Leaderboard

We have pinpointed a memory leak in the memory dumper. A fix is being reviewed and will be released through an automatic module update next week.

Today we've released a fixed version of the Antivirus and antispyware module 1552.3 which addresses cleaning issues on Mac. Could you please check if PUAs are now cleaned properly?

Some "free press" courtesy of bleepingcomputer.com: Windows 10 Apps Hit by Malicious Ads that Blockers Won't Stop https://www.bleepingcomputer.com/news/security/windows-10-apps-hit-by-malicious-ads-that-blockers-wont-stop/

I have always been very leery of comparison tests. Sorry if I came across as a bit snarky. Regards, Tom

Here we go again. Windows Defender had a whopping 74 false positives in this test. Refer to the below screen shot that clearly shows that WD "block-at-first-sight" was set to aggressive setting level; basically blocking execution of any process without established reputation. Whereas this might be acceptable to advanced security level professionals, it certainly isn't so for the average user; especially for corp. users. -EDIT- Also 55 of the WD 74 false positives were user dependent block/allow action. It is a no-no to have the user decide if a process is malicious or not: Ref.: https://www.av-comparatives.org/tests/real-world-protection-test-february-may-2019/ Finally and most important, note the following. A-V C does not factor false positive scoring into its protection scores for its realtime tests as is done for its more comprehensive malware protection test series. Using the above false positive scoring criteria of 50% of user decisions are wrong, WD would have scored 27/752 or 96.4% placing it at the bottom of the protection scoring heap.

Refer to wilderssecurity.com that has multiple postings on this issue. In summary, Win 10 will try it's darnedest to keep Edge always running. Since I don't use Edge as my browser, I just block its start up with an Eset HIPS rule. This has resolved the issue for me.

This behavior is normal. If you press Shift+Esc in Chrome, the Chrome task manager will open. It shows more processes than the number of open tabs, however the number of the processes is not exactly same as the number of processes seen in the system Task manager.

Are you looking for protection for Windows or Linux? For Windows we have ESET Internet Security and ESET Smart Security Premium (which is basically EIS with disk encryption and password manager added). Both will protect you at various layers in the system as described at https://www.eset.com/int/about/technology/. You can download EIS from https://www.eset.com/int/home/internet-security/download/. For Linux we have ESET NOD32 Antivirus for Linux desktop. It can be downloaded from https://www.eset.com/int/home/antivirus-linux/.

A-V C is "very creative" when it comes to finding samples for its Realtime test series. It's not uncommon for it to slip in a few samples that are geographically restricted to one country and/or region within with an "in-the-wild" dispersion of < 10. The odds of encountering one these samples in close to zero.

Thank you Marcos. I looked at that page several times and just overlooked that part. Guess I need to read the docs and not just skim them.

Please read https://support.eset.com/kb3690/. The ESMC release 7.0.72.2 contains the version 7.0.577.0 of the ESMC Server for Windows and version 7.0.471.0 for Linux.

MacOS Catalyna is to be released in the fall. We officially support only final versions of operating systems, not betas since a lot can be changed under the hood before the new MacOS is released which could break ESET's functionality. At the time of the official release of the new MacOS, we should have a compatible version of ESET CyberSecurity and ESET CyberSecurity Pro at your disposal.

I believe this article sums up the differences nicely: https://wtop.com/tech/2018/06/is-windows-10-safer-than-windows-7/

don't know if your system is used by others, but if it is not, then I would not worry about this issue. the security hole from the article can only be exploited locally, as in sitting at the machine. Unless you are going to be performing DDOS attacks or hacking into your own system, then your safe. If it's your own system, your should already have Admin level access to the OS available to you. the only way for to be vulnerable is if you allow access to your machine to a untrusted remote user using Remote Desktop, Teamviewer or other similar software.

Hello, It's possible CloudFlare incorrectly caches some parts of configuration editor and returns out-of-date data causing this. Please create HAR log @PavelP mentioned it might help us determine whether issue is with CloudFlare or webconsole itself. Ideal would be to have tomcat access log paired with this log to determine which requests made it to server and which did not. Thanks.

Also don't forget about AMSI and protected services which were not available prior to Windows 8.1. With the help of AMSI script malware can be more efficiently detected. New script malware may be undetected on systems that don't support AMSI.

