[RFC] multiple changes requested in the EA Console

[wpn]

I have started this thread to improve the EA product. This improvement wish comes from several points:
1) Improve the product with new features, making the product more effective
2) Improve the product with new features, because its missing but really needed in an ENTERPRISE environment where administrators run the IT farm and need to have more control or comply to company policies
3) Improve the product by changing present functions because they dont function effictively or otherwise
4) Improve the product with any other reason

Everybody is welcome to join this thread for input (some already did), but please keep the layout the same as i did so its easy to read and clear which request starts/ends. I will try to edit this thread to keep the RFC postings in this posting so its easy to read and find.
Start with a bold header with the RFC and number and the title for the change, explain what you want change and why, and possibly even give a suggestion on how the implement it.

RFC 1: Free choice mirror location URGENT
Since this is an ENTERPRISE product I as the administrator NEED to have control over the product installation. I need to be able to control where the program places the mirror location (user data) and separate it from the program location and OS partition. This issue has been addressed in the SBC forum to a big extend and build with arguments. It was present in the SBC console, now in the BIG brother its gone.
Its needed to be able to comply to company policies on where to store program data, user data and such.

RFC 2: Change the start window of the console
I would like to see that the start screen directly after logging in shows information that is useful:
- Mirror information like last time update, server receiving updates from, program version clients, VPS version, and reason for failing, streaming update status?
- Total licenses, modules that are licensed and expiration date of the licenses,  ammount licenses in use
- Last computers with infection, or a counter with the days free of infection (this is just a bonus)
- notification of program updates for clients and console
- Anybody has other suggestions? The idea comes from the SBC product which has such sort dashboard

RFC 3: Active Directory integration for user access to the console
I do not need to maintain several lists with passwords and access rights when i have a central database that can do this for me (Active Directory). Make AD integration possible so that we can appoint AV administrators that can access the console with there AD username/password. POssibly even set drilldown rights on just logs or only deploying stuff like that.

RFC 4: Logfile display consistency, inside the console
Right now there are at least two ways of opening logfiles from the menu, one opens the file directly in notepad, the other opens IE first, downloads the logfile and then opens in notepad.
This should all be possible to show within the console with an option to save the logfile and date/time filtered when the administrator wants to save the file.


RFC 5: Link the help to an actual file, or remove it
I clicked on the HELP... option in the HELP menu and it opend a freaking website !! Seriously?
Link to help

Either delete the HELP... option or create a complete manual with all options and possibilities documented and link it there.

RFC 6: Protected the Endpoint with password from uninstall URGENT
Customers request this because every one can remove the endpoint from Server and PC or change the antivirus with the other cracked antivirus brand
or some one can make a joke by uninstall the endpoint antivirus and complain that they not have antivirus on the PC.
Today (20-07-2012) I (WPN) have been replacing some clients with the newest from the AEA, I had two different versions of the managed software running namely 4.8 from ADNM and 6.x from SBC. Both of those versions were password protected for settings and also for removal from the computer. To test I tried to remove a 7.x client from my own computer which is also password protected for settings, but with the removal it didnt ask for a password. So this option used to be present in previous versions

RFC 7: Autorefresh
Every time you change something, run a task/job, move a machine… you have to press F5 to refresh the info from the database.

RFC 8: Find computer (task)
What about to discover machines using IP discovery?

RFC 9: Automatic program updates
Currently you only have the manual or ask options to update the program. In ASOA you have an automatic option too.

RFC 10: Remote access to AEA.
In the consumer products: avast! Free/Pro/Internet Security you have a great feature: Remote Assistant. We need something like this to connect with our AEA customers and give support, review installations, maintenance… In most customers is not easy to open ports in their firewall to allow remote connections to AES.

RFC 11: Client-Side & Server-Side tasks
Sessions are ordered by name, not by date. I think that is better order the sessions by date, as we have in ADNM 4.8 (I refer about sessions in the folder structure).

RFC 12: MS Windows 8 Support.
Machines using MS Windows 8 are not identifying with this OS.

RFC 13: Installation package .exe
If you create an install package for your client and you distributed it, on a shared folder, when you execute it locally (you are in front of the machine), you don't have any information about what it happening or even if the installation ends successfully. I think that we are running the installation in "silent mode". I think we need, at least, a progress bar.

RFC 14: What machine is infected?
In Sessions –> Resident Modules you have the information about the path where the infected file is, but you haven’t the machine name. This is something that works properly with ADNM 4.8

RFC 15:  Generate MSI package instead of EXE package
ADNM used to create an MSI package which in turn could be use in AD group policy to deploy. Although the preferred way to deploy is via the console, in some cases this is not possible or wanted (design by company security policy).
Then deployment via grouppolicy or other deployment tools like SCCM can be used to deploy the MSI. The EXE probably needs some tweaking/editting before being able to be deployed by external tool, with GP deployment an exe is not possible to deploy.

