Leaderboard

Hi All, Had many alerts from 4 clients (out of 500) this morning. Seems to be an unwanted application, rather than a virus, but I'm guessing something new in the definitions means it's finding it. Spotted someone else who had this also https://www.bleepingcomputer.com/forums/t/656585/eset-on-all-clients-suddenly-finding-mindspark-today/ Just checking if anyone else has this, should we be concerned? Thanks

This is by design. We had to change the way egui starts in order to comply with Microsoft certification.

Tests are tests and reality is often different. There's nothing like 100% threat detection that you see in tests which are always performed on a very limited set of samples out of which ESET users have never encountered. Besides the score and numbers, you should also be familiar with the methodology and understand how tests were performed and how they are relevant to everyday use. E.g. measuring the time of installation of a particular software; even if it takes a few seconds longer with an AV but all subsequent scans are extremely quick, who cares. Also ESET scans installation packages of popular apps thoroughly while some other vendors skip a lot of files inside. Here you trade off performance for security, although the chance of infection in popular software installers should be low.

First of all, you made this conclusion without knowing all facts. We don't know how ESET was configured, if the user had a recent version of the program installed, if it wasn't disabled by an attacker or malware due to being run with administrator rights, etc. Believing that there's a security solution that detects 100% of malware is utopia. You could search for such AV until the end of life and you'd always got disappointed that every AV failed to detect some threat.

What version of Windows was used; Win 7, 8, or 10?

CCleanup: A Vast Number of Machines at Risk https://blogs.cisco.com/security/talos/ccleanup-a-vast-number-of-machines-at-risk File: https://www.virustotal.com/en/file/6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9/analysis/ Malwarebytes, ClamAV and Kaspersky(cloud detection) could detect a malware. CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 had been compromised. If you use CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 you must update a program and scan the system with Malwarebytes (free).

Hello, what is the version of your ERA? Also, are you the administrator with full access rights? Or was it set for you by some MSP Administrator? If ERA 6.5 than you can see the notifications in Admin -> Notifications section. But ERA does not send any notifications on its own, only those that are set in the Notifications section.

Based on the following, it could have "mapped" your device/network. https://www.bleepingcomputer.com/how-to/security/ccleaner-malware-incident-what-you-need-to-know-and-how-to-remove/

ESET has detected it since update 16099: Win32/CCleaner.A, Win32/CCleaner.B. At that time KAV didn't detect it at VirusTotal yet.

HIPS remains active until a computer restart on purpose.

Clark_10 ...There are many of us like you who have been using ESET products for years. The topic of test results just won't go away. Like Marcos and cyberhash said, test results (which CAN be skewed one way or the other) and real life results are 2 very different realities. Daily "seat of the pants" experiences are what counts. Or if you have unlimited time and resources, you can be chasing test results "till the cows come home" and still not find satisfaction. As far as price is concerned, look around for seasonal sales either on the ESET website or other vendor websites (i.e...Amazon). I always keep a couple spare licenses by shopping around (especially during Black Friday/Cyber Monday sales).

Hi Both things could work.

@Clark_10 The proof is really in the pudding so to speak. I think someone that uses an application over years has a better understanding and more knowledgable about any products quality than another entity that spot tests numerous products within a single working day. From cat food to headphones , mobile phones , computers and cars. Everyone has a different experience when using something over a longer period of time. What appears to be great at the time of review might not even be to your taste, or might not prove as such a great purchase within days/weeks/months of use.

It is a known issue in EPv6.6. It is also listed in the KB with known issues at http://support.eset.com/kb5949. As for EPv6.5, the issue is currently being looked at.

Hey Edmund129, Follow my above steps clearly, it's guaranteed to work. So far I've resolved at least 20 computers with this issue.

It is not possible to change the executing user. For the second question, it is like it is in the OnlineHelp:

The solution I found for this exact message was to open Chrome prompting the JS/Mindspark message leaving it open - Then drag this to the corner of your screen out of sight, Now.... 1)Chrome>More Tools>Removing all extensions except for Google related ones. 2)Clear cookies & cache under advanced settings 3)Drag the prompt back on screen and select "Clean" for all prompts.. You'll then be notified to restart the computer, select yes.. When the computers back up and running open Chrome and these messages will be gone. If you then choose to do so, you can re-add the extensions later.

Today we've released an update of the Advanced heuristic module which is bigger than usual and thus may cause load on update servers (e.g. when there's morning in the USA and many users try to attempt at the same time). The situation should get better relatively quickly.

OK I found the it!!! In my server side I use proxy server, and my other site not using it, and not allowed to use from this site. The cluster applied the proxy for the other side too. I was more than 3,5Million blocked activation connection / hour to the proxy. Because of it was my processor usage very high, and freez the eset service. Its all good now! Varga Csaba

This is a bit dated but since you mentioned WinRAR, this three part series by Carbon Black might help. You might be able to do something equivalent w/Eset: https://www.carbonblack.com/2014/07/08/bitcoin-mining-malware-101/ https://www.carbonblack.com/2014/07/18/how-to-investigate-a-bitcoin-mining-malware-infection/ https://www.carbonblack.com/2014/07/24/investigating-bitcoin-malware-infections-using-carbon-black/ -EDIT- You also might want to checkout this current CodeFork bitcoin miner malware described here: https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reports/codefork-malware/ . This is a real nasty one. Runs entirely in memory by injecting multiple Win system processes. The only way to detect it is to search for the two registry keys it uses for persistence. The first is a key containing the encrypted malware; most likely stored in a key located in HKCU as noted below. The next key is a Run key containing this code:

First of all, you have enabled logging of blocked operations in the advanced HIPS setup. This is intended only for diagnostic purposes when troubleshooting issues with HIPS, otherwise the setting should be kept disabled. Enabling it will not only have adverse effect on performance due to extensive logging but it may also generate unnecessarily huge HIPS logs.