Hello, We checked multiple browsers to identify which one produces this error (seems like you posted chrome error), However for future reference (and potentional improvement) can you please answer following? browser(s) (in case of IE ideally export security settings for security zone console is in) - you already said you tried multiple, however platform/browser still matters for reproduction. webconsole behind reverse proxy/application firewall ESET (or other) product with TLS filtering enabled installed on computer connecting to console Any "uncommon" setup you can think of This issue can arise in case _some_ https requests on same site (in this case as Pavel said seems like js script) is blocked from download. Which in case of TLS (to my knowledge) requires MITM interception (product/WAF/RP/actual attack) or extremely restrictive browser rules. Thanks, M.

We have identified a problem when upgrading a Windows 10 system with ESET Endpoint Encryption installed to the 1903 feature update. Installing the update can cause the system to crash (blue screen) when booting. We are currently investigating the cause and recommend not upgrading an encrypted system to 1903 until further notice. Systems that have been affected will need to be decrypted using our recovery tool (if full disk encryption was enabled) and then repaired using the Windows recovery console. See this knowledgebase article for more details: https://support.eset.com/kb7309/

You must have an older v6.6 installed (6.6.0.0 – 6.6.2063 are affected) so upgrade to v7 will surely fix it and the notice will go away then.

Hi yardstudio, Releasing of spam from mail quarantine should work even if you don't report the false positive. The message is resent using replay directory and antispam is not evaluated again. If the email was marked as spam again, it means that it was routed through SMTP agent and tested for spam again - this is not the usual case. Do you have more Exchange servers in your environment? If yes can you describe routing of mail? Information about delivery of the message can be seen in "Received" headers (in the detail dialog) of the message that returned to quarantine. Please post the "Received" headers. BTW, which version of EMSX do you use?

1. Open "Services" and for "NVIDIA Telemetry Container" stop service and set startup type "Disabled" 2. Run AutoRuns and in "Task Scheduler" section disable: + NVIDIA telemetry monitor + NVIDIA crash and telemetry reporter (2 instances) 3. You may also want to remove Telemetry logs: C:\ProgramData\NVIDIA\NvTelemetryContainer.log C:\ProgramData\NVIDIA Corporation\NvTelemetry\events.dat C:\ProgramData\NVIDIA Corporation\NvTelemetry\nvtelemetry.log C:\Users\user\AppData\Local\NVIDIA Corporation\NvTmMon\NvTmMon.log C:\Users\user\AppData\Local\NVIDIA Corporation\NvTmRep\NvTmRep.log Who needs an additional spy in your own PC?.. Awesome my friend, I forgot about those other bits We need to send a clear message to Nvidia that we will NOT tolerate their spying on us via telemetry, and we will every workaround we can think of in order to defeat it. It's bad enough that windows 10 is virtually one massive spyware collecting agency Rather than do all of the above, you can simply install nVidia drivers as normal. Once installed open an elevated command prompt and run the following: rundll32 "%PROGRAMFILES%\NVIDIA Corporation\Installer2\InstallerCore\NVI2.DLL",UninstallPackage NvTelemetryContainer This will remove all telemetry, logs, services and tasks. I use it all the time now and it's a very clean way of removing nVidia telemetry. https://forums.geforce.com/default/topic/1056140/geforce-drivers/defeating-nvidias-telemetry/post/5830317/#5830317 Personally, I just disable the Nvidia Telemetry service and leave it at that. I haven't seen any outbound Nvidia traffic after that. I also can't vouche the the above rundll32 method since I never used it. As far as blocking GeForce Experience outbound activity, the best way to stop it is never install it or uninstall it. Also according to this article, nothing Nvidia Telemetry or Geforce Experience does is supposedly nefarious: https://www.howtogeek.com/280101/relax-nvidias-telemetry-didnt-just-start-spying-on-you/

Since it appears you want to still use GeForce and not uninstall it, you can download the latest non-vulnerable update here: https://www.geforce.com/geforce-experience/download . That should eliminate the update alert you have been receiving. As far as your other nVidia drivers, you have a problem. For any drivers less that release 390.65, you're vulnerable to the Spectre and Meldown vulnerablities noted here: https://nvidia.custhelp.com/app/answers/detail/a_id/4611/~/security-bulletin%3A-nvidia-driver-security-updates-for-cpu-speculative-side . I would serious considering updating your graphics card.

To begin with, there is a serious security vulnerability in regards to Nvidia GeForce versions prior to 3.18. You can read about that here: https://www.bleepingcomputer.com/news/security/nvidia-patches-high-severity-geforce-experience-vulnerability The article also refers to Nvidia driver vulnerabilities that have been recently discovered. So you have to verify if your Nvidia drivers have been have recently updated. As far as your screen shot goes, your Nvidia software is indicating that a GeForce software update is available. In light of the above posted, you probably want to perform the update. BTW - you don't need the GeForce software for your Nvidia drivers to function properly. It's primary purpose is to inform you that NVidia driver updates are available. It can be uninstalled via Control Panel -> Programs option.

can we stop the scan every time the modules are updated?

