rights > Mapped domain
security groups > New or simply New (when the mapped domain security group is selected in the tree).
Basic
Domain group
Enter a Name for the group, you can also enter a group Description. The group will be defined by a Group SID
(security identifier). Click Select to select a group from the list and then click OK to confirm.
Account
248
Leave Enabled selected to make the user active.

The Autologout (min) option defines the idle time period (in minutes), after which the user is logged out of the
ERA Web Console.
Mail contact and Phone Contact are optional and can be used to identify the user.
Permission set
Assign competences (rights) for the user. You can use a pre-defined competence:
Administrator permission set (similar to full access), or you can use a custom permission set.
Server assisted installation permission set - (similar to read-only rights)
Reviewer permission set (similar to read-only rights)
Summary
Review the settings configured for this user and click Finish to create the group.
4.8.1.3 Map Group to Domain Security Group

You can map a domain security group to the ERA Server and allow existing users (members of these domain security
groups) to become ERA Web Console users.
Click Admin > Access Rights > Mapped domain security groups > New or simply New (when the mapped domain
security group is selected in the tree).
Basic
Domain group
Enter a Name for the group, you can also enter a group Description. The group will be defined by a Group SID
(security identifier). Click Select to select a group from the list and then OK to confirm.
Account
Leave Enabled selected to make the user active.
The Autologout (min) option defines the idle time period (in minutes), after which the user is logged out of the
Web Console.
Mail contact and Phone Contact are optional and can be used to identify the user.
249
Permission set
Assign competences (rights) for the user. You can use a pre-defined competence: Reviewer permission set (similar
to read-only rights), Administrator permission set (similar to full access) or Server assisted installation permission
set (permission to perform ERA Agent installation locally on a client computer ) , or you can use a custom permission
set.
Summary
Review the settings configured for this user and click Finish to create the group.
4.8.1.4 Assign User a Permission Set

Admin > Access rights > Permission Sets and then click Edit to assign a user to a specific permission set. See Manage
Permission Sets for more details.
In the Users section, edit a specific user by clicking Edit... and select the check box next to a specific permission set
in the Unassigned (Available) Permission Sets section.
250
4.8.1.5 Two Factor Authentication

Two-Factor Authentication provides a more secure method to log into and access ERA Web Console.
Only the ERA Administrator can enable Two-Factor Authentication (2FA) for other users' accounts. Once enabled,
a user needs to configure 2FA themselves before they can log in. Users will receive a link via text message (SMS)
which they can open in their phone's web browser to view instructions to configure 2FA.
Two-Factor Authentication is provided by ESET and its ESET Secure Authentication technology. You do not need to
deploy or install ESET Secure Authentication within your environment, ERA automatically connects to ESET servers
to authenticate users who are log into your ERA Web Console.
Users with 2FA enabled will be required to log into ESET Remote Administrator using ESET Secure Authentication.
NOTE: It is not allowed to use users with 2FA for Server Assisted installation.
4.8.2 Permission Sets

A permission set represents the permissions for users that access ERA Web Console, they define what the user can
do or see in the Web Console. Native users have their own permissions while domain users have the permissions of
their Mapped security group.
ERA Web Console permissions are divided into categories, for example, Native Users, Certificates, Policies and so
on. For each functionality, a given permissions set can allow for Read-only or Write/Execute access.
Read-only permissions are good for auditing users. They can view data but cannot make changes.
Write/Execute allows users with this privilege to either modify respective objects or execute them (when possible for instance Tasks can be executed).
Next to permissions to ERA functionality, there can be give access to Static Groups or User Groups. Every User can be
given access to either all or to subsets of Static Groups. Having access to certain Static Group automatically means
access to every of its subgroups. In this case:
Read-only access means listing of computers.
Write/Execute permission gives user ability to manipulate computers in the Static Group, as well as assign
Client Tasks and Policies.
251
4.8.2.1 Manage Permission Sets

