[KB8178] Sort your Endpoints using the Dynamic Groups in ESET PROTECT On-Prem

Issue

  • ESET endpoint machines managed from ESET PROTECT On-Prem are reaching End of Life or have other issues (for example, SHA-1 or other certificates)
  • You want to update endpoint machines managed from ESET PROTECT On-Prem to the latest version of ESET endpoint products

Details

Solution

  1. Prerequisites
  2. Create Dynamic Group templates for filtering the Windows version
  3. Create Dynamic Group templates for filtering the ESET endpoint product version
  4. Create Dynamic Groups for Windows versions
  5. Create Dynamic Groups for ESET endpoint product versions under each OS version Dynamic Group

I. Prerequisites

  • Ensure that all client machines are running the latest version of ESET Management Agent.
  • Update/upgrade all client computers operating systems to the latest available version. For client computers on Windows, we recommend using the latest version of the Windows 10 or 11 operating system. Avoid using operating systems that are not supported by their vendor, if possible.

Sort your (Windows) client machines in the ESET PROTECT On-Prem Web Console using the Dynamic Groups and update their ESET security products to the appropriate version. See the table below:

  Endpoint 5.x

Endpoint 6.0-6.5 (other than 6.5.2132.6)

Endpoint 6.5.2132.6 Endpoint 6.6 Endpoint 7.0-8.0 Endpoint 9.0
Windows XP Upgrade to 6.5.2132.6 Upgrade to 6.5.2132.6 No action needed - - -
Windows Vista Upgrade to 6.5.2132.6 Upgrade to 6.5.2132.6 No action needed Downgrade to 6.5.2132.6 - -
Windows 7 (no SP)
Upgrade to 6.5.2132.6 Upgrade to 6.5.2132.6 No action needed Downgrade to 6.5.2132.6 - -
Windows 7 SP1 Upgrade to 9.0 Upgrade to 9.0 Upgrade to 9.0 Upgrade to 9.0 Upgrade to 9.0 No action needed
Windows 8, 8.1, 10, 11
Upgrade to 9.0 Upgrade to 9.0 Upgrade to 9.0 Upgrade to 9.0 Upgrade to 9.0 No action needed

II. Create Dynamic Group templates for filtering the Windows version

To create a Dynamic Group template that includes only Windows XP, Windows Vista, and Windows 7 SP0 computers:

  1. Open ESET PROTECT On-Prem in your web browser and log in.
  2. Click More Dynamic Group Templates and click New Template.

    Figure 1-1
    Click the image to view larger in new window
  3. In Basic, type a Name and Description (optional) for the new Dynamic Group template. For example, Windows XP and Vista and 7 SP0.

    Figure 1-2
    Click the image to view larger in new window
  4. Click Expression and from the Operation drop-down menu, select OR (At least one condition has to be true) and click Add Rule.

    Figure 1-3
    Click the image to view larger in new window
  5. In the dialog window, expand OS edition, select OS name and click OK.

    Figure 1-4
    Click the image to view larger in new window
  6. Select the operator: contains and type the value: Windows XP.

  7. In the dialog window, expand OS edition, select OS name and click OK

  8. Select the operator: contains and type the value: Windows Vista.

  9. In the dialog window, expand OS edition, select OS version and click OK 

  10. Select the operator: has prefix and type the value: 6.1.7600 (this is Windows 7 with no Service Pack).

  11. Click Continue to see the Dynamic Group template Summary and Finish to create the Dynamic Group template.

    Figure 1-5
    Click the image to view larger in new window
  12. Repeat the above steps in this section to create other Dynamic Group templates based on the table below (you have already created the first one):

Refer to the table at the beginning of the Solution section:

Several Windows OS versions are together in one Dynamic Group template if you need to perform the same actions on them - see the table at the beginning of the Solution section.

Dynamic Group Template name Conditions and rules
Windows XP and Vista and 7 SP0
  • Operation: OR (At least one condition has to be true)
  •  Rules:
    • OS EditionOS namecontainsWindows XP
    • OS EditionOS namecontainsWindows Vista
    • OS EditionOS versionhas prefix6.1.7600
Windows Vista and 7 SP0
  • Operation: OR (At least one condition has to be true)
  • Rules:
    • OS EditionOS namecontainsWindows Vista
    • OS Edition → OS version → has prefix → 6.1.7600
Windows 7 SP1 and 8 and 10
  • Operation: OR (At least one condition has to be true)
  • Rules:
    • OS EditionOS versionhas prefix6.1.7601
    • OS Edition → OS name → contains → Windows 8
    • OS Edition → OS name → contains → Windows 10
Windows 7 SP1 systems need an additional patch

Before upgrading to the latest ESET Endpoint version, make sure your Windows 7 SP1 systems support SHA-2. Microsoft added the support for SHA-2 via security update kb4474419. ESET PROTECT On-Prem cannot detect if the update is installed.


III. Create Dynamic Group templates for filtering the ESET endpoint product version

To create a Dynamic Group template that includes only ESET Endpoint Antivirus 5 and 6.0-6.5:

  1. Open ESET PROTECT On-Prem in your web browser and log in.
  2. Click More Dynamic Group Templates and click New Template.

