An odd bug was in the last release and this one when installing CIS.
When you click Tools > Install Products, CIS will install normally.
When you right click a node and select install > package (in my case 4.0.143855.850_x86), it does not install firewall, only AV D+.
I have not looked at the documentation yet but I do not see a difference in “Internet Security” and “Endpoint Security”.
The endpoint security profile applies successfully though.
The antivirus profile does not work yet.
As etaftm and I talked about before, the global firewall rules don’t appear to work.
Apply endpoint profile
Add network 10.0.0.0 255.0.0.0 as zone
Add global rule allow ip from zone to zone port any
Move new rule to top
Attempt to use remote desktop and then system and svchost ask permission to receive connections.
That may be by design, I don’t know; most likely I will disable the firewall and stick to AV and D+.
I have only been working with this version for about an hour this morning; I will let you know more as I work with it.
Here is an issue I have been running across on the installation of CIS to a remote machine. When it finishes the install and restarts, in order to send a config to that machine a user has to log in to the machine or it gives an error. That’s a problem because the install activates AV / D+ / FW which causes me to not be able to connect to that machine via remote desktop or gencontrol.
Another issue is I can’t seem to get the offline installer agent to connect to the CESM.
Also, has anyone got the remote desktop feature in CESM to work? Mine never connects.
The problem is after a remote install of CIS, it starts up with everything on. I am unable to remote to the PC to log in to pass the config. I would request that when we push CIS that it is auto set to disable on everything. The current method defeats the whole purpose of remote installs if a user is not around to log in.
etaftm, you can build an install cfg file that will be disabled. However, you don’t have to remote in to the PC to check the config. Once you have pushed out the Agent to a Managed system, and subsequently installed the CIS package, you can right-click the system (which should be green now), go to Internet Security / Configuration / Custom and adjust settings to your heart’s content. Once you click OK/Apply at the bottom, it’s done for that system.
It’s that “PREDEFINEDPROFILE=” bit that you’d be interested in. I saw something in the instructions or manual for it, about doing that, but didn’t pay too much attention to it yet. I was too excited about the ability to update the config directly from the system’s icon in the tree…
CIS does not disable all after install.
Try our Product Installation Wizard - it installs CIS and applies the configuration after installation.
Is your computer green in ESM Console after CIS install?
If so, that means ESM Agent can connect to ESM Server, so CIS does not block all.
“Insufficient system resources exist to complete the requested service.” - this message was in all previous versions of ESM/CIS. This is a CIS limitation at the present time. It will be fixed in a later version of CIS.
I don’t think the CIS is liking the CIS Config. I am still getting alerts for Sandbox and Firewall even though the config disables both. I just got a message on my machine saying the Firewall detected a new network, what to do. Also in the CESM I am getting messages from users about applications wanting to run in sandbox.
By default settings, any “unknown” apps will automatically be run in the Sandbox, so you will see those kinds of alerts. The Sandbox does appear to have some issues, such as that it doesn’t “remember” when apps are specified to NOT run inside the Sandbox, which will generate a lot of alerts.
Depending on the end-user and the applications they are running, it probably will not matter that applications are sandboxed, nor that the alerts are not responded to from the console, since CIS won’t remember the settings anyway (until that bit is fixed).
The new network alerts will also occur, and from the CESM side, I am not sure how to turn those off (only able to do so from local side, not server, and these one-off settings from Local mode do not seem to perpetuate to the console). If you have VMware on the endpoint, you will constantly get those. In general, they should not be a problem unless you need to make the endpoint completely visible to other systems on the network. In that case it is probably best to set a Trusted Zone for the endpoints in question.
The only reason I am concerned is I work with software engineers. I don’t want CIS automatically throwing their programs into sandbox because it doesn’t recognize it. I thought the Disable feature turned off the Sandbox completely.
Also, I still cannot get the offline to find the CESM. There needs to be an option during the install to find CESM server.
And I never got a response on why the My Trusted Vendors isn’t in the CIS config. If you do a custom config on a user it automatically places all the trusted vendors into the config. I would hate to have to type all that into the Trusted Config.
I hate to be a pain here. I know everything works like a charm in a test lab, but not in the real world. I am hoping that asking the questions can make the product better for others.
Sorry I don’t have all the answers for you, etaftm; some of the devs or other users who have done what you’re trying to do will need to provide some more detailed assistance there.
As far as your software engineers, I understand the need to not have apps sandboxed… You would think the “disable” would take care of it, but that may not be the case. I can’t recall off the top of my head, and don’t have CESM open at the moment, so I don’t know if you can do this from CESM or if only from the endpoint (Local admin mode), but I think that prior to Disabling Sandbox, you will want to uncheck the box so that it won’t “Automatically run unrecognized programs inside the sandbox”. Then Disable.
Not sure what you are referring to with the offline systems finding the CESM server during install. When you install the Agent, which is the first part of installing CIS on an endpoint, that Agent automatically connects to CESM, and should do so with every reboot (although I have seen some issues there from time to time, which I think may be related to limited user accounts but am not 100% certain of that). I’m not sure how that factors in if you are trying to do custom install w/custom config file. I noted that one time I tried a local install with the extracted package (which has a config file created by my CESM, for default settings), and it could not communicate with CESM afterwards; for some reason, CESM said the Agent was trying to communicate to a different CESM server, even though the details in the config file seemed to be correct. There may be an issue there as well.
I was under the impression the offline install can set up the agent and CIS/CDE. How does the agent talk back to the CESM server? I thought with the offline install I could install on a machine that did not want to work with the remote install. For example: I have a machine or remote user that is either having an issue with remote install of agent or off the network at the time. I install the CESM Offline install. It installs the agent / CIS / CDE. How does that agent talk back to the CESM? I ran across this today with a machine that didn’t take the agent install from CESM. I install the offline package with agent. This leads to something else I was talking about. The CIS starting up Firewall / Defense / AV / Sandbox. I did this offline install remote and it automatically restarted the machine before I could manually turn off the firewall and defense. Now I can’t connect to that machine at all because the firewall is blocking me. Now… if that offline agent was able to connect back to the CESM I could at least get back into the machine either uninstall the CIS or remote.