Leaderboard


Popular Content

Showing content with the most kudos since 02/23/2017 in all areas

  1. 7 points
    Marcos

    ESET v9 sucks - remember NOD32 v2

    ESET is actually very light on system resources. In the era of v2, there wasn't much malware that required more advanced technologies, such as HIPS with AMS and EB or improved advanced heuristics, which has always played a key role in the detection of newborn threats. The situation has significantly changed and nowadays we are seeing hundreds of thousands of pieces of new malware emerging on a daily basis. A lot of them are advanced malware like Cryptolockers / Filecoders. If you were to use v2 nowadays, it would detect only a small portion of the malware that is detected and blocked by current versions. As for the gui, it's obvious that not 100% of users can like it no matter how it changes. It was the same with v2 and newer versions; some people liked the gui and some not. It's a matter of personal preference. The point is that the aim of antivirus software is to protect the system; a common user should never need to open the gui and the av program should just sit in the background and do its job.
  2. 3 points
    I wanted to let ESET Security Forum users know about this new version released by ESET, as it provides a great amount of fixes and a few new features that might interest other macOS users. In particular, you can now: Hide the menu bar icon, so you can set your preference between using the Dock icon, menu bar icon, or no icons at all. Thank you to the developers for fixing a large number of major and minor issues.

    Changelog

    Added: Keep alive feature to ensure the ESET service does not stop
    Added: GUI notification when the ESET service is not running
    Added: Ability to hide the ESET icon in menu bar extras
    Added: OpenSSL replaced by Apple's native security framework
    Added: Apple's signed application has allowed access to network
    Added: DMG is now signed for macOS 10.12+
    Fixed: A vulnerability issue with the esets_proxy file
    Fixed: SSL certificate vulnerability issues
    Fixed: A vulnerability with the old POCO XML parsing library
    Fixed: Installer vulnerability
    Fixed: pam.d issue
    Fixed: An issue that would cause "Zero Files Scanned on Hard Drive" errors during a computer scan
    Fixed: An issue where Web access protection would block virtual machines
    Fixed: Web protection - esets_proxy crash on nod_lmutex_destroy
    Fixed: mac OS crashes when opening http://localhost:57856/
    Fixed: esets_proxy crash (LoopSocket()) if internet connection is disabled during threats downloading
    Fixed: The error 'no executable path found' causing apps to not load or block connections
    Fixed: The error 'cannot write to socket errors'
    Fixed: A firewall issue that blocked users from opening WordPress web pages
    Fixed: An issue where FaceTime is blocked by firewall (default configuration)
    Fixed: Shut down computer after scan - executed after 1 second
    Fixed: Incorrect module name in about dialog
    Fixed: Additional minor bug fixes and stability improvements

    Download

    You can download it on the ESET website.

    Apologies to the ESET team if this is against the rules, I know @foneil usually does this, however this update is quite important for resolving a large number of issues that would benefit being announced on the forum (and you have already listed the changelog and version on the ESET website and KB article).
  3. 2 points
    Clark

    Online Training Missing File

    The link was updated last week and should be fixed in the training now. If you'd like to get directly to the PDF you can click: https://cdn2-prodint.esetstatic.com/usweb/training/netropolis/embeds/ESETCybersecurityEducationTips.pdf Thanks for letting us know!
  4. 2 points
    Marcos

    Zero-Day Exploit

    1. In order to inject a fake verifier dll, one would have to modify values for ekrn.exe and egui.exe under IFEO, but these have been protected by self-defense since v4.2.

    2. We are aware that some non-crucial processes are not currently protected by self-defense; however, in order to modify the registry an attacker would have to gain admin rights. Even if that happened, it wouldn't make much sense to spend time injecting a malicious dll into an unprotected, less important process just to disable protection, for instance, as this could be done directly via the gui once an attacker gains admin rights. Needless to say, in such a case he or she can do much more damage to the system or data than just disabling the AV.