To make changes to a specific permissions set, click it and then click Edit. Click Copy to create a duplicate permission
set which you can modify and assign to a specific user.
Basic
Enter a Name for the set (mandatory setting), you can also enter a set Description.
Functionality
Select individual modules for which you want to grant access. The user with this competence will have access to
these specific tasks. It is also possible to Grant all modules read-only and Grant all modules full access, but such
competences already exist - Administrator competence (full access) and Reviewer competence (read only).
Granting Write/Execute rights automatically grants Read rights.
Static Groups
You can add a Static Group (or multiple Static Groups) that will take this competence (and take over the rights
defined in the Modules section), grant all Static Groups read-only access or grant all Static Groups full access. You
can only add Static Groups, because the granted permissions sets are fixed for certain users or groups.
User Groups
You can add a User Group (or multiple User Groups) of ESET Mobile Device Management for iOS.
Users
All available users are listed on the left. Select specific users or select all users using the Add All button. Assigned
users are listed on the right.
Summary
Review the settings configured for this competence and click Finish.
Click Save as to create a new template based on the template you are editing. You will be required to enter a name
for the new template.
252
4.9 Server Settings

In this section, you can configure specific settings for the ESET Remote Administrator Server itself.
Connection
Remote Administrator port (requires restart!) - This is the port for the connection between the ESET Remote
Administrator Server and Agent(s). Changing this option requires restarting the ERA Server Service for the change
to take effect.
ERA Web Console port (requires restart!) - Port for the connection between the Web Console and the ERA Server.
Certificate (requires restart!) - Here you can manage ERA Server certificates, click Change certificate and select
which ERA Server certificate should be used by ERA Server. For more information, see Peer Certificates.
Updates
Update interval - Interval on which updates will be received. You can select a regular interval and configure the
settings or you can use a CRON expression.
Update server - Update server from which the ERA Server receives updates for security products and ERA
Components.
Update type - Select the type of updates you want to receive. Either regular, pre-release or delayed updates. We
do not recommend that you select pre-release updates for production systems as this is a risk.
Advanced Settings
HTTP Proxy - You can use a proxy server to facilitate internet traffic to clients on your network.
Wakeup - Allows your server to trigger instant replication of the selected agent.
SMTP server - You can use an SMTP Server to receive or send different messages. Here you can configure settings
for your SMTP server.
Syslog server - You can use ERA to send notifications and event messages to your Syslog server. Also, it is possible
to export logs from client's ESET security product and send them to the Syslog server.
Repository - Location of the repository where all installation files are stored.
NOTE: The default repository is AUTOSELECT.
Diagnostics - You can enable or disable transmission of crash reports to ESET.
Logging - You can set the log verbosity to determine the level of information that will be collected and logged from Trace (informational) to Fatal (most important critical information). The latest ERA Server log file can be
found here: C:\ProgramData\ESET\RemoteAdministrator\Server\EraServerApplicationData\Logs or var/log/eset/
RemoteAdministrator/Server/
Database cleanup - To prevent a database overload, you can use this option to regularly clean logs.
253
4.9.1 Syslog server

If you have a Syslog server running in your network, you can configure ERA Server to send Notifications to your
Syslog server. You can also enable Export logs to Syslog in order to receive certain events (Threat Event, Firewall
Aggregated Event, HIPS Aggregated Event, etc.) from client computers running ESET Endpoint security, for example.
To enable Syslog server, navigate to Admin > Server Settings > Syslog Server and use the switch next to Use Syslog
server. Specify the following mandatory settings - Host (IP address or hostname - destination for Syslog messages)
and a Port number (default value is 514).
Syslog messages will be sent to the Syslog server via UPD (User Datagram Protocol). If you also want to have client
computer logs/events sent to your Syslog server, use the switch next to Export logs to Syslog to enable it. Click Save.
NOTE: The regular application log file is constantly being written to. Syslog only serves as a medium to export
certain asynchronous events such as notifications or various client computer events.
254
4.9.2 Export logs to Syslog