RFC 15:  Manual update VPS instead of downloading them from the mirror server or internet
A question I have seen a lot in the ADNM forum and still here and there for the new business parts.
Make it possible to download a file that updates the VPS manually by executing that file. This file could be downloaded from the website OR what would be great, if the file could be generated by the console, the same way the installation package for client deployment works.
This is for specific situations as for example:

1) Infected computer doesnt have the latest updates, but you do NOT let an infected computer access your company production network to prevent more damage. Here it is useful if the latest VPS which might have the cure, could be installed via CD/DVD/USBstick  (in case of missing rescue cd)

2) remote locations that have no internet access or special (slow) access via different techniques then internet to the company network. Several customers have been calling this for ocean capable ships where they have a standalone network, but no internet access or access to the company network via tcp/ip technique.

RFC 16:  No tree expansion for tasks under session
At this moment if you run a task, the task itself is put under SESSIONS in the appropriate part for the task. This (for example CLIENT-SIDE TASKS) can then be tree-expanded by clicking the + sign. It also auto-expands when you run a task.
This tree-expansion is not needed since that when you click on the item, the tasks are shown in the top view window and if you click one of the tasks there, the (too limited) details are shown in the bottom view window.

RFC 17: Targeting specific Organizational Unit in Active Directory for computer discovery task
I'd like to have the ability to configure a task like the default "find computers" task in AEA to scan a specific OU in AD.  Since this is an enterprise solution, the option of scanning workgroups seems a bit out of place.  Evidently, it already has the ability to scan for new computers in a certain domain but what happens when you have all your users in one OU and all your servers in another?
I'd like to be able to create two tasks: one would scan an OU for clients and the other would scan for servers.  Each of these tasks would be able to dump the findings into different groups.

RFC 18: Set the client user interface language in the console
Since im the administrator of the software i am the one handling the software on the spot. I do not wish to see translated interfaces and error messages since there is always something lost in translation. When you surge for a local language error message the hits on google are far less present then the standard hits on english messages.
Therefor finding a solution when searching on the english message is far more effictive/quick/succesful.
I like to be able to have a setting in the GROUP settings where the computer object resides, which language the interface should be of the client.

[spi]

RFC 6: Protected the Endpoint with password from uninstall URGENT
Customers request this because every one can remove the endpoint from Server and PC or change the antivirus with the other cracked antivirus brand
or some one can make a joke by uninstall the endpoint antivirus and complain that they not have antivirus on the PC.

[nannunannu]

RFC 6: Protected the Endpoint with password from uninstall URGENT
Customers request this because every one can remove the endpoint from Server and PC or change the antivirus with the other cracked antivirus brand
or some one can make a joke by uninstall the endpoint antivirus and complain that they not have antivirus on the PC.

This isn't an avast issue.  Don't give end users admin rights on their local workstations. 

Seriously.

[Dewg]

While I whole-heartedly agree with Nan about not having admin rights, in some cases it is necessary.

My company, for example, is comprised mostly of independent contractors that own and operate their own computers and software.  The company simply provides them a network to work on, Internet access, and antivirus software.  Since we don't own their computers or software we cannot dictate what they can and cannot do on the system.  Think of it like a giant BYOD at my company - everyone brings their own device.  :-)

In that case, users can uninstall Avast if they so choose - however login scripts will simply detect that it's missing and re-install.

[MarKvi]

Thank you for your ideas and hints, all mentioned points will discussed during the DEV team meeting. I will keep you informed ..

[studio_two]

Hello,

Could the thread title be changed to "[RFC] multiple changes requested in the EA Console".

Kind Regards,
Stephen

[spi]

This isn't an avast issue.  Don't give end users admin rights on their local workstations. 

Seriously.

all user must have the admin right because of the application operation, this the issue. on ADNM user doing uninstall was protected by password.

[spi]

Thank you for your ideas and hints, all mentioned points will discussed during the DEV team meeting. I will keep you informed ..

Thanks Markvi, please keep update us about the point request

[wpn]

@Markvi  thanks for the reply and putting it into discussion with the dev team, in the other thread i asked if you could keep us informed and here you promised it thank you

@studio_two   changed, thnx for the good suggestion

@spi/studio_two  There is still bad written (not updated) software that require access to certain areas of the system which can only be done with admin rights. The question for SPI should be more:  what is the action of the software that needs the admin rights.  IF it is write access to a specific area that can only be accessed by admin rights to write files then its possible to consider to make a group with users and assign that group the WRITE rights on that specific directory so they dont need admin rights.
But that depends on a lot of factors of that (bad written) software.
I second the comment that regular users should not have admin rights, but unfortuanately there is still software around that is needed for businesses that require the local admin rights

[nannunannu]

For stubborn legacy apps, you can use task scheduler to run as admin with out UAC prompts.  Note:  THIS CAN BE A SECURITY RISK IF YOU "PUBLISH" A TOOL LIKE THE COMMAND PROMPT THAT CAN INVOKE OTHER PROCESSES, but it is the best I can come up with.

http://www.howtogeek.com/?post_type=post&p=1168

Despite having a poorly written legacy app that insists on self-updating (which registers .dll and .ocx files), we've sucessfully eliminated admin rights  in our organization using a combo the above task scheduler hack, desktop authority (which can launch processes at login under admin rights) and custom autoitv3 scripts.  Despite the admin overhead, it is the best thing we've done.

