Leaderboard

Eset was the only vendor to completely block the EternalRomance exploit attack vector in this incident: https://www.mrg-effitas.com/eternalromance-vs-internet-security-suites-and-nextgen-protections/

It turned out to be doable. We'll consider adding an option to prevent standby in future versions of Eset's products.

Hello forum users! Today we are announcing a brand new feature on our forum – Reputation ranks. For quite some time we wanted to have a system that would automatically mark content posted by reputable users, so that it would gain trustwothiness in the eyes of anyone who reads the posts. By launching Reputation ranks we not only achieve that, but they also serve as a motivation for you, our users, to reach higher levels and have a more prestigious rank next to your username. The ranks are awarded automatically based on the number of Kudos you have earned from other users (whether it was for posting an interesting link, or a solution to an issue somebody experienced). Thus, we also encourage you to use the voting system and award a Kudo when you see a quality post. There is no limit on the Kudos you may give and it lets the user know their post was interesting or helpful – it’s basically saying ‘thanks’ – and you may help somebody reach the next rank as well! With that being said, here are the actual ranks and their Kudo ranges: Kudos Rank 2500+ Grandmaster 1000-2499 Master 500-999 Wiseman 250-499 Senior Advisor 100-249 Advisor 50-99 Consultant 20-49 Senior Contributor 10-19 Contributor 6-9 Rising star 2-5 Trainee 1 Novice 0 Newcomer After some time, we will evaluate the usefulness of this feature and we may also ask you to provide your feedback in a short survey. We hope you enjoy this new addition to our forum! Regards, Tomas

There is also a man-in-the-middle technique know as "dual forking." Your encrypted traffic can be intercepted an decrypted on one "fork" while the original encrypted traffic is held in suspense by the other fork. This allows the hacker to extract for example, your logon and password data. Once the desired data is extracted, the suspended encrypted traffic is released. This technique bypasses any SSL encryption tampering validations since the original SSL encrypted traffic is never manipulated. Below is an excerpt from an article on the subject of public Wi-Fi use. I recommend you read the entire article here: https://www.howtogeek.com/178696/why-using-a-public-wi-fi-network-can-be-dangerous-even-when-accessing-encrypted-websites/ Malicious Hotspots Most dangerously, the hotspot you connect to itself may be malicious. This may be because the business’s hotspot was infected, but it may also be because you’re connected to a honeypot network. For example, if you connect to “Public Wi-Fi” in a public place, you can’t be entirely sure that the network is actually a legitimate public Wi-FI network and not one set up by an attacker in an attempt to trick people into connecting. Is it safe to log into your bank’s website on public Wi-Fi? The question is more complicated than it appears. In theory, it should be safe because the encryption ensures you’re actually connected to your bank’s website and no one can eavesdrop. In practice, there are a variety of attacks that can be performed against you if you were to connect to your bank’s website on public Wi-Fi. For example, sslstrip can transparently hijack HTTP connections. When the site redirects to HTTPS, the software can convert those links to use a “look-alike HTTP link” or “homograph-similar HTTPS link” — in other words, a domain name that looks identical to the actual domain name, but which actually uses different special characters. This can happen transparently, allowing a malicious Wi-Fi hotspot to perform a man-in-the-middle attack and intercept secure banking traffic. The WiFi Pineapple is an easy-to-use device that would allow attackers to easily set up such attacks. When your laptop attempts to automatically connect to a network it remembers, the WiFi Pineapple watches for these requests and responds “Yes, that’s me, connect!”. The device is then built with a variety of man-in-the-middle and other attacks it can easily perform. Someone clever could set up such a compromised hotspot in an area with high-value targets — for example, in a city’s financial district or anywhere people log in to do their banking — and attempt to harvest this personal data. It’s probably uncommon in the real world, but is very possible.

SSL certificates can be obtained by anybody. I'd say there are still many users who don't even check the padlock icon in the address bar for https connections and even less those who check which CA actually issued the certificate. A green padlock does not automatically indicate 100% trustworthiness as it's easy to obtain a certificate for anybody these days (let's mention just "Let's encrypt" CA issuing certificates used by many scam websites). On the other hand, EV certificates can be generally trusted; they are mainly issued for bank institutions and it's not that easy to obtain one.