ESET Remote Administrator is able to export certain logs/events and send then to your Syslog server. Events such as
ThreatEvent, Firewall Aggregated Event, HIPS Aggregated Event etc. are generated on a managed client computer
running ESET security product (for example ESET Endpoint security). These events can be processed by any SIEM
(Security Information and Event Management) solution capable of importing events from a Syslog server. Events are
written to the Syslog server by ESET Remote Administrator.
After you have enabled Syslog server, navigate to Admin > Server Settings > Syslog Server > Logging and enable
Export logs to Syslog. Event messages are formatted in JSON (JavaScript Object Notation) format.
Exported events
This section contains details on the format and meaning of attributes of all exported events. The event message is
in the form of a JSON object with some mandatory and some optional keys. Each one exported event will contain
the following key:
event_type
string
ipv4
string
Type of exported events: Threat_Event, FirewallAggregated_Event,

HipsAggregated_Event.
optional IPv4 address of the computer generating the event.
ipv6
string
optional IPv6 address of the computer generating the event.
source_uuid
string
UUID of the computer generating the event.
occurred
string
UTC time of occurrence of the event. Format is %d-%b-%Y %H:%M:%S
severity
string
Severity of the event. Possible values (form least severe to most

severe) are: Information Notice Warning Error CriticalFatal
ThreatEvent
All Threats events generated by managed endpoints will be forwarded to Syslog. Threat event specific key:
threat_type
string
optional Type of threat
threat_name
string
optional Name of threat

255
threat_type
string
optional Type of threat
threat_flags
string
optional Threat related flags
scanner_id
string
optional Scanner ID
scan_id
string
optional Scan ID
engine_version
string
optional Version of the scanning engine
object_type
string
optional Type of object related to this event
object_uri
string
optional Object URI
action_taken
string
optional Action taken by the Endpoint
action_error
string
optional Error message in case the action was not successful
threat_handled
bool
optional Indicates whether or not the threat was handled
need_restart
bool
optional Whether or not the restart is needed
username
string
optional Name of the user account associated with the event
processname
string
optional Name of the process associated with the event
circumstances
string
optional Short description of what caused the event
Firewall Aggregated Event

Event logs generated by ESET Personal Firewall are aggregated by the managing ESET Remote Administrator Agent
to avoid wasting bandwidth during ERA Agent/ ERA Server replication. Firewall event specific key:
event
string
optional Event name
source_address
string
optional Address of the event source
source_address_type string
optional Type of address of the event source
source_port
number
optional Port of the event source
target_address
string
optional Address of the event destination
target_address_type string
optional Type of address of the event destination
target_port
number
optional Port of the event destination
protocol
string
optional Protocol
account
string
optional Name of the user account associated with the event
process_name
string
optional Name of the process associated with the event
rule_name
string
optional Rule name
rule_id
string
optional Rule ID
inbound
bool
optional Whether or not the connection was inbound
threat_name
string
optional Name of the threat
aggregate_count
number
optional How many exact same messages were generated by the endpoint
between two consecutive replications between ERA Server and
managing ERA Agent
HIPS Aggregated Event
256
Events from Host-based Intrusion Prevention System are filtered on severity before they are sent further as Syslog
messages. Only events with severity levels Error, Critical and Fatal are sent to Syslog. HIPS specific attributes are as
follows:
application
string
optional Application name
operation
string
optional Operation
target
string
optional Target
action
string
optional Action
rule_name
string
optional Rule name
rule_id
string
optional Rule ID
aggregate_count
number
optional How many exact same messages were generated by the endpoint
between two consecutive replications between ERA Server and
managing ERA Agent
4.10 License Management

