ESET NOD32 Antivirus
ESET NOD32 Smart security
There are a few ways to make the StaffCop agent and ESET NOD32 cooperate.
The first way
Open the program by clicking the Eset Nod icon in the right part of the Windows task bar
Open “Settings”
Open “Web-access protection → Advanced setup”
Turn off HTTPS checking (option Enable checking HTTPS protocol).
The second way
This way is preferable, as it makes the antivirus and the StaffCop agent cooperate without any conflicts.
You should add the root certificate of the StaffCop agent to the antivirus.
Download the root certificate for the driver-version:
Copy the certificates to a workstation that has access to the central administration server managing the antivirus settings, or to a local workstation if the certificate must be imported there as well.
Then import the certificate into “List of known certificates” as shown in the picture below.
Once the certificate is imported, it is best to restart both the StaffCop agent service and the internet browser.
To restart the agent, open the command line interface with Run as administrator and run the following commands:
c:\Windows\SysWOW64\TimeControlSvc\vmnetdrv64.exe stop
c:\Windows\SysWOW64\TimeControlSvc\vmnetdrv64.exe start
Then check again that websites open correctly in your browser.
Note
The paths to the required settings may vary depending on the version of the software.
ESET NOD32 Endpoint 5.x
If you are going to install the StaffCop agent on a workstation, you should first turn off the antivirus so that it cannot delete the agent before it is installed.
To add exclusions for anti-virus you should open “ESET Endpoint Security”. Then press F5.
Open “Computer -> Antivirus and spyware protection -> Exclusions” and add the following exclusions:
Files:
c:\windows\auxiliaryservice.exe
c:\Windows\System32\TimeControlSvc\dpinst_32.exe
c:\Windows\System32\TimeControlSvc\vmnetdrv32.exe
c:\Windows\System32\TimeControlSvc\vmnetdrv64.exe
c:\Windows\System32\TimeControlSvc\sysprotect.exe
c:\Windows\System32\TimeControlSvc\Proxy\NtControlSvc.exe
c:\Windows\System32\TimeControlSvc\Proxy\PCController.exe
c:\Windows\System32\TimeControlSvc\Proxy\ProxyConfigurator.exe
c:\Windows\System32\TimeControlSvc\Proxy\RegisterLSP.exe
c:\Windows\System32\TimeControlSvc\Proxy\RegisterLSP64.exe
c:\Windows\System32\TimeControlSvc\Proxy\RunHiddenConsole.exe
c:\Windows\SysWOW64\TimeControlSvc\dpinst_64.exe
c:\Windows\SysWOW64\TimeControlSvc\vmnetdrv32.exe
c:\Windows\SysWOW64\TimeControlSvc\vmnetdrv64.exe
c:\Windows\SysWOW64\TimeControlSvc\sysprotect64.exe
c:\Windows\SysWOW64\TimeControlSvc\Proxy\NtControlSvc.exe
c:\Windows\SysWOW64\TimeControlSvc\Proxy\PCController.exe
c:\Windows\SysWOW64\TimeControlSvc\Proxy\ProxyConfigurator.exe
c:\Windows\SysWOW64\TimeControlSvc\Proxy\RegisterLSP.exe
c:\Windows\SysWOW64\TimeControlSvc\Proxy\RegisterLSP64.exe
c:\Windows\SysWOW64\TimeControlSvc\Proxy\RunHiddenConsole.exe
C:\Windows\SysWOW64\TimeControlSvc\*.*
C:\Windows\System32\TimeControlSvc\*.*
C:\windows\installer\*
c:\Windows\SysWOW64\TimeControlSvc
c:\Windows\System32\config\systemprofile\AppData\Roaming\TimeSvc3
c:\Windows\SysWOW64\TimeControlSvc
c:\Windows\System32\config\systemprofile\AppData\Roaming\TimeSvc3\
c:\Windows\Winexesvc.exe
c:\Windows\agent.msi
C:\Windows\SysWOW64\TimeControlSvc\Drivers\FileMonitorDriver\CaptureFileMonitor64.cat
C:\Windows\SysWOW64\TimeControlSvc\Drivers\FileMonitorDriver\CaptureFileMonitor64.sys
C:\Windows\SysWOW64\TimeControlSvc\Drivers\FileMonitorDriver\FileMonitorInstallation64.inf
C:\Windows\SysWOW64\TimeControlSvc\ProcObsrv.sys
C:\Windows\SysWOW64\TimeControlSvc\ProcObsrv64.sys
C:\Windows\System32\drivers\ProcObsrv64.sys
C:\Windows\System32\drivers\CaptureFileMonitor64.sys
Note
To avoid a conflict with the antivirus when installing the agent on a workstation, you should disable the antivirus, or run the remote installer on a workstation with the antivirus disabled.
ESET Security Management Center 7
To add exclusions to the default policy, open “ESET Security Management Center”.
Then switch to the tab Policies - ESET Endpoint for Windows, choose the policy Antivirus Balanced, click the gear icon and choose Edit.
Add exclusions to DETECTION ENGINE
Open SETTINGS - DETECTION ENGINE - BASIC.
Choose section EXCLUSIONS and click - Edit
In this dialog you should add the following lines one by one or import them from the file:
c:\windows\auxiliaryservice.exe
c:\Windows\System32\TimeControlSvc\dpinst_32.exe
c:\Windows\System32\TimeControlSvc\vmnetdrv32.exe
c:\Windows\System32\TimeControlSvc\vmnetdrv64.exe
c:\Windows\System32\TimeControlSvc\sysprotect.exe
c:\Windows\System32\TimeControlSvc\Proxy\NtControlSvc.exe
c:\Windows\System32\TimeControlSvc\Proxy\PCController.exe
c:\Windows\System32\TimeControlSvc\Proxy\ProxyConfigurator.exe
c:\Windows\System32\TimeControlSvc\Proxy\RegisterLSP.exe
c:\Windows\System32\TimeControlSvc\Proxy\RegisterLSP64.exe
c:\Windows\System32\TimeControlSvc\Proxy\RunHiddenConsole.exe
c:\Windows\SysWOW64\TimeControlSvc\dpinst_64.exe
c:\Windows\SysWOW64\TimeControlSvc\vmnetdrv32.exe
c:\Windows\SysWOW64\TimeControlSvc\vmnetdrv64.exe
c:\Windows\SysWOW64\TimeControlSvc\sysprotect64.exe
c:\Windows\SysWOW64\TimeControlSvc\Proxy\NtControlSvc.exe
c:\Windows\SysWOW64\TimeControlSvc\Proxy\PCController.exe
c:\Windows\SysWOW64\TimeControlSvc\Proxy\ProxyConfigurator.exe
c:\Windows\SysWOW64\TimeControlSvc\Proxy\RegisterLSP.exe
c:\Windows\SysWOW64\TimeControlSvc\Proxy\RegisterLSP64.exe
c:\Windows\SysWOW64\TimeControlSvc\Proxy\RunHiddenConsole.exe
C:\Windows\SysWOW64\TimeControlSvc\*.*
C:\Windows\System32\TimeControlSvc\*.*
C:\windows\installer\*
c:\Windows\SysWOW64\TimeControlSvc
c:\Windows\System32\config\systemprofile\AppData\Roaming\TimeSvc3
c:\Windows\agent.msi
c:\Windows\Winexesvc.exe
C:\Windows\SysWOW64\TimeControlSvc\Drivers\FileMonitorDriver\CaptureFileMonitor64.cat
C:\Windows\SysWOW64\TimeControlSvc\Drivers\FileMonitorDriver\CaptureFileMonitor64.sys
C:\Windows\SysWOW64\TimeControlSvc\Drivers\FileMonitorDriver\FileMonitorInstallation64.inf
C:\Windows\SysWOW64\TimeControlSvc\ProcObsrv.sys
C:\Windows\SysWOW64\TimeControlSvc\ProcObsrv64.sys
C:\Windows\System32\drivers\ProcObsrv64.sys
C:\Windows\System32\drivers\CaptureFileMonitor64.sys
These exclusions allow the agent to work on a workstation without being deleted by the antivirus.
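Every path in this list is no longer scanned, so it is worth recording exactly which files sit behind each entry. The following PowerShell is an added example, not StaffCop or ESET tooling: it takes a subset of the paths above, marks wildcard and directory entries, and records the Authenticode status and SHA-256 of each covered file; the function name `Get-ExclusionBaseline` and the output file name are assumptions.

```powershell
# Paths copied from the exclusion list on this page (subset; extend as needed).
$Exclusions = @(
    'c:\windows\auxiliaryservice.exe',
    'c:\Windows\SysWOW64\TimeControlSvc\vmnetdrv64.exe',
    'c:\Windows\SysWOW64\TimeControlSvc\Proxy\NtControlSvc.exe',
    'C:\Windows\System32\drivers\ProcObsrv64.sys',
    'C:\Windows\SysWOW64\TimeControlSvc\*.*',
    'C:\windows\installer\*',
    'c:\Windows\System32\config\systemprofile\AppData\Roaming\TimeSvc3'
)

function Get-ExclusionBaseline {   # hypothetical helper name
    param([string[]]$Path)
    foreach ($entry in $Path) {
        # Wildcard and directory entries exempt every file they cover, not one binary.
        $isWildcard  = $entry -match '[*?]'
        $isDirectory = -not $isWildcard -and (Test-Path -LiteralPath $entry -PathType Container)
        $kind = if ($isWildcard) { 'Wildcard' } elseif ($isDirectory) { 'Directory' } else { 'File' }

        # Resolve the entry to the concrete files it currently covers.
        $files = if ($isWildcard) {
            Get-ChildItem -Path $entry -File -ErrorAction SilentlyContinue
        } elseif ($isDirectory) {
            Get-ChildItem -LiteralPath $entry -File -Recurse -ErrorAction SilentlyContinue
        } elseif (Test-Path -LiteralPath $entry -PathType Leaf) {
            Get-Item -LiteralPath $entry
        }

        if (-not $files) {
            # Nothing on disk yet: still report the entry so unused exclusions are visible.
            [pscustomobject]@{ Exclusion = $entry; Kind = $kind; File = $null; Signature = 'NotPresent'; Signer = $null; SHA256 = $null }
            continue
        }
        foreach ($f in $files) {
            $sig = Get-AuthenticodeSignature -LiteralPath $f.FullName
            [pscustomobject]@{
                Exclusion = $entry
                Kind      = $kind
                File      = $f.FullName
                Signature = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
                SHA256    = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            }
        }
    }
}
# Save the baseline; compare later runs against it to spot new or changed files.
Get-ExclusionBaseline -Path $Exclusions | Export-Csv -Path .\exclusion-baseline.csv -NoTypeInformation
```

Run it from an elevated 64-bit PowerShell session so that the System32 paths are not redirected to SysWOW64.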
Note
If you want the policies to work correctly, click the lightning icon in the line with the name of the edited module in the policy.
When you are done editing, click FINISH. The changes in the policy will be applied on all the workstations where it’s used.
By default this policy is applied on all workstations running Windows.
Note
These exclusion settings were checked on ESET Endpoint of version 7.0.2100.46.55.0.2272 and ESET Security Management Center Version 7.0 (7.0.577.0); on other versions of ESET Endpoint Antivirus / ESET Management Center, additional actions may be required. If you run into any trouble, contact our support team (support@staffcop.com) and tell them the type of the error and your versions of Management Center and Endpoint Antivirus.
Warning
If an endpoint agent was installed before the exclusions were added, agent re-installation is required; otherwise some modules can operate incorrectly.
Note
If your antivirus continues to delete StaffCop agent after configuring the exclusions, make sure that they were applied on workstations. To do that, open your antivirus settings and see current exclusions.
If you don’t want to add C:\windows\installer\ to exclusions, you can exclude the following:
Win32/KeyLogger.StaffCop.E
Win32/KeyLogger.StaffCop.D
Win64/KeyLogger.StaffCop.E
Win64/KeyLogger.StaffCop.D
The resulting exclusions list should look like:
Note
This exclusion works only for Antivirus of version 7.x and older! Specify disk C:\ as the path mask.