I attended a COMODO CESM webinar recently, signed up for the free trial, and have begun a learning and test phase of the product.
Please give some guidance as to whether I am doing things correctly.
CESM 3.0.61203.19 installed on a Windows Server 2012R2
Database is SQL Server 2012 (full version) running on same machine
Only two clients installed so far so database size or contention should be a non-issue.
After installing CESM, downloaded package for CES/CAS 6.4.295621.2943
I pushed CES with “all components” but have not yet adjusted the defaults for the firewall (off) or HIPS (off) services.
I imported a new policy from one of those first two machines and changed nothing but the proxy settings and enabled the system monitoring.
When I set up CESM, I enabled the proxy server. In my policy definition I told the clients to use the proxy for updates and pointed it at the CESM machine with port 8080. Without changing anything else, this means the first client causes the proxy to retrieve from Comodo and subsequent clients will get them directly from the cache - am I understanding that correctly? Or does the CESM have a function somewhere to download the updates and I would point the clients to it?
I have so far pushed CES to two machines. One is a Windows 8.1 ProWMC, the other is a Server 2012 R2 Standard remote desktop server; actually it’s a virtual machine on a Hyper-V host. Both machines rebooted at the appropriate time and the wizard said it was successfully installed. Both of them are enforcing the policy and groups that I set up on the server. But the CESM console shows the Server 2012 has no CES/CAS installed. It otherwise seems to be communicating with the Agent with no problems. In fact, I can drill down the applications list for that machine and it shows “Comodo Antivirus for Servers 6.4.33477.2943” - why would it not be able to tell the console it is there?
Are Windows 8.1 and Server 2012 R2 “officially supported” or otherwise known not to have issues?
Never mind on question 2. After a few hours, it is detected properly.
Question 4. How do I make it not place the icons on the desktop when CES is installed?
Question 5. What is the purpose of the “Shared Space” icon?
The Caching Proxy tab allows administrators to specify the proxy server settings for storing cache content. The proxy server will store antivirus updates. CES/CAS on endpoints that are configured to connect to this proxy server will receive the latest updates.
In the policy that is applied on the endpoint: CES settings -> Proxy and Host settings -> check the box “use proxy” and fill in the IP or hostname and port 8080 (by default).
Yes, that’s correct.
Try to restart the Esm agent on the target machine.
This is the list with the compatible operating systems:
Unfortunately there isn’t yet an option to hide or disable the creation of CES/CAS and shared icon on the endpoint’s desktop. The feature will be available in a future release.
The Virtual Kiosk is a sandboxed operating environment inside of which you can run programs and browse the Internet without fear that those activities will damage your real computer. Applications running in the kiosk also leave no cookies or history behind on your real system, making it a secure environment for Internet banking and online shopping. It is also ideal for visiting any risky websites/links and for testing out beta/unstable software.
The Virtual Kiosk creates a folder Shared Space in the location “C:\Documents and Settings\All Users\Application Data\Shared Space”, which can be shared by your host operating system and the Virtual Kiosk.
You can open an application or file from your host system in the Virtual Kiosk.
Thanks for those answers. That helps me make some sense of it.
As it happens, I have some more questions.
Question 6. I have some clients in a remote location. There is an IPSEC VPN established between the routers here and there, all network traffic flows normally between the two subnets. It is the same Active Directory domain. If I try to deploy to those machines, they copy the files and then fail with “Cannot start remote service”
Question 6a. I have run into one machine so far, a Surface Pro 8.1, which I could not deploy anything to until I manually installed the agent locally. Nothing particularly different about that machine from others where I did not have to do this.
Question 7. With Kaspersky, which I am migrating from, I installed the Agent on everything, and machines where the AV product wasn’t installed did not count against my licensing. Comodo appears to consume a license for an Agent-only install. I guess I need more licenses than I originally thought?
Question 8. If I press the help button in the KES local interface, I get a browser window to help.comodo.com which displays nothing but “invalid operation” - not very helpful.
Question 9. On the home screen of the local interface, I see a notification that Realtime Protection is disabled, advanced settings says it’s enabled. Who’s telling the truth?
What method have you used to do the agent installation?
ESM auto-discovery for Active Directory -> select unmanaged endpoint and then click on manage.
Does the same issue happen if you try to add the endpoint by IP using add -> network address?
Is there any third-party security software running on the endpoint (Kaspersky)? Please try removing Kaspersky manually from the endpoint, restart, and check if the issue happens again.
If the files have been copied, you should have a folder created on the endpoint: c:\windows\ComodoESMHELPER. Agent logs too.
Did it display the message ‘deployment failed’? Have you clicked on the ‘deployment failed’ status and followed the suggestions from the displayed window?
The license key is per device (endpoint). 1 slot/license is used when you are managing 1 endpoint (the agent is installed on the endpoint), whether or not CES is installed on the managed endpoint.
Only with the ESM agent installed on the endpoint can you do the system management (installed applications, services, processes, remote file browsing, remote option, build reports (software, hardware), etc.).
You can delete the endpoint by selecting it and clicking on ‘-’ / delete from the computers area.
Do you encounter this by clicking on the question mark from the CES GUI from any window opened in CES (firewall advanced, firewall tasks, etc.)?
What security layers have been installed on the endpoint?
Click on the underlined ‘Disabled’ option - Realtime Protection in the local interface and check which security layers are disabled.
- I was trying to deploy from the wizard by selecting the machines from the Active Directory.
I tried using an IP address range to find one of them, and successfully deployed the agent. I went back and successfully deployed another using the AD search, where it did not work yesterday. Very strange. Still, some of them are failing with “Cannot start remote service” and the technical details are “The remote procedure call failed status_remote_cannot_run_descent_service (1726)”. Edit: maybe it is related to the number of simultaneous installs. It consistently failed with a group of 8, but a couple at a time seems to work. It’s still quicker than getting on a plane and going there, so I’m happy with it. I will probably at some point set up a local server there anyway.
Kaspersky is indeed installed on those machines, but was also installed on the local machines that had no install issues. I will uninstall Kaspersky when I’m ready to deploy the AV, but just to get the agent on there I would think it shouldn’t be necessary.
I found the folder. It contains CESMHelper.exe and an ini file which contains the server certificate and hostnames. Where would the Agent logs be?
6a. Doubtful that I can find any information at this point, since I have since installed Agent manually and then pushed CES to the machine. I guess I will uninstall everything Comodo on that machine, and try it again.
Looks like I will need more licenses, as I have more endpoints than would have AV protection. Some servers for example, I’m not necessarily going to deploy AV on for various reasons, but would still like to manage them.
Yes, that’s what I am doing. For example, if I click the question mark on Defense+ “View Logs” window, it tries to open Comodo Help which is slightly different than the url you gave me in my other thread Comodo Help - the 4-digit number in the filename is different.
Firewall is turned off, as I haven’t modified the settings for that yet (all features installed but firewall not enabled by default). Are you telling me that “Realtime Protection: Disabled” is simply a generic warning that “something” is turned off, like the big red X in the middle and the icon in the taskbar?
And a couple of new questions…
Question 10. As a network admin, I download various tools to make my job easier, things that can recover passwords from documents, retrieve the license keys from installed software, etc. CES is quarantining a lot of these, which is ok because it’s the sort of thing we wouldn’t want the normal users to be playing with. I’ll whitelist them locally but would like to see the reason Comodo quarantined them in the first place. The quarantine lets me see what and where but no detailed description. Is there a place to look up the names of these things, for example “Malware[at]#1sr3mc67c20us” or “ApplicUnwnt[at]#1aenxcwax1yjb”?
Question 11. I see that there was a Windows Phone app for 2.0, is it worth trying to make it work, is there an update coming, or is it a dead end?
Clarification on Question 10:
The report looks like it contains no more information than is available in the console, except that it’s in a nice printable format. Further, the database link you gave me doesn’t seem to contain what I’m looking for, everything is too vague.
Where do I take the name of something such as “ApplicUnwnt@#1mq2d72hnrryn” and find out what it actually means?
I understand how to trust a file, once I decide I want to trust it. What I’m unclear on is how to tell whether it’s really safe, since I can’t tell from the quarantine information whether it’s a case of “this program retrieves passwords from protected system areas and displays them to the user” - which is exactly why I downloaded the thing; or “this program retrieves passwords from protected system areas, displays them to the user, and sends them to an external IRC server” which I obviously don’t want. I need more detail.
It seems that a detailed examination of entries in the Comodo database is not available, and the only useful designation is either Malware, or Something Else. I must make a determination on all the Something Elses on a case-by-case basis, by temporarily disabling AV to keep it from being instantly quarantined again, restoring the file, and examining it to determine what it is.
Examples from my current Quarantine:
- a VNC client, marked as malware. I will always delete these, unless I know beyond shadow of doubt that it’s a false-positive.
- a product key viewer, marked as unwanted application. That one, I downloaded and knew what it was and it is useful to me. Added to policy as Trusted.
- a “search protector” and a PDF generator, both marked as application (installer). These were downloaded by somebody else. I need to investigate to see if it is something they really need or want. If I’m really busy, I’ll just leave them in Quarantine indefinitely or until the user complains.
Just saying, all the stuff to the right of the “at” in the item description is useless, if I can’t look up what it means. In every other antivirus product I’ve used, the name of something would be clickable and would open a webpage with more detail about what it was, the specific behaviors, how dangerous, etc.
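The case-by-case policy described in the post above (delete malware verdicts unless a false positive has been confirmed, trust only admin-approved unwanted-application hits, hold everything else) can be written down so it is applied the same way every time. The script below is an added example, not Comodo's code and not from the original thread. It takes the detection-name layout `<family>@#<id>` and the `Malware` and `ApplicUnwnt` prefixes from the names quoted in the thread; the `Application` prefix, the file paths and the hash strings are constructed assumptions. The id after `@#` is treated as opaque, since the thread confirms there is no public lookup for it.

```python
"""Triage helper for CES quarantine entries (added example, not Comodo's code).

Encodes the poster's case-by-case policy:
  Malware      -> delete, unless the file hash is on a confirmed false-positive list
  ApplicUnwnt  -> add as Trusted only if the hash is on the admin-approved tool list,
                  otherwise flag for review
  anything else (including unparseable names) -> leave in quarantine
"""
import re
from collections import Counter
from dataclasses import dataclass

# Detection names look like '<family>@#<signature id>'. Text copied out of the
# forum sometimes carries '[at]' instead of '@', so both spellings are accepted.
_NAME_RE = re.compile(
    r"^(?P<family>[A-Za-z][A-Za-z0-9_.-]*)(?:@|\[at\])#(?P<sig>[A-Za-z0-9]+)$"
)


@dataclass(frozen=True)
class QuarantineEntry:
    detection: str  # e.g. "ApplicUnwnt@#1mq2d72hnrryn"
    path: str       # where CES found the file (constructed sample values below)
    sha1: str       # constructed placeholder hash used to match approval lists


def parse_detection(name):
    """Split a detection name into (family, signature id).

    Raises ValueError for names that do not follow the '<family>@#<id>' layout.
    The signature id is not interpreted; nothing on the page lets it be resolved.
    """
    m = _NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"unrecognised detection name: {name!r}")
    return m.group("family"), m.group("sig")


def triage(entry, approved_false_positives=frozenset(), approved_tools=frozenset()):
    """Return (action, reason) for one entry according to the policy above."""
    family, sig = parse_detection(entry.detection)
    if family == "Malware":
        if entry.sha1 in approved_false_positives:
            return "restore-and-trust", f"confirmed false positive ({sig})"
        return "delete", "malware verdict and no confirmed false-positive record"
    if family == "ApplicUnwnt":
        if entry.sha1 in approved_tools:
            return "add-trusted", "admin-approved tool"
        return "review", "potentially unwanted; confirm who downloaded it and why"
    # 'Application' (installer) and any other family: no policy yet, keep it held.
    return "hold", f"family {family!r} not covered by policy; keep quarantined"


def triage_all(entries, approved_false_positives=frozenset(), approved_tools=frozenset()):
    """Apply triage() to every entry; malformed names are held rather than skipped."""
    results = []
    for entry in entries:
        try:
            action, reason = triage(entry, approved_false_positives, approved_tools)
        except ValueError as exc:
            action, reason = "hold", str(exc)
        results.append((entry.path, action, reason))
    return results


def summarize(results):
    """Count entries per action, e.g. {'delete': 1, 'review': 1, ...}."""
    return dict(Counter(action for _, action, _ in results))


# Constructed sample quarantine mirroring the four cases in the post; the
# 'Application' family name and all paths/hashes are assumptions.
SAMPLE_ENTRIES = [
    QuarantineEntry("Malware@#1sr3mc67c20us", r"C:\Tools\vncviewer.exe", "sha1-constructed-01"),
    QuarantineEntry("ApplicUnwnt[at]#1aenxcwax1yjb", r"C:\Tools\keyviewer.exe", "sha1-constructed-02"),
    QuarantineEntry("ApplicUnwnt@#1mq2d72hnrryn", r"C:\Users\bob\Downloads\searchprotect.exe", "sha1-constructed-03"),
    QuarantineEntry("Application@#placeholderid", r"C:\Users\bob\Downloads\pdfgen_setup.exe", "sha1-constructed-04"),
    QuarantineEntry("not a detection name", r"C:\Temp\odd.bin", "sha1-constructed-05"),
]

# The product-key viewer the admin downloaded deliberately (hash is constructed).
APPROVED_TOOLS = frozenset({"sha1-constructed-02"})

if __name__ == "__main__":
    results = triage_all(SAMPLE_ENTRIES, frozenset(), APPROVED_TOOLS)
    for path, action, reason in results:
        print(f"{action:18} {path}  ({reason})")
    print(summarize(results))
```

Approvals are keyed on a file hash rather than on the detection name, because the same name can be attached to different files and the thread shows the name alone does not say what the file does; the allowlists are the admin's own record of files that were actually examined.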
Unfortunately you are right, there isn’t a public detailed list regarding the Comodo database like you have described.
Thank you for your feedback, your suggestions have been forwarded to the concerned department.