Guess I am not following you on this one. Each time you export your settings, a new .xml file is created. Just import the latest .xml file you created.

The block is correct. We informed that leaked licenses were published on it. In turn we were promised they would be removed so we unblocked it then. However, shortly after unblocking it the license and other illegal stuff was put back again and this repeated several times. We are not going to play cat and mouse.

See this thread: https://forum.eset.com/topic/19081-jsspigotb/ . Also refer to the Eset knowledgebase article link I posted in the thread.

I've found similar instances and attribute it to some form of agent corruption. I haven't found an easy way to repair the agent, but the majority of the time, simply uninstalling and reinstalling the agent resolves the issue. Not what I would consider a "fix", but does get things working again.

Here some more results: If consecutive scheduled daily scans can't run at the scheduled time, then the scan will only be done as soon as possible if the previous scan was at least 23 hours ago. If that is not the case yet, then EIS will wait until it is. If consecutive scheduled weekly scans can't run at the scheduled time, then the scan will only be done as soon as possible if the previous scan was at least 6 days and 23 hours ago. If that is not the case yet, then EIS will wait until it is. In my opinion this is not how it should be! For example: A scan is scheduled to run every Monday at 00:00:00, but it doesn't get the chance to run at that time. The computer isn't booted any earlier than Wednesday 20:00:00, but almost directly after booting the missed scan is executed. The next week again there is no chance to run the scan at the scheduled time, but now the computer is booted on Monday at 08:00:00. I would expect the scan to run then almost directly after booting, because it is scheduled to run every Monday at 00:00:00 and in this case 08:00:00 is as soon as possible, but instead EIS decides to wait until Wednesday 19:00:00, which is 6 days and 23 hours after the previous scan. In other words, if there is never a chance to run the scan at the scheduled time, then it will take many weeks to get the scan running on Monday again, because the time will only be advanced 1 hour a week.

It will be fixed in v12.2. I reckon the beta version has it already fixed.

It is needed to do the following steps to fix the issue because some of the modules are probably corrupted. The best way is to stop the service, clean update cache, delete the modules and download completely fresh update files and modules will be recompiled and added to /var/opt/eset/esets/lib - stop service - delete content of modules directory /var/opt/eset/esets/lib - clean the update cache directory /var/opt/eset/esets/lib/data/updfiles - clean logs direcotry /var/log/esets/ - run update manually deleted modules will be replaced for fresh /opt/eset/esets/sbin/esets_update --verbose - once update is successfully done you can start the service

Yep! All working fine now, just needed some time to update maybe. Thanks fro your promt replay! Case closed! Best regards PS/ Also got 30% off, we likes that...

If you have a paid license for an ESET product, please provide logs collected with ESET Log Collector for a start.

The website was compromised and still contains a malicious code.

You might want to refer to this latest A-V Comparatives Endpoint test and resign yourself to living with the issue of high false positives as far as TrendMicro is concerned: https://www.av-comparatives.org/tests/business-security-test-march-april-2019-factsheet/

You can synchronize computer names by running the following server task:

Any chance it resolved itself automatically after a time? We are currently experiencing issues with license synchronization, which is targeted by release that is rolling out this week.

To be 100% accurate in regards to telnet is the following. The telnet client is not installed on Win 10 by default: https://www.rootusers.com/how-to-enable-the-telnet-client-in-windows-10/ . As noted in the article if the telnet client is installed, any port can be used by it; not just port 23. When router's reference telnet, they are just referring to its default use of port 23. Disabling the telnet option on the router is just blocking all inbound/outbound WAN side port 23 TCP/UDP traffic to/from the router. When the router is set to bridge mode, you are instructing the router to pass all inbound and outbound traffic through the WAN side of the router. All firewall, IDS, and protocol filtering methods on the router are disabled. Additionally, both NAT and stateful transmission detection are also disabled on the router. As such, you are now relying 100% on Eset's firewall for port 23 protection. Whereas Eset's firewall will block an unsolicited inbound port 23 traffic by default, such is not the case for any outbound port 23 traffic. By default, Eset allows all outbound traffic.

Referring to the first two postings in this thread, browser ad and JavaScript blocking extensions and the like would not have prevented this activity. It appears something was installed manually. It could have be standalone software. If it was then the following were applicable: 1. The software was installed prior to Eset being installed. 2. Eset's PUA protection was/is not enabled. 3. Eset's PUA detection was ignored and the poster allowed the software installation. Another possibility is the poster either explicitly or inadvertently installed a browser extension that contains the javacript code being detected.