ESET Remote Administrator uses a completely new ESET licensing system. You can easily manage your licenses via
ESET Remote Administrator. By purchasing licensing for any ESET business product, you automatically receive access
to ESET Remote Administrator.
If you already have an ESET-issued Username and Password that you want to convert to a License Key, see Convert
legacy license credentials. The Username and the Password have been replaced by a License Key/Public ID. A
License Key is a unique string used to identify the license owner and the activation itself. A Public ID is a short string
used to identify the license to a 3rd party (for example, the Security Admin responsible for the Unit distribution).
The Security Admin can be used to manage specific licenses and is different from a License Owner. The license
owner can delegate a license to a security admin, authorizing that person to manage specific licenses. If they accept,
they receive license management privileges. We recommend that all license owners also create Security Admin
accounts for themselves.
Licenses can be managed from this section, or online by clicking Open ELA (ESET License Administrator) or using the
ESET License Administrator web interface (see the Security Admin section).
The License Management section in ESET Remote Administrator is accessible from the main menu under Admin >
License Management.
Licenses can be identified by their Public ID. In ESET License Administrator and ERA, each license is identified Public
ID, License Type and Flags:
License Type can be Full_Paid - Paid license, Trial - Trial license and NFR - license Not For Resale.
Flags include MSP, Business and a Consumer.
257
The security Product name for which its license is intended.

The overall Status of the license (if the license is expired, overused, or at risk of expiration or overuse, a warning
message will be displayed here).
The number of Units that can be activated with this license and number of offline units.
The number of Subunits of ESET server products (mailboxes, gateway protection, connections).
The license Expiration date.
The license Owner name and Contact.
License Status - displayed for the active menu item.

Green - your license is activated successfully.
Red - license is not registered via ESET License Administrator or the license has expired.
Orange - your license is still depleted or is about to expire (expiration is due in 30 days).
Synchronize licenses
ESET License Administrator automatically syncs once a day. Click Synchronize licenses to refresh license information
in ERA immediately.
Add License or License key
Click Add Licenses and then select the method you want to use to add your new license(s):
1. License Key - Enter a license key for a valid license and click Add License. The license key will be verified
against the activation server and added to the list.
2. Security Admin Credentials - Connect a security admin account and all its licenses to the License Management
section.
3. License File - Add a license file (.lf) and click Add License. The license file will be verified and the license
added to the list.
Remove Licenses
Select a license from the list above and click this to remove it completely. You will be asked to confirm this action.
Removal of the license does not trigger deactivation of the product. Your ESET product will remain activated even
after the license has been deleted in ERA License Management.
Licenses can be distributed to ESET security products from ERA using two tasks:
258
The Software installation task