Hello Ford, the connection between your Client and the Target Homepage is SSL encrypted. But if u use Public WLANS, ur Traffic could be manipulated. Before the Signal reaches the Internet. https://en.wikipedia.org/wiki/Man-in-the-middle_attack So the Attacker just can replace ur SSL Certificate and redirect your Traffic. Are you Safe with ESET? The Phishing Filter will help you a lot. If the Router gets replaced by a MITM Router your Client will " Auto reconnect" and ESET will warn you about this. But, if you connect to every Random WIFI there is a possibility your Traffic gets manipulated. So always proof to which WIFI u try to connect

You will have to temporarily disable firewall using command: service iptables stop It is also possible, that user you will be using to acces database is not configured for acces from outside of appliance. For example there is no root@% available in appliance by default. If you encounter this problem, you will have to create new account or modify existing, using command line MySQL client. For example existing root@localhost user may be updated using: UPDATE mysql.user SET host = '%' WHERE host = 'localhost' AND user = 'root'; FLUSH PRIVILEGES;

This is very common problem with upgrade of ERA 6.4 -> ERA 6.5. Most probable cuase is that upgrade process was interrupted (service restart, appliacne reboot,...). Please follow steps described in documentation.

Hello, thank you for pointing on this, we know what is causing it and it should be fixed by affected module update soon.

@Phoenix A new version 10.1.219.0 has been released today which has what you want.

ESET Smart Security Premium, ESET Smart Security, ESET Internet Security, and ESET NOD32 Antivirus versions 10.1.219 have been released. Update to the new version is now available to all users in-product with an older version 10 and installers are available from https://www.eset.com/download/home/ Changelog Improved: Screen reader improvements including product user interface text-to-speech and tab key navigation Improved: Ability of in-product upgrade to install cross-line products to support Smart Security to Internet Security migration Fixed: Minor bug fixes and localization updates Internal improvements and fixes (e.g. "Pause protection" option is back in the tray icon menu) Known Issues Update progress indicator does not refresh automatically. This is a known issue of the current v10.1 but it will be fixed once you upgrade to v10.1.219.

Like @TomFace has said above , this topic has frequented every security forum since the start of time and there is no definitive answer to the testing methodology. They don't even give the names of the samples used in the tests. Wilders was a good place as it was "numerous" personal experiences which added up to a more informed and collective point of view. Bit more like security "politics" and personally i think there is more information drawn from a large user base of different products than a single pdf/spreadsheet written up by 1 person/organisation. Just because 1 person likes orange juice on their test, does not mean everyone will. Give the orange juice to 20000 people and you get back a less biased result. Seen it happen before when people see a datasheet of some test results and jump ship to another product and then regret it. Not just in the security world, but it happens with phones , tv's , cars too. There is probably very little difference in the capability of the top AV suites out there if it was all looked at from a balanced point of view. Hence why all vendors offer a free trial period to allow all people from all places to evaluate the software before making a choice to purchase. If you install something and use it for a long period of time and it's trouble free and does the job it was intended to do and works the way you want it to, then there really is no need to look for alternatives. This rule goes for any vendors product and not just for users of ESET products in case you think i am biased in any way. If at any point along the way that my system was infected and i found out that another product could have prevented it then i would certainly re evaluate my position. Plus i would also consider the way my system was compromised. If i opened an email that had an attachment that promised me $/£1,000,000 , i should really blame myself. Realtime "User Interaction" protection will never be available and still the biggest threat by far if you want to go down the barchart/piechart/stats route.

I think "real world experiences" paint a better picture than any tests can ever achieve. From my own personal experience i have never been infected by anything major since using ESET's products, which i have done since their first version of NOD32. Then again the weak point in any security app is more likely to be the user. From opening an email with a pdf/word document attached or trying to download pirated products, or visiting bad sites/links. Back when everyone was a member of Wilders Security Forums it was easier to draw a conclusion as to what performed better as you had users of every security product giving opinions and feedback to a wider audience in one place. Then on top of detection, you have to look at other matters that affect each product. Like false positives , system impact, borked updates, bad definitions including flagging of windows files as bad. ESET has done consistently well in these area's too and should always be taken into consideration when making a choice/purchase. I don't doubt that Microsoft is improving as you now have forced telemetry built into your o/s that was never there before. In addition to them now trying to draw more attention to their own security products. But i still get a feeling that you won't beat a company who's sole business is in security and have been in that business for a long time.

If you click on "Action for listed threats" and select "Clean," Eset will removed the ask.com toolbar and leave the rest of the application alone. This is what I would recommend.

Hi CraigB, one thing is strange to me, why you had to setup a new CA & certificates? There were any in the Azure VM? Because during the installation, those should be created automatically.