    3. They claim: "Microsoft has provided a new design concept for antivirus vendors called Protected Processes. The new concept is specially designed for antivirus services. Antivirus processes can be created as "Protected Processes" and the protected process infrastructure only allows trusted, signed code to load and has built-in defense against code injection attacks. This means that even if an attacker found a new Zero-Day technique for injecting code, it could not be used against the antivirus as its code is not signed. Currently no antivirus (except Windows Defender) has implemented this design. Even though Microsoft made this design available more than 3 years ago." Really? On systems with ekrn running as a protected service, unprotected processes have no access to it.
  5. 2 points
    Marcos

    Warning when LiveGrid is disabled with 6.5

    LiveGrid is a crucial protection functionality. By default, checking file or url hashes against both the local LiveGrid database and cloud LiveGrid servers is enabled in ESET's products. Disabling LiveGrid completely (i.e. even checking hashes against the local and cloud LiveGrid database) has an adverse effect on protection and substantially deteriorates the detection and protection capabilities of the ESET product when it comes to newly emerging threats. Disabling LiveGrid completely will cause the detection of a particular malware (e.g. ransomware encrypting files) to be added with a delay of several hours instead of ESET being able to detect and protect you from it virtually instantly. In environments with a strict policy where no submission of statistics or files is allowed, the following policy is recommended: As for submission of samples, this setting should be kept enabled in order for automated systems or malware analysts to generate smart detections for suspicious (malicious) files and to improve cleaning. Sensitive files, such as documents, are excluded from submission by default. Even if you decide to turn off LiveGrid completely (not recommended) and take the risk, you can disable changing of the protection status in the Application statuses setup in the Tools section.
  6. 2 points
    MartinK

    Dashboard report permissions in 6.5

    It seems the user has no access to the report templates that are shown on the dashboard. In ERAv6, two security-related configurations must be set to have access to report templates: the user must have functionality access to "Reports and Dashboard" with USE rights (Admin -> Access Rights), and the user must have access to the static group that the objects are assigned to. By default, report templates are assigned to group All (see Access Group information in the report templates view). In order to share them with other users, you will have to move the report templates to a different access group, accessible by all users. To move report templates, open the context menu of the "report template category" and use Access group -> Move. It seems moving only a specific report template is not possible (most probably a bug). You may find more details in the documentation.
  7. 2 points
    I guess you are using an AD synchronization task configured so that it removes computers that are no longer available in AD. Matching of computers is based on name, where the name must match exactly. For example, if you have a computer named "computer.mydomain.com" in AD but a computer with the name "computer" is found in the synchronized group, it is considered a different device and thus removed. It will also create a new non-managed computer named computer.mydomain.com. Regarding the name of the computer, there are two possibilities -> the computer was either named by reverse-DNS lookup of its IP address, or the FQDN reported by AGENT itself was used. Please check this specific client's details view, section "Device identifiers", to see whether it reports the correct FQDN. If so, you may use the computers renaming task to rename the computer. If the reported FQDN is not correct, please check the configuration of this client as it is highly probable that the operating system reports a wrong hostname.
  8. 2 points
    It's not a false positive but WebBar, a potentially unwanted application. This forum is not meant for disputing PUA detections. We can only recommend contacting ESET as per the instructions at http://support.eset.com/kb141. Having said that, we'll draw this topic to a close.
  9. 2 points
    I wanted to let ESET Security Forum users know about this new version released by ESET, as it provides a great amount of fixes and a few new features that might interest other macOS users. In particular, you can now: Allow all software that is signed by Apple to access the network automatically in the Firewall; and Hide the menu bar icon, so you can set your preference between using the Dock icon, menu bar icon, or no icons at all. They have also fixed the 'no executable path found' and 'cannot write to socket' errors. Thank you to the developers for fixing a large number of major and minor issues.