The problem with the machine from which the latest logs were taken is that you have an old eamonm.sys driver from v4.5 running. Did you upgrade to EFSW v7 from EFSW v4.5? If so, a restart is needed after installation for new drivers to get loaded. Did you reboot the server? If so, please uninstall EFSW completely, make sure there is no eamonm.sys driver in c:\windows\system32\drivers and install EFSW v7 from scratch.

It's not a problem. The only reason why it occurs with v7 is that older version didn't support protected service, a security feature of Windows. In v7 it's possible to disable protected service at the cost of worsening protection, however, it wouldn't be worse than with v6.5 which didn't support it yet. With v7 you get also ransomware shield which can proactively protect the server from encryption by ransomware.

I'm not sure if this is possible from technical point of view. Anyways, this topic is monitored by people responsible for making decisions about future features so it will be noted.

Description: Prevent sleep during scan. Detail: Windows can put the computer to sleep before the scan is finished. That is very annoying. There should be an option to prevent that from happening. Oops, it's a coincidence that @zeromido asked someting similar here right above. Before I started typing, I first searched the forum for "scan prevent sleep".

Description: Prevent scheduled actions Detail: Prevent any scheduled actions that might interrupt a scan or any security related operation. For example, scheduled shutdowns, restarts, sleeps, log offs, hibernates, etc. I think this can be done using an option in settings. Maybe somebody got a better idea to do this?

A cleanup option for firewall rules when using the interactive mode, that deletes all rules that are pointing to applications that no longer exist on the computer, would be very helpful indeed. (I fully agree with JoMos here above.) Especially now more and more applications move to a new folder with every update, the number of useless firewall rules grows rapidly. Deleting them manually isn't a pleasant job and keeping them might slow the firewall after some time.

Hi, as marcos noted this error is logged when automatic exclusions for Microsoft SQL server are enabled. Automatic exclusions for Microsoft SQL server are using ADO API to read information from "sys.master_files" table to get list of files to exclude from scanning. The ADO API obviously loads a DLL that is not signed. As a workaround, automatic exclusions for Microsoft SQL server can be disabled.

That line looks like the example from: https://docs.microsoft.com/en-us/previous-versions/windows/hardware/code-signing/dn756632(v=vs.85)#user-mode-and-kernel-mode-code-troubleshooting With the signing levels being: 0x0: Unchecked 0x1: Unsigned 0x2: Enterprise 0x3: Custom 1 0x4: Authenticode 0x5: Custom 2 0x6: Store 0x7: Custom 3 / Antimalware 0x8: Microsoft 0x9: Custom 4 0xa: Custom 5 0xb: Dynamic Code Generation 0xc: Windows 0xd: Windows Protected Process Light 0xe: Windows TCB 0xf: Custom 6 It looks like you are requesting all DLLs to be higher than (or more likely equal to) 0x7 (Antimalware) and this DLL is actually 0x1 (Unsigned). THE FOLLOWING IS THEORY AND SHOULD NOT BE CONSIDERED ACCURATE To me, it looks like NOD32 is loading the DLLs into its own service when running as a Protected Service rather than scanning them without loading it into memory in a manner unlike a library (e.g. without running the code or injecting the DLL into the service). On top of this sqlnclir11.rll should be reported as 0x8 instead of 0x1 by Microsoft, which is in itself a problem. If we look at 0x4 (Authenticode) this would also trigger that error but could be legitimate signed code which gets blocked due to the way NOD32 is scanning when running as a Protected Service.

There is no way to solve it if Microsoft doesn't update the rll file with one with a valid signature except disabling Protected service in the HIPS setup which would enable unsigned dll files to be loaded in ekrn.exe. Of course, that would be a security hole and unnecessary risk so we don't recommend disabling protected service.

Another nice feature for the firewall component that would help a lot with maintaining the firewall rules: Description: Firewall rules cleanup of unnecessary / invalid entries Detail: I've set my firewall filter setting to interactive mode, meaning that I can define for every program what the firewall should do. Over the time, you have entries in the firewall rule set about programs that are not existing on the computer anymore. A button for an automatic cleanup of those rules (delete all firewall rules that are pointing to applications that don't exist on the computer anymore) would make it easier to keep the firewall rule list tidy and it also benefits the administration of the rule set.

Agreed. I even thought about the programming logistics of that when I posted it, but as the forum is about suggestions, I thought what the heck, let's put it in, as it is a nice idea (IMO) Andy