It's already possible to prevent notifications about activation of presentation mode from being displayed to the user or in the ERA console. All you need to do is to disable the appropriate notifications via a policy (User interface -> Application statuses (Edit) -> General:

Hi there 1. We have a feature called IP range whitelisting where you can define IP ranges from which second factor is not required (see product guide for more details) 2. Importing phone numbers is up to the AD capabilities. ESA just utilized the AD functionality. I presume, AD has an option to import data in bulk. 3.We internal product logging for (product logs) some of the user login activities. But there is not a dedicated UI for accessing such information. Also administrator can find last successful login and last failed login per each user in the AD tab of dedicated user (see attached screenshot). 4. Not sure if I understand. ESA has a security mechanism to lock user after certain amount of unsuccessful login attempts. ESA does not have a capability to set policies. 5. ESA has an API. please find details in product documentation. User guide API guide regards vladimir

No problem SCR (we're good!).... I appreciate someone/anyone looking out for me. peteyt, as far as I know, there is no setting for questionable certificates and I (for one) would not want one. As you implied, we need to separate the good from the bad.

Thank you, planet, for reporting these issues. I have fixed them so they should be OK now. T.

@rekun Since Endpoint 6.6 + (to be released during July), we will no longer use a network particular driver type (NDIS/LWF) on Windows 8+, so it won´t affect network connectivity. However, for Windows 7, situation will remain without change.

Only v10 contains anti-ransomware protection. We strongly recommend upgrading to the latest v10.1 or better uninstalling v7 first and then installing v10.1 from scratch.

Hello @cindyatgreenacres and welcome to the ESET Security Forum! The first thing I would check is your "Webcam Protection Rules". If you do not know how to do this follow these steps: Right-click the ESET tray icon and click "Advanced setup". In the left-hand panel, click "DEVICE CONTROL". In the main panel, click "WEBCAM PROTECTION". To the right of "Rules", click "Edit". A new window appears which will list all webcam rules that you have created, if any. See if the application that is being blocked from accessing your webcam is listed. If it is not, click "Cancel" to exit the "Rules" window. Click "Cancel" again to exit "Advanced setup". If it is, click on that rule and the click "Remove" (bottom left). Click "OK" to exit the "Rules" window. Click "OK" again the exit "Advanced setup". I hope this helps ... Report back as to what you find...

ESET is tracking an outbreak of malware detected as the Diskcoder.C Trojan that has been referred to as a Petya variant in some previous communications. ESET LiveGrid has blocked the threat since ~13:30 CEST 6/27. Solution Best practices against Diskcoder.C | If a fake CheckDisk scan is displayed | If your files are already encrypted All ESET Users—best practices to defend against this infection If you do not have an existing SysRescue Live CD/DVD or USB medium for your system, download ESET SysRescue Live and create a rescue disc. Turn off all computers in your network. Boot individual systems from a SysRescue Live medium and scan each computer for malware with detection of potentially unwanted and unsafe applications enabled. How do I use ESET SysRescue Live to clean my computer? If Diskcoder.C is detected, skip to step 3 of If a fake CheckDisk scan is displayed. If the scan completes without detecting a threat, exit SysRescue and boot into Windows. Open an administrative command prompt (right-click the CMD application and select 'run as administrator') and run the following commands: echo.>%windir%\perfc echo.>%windir%\perfc.dat echo.>%windir%\perfc.dll attrib +r %windir%\perfc attrib +r %windir%\perfc.dat attrib +r %windir%\perfc.dll If possible, disable SMB version 1. Disable SMBv1 via Group Policy Disable SMBv1 on a single server If a local administrator account exists on a computer, change the password to a more sophisticated one. Use at least 10 characters, 2 uppercase, 2 lowercase, 2 numbers, 2 symbols. Do not use conventional words from the dictionary. If your computers belong to a domain, change the domain admin passwords to more sophisticated ones. Avoid using the same administrator credentials on workstations and servers. Disable default ADMIN$ accounts and/or communication to Admin$ shares. Make sure that all hotfixes available for the OS are installed and that your system is patched against EternalBlue. If you are not sure of this, use our free tool to scan your system. If you are using an older OS which is no longer supported by Microsoft, consider upgrading to the latest version. Make sure that the latest version of your ESET product is installed and modules are updated. If you are using ESET Endpoint Antivirus or ESET NOD32 Antivirus, we recommend you to swich to ESET Security product version. ESET Security products contain firewall with the Network protection module capable of blocking EternalBlue exploit in SMBv1. Make sure that only 100% clean and patched computers are connected back to network. For best practices to protect your computers against ransomware continue here. If a fake CheckDisk scan is displayed Turn off your computer. Boot the system from a SysRescue Live medium and scan it for malware with detection of potentially unwanted and unsafe applications enabled. How do I use ESET SysRescue Live to clean my computer? Check if the disk has not been encrypted. There are multiple ways to do this: Using Windows Boot your computer to the Windows Recovery Console from a Windows installation CD. Restore MBR by running fixmbr command. Using Linux Boot your computer from a Linux Live CD/USB. Use TestDisk to fix MBR. If your files have already been encrypted: If you do not have any important data on your discs: Re-image the system. Follow the best practices. If you have important data on your disk that is already encrypted: Use ESET Sysrecue Live to create a 1:1 copy of the disk. Re-image the system. Follow the best practices. Check this alert regularly for more information.