    Changelog

    Added: Keep alive feature to ensure the ESET service does not stop
    Added: GUI notification when the ESET service is not running
    Added: Ability to hide the ESET icon in menu bar extras
    Added: OpenSSL replaced by Apple's native security framework
    Added: Apple's signed application has allowed access to network
    Added: DMG is now signed for macOS 10.12+
    Fixed: A vulnerability issue with the esets_proxy file
    Fixed: SSL certificate vulnerability issues
    Fixed: A vulnerability with the old POCO XML parsing library
    Fixed: Installer vulnerability
    Fixed: pam.d issue
    Fixed: An issue that would cause "Zero Files Scanned on Hard Drive" errors during a computer scan
    Fixed: An issue where Web access protection would block virtual machines
    Fixed: Web protection - esets_proxy crash on nod_lmutex_destroy
    Fixed: mac OS crashes when opening http://localhost:57856/
    Fixed: esets_proxy crash (LoopSocket()) if internet connection is disabled during threats downloading
    Fixed: The error 'no executable path found' causing apps to not load or block connections
    Fixed: The error 'cannot write to socket errors'
    Fixed: A firewall issue that blocked users from opening WordPress web pages
    Fixed: An issue where FaceTime is blocked by firewall (default configuration)
    Fixed: Shut down computer after scan - executed after 1 second
    Fixed: Incorrect module name in about dialog
    Fixed: Additional minor bug fixes and stability improvements

    Download

    You can download Version 6.4.128.0 of ESET Cyber Security Pro on the ESET website.

    Apologies to the ESET team if this is against the rules, I know @foneil usually does this, however this update is quite important for resolving a large number of issues that would benefit being announced on the forum (and you have already listed the changelog and version on the ESET website and KB article).
  10. 2 points
    @m4v3r1ck I will provide you with a newer version that should address the issue on Monday. Try it then with default settings and automatic mode first and if you're unable to reproduce it switch to interactive mode.
  11. 2 points
    You will not "get banned". You'll be fine.
  12. 1 point
    Thank you for your feedback. Understood. Solution for your use-cases is planned for ERA V7 in Q4/2017. Currently, there is no "quick fix".
  13. 1 point
    janoo

    ERA Administration Guide

    Hello bbahes, The documentation is growing together with the product, so sometimes there can be an inconsistency. Thank you for pointing this out, we will try to improve it. I agree, if you read the PDF document from start to end, some topics may look inconsistent. This is because we did not intend it to be read like that. The PDF document you have is exported from Online Help, which has a different conception. What would you suggest to change in the documentation? (except those chapters 3.3.2/3.3.1)
  14. 1 point
    The version of your ESET NOD32 Antivirus or ESET Smart Security matters. As I wrote, if you use v7 or older, once these versions reach end of life further updates will not be guaranteed by ESET. With v8 installed, the upgrade notification window can be suppressed for the next few months until some time before its end of life, which is likely to happen next year. The main reason why users should use the latest version of a security program is that only this way can they be protected to the maximum extent against newly emerging threats. Needless to say, new versions bring other fixes and improvements under the hood, such as the much lower memory consumption and performance improvements introduced in v10.
  15. 1 point
    We strongly recommend restarting the OS as soon as possible after the upgrade. Otherwise old drivers will remain loaded until the next restart, which might cause issues with the new ekrn. E.g. on servers the system could hang because the new ekrn could not verify older drivers due to a change in the signature a few months ago. On Windows 10 a shutdown with "Fast start" enabled is not an actual shutdown but a kind of hibernation (https://www.tenforums.com/tutorials/4189-turn-off-fast-startup-windows-10-a.html).
  16. 1 point
    Marcos