The Product activation task
4.10.1 Activation
Navigate to Admin > License Management and click Add Licenses.
Type or copy and paste the License key you received when you purchased your ESET security solution in to the
License Key field. If you are using legacy license credentials (a Username and password), convert the credentials
to a license key. If the license is not registered, it will trigger the registration process, which will be done on the
ELA portal (ERA will provide the URL valid for registration based on the origin of the license).
Enter the Security Admin account credentials (ERA will display all delegate licenses later in ERA License Manager).
259
Enter the Offline license file - you need to export using the ELA portal and include the information about
product(s) ERA is able to manage. You will need to enter a specific License file token into ESET License
Administrator portal when generating an offline license file, otherwise the license file won't be accepted by ESET
Remote Administrator.
Click the document symbol
260
to save the offline license file.
Go back to ERA License Management, click Add licenses, Browse for the offline license file you've exported in ELA
and then click Upload.
261
5. Diagnostic Tool
Diagnostic tool is a part of all ERA components. It is used to collect and pack logs that are used by developers to
solve problems with product components. Run the Diagnostic tool, select a root folder where the logs will be saved,
and then select the actions to be taken (see Actions below).
Location of the Diagnostic Tool:
Windows
Folder C:\Program Files\ESET\RemoteAdministrator\<product>\ , a file called Diagnostic.exe.
Linux
Path on the server: /opt/eset/RemoteAdministrator/<product>/ , there is a Diagnostic<product> executable (one
word, for example, DiagnosticServer, DiagnosticAgent)
Actions
Dump logs - A logs folder is created where all logs are saved.
Dump process - A new folder is created. A process dump file is generally created in cases where a problem was
detected. When a serious problem is detected, a dump file is created by system. To check it manually, go to the
folder %temp% (in Windows) or folder /tmp/ (in Linux) and insert a dmp file.
NOTE: Service (Agent, Proxy, Server, RD Sensor, FileServer) must be running.
General application information - The GeneralApplicationInformation folder is created and inside it the file
GeneralApplicationInformation.txt. This file contains text information including the product name and product
version of the currently installed product.
Action configuration - A configuration folder is created where file storage.lua is saved.
262
6. FAQ
Q: V5 has a Custom Client Info field. This is helpful for our MSPs to determine which client belongs to each of their
customers. Does this exist in v6?
A: Dynamic Groups, which are little bit different (evaluated on agent level) do not allow for the creation of custom
parameters / tagging". You can, however, generate a report to display custom client data.
Q: How do you resolve the error Login Failed, Connection has failed with the state of 'Not connected'?
A: Check if ERA Server service is running or MS SQL Server service.If not, start it. If it is running, restart the service,
refresh web console and then try to log in again.
Q: What is the group "Lost and Found" used for?
A: Each computer that connects to ERA server and is not a member of any static group is automatically displayed in
this group. You can work with the group and the computers inside it as with computers in any other static group. The
group can be renamed or moved under another group but it can't be deleted.
Q: How do you create a dual update profile?
A: See our ESET Knowledgebase article for step-by-step instructions.
Q: How do you refresh the information on a page or in a section of the page without refreshing the entire browser
window?
A: Click refresh in the context menu at the top right of a section of the page.
Q: How do you perform a silent installation of the ERA Agent?
A: You can use a GPO as a Startup script to achieve this. At this time it is not possible to perform a silent installation
from Web Console.
Q: Rogue Detection Sensor does not detect all clients on network.
A: RD sensor passively listens to network communication on the network. If PCs are not communicating, they are
not listed by RD Sensor. Check your DNS settings to make sure that issues with DNS lookup are not preventing
communication.
Q: How do I reset the Active threats count shown in ERA after cleaning threats.?
A: To reset the number of active threats, a full (In-depth scan) needs to be started via ERA on the target
computer(s). If you have cleaned a threat manually, you can mute the appropriate alert.
Q: How do I set up CRON expression for the ERA Agent connection interval?
A: P_REPLICATION_INTERVAL accepts a CRON expression.
Default is "R R/20 * * * ? *" which means connecting at random second (R=0-60) every random 20th minute (for
example 3, 23, 43 or 17,37,57). Random values should be used for load balancing in time. So every ERA Agent is
connecting in different random time. If an accurate CRON is used, for example "0 * * * * ? *", all Agents with this
setting will connect at the same time (every minute at :00 second) there will be load peaks on server in this time.
Q: How do I create new Dynamic Group for automatic deployment?
A: See our Knowledgebase article for step-by-step instructions.
Q: When importing a file containing a list of computers to add to ERA, what is the format required for the file?
A: File with following lines:
All\Group1\GroupN\Computer1
All\Group1\GroupM\ComputerX
All is the required name of root group.
Q: Which 3rd party certificates can be used to sign ERA certificates?
A: The certificate has to be CA (or intermediate CA) certificate with the 'keyCertSign' flag from 'keyUsage' constraint.
This means that it can be used for signing other certificates.
263
Q: How do I reset the Administrator password for Web Console (The password entered during set up on Windows
Operating Systems)?
A: It is possible to reset the password by running the server installer and choosing Repair. Note that you may require
the password for the ERA database if you did not use Windows Authentication during creation of the database.
NOTE: Please be careful, some of the repair options can potentially remove stored data.
Q: How do I reset the Administrator password for Web Console (Linux, entered during set up)?
A: If you have another user in ERA with sufficient rights, you should be able to reset the administrator account
password. However, if administrator is the only account (as it is created upon installation) in the system, you cannot
reset this password.
You reinstall ERA, search for the DB entry for the Administrator account, and update the old DB according to this
entry. In general the best practice is to back up credentials for Administrator in a safe location and create new
users with upir desired set of privileges. The Administrator account should ideally not be used for purposes other
than creating other users or resetting their accounts.
Q: How to troubleshoot if RD Sensor is not detecting anything?
A: If your OS is detected as a network device, it won't be sent to ERA as a computer. Network devices (printers,
routers) are filtered out. RD Sensor was compiled with libpcap version 1.3.0, please verify that you have this version
installed on your system. The second requirement is a bridged network from your virtual machine where RD Sensor
is installed. If these requirements are met, run nmap with OS detection (http://nmap.org/book/osdetectusage.html) to see whether it can detect the OS on your computer.
264
7. About ESET Remote Administrator