Hello m4v3r1ck, as far as I know there should be a brand new GUI as well ;-) I hope it will meet your high expectations :-) Regards, P.R.

ERA 6.5 appliance (based on CentOS7) uses apache http proxy available from official CentOS repositories. Configuration file enabling http proxy with ERA specifics is located in file /etc/httpd/conf.d/proxy.conf. It should be possible to enable authentication as is described in Apache 2.4 documentation but it was not tested, nor it is documented by ESET. Could you also ask customer for his reason to require authentication? Apache proxy distributed in ERA appliance is configured so that it forwards requests only to ESET servers. This significantly reduces risk of proxy misuse.

Hi This antivirus is blocking my usage and if I go to someone else house I have to turn eset off to be able to connect . Why has eset started blocking ! How can I stop this I have been a loyal eset customer for years but this is ridiculous . Please Help

hello I just installed eset on my windows 10 pc. On the home tab there is a Security alert which says "virus signature database out of date". When I click update it says "virus signature database up to date" but there still is the red security alert on the home tab. In the update tab there is a message "Last successful update: Update has not been run yet". How do I run the update or what setting am I missing?? Regards Popa

MS from what i can see are just playing catch up against other vendors and not really bringing anything new to the table. Looked at a few things after they announced they will be upping the stakes with protection in the fall update. Lets be honest, there are about 12 security patches for office per month and at least 2 for windows itself. If you cant code something secure to start with, then doing the cleaning up operations are going to be a bit more messy. Who's going to entrust a whole system to the master at failing in the first place ?? Just don't think that having all your eggs in one basket is a good idea.

Those are either potentially unwanted or unsafe applications, or archives that also contain other than detected files. In such case, action selection is required in the standard cleaning mode. If you want to clean PUAs automatically, set strict cleaning mode for web access protection, real-time protection and startup scans. As for on-demand scans, I'd be cautious with using strict cleaning as it would also remove archives that also contain other than detected files, or files infected with a virus that cannot be cleaned at the moment. For instance, if you have an archive with tools of which some may be detected (e.g. tools for finding serial numbers), the whole archive would be removed. If you run an on-demand scan with strict cleaning, it's a good practice to review what files have been removed / quarantined.

Upgrades-v2.pdf contains a link to a non-existing domain with phishing. Since it doesn't pose any risk any more, we'll unblock it as well as the link blocked in the other PDFs. In less than 30 minutes the files should not be detected. In case you come across possible FPs, please report them to samples[at]eset.com.

When creating installer, it is required to include CA certificate of currently used SERVER certificate - seems that this fails in your environment. During this operation, SERVER certificate that is currently used is loaded from SERVER settings and appropriate CA certificate is searched. I would recommend to check what certificate you are actually using - as list you provided (peer certificates) is not used during installer creation -> there may be completelly different certificate used in SERVER settings, especially in case you generated multiple SERVER certificates. Also ERA 6.5 changed security model -> in case you are using non-Administrator account in ERA, please check whether user has "read" and "use" access right for CA certificates and "read" access rights for SERVER settings.

Hi Superzpy, Yes, Windows 10 and Server 2016 are supported by EVS for NSX. I'd recommend you to do some POC with our partner to help you onboarding with ESET Virtualization Security

Hi Eduardo, i managed to sort it out by updating the proxy http server details on server settings

Hi, With the help of the ESET support, we finally found the source of the problem: In our ESET policy, under "Advanced Setup -- Update -- Outdated Virus Signature Database Alerts", the EAV setting "Set maximum database age automatically" was set to FALSE, because we wanted a shorter maximum database age than the default of 7 days. As soon as the setting "Set maximum database age automatically" was set to TRUE, Windows 10 1703 did not report EAV as being out of date anymore. However, this appears to be a bug in ESET, as the problematic behaviour is caused by a legitimate ESET configuration setting and does not appear with Windows Versions earlier than Win 10 1703.