    Sophos Intercept X and ESET Endpoint

    ESET leverages HIPS in conjunction with Advanced memory scanner and smart DNA detections based on application's behavior to recognize and block new malware, including ransomware. The system has evolved to Ransomware protection which was first included in home v10 and is being further developed for the inclusion in Endpoint products as well. See https://www.eset.com/int/about/technology/ for more information about our technology. To be honest, I can hardly remember cases with encryption reported by users with a current version of Endpoint v6 who had all protection features enabled. It's mainly users with older versions of ESET products and those who don't have it configured for maximum protection (e.g. have LiveGrid disabled) who get hit. Another category are servers with unsecured RDP which enables attackers to remote it, disable the antivirus and execute ransomware. Protecting the settings with a password would make it more difficult for the attackers to evade detection.
  17. 1 point
    I would also add that this behavior (automatically marking "handled" threats as resolved) will be added in ERA 7.
  18. 1 point
    Policies selected during installation are used to change the default configuration of EES/EAV or AGENT. They are not considered applied policies. Also, configuration applied during installation (selected policies) should not lock settings. Changing default settings during installation is useful in case a special configuration is required to be applied immediately and not after AGENT connects to SERVER -> suitable for offline environments, environments where password-protected installation of EES/EAV is required, and also in AGENT-less (non-managed) environments. Once AGENT connects to SERVER (or PROXY) it will start to use only policies that are assigned to it in Webconsole. Settings used during installation (extracted from selected policies) will remain in use until another policy assigned to AGENT overrides them. It is recommended to assign policies to client computers, as install-time configuration may be lost during re-installation of EES/EAV.
  19. 1 point
    @MartinK - Always stealing the spotlight buddy ;-)
  20. 1 point
    The last digits denote a language build or re-packed build (e.g. if modules were replaced after compilation). Not sure what's the difference in determining the version number in the mentioned cases but since the last digits are not important I wouldn't consider it an issue.
  21. 1 point
    @Marvin - Assuming it may be related to the auto computer renaming task that runs under server tasks, which does the correction every now and then. Or perhaps your AD synchronization task finds those computer objects as duplicates of the names it has in the AD OU and moves them to lost and found. You should use the rename computers task to correct all computers to a single convention, and remove duplicates, keeping only the objects with Agents\AV installed and copying them over to the right place in the AD OU (while those that exist with the duplicate name should be deleted). Also, deny ERA from keeping computers with duplicate names, thus eliminating the possibility of having duplicate computers where one is related to the AD while the other is related to the lost and found.
  22. 1 point
    Probably you mean Endpoint v5, which had ERA settings stored in plain text and connected to ERA v5 directly. As of ERA v6, it's the agent which communicates with ERAS and, mainly for security reasons, its settings are not stored in plain text. As I have already written, if you plan to change just the IP address of the server, just apply the appropriate policy with multiple ERA servers listed in the agent's policy before the original server is moved from the original IP address and that's it. Since you have already moved the server to a new IP address, the only solution is to re-deploy the agent with the correct ERAS and proxy server settings, e.g. using the ERA Deployment tool introduced with ERA v6.5.
  23. 1 point
    Marcos

    High Memory Usage?

    Download and run ESET NOD32 Antivirus Live installer from https://www.eset.com/int/home/antivirus/#download.
  24. 1 point
    MartinK

    Relative file path - Generated reports

    Relative path means that you won't be able to save reports outside of the mentioned directory (or its alternative on different platforms). You don't have to use a timestamp; for example, if you specify audit/audit_report it will generate a report in the file C:\...\Data\GeneratedReports\audit\audit_report.pdf
  25. 1 point
    itman

    how can I tell if livegrid is working?

    AMTSO web site is back online. So anyone wanting to perform the "cloudcar" test can now do so. What should be displayed is shown in the below screen shot:
  26. 1 point
    Marcos

    how can I tell if livegrid is working?

    Amtso.org only hosts cloudcar.exe which is an innocuous file used to test LiveGrid's functionality. Whether the website is up or down has no effect on LiveGrid.
  27. 1 point
    Upgrade to 6.5 may take more time than 30 minutes in case of a slower HW configuration or a larger amount of stored data (logs). This error was most probably caused by the interrupted upgrade procedure you mentioned. Unfortunately we are not able to provide a workaround until we know what exactly got corrupted. Please restore the DB backup and try to upgrade again. If it won't work, contact ESET support so that more details can be provided for analysis.
  28. 1 point
    Marcos

    Win64/RecoverKeys.A Meaning

    Applications like this one which serve to find and display a license key for particular software or the operating system fulfill the criteria for potentially unsafe applications. This kind of detection is disabled by default in ESET's products. If you don't want to disable detection of pot. unsafe applications completely, expand "More info" and select to exclude the signature from detection.
  29. 1 point
    foneil

