[KB3725] Deploy ESET products on a "ghost" or master image that can be cloned to multiple computers (6.x)


ESET business product no longer supported

This content applies to an ESET product version that is currently in End of Life status and is no longer supported. This content is no longer updated. 

For a complete list of supported products and support level definitions, review the ESET End of Life policy for business products.

Upgrade ESET business products.

Steps may vary by environment

The steps below are recommended based on common use cases. However, this process might vary depending on your environment. This process will not work for environments in which workstation images are dynamically cloned after each reboot.

  1. Install a pre-configured ESET Remote Administrator Agent (ERA Agent) on the master image.

Deploy the ESET Remote Administrator Agent (6.x)

  1. Perform a manual, standalone installation of ESET Endpoint Antivirus or ESET Endpoint Security 6.x on the master image.

Install ESET Endpoint Security or ESET Endpoint Antivirus (6.x)

  1. After installing an ESET endpoint product on the master image, restart the master image machine to complete the driver integration process.
  2. Disable the Host-intrusion Prevention System (HIPS) module in the ESET endpoint product installed on the master image:
    1. Open ESET Endpoint Security or ESET Endpoint Antivirus. Open my ESET product.
    2. Press the F5 key to access Advanced setup.
    3. Click Antivirus → HIPS.
    4. Click the slider bar next to Enable HIPS to disable it and then click OK.

      Figure 1-1
      Click the image to view larger in new window

  3. Restart the master image machine.
  4. Verify that the agent is communicating back to the ESET Remote Administrator Server (ERA Server). If you are experiencing issues, visit the Troubleshooting ERA Agent connection guide.
  5. After the master image machine checks in to the ERA Server one time, disable the Agent service or power down the master image machine. Now the master image machine cannot reconnect to ERA Server.
  1. Create a snapshot of the master image. When you restore from the master image, we recommend that you send the cloned machines a "reset cloned agent" task to ensure that the ERA Agents installed on those machines do not have the same Security Identifiers (SID). For more information about sending this task, visit the Reset Cloned Agent Task Online Help article.
Determine ProductInstanceID to reset Cloned Agent:

You can retrieve your Agent's ID locally and open that machine directly in the Web Console.

  1. Log in locally and copy the ProductInstanceID which is located:
    • on Windows: Run regedit.exe and look for HKEY_LOCAL_MACHINE\SOFTWARE\ESET\RemoteAdministrator\Agent\CurrentVersion\Info where you find ProductInstanceID and its value.
    • on Linux: /ect/opt/eset/RemoteAdministrator/Agent/config.cfg
    • on macOS: /Library/Application Support/com.remoteadministrator.agent/config.cfg
  2. ​Log in the ERA Web Console, navigate to Computers and then click on a computer > Show Details.
  3. The URL in the address bar of your web browser contains the address of your ERA Server, some code, and ProductInstanceID of selected computer. 
    For example;u=44a3cc90-5168-46ae-bdc1-9bdaaf0ad58e - replace the part after u= with the value you have obtained in step 1 of this note and confirm.

You will now see the details of the desired machine. Click Actions > Run Task and choose Reset Cloned Agent Task to be run on this computer.

  1. Modify your primary client workstation policy so that HIPS is enabled and enforce this policy on the cloned machines. For instructions to modify and enforce policies, visit the Create a HIPS rule and enforce it on a client workstation (6.x) Knowledgebase article.
  2. Once the cloned machines have received this policy change, send a restart task to those machines to ensure that the HIPS module is fully functional.