One more suggestion regarding the forum — I noticed ESET Smart Security & ESET Internet Security are merged into a single sub-forum. As ESET Cyber Security & ESET Cyber Security Pro are very similar (with only the Firewall & Parental Control different), would ESET consider merging the two sub-forums into a combined single sub-forum?

While slightly off topic I've noticed occasionally certificate alerts asking to block or deny when browsing. This could confuse users who might be unsure which to pick.

I am running the latest version of ERA (version 6.5.31.0) Following MartinK suggestions I changed a line in the file /var/opt/eset/RemoteAdministrator/Server/Scripts/UnixWindowsNetworkRemoteInstall.sh Specifically the line LANG= mount -t cifs -o "${mount_domain_option}username=$ERA_RD_WN_USERNAME" "$remote_cifs_share" "$local_cifs_mount" becomes LANG= mount -t cifs -o "${mount_domain_option}username=$ERA_RD_WN_USERNAME,vers=2.0" "$remote_cifs_share" "$local_cifs_mount" After that i run the command /sbin/restorecon -F -R -v /var/opt/eset/RemoteAdministrator/Server and I tried to deploy the agent to one of the Windows 7 machines. This workaround worked for me and I wish that a change will be made to the ERA webconsole interface, so that a user can tell that a windows computer has SMB version 2, before the agent can be installed remotely. Thank you very much for the help.

We don't know yet what is causing the internal server error. For some reason, the update server responded with a specific error code. The issue is being investigated, however, module updates should be downloaded alright.

Hello, as shown on the screenshot, the files are being detected in the Time machine backup files. Deleting the files would break the integrity of the backup. I would recommend you to make a backup from a clean state and delete the old backups with malicious files inside. Regards, P.R.

You do not say what version you are currently running. Could you please post a screen shot of the "error/message" you are receiving?

As TomFace and others have pointed out Eset does not license it's products by versions. Basically your Eset license will work for any version as long as its the right product so if your on smart security 9 it will work for 10 and so on. Also the updates older versions receive are generally only for defenitions and won't include actual updates to the antivirus engine itself. As well as adding new features the new versions generally contain improvements that older versions won't get. There are also bugs to consider. Often older versions of programs contain bugs that the newer versions have fixed. Obviously users can stay on the older versions if they prefer and TomFace's link shows when older versions will stop being supported. However it's always recommended to stay on the latest version and remember if you have a license this is free

To recover your "lost" license, visit https://www.eset.com/us/support/lost-license/ As Mr. Goretsky said, as long as you have an active license, there is no additional cost to upgrade to the latest version. It IS BEST to have the latest version. It is always best to download a program from the originating source (not a 3rd party "warehouse"). Here is a link to the various versions-review them carefully as there is now a Smart Security Premium version which IS AN UPGRADE over Smart Security. http://support.eset.com/kb2476/ You may also want to review the current EOL data. http://support.eset.com/kb3678/#ess So do as you please. Good luck.

There's a report called something like "Automation" - "Server tasks for the last 30 days"

KB Alerts newsletter is created see

Assume this is a variant of this: http://www.isthisfilesafe.com/sha1/D3B0B1F6473377C50D7C589B507849947C99824D_details.aspx Eset detects it with the assumption DNA signature would detect the V2 variant: https://www.virustotal.com/en/file/4be41e98628bac3a332789b5b40661b1743689876660f8af171fc4f9f95c2e65/analysis/