    Upgrade ERA from 6.4 to 6.5

    Thanks to @GCG for the documentation links, but I recommend bookmarking the Online Help for ERA (and all others that are available via Online Help, you can see the list at help.eset.com) because we are constantly updating and expanding documentation, and the most up-to-date content will be on Online Help http://help.eset.com/era_install/65/en-US/index.html
  30. 1 point
    jdashn

    Upgrade ERA from 6.4 to 6.5

    @whitelistCMD - It's been my experience that when moving between 6.X versions (6.2 -> 6.3, 6.3 -> 6.4) the transitions are seamless, resulting in no loss of data, no issues with authentication, etc. It was only our transition from 5.X to 6.X that provided us with headaches. I'm certainly not one to suggest that you should not back up your virtual appliance regularly (and without a doubt before major changes). I would hope to ease your fears a bit, and make the thought of this update a little less nerve wracking in this situation. On my test server I initiated the components update about 30 min ago without thinking about what else might be running, etc. It ran, updated me to 6.5, and there do not seem to be any glaring issues so far... I'd even venture to say that several of the features added are quite nice.. and might reduce my workload considerably! Jdashn
  31. 1 point
    rekun

    Upgrade ERA from 6.4 to 6.5

    Hi, it is quite simple, you just need to send a "Remote Administrator Component Upgrade". For more info, please look under: Perform a Component Upgrade task from the ERA Web Console here: hxxp://support.eset.com/kb3668/?locale=en_US
  32. 1 point
    Yes, basically you should run the "component upgrade task" on your ERA server. It should upgrade the Beta build to the GA build. Depending on the size of your infrastructure, you could upgrade your server at first (that will upgrade everything you have installed on the machine where the server is (agent, server, webconsole, MDMconnector)), and then proceed with the updates in the rest of the network.
  33. 1 point
    itman

    Is this Event ID 454 / 490 related to ESET?

    Check this folder permissions, C:\Users\Phoenix\AppData\Local\Microsoft\Windows\WebCache, and verify that System, yourself i.e. Phoenix, and Administrators have full control.
  34. 1 point
    Marcos

    about more useful functions

    The role of antivirus is to protect your system from malware and possibly other unwanted applications, as well as to clean malware if your computer gets infected (which is quite unlikely to happen with ESET installed and all protection features active). To accomplish this, ESET leverages a handful of protection modules, such as HIPS, Advanced memory scanner, Exploit Blocker, Botnet protection, Ransomware protection, etc. For more information about ESET's technology, see https://www.eset.com/int/about/technology/. The role of antivirus is definitely not to block ads, "shred" files, repair network, registry, etc.
  35. 1 point
    Marcos

    Antivirus pop up

    The owner of the website must replace the certificate with a valid one as the current one expired on Feb 22:
  36. 1 point
    You mean "threat handled" or "threat resolved". "Threat handled" is a separate column, and "threat resolved" is the internal indication of ERA (they can be resolved only manually, by marking them as such). Could you please add a screenshot here? Also, it might happen that detections are not "threats", but potentially unwanted / unsafe applications, which are not removed even with standard cleaning, and the popup is displayed.
  37. 1 point
    With the default cleaning mode, threats are cleaned automatically. However, in case of archives that also contain clean files besides malicious ones, or if a potentially unwanted or unsafe application is detected, user intervention is required. To avoid this, set the cleaning mode for the desired scan profile to "Strict cleaning" and then run an on-demand scan task using that profile's settings.
  38. 1 point
    thanks guys, pinned thread created
  39. 1 point
    No problem from me to post publicly available content. I was out on paternity leave for two months so I was unable to make the forum posts during this time, but I've gone ahead and made the pinned thread:
  40. 1 point
    Hi TomasP, thank you for pointing that channel out. I wasn't previously aware it existed - am now subscribed to it.
  41. 1 point
    It is important to say that only v9 was affected by the broken validation issue and a fix addressing it was released as a module update a while ago.
  42. 1 point
    Why? Whether ekrn is 32 or 64-bit, it doesn't make any difference for users. Vendors have been successfully using 32-bit kernels on x64 systems for years without issues.
  43. 1 point
    MartinK

    Legacy Dynamic Group Templates?