This window provides details about the installed version of ESET Remote Administrator and the list of installed
program modules. The top of the window contains information about your operating system and system resources.
Also, you'll see a license which is used by ERA to download module updates (the same license used to activate ERA).
NOTE: For instructions to find out which version an ERA component is, see our Knowledgebase article.
265

Eset Era 63 Era Admin Enu

Uploaded by

Copyright:

Available Formats

Eset Era 63 Era Admin Enu

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Eset Era 63 Era Admin Enu

Uploaded by

Copyright:

Available Formats

ESET

ESET REMOTE ADMINISTRATOR 6

2016 by ESET, spol. s r.o.

2.7 Working with ESET Remote

Group - a security product is installed

4.1.6.3.2 Dynamic Group - a specific software version is

4.1.6.3.3 Dynamic Group - a specific version of a software is not

4.1.6.3.4 Dynamic Group - a specific version of a software is not

4.1.6.3.5.1 Dynamic Group - installed but not activated version of

computer is in Dynamic Group?

Create a Policy for ERA Agent to connect to the new

Create a Policy to enable ERA Agent Password

Create a Policy for iOS MDM - Exchange ActiveSync

Create a Policy to enforce restrictions on iOS and add

Create a Policy for MDC to activate APNS for iOS

2.1 Opening the ERA Web Console

2.2 The ERA Web Console login screen

2.3 Getting to know ERA Web Console

2.4 Post Installation Tasks

Before you start

2.6.1 Add client computer to ERA structure

2.6.1.1 Using Active Directory synchronization

2.6.1.2 Manually typing name/IP

2.6.1.3 Using RD Sensor

2.6.2 Agent deployment

2.6.2.1 Deployment steps - Windows

The folder c:\temp\ must exist prior to executing this command.

2.6.2.1.1 Agent Live Installers

3. Use your own URL (instead of the one shown below):

4. Edit line 80 to replace " ^& packageLocation ^& "

5. Save the file.

2.6.2.1.2 Deploy Agent locally

2.6.2.1.3 Deploy Agent remotely

Select clients, click OK and proceed to the Trigger section.

2.6.2.2 Deployment steps - Linux

Installation will not ask user for license agreement confirmation

Local path to Agent's Certificate file

Path to the Server's Certification Authority file

Must match the Agent certificate password

To verify a correct installation, run the following command:

2.6.2.3 Deployment steps - OS X

2.6.2.4 Agent protection

2.6.2.5 Troubleshooting - Agent deployment

Package not found in repository

3. Follow the appropriate troubleshooting steps according to the possible cause:

where servername is the name of the ERA Server

Linux and Mac OS

2.6.2.6 Troubleshooting - Agent connection

2.6.3 Agent deployment using GPO and SCCM

2.6.3.1 Creating MST file

<peer certificate in Base64 format>

<exported public key of the Certification Authority in Base64 format>

Export Public Key

<path to the exported Public Key of the Certification Authority>

6.1.265.0_x64.msi /qn TRANSFORMS=AgentSettings.mst

TRANSFORMS=AgentSettings.mst /L*v! log.txt

2.6.3.2 Deployment steps - GPO

8. Click Open and choose the Advanced deployment method.

2.6.3.3 Deployment steps - SCCM

2.6.4 Product installation