Only applies to Windows 10 CU Enterprise versions: Mitigation with virtualization-based security Virtualization-based security (VBS) provided with Device Guard on Windows 10 and kCFG enhancements with Creators Update stop common exploitation techniques, including those utilized by ETERNALROMANCE and ETERNALBLUE. Stopping shellcode execution with W^X enforcement On systems that have Device Guard VBS enabled, writing and then executing shellcode—such as the ETERNALROMANCE backdoor—in the kernel is not possible due to W^X enforcement policies in the hypervisor. These policies ensure that a kernel memory page is never both writable and executable at any given time. Even if an attacker tries to attack page tables, the hypervisor is still able to force the execute-disable bit through extended page tables (EPT). This in turn forces attackers to rely on code-reuse methods, such as return-orientation programming (ROP). As a consequence, the shellcode implant library in the Shadow Brokers release is fundamentally incompatible with VBS-protected systems. Preventing use of corrupt function pointers with kCFG In Windows 10 Creators Update, we introduced a new security mitigation in the kernel space for VBS-enabled systems. The kernel is now compiled with Control Flow Guard (CFG)—a control flow integrity solution designed to prevent common stack-pivoting techniques that rely on corrupt function pointers or C++ virtual method tables. Control Flow Guard in the compiled kernel (also known as kCFG) aims to verify all indirect call targets before invoking them. This makes it harder for an attacker to execute code by abusing function pointers or other indirect calls. In the case of the ETERNALROMANCE exploit, the subverted function pointer would lead to a security fault when invoked, making the exploit non-functional in its current form. The same applies for ETERNALBLUE, which also relies on a corrupted function pointer to achieve code execution. On early Windows 10 systems before Creators Update and without Device Guard, it is possible to attack the page tables of the HAL region to turn it executable and gain code execution using the ETERNALBLUE exploit technique. Ref.: https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/

Hi, Restarting EES 6.5 was caused by firewall rules. Interestingly, EES 6.4 worked well on that firewall rules. I have policy base mode, and unblock specific ports and hosts the rest is blocked. Communication with ERA server was unblock, also DNS, HTTP and HTTPS was unblocked for all hosts. What other ports are required for EES 6.5 to work properly? When I applied the ALL in ALL out policy, EES 6.5 started normally and worked fine.

To begin with, WMI based malware requires a degree of sophistication not seen in your "run of the mill" malware. As such, it is usually reserved for advanced persistent threats. Below is an excerpt from a FireEye article about APT29 that I will refer to. Notable are the following: 1. To perform the WMI class registrations you referred to requires administrator privileges. If malware has acquired those, it can do much more than just manipulate WMI. 2. In the case of APT29, it used WMI to create a backdoor. Creating the backdoor itself was useless until it was utilized to execute a malicious PowerShell script/commands. On Win 10, Eset monitors Powershell script execution utilizing the AMSI interface. Something you might consider is to set PowerShell to only run in "Constrained Language" mode as described in this TechNet article: https://blogs.technet.microsoft.com/kfalde/2017/01/20/pslockdownpolicy-and-powershell-constrained-language-mode/ . Doing so not only will "lockdown" WMI command use of PowerShell but also .Net likewise use of the same. I also additionally monitor any Powershell startup execution with user created Eset HIPS rules. WMI permanent event subscriptions can be used to trigger actions when specified conditions are met. Attackers often use this functionality to persist the execution of backdoors at system start up. Subscriptions consist of three core WMI classes: a Filter, a Consumer, and a FilterToConsumerBinding. WMI Consumers specify an action to be performed, including executing a command, running a script, adding an entry to a log, or sending an email. WMI Filters define conditions that will trigger a Consumer, including system startup, the execution of a program, the passing of a specified time and many others. A FilterToConsumerBinding associates Consumers to Filters. Creating a WMI permanent event subscription requires administrative privileges on a system. We have observed APT29 use WMI to persist a backdoor and also store the PowerShell backdoor code. To store the code, APT29 created a new WMI class and added a text property to it in order to store a string value. APT29 wrote the encrypted and base64-encoded PowerShell backdoor code into that property. APT29 then created a WMI event subscription in order to execute the backdoor. The subscription was configured to run a PowerShell command that read, decrypted, and executed the backdoor code directly from the new WMI property. This allowed them to install a persistent backdoor without leaving any artifacts on the system’s hard drive, outside of the WMI repository. This “fileless” backdoor methodology made the identification of the backdoor much more difficult using standard host analysis techniques. Ref.: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html

Still the same old story... I just installed 10.1.204.0 manually (because 10.0.390.0 still said "up-to-date") and again I had to reboot in Safe Mode, install the above mentioned drivers manually and then reboot. I have reported this last year and now, I'd really like to have information about the possible reasons for which these drivers do not install correctly in "normal" mode. Running Windows 10 Pro 64-bit 1511.

Every two hours approx. I hate that! When it's time for me to renew I only see the "x amount of days left" notification at boot ONE time, nothing after that. Not sure why you see it that often. And I can agree that the notification is displayed too often in your case, it would be interesting to find out why the interval differs so much though.