    Figure 2-1
    Click the image to view larger in new window
  3. In Basic, type a Name and Description (optional) for the new Dynamic Group template. For example, Endpoint Antivirus 5 and 6.0-6.5.

    Figure 2-2
    Click the image to view larger in new window
  4. In Expression, select the operation AND (All conditions have to be true) and select Add Rule.

    Figure 2-3
    Click the image to view larger in new window
  5. In filter, select Installed softwareApplication name and click OK.

    Figure 2-4
    Click the image to view larger in new window
  6. Select the operator: has prefix and type the value: ESET Endpoint Antivirus.

  7. Click Add Rule and in filter, select Installed softwareApplication version.

  8. Select the operator: is one of (string mask) and type these values (click Add to add a new one):

    • 5.*
    • 6.0.*
    • 6.1.*
    • 6.2.*
    • 6.3.*
    • 6.4.*
    • 6.5.*
  9. Click Add Rule and in filter, select Installed softwareApplication version.

  10. Select the operator: ≠ (not equal) and type the value: 6.5.2132.6.

  11. Click Continue to see the Summary for the Dynamic Group template. Click Finish to create the Dynamic Group template.

    Figure 2-5
    Click the image to view larger in new window
  12. Repeat the above steps in this section to create Dynamic Group templates based on the table below (you have already created the first one):

Dynamic Group Template name Conditions and rules
Endpoint Antivirus 5 and 6.0-6.5
  • Operation: AND (All conditions have to be true)
  • Rules:
    • Installed softwareApplication namehas prefixESET Endpoint Antivirus
    • Installed software → Application version→ is one of (string mask)
      • 5.*
      • 6.0.*
      • 6.1.*
      • 6.2.*
      • 6.3.*
      • 6.4.*
      • 6.5.*
    • Installed software Application version≠ (not equal)6.5.2132.6
Endpoint Security 5 and 6.0-6.5
  • Operation: AND (All conditions have to be true)
  • Rules:
    • Installed softwareApplication namehas prefixESET Endpoint Security
    • Installed software → Application version→ is one of (string mask)
      • 5.*
      • 6.0.*
      • 6.1.*
      • 6.2.*
      • 6.3.*
      • 6.4.*
      • 6.5.*
    • Installed software Application version≠ (not equal)6.5.2132.6
Endpoint Antivirus 6.6
  • Operation: AND (All conditions have to be true)
  • Rules:
    • Installed softwareApplication namehas prefix ESET Endpoint Antivirus
    • Installed software → Application version → has prefix → 6.6.
Endpoint Security 6.6
  • Operation: AND (All conditions have to be true)
  • Rules:
    • Installed softwareApplication namehas prefix ESET Endpoint Security
    • Installed software → Application version → has prefix → 6.6.
Endpoint Antivirus older than 9.0
  • Operation: AND (All conditions have to be true)
  • Rules:
    • Installed softwareApplication namehas prefix ESET Endpoint Antivirus
    • Installed software → Application versiondoesn't have prefix 9.0.
Endpoint Security older than 9.0
  • Operation: AND (All conditions have to be true)
  • Rules:
    • Installed softwareApplication namehas prefix ESET Endpoint Security
    • Installed software → Application versiondoesn't have prefix 9.0.
No Endpoint installed
  • Operation: AND (All conditions have to be true)
  • Rules:
    • ComputerManaged products maskis not one of ESET protected: Desktop

IV. Create Dynamic Groups for Windows versions

Create all the new Dynamic Groups under the All Static Group!

Create all the new Dynamic Groups for OS editions under the All Static group to ensure that the Dynamic Groups include all applicable managed computers.

To create a Dynamic Group template for computers:

  1. In Computers, click the gear icon next to All and select New Dynamic Group.

    Figure 3-1
    Click the image to view larger in new window
  2. Type a Name of the new Dynamic Group. For your convenience, use the same name as the name of the applicable Dynamic Group template, for example, Windows XP and Vista and 7 SP0.

    Figure 3-2
    Click the image to view larger in new window
  3. Click TemplateChoose Existing.

    Figure 3-3
    Click the image to view larger in new window
  4. Select the Windows XP and Vista and 7 SP0 Dynamic Group template and click OK.

    Figure 3-4
    Click the image to view larger in new window
  5. Click Finish to create the Dynamic Group.

    Figure 3-5
    Click the image to view larger in new window
  6. Repeat the above steps in this section to create the following Dynamic Groups and assign the respective Dynamic Group template to each (you have already created the first one):

    • Windows XP and Vista and 7 SP0
    • Windows Vista and 7 SP0
    • Windows 7 SP1 and 8 and 10

V. Create Dynamic Groups for ESET endpoint product versions under each OS version Dynamic Group

  1. Under Dynamic Group created in the previous section, create the following Dynamic Groups (as subgroups) and make sure to assign the respective Dynamic Group template to each.

    The resulting Dynamic Group structure looks like the following:

    Figure 4-1
  2. Proceed to upgrade or downgrade ESET endpoint products remotely using ESET PROTECT On-Prem.