    Functionality/Protection status: status of specific ERA components managed by AGENT, including Operating system status. This log will contain both OK and also RISK/MALFUNCTION entries. Functionality/Protection problems: basically it is a subset of the previous one, where only RISK/MALFUNCTION (non-OK) entries are listed, and they are listed with more details if available. Functionality/Protection status of computer: contains the status of the worst functionality problem detected. For example, if the previous logs were not reporting any issue, the overall status of the computer is OK. Otherwise it will be the worst status from the previous issues. My recommendation is to create a report template (reports) with the same data fields and compare results for various computers.
  44. 1 point
    In the home version it is not possible to change the update server whatsoever. We do not guarantee the availability of particular update servers, hence the autoselect option is the best and the only one available for home users who don't update from a mirror.
  45. 1 point
    It was running very well, one of the best version 6 builds so far, tested with the latest version of macOS and minimal third-party apps, however. Noticed a few minor bugs with the interactive firewall and profiles, but nothing that affects anything too much (as the "error 'no executable path found' causing apps to not load or block connections" bug has been resolved).
  46. 1 point
    itman

    Is Eset Smart Security Corrupt

    Geocerts, if you review the web page carefully, is a web site for web developers to validate whether they have correctly installed the applicable root certificates on their server. If you observe carefully, when you enter www.eset.com/uk the url is changed to www.eset.com/ . What happens is that Eset, when receiving web traffic at www.eset.com, does an automatic redirect to the applicable Eset country web site. The server assigned to that site is the one being used for SSL/TLS communication. Because of this, you can't use Geocerts. FYI - I encountered the exact same behavior when I tested using the Qualys SSL Server Test. Additionally, I manually verified that the thumbprint for the Thawte root certificate used by www.eset.com/us matches that of the corresponding cert. stored in my Windows/IE11 root CA cert. store. Again, test with an end destination URL such as your bank's web site or the like.
  47. 1 point
    itman

    Ver. 10 - Driver Hash Error

    OK. Finally got this straightened out. The Secure Boot feature of Win 8/10 only applies if your motherboard has UEFI and not a BIOS. My old MB is BIOS based. Secure boot uses the ELAM driver to validate driver hashes and the like. The primary use of ELAM, excluding the above, on WIN 8/10 is noted in this PC Mag ref.: http://www.pcmag.com/article2/0,2817,2411464,00.asp . Regardless of whether you are using Windows Defender or a different anti-malware product, Windows 8 has tweaked its load process so that security software runs first. Early Launch Anti-Malware (ELAM) ensures that the first software driver loaded into Windows 8 is a driver from the user's anti-malware software. Eset uses its ELAM driver to early load its kernel as a Level 0 protected process.
  48. 1 point
    petersonal

    uninstall from ERAC task failed

    I am uninstalling from erac, using "Stop Managing (Uninstall ERA Agent)". I see, I understand, thank you for your information. Maybe in future development this could be somehow fixed, because at first I thought the task was not successful at all; the message is confusing.
  49. 1 point
    BPS

    ERA6 SMTP Settings "From Address" option

    We are trying to set up email notifications on ERA 6, however I do not see the option to change the "From" or "Sender" email address. I am looking on the webGUI under Admin->Server Settings->Advanced Settings->SMTP Server, but there does not appear to be an option to change this setting. This is a necessary setting for our environment since we are using SMTP relay to Office 365 Exchange Online for notifications, and 365 requires that we specify the sender as a known address in our enterprise in order for it to be accepted through the relay. Most other applications sending notifications allow us to specify an email address as the sender, but I can't find the option in ERA6...
  50. 1 point
    Thomas2z

    ERA6 SMTP Settings "From Address" option

    To use with Office 365, I used a distribution email for both "User" fields. The remaining settings work with this setup.