[Infratech Solutions]

RFC 7: Autorefresh
Every time you change something, run a task/job, move a machine… you have to press F5 to refresh the info from the database.

RFC 8: Find computer (task)
What about to discover machines using IP discovery?

RFC 9: Automatic program updates
Currently you only have the manual or ask options to update the program. In ASOA you have an automatic option too.

RFC 10: Remote access to AEA.
In the consumer products: avast! Free/Pro/Internet Security you have a great feature: Remote Assistant. We need something like this to connect with our AEA customers and give support, review installations, maintenance… In most customers is not easy to open ports in their firewall to allow remote connections to AES.

RFC 11: Client-Side & Server-Side tasks
Sessions are ordered by name, not by date. I think that is better order the sessions by date, as we have in ADNM 4.8 (I refer about sessions in the folder structure).

RFC 12: MS Windows 8 Support.
Machines using MS Windows 8 are not identifying with this OS.

RFC 13: Installation package .exe
If you create an install package for your client and you distributed it, on a shared folder, when you execute it locally (you are in front of the machine), you don't have any information about what it happening or even if the installation ends successfully. I think that we are running the installation in "silent mode". I think we need, at least, a progress bar.

RFC 14: What machine is infected?
In Sessions –> Resident Modules you have the information about the path where the infected file is, but you haven’t the machine name. This is something that works properly with ADNM 4.8

[wpn]

in addition to RFC 14:   indeed better information about infections. When there is an infection i want to know the time, date, machine, website location it was on, and the taken action at moment of discovery. If it needs extra action by admin, then give options.

[wpn]

RFC 15:  Generate MSI package instead of EXE package
ADNM used to create an MSI package which in turn could be use in AD group policy to deploy. Although the preferred way to deploy is via the console, in some cases this is not possible or wanted (design by company security policy).
Then deployment via grouppolicy or other deployment tools like SCCM can be used to deploy the MSI. The EXE probably needs some tweaking/editting before being able to be deployed by external tool, with GP deployment an exe is not possible to deploy.

RFC 15:  Manual update VPS instead of downloading them from the mirror server or internet
A question I have seen a lot in the ADNM forum and still here and there for the new business parts.
Make it possible to download a file that updates the VPS manually by executing that file. This file could be downloaded from the website OR what would be great, if the file could be generated by the console, the same way the installation package for client deployment works.
This is for specific situations as for example:

1) Infected computer doesnt have the latest updates, but you do NOT let an infected computer access your company production network to prevent more damage. Here it is useful if the latest VPS which might have the cure, could be installed via CD/DVD/USBstick  (in case of missing rescue cd)

2) remote locations that have no internet access or special (slow) access via different techniques then internet to the company network. Several customers have been calling this for ocean capable ships where they have a standalone network, but no internet access or access to the company network via tcp/ip technique.


RFC 16:  No tree expansion for tasks under session
At this moment if you run a task, the task itself is put under SESSIONS in the appropriate part for the task. This (for example CLIENT-SIDE TASKS) can then be tree-expanded by clicking the + sign. It also auto-expands when you run a task.
This tree-expansion is not needed since that when you click on the item, the tasks are shown in the top view window and if you click one of the tasks there, the (too limited) details are shown in the bottom view window.

[avastuser74]

[SOA] RFC 17 (or new Thread): Empty reports
Do not generate and send empty reports. An email with empty pdfs are useless. This was correctly implemented in the last business protection 6 but has been removed in v7 ..or forgotten!!?

[SOA] RFC 18 (or new Thread): Extended settings
Some new features are not changeable by the console, because of missing "inis" in the extended settings: "DontUseChrome = 0" and "MonthlyReports = 0"

[SOA] RFC 19 (or new Thread): schedule scan task
We have a schedule scan task for every client at lunch time, so the user will not to be disturb by a slow pc. But if the pc is not online or the user ist not in office, the task will repeat the next day after booting and slows down pc. So we need an option, that if the task cannot be executed he has not to make it up the next day.

[wpn]

@avastuser74
Welcome on the forum and thank you for your contributions.

I would however want to request you to create a separate thread for the SOA product since this the thread for the Enterprise Product. To keep things really clear, its better to keep those seperated since it is a different product.
That way you can also start at number 1 with the Request For Changes    

For what its worth about the scheduled scan:  I believe there is a limit to how long a scheduled job can run. I believe that its standard on 1440 minutes (24 hours). This is the case in the EA product so im guessing its also in the SOA product. If you lower the 1440 to lets say 600 minutes then the job can only run for 10 hours and then ends.
This theoretically should solve your problem