So I do my best to protect my data by using common sense and use top of the line home computer security. Meanwhile, Equifax allowed the world access to data that may be mine from May to July 29 and didn't get around to letting us know until September. Oops! Sorry about that but we, the executives at Equifax, needed the time to sell off our stock before the price dropped on this information.. But it's OK because Equifax is going to help me protect my credit by offering free credit reporting protection, provided by them, "if" I go to their website and provide more information to them. In addition they will provide information on steps consumers can take to protect their personal information.... Yeah right... Why do I have to go give them more data to protect me? If it's been breached just send me a letter telling me they are "now" protecting my data. Oh never mind, from what I hear their protection isn't working very well these days. I guess the best way to protect your credit is not to have any.. Take your money out of the bank stuff it in your mattress and pay cash for everything. But then capitalism would collapse because it won't work without people being in debt. Things are going a bit faster on that slippery slope. hxxps://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628 {Ends Rant and walks away mumbling obscenities.}

I spoke to ESET support, and they say it's either a new threat or a change in classification that's now flagging it up. Not a virus though, just an unwanted app.

Be sure to post future improvements here: https://forum.eset.com/topic/51-future-changes-to-eset-smart-security/?page=26

As shown In previous posts AV charts can be problematic. One company will show one thing and another will show another. It depends on many factors e.g. what samples are used. In my opinion all AVs are pretty similar in the end in most cases. If one misses something it will probably find something else the other ones didn't. All I can say is as an eset user ive never been infected as far as I know/remember but I also take security into my own hand, regularly make sure eset is working fine etc.

That's a US license. You can get US based support but you'll have to figure out how to contact from your location, by phone or live chat is available. Maybe, use a proxy to access https://www.eset.com/us/support/contact/s3/?seg=home#/home-support Live Chat: https://helpus.eset.com/ Phone: +1 (619) 630-2300 Hours of phone support: 6:00am - 5:00pm Pacific Time [GMT-8], Monday - Friday

Follow the instructions in http://support.eset.com/kb2289 to remove ESET in safe mode.

Probably you meant Endpoint 6.6. It's a known bug in Endpoint 6.6 which will be fixed in the next version.

Exactly. You could move to one AV because it finds something another misses but that A/V could miss something the other finds. No AV product is perfect.

We still don't know if the stuff detected by MBAM is really subject to detection. It could be a false positive, innocuous registry remnants or files, etc.

Don't waste your money. The report you referenced is 3 years old. MBAM has slipped considerable in protection in recent years. See this recent test of it to see how much so: https://www.mrg-effitas.com/wp-content/uploads/2017/08/MRG-Effitas-360-Assessment_2017_Q2_wm.pdf

Besides the current Locky ransomware detail I posted previously, there are multiple massive spam Locky ransomware campaigns underway. Before I get into that, Eset's e-mail scanner is effective at detecting malware. Below Is a DHL malicious e-mail that it detected on my installation. Also and obviously, this one slipped through my ISP's e-mail scanner: An example of ransomware being delivered by one of these spam campaigns is given below: Ref.: https://blog.appriver.com/2017/08/locky-ransomware-attacks-increase/ -EDITED- to reflect the malicious script in question could have been was a .vba and .vbs script. Sorry, was rushing when I posted this. In theory, Eset should detect the above since it will scan archives to 10 levels deep. The question is if it had a signature for the downloader used in the attack. Also the .vba script could have been packed, encrypted, and obfuscated. Obviously if a .vba script was employed, the e-mail was a MS Word document. If the recipient opened the document in Protected View which I assume was the case, the script would not have run. If tricked into opening the document outside of PV or doing so by design, the script would not have run if the VBA option was disabled in Word's security settings, . Bottom line - VBA scripts are a real bugger since they only are used in the MS Office environment. If the malicious script was indeed a .vbs script and the target's installation OS was Win 10, then Eset would have employed AMSI to scan the script. However if the script was coded in such a way that it was not fully unobfuscated at time of Eset scanning or Eset didn't have a signature for it, then it could have slipped by Eset's scan of it. That then leaves the only detection mechanism AMS which is post-execution detection.

In regards to Locky ransomware, there is a new variant that does the follow: Ref.: https://www.bleepingcomputer.com/news/security/boobytrapped-word-file-installs-locky-ransomware-when-you-close-the-document/

Is it bad if they are so kind?:D

There's a grace period which gives users enough time to renew the license if they could not do it in time. Otherwise also Windows Defender would activate instead of ESET on the day of license expiry.

It was Locky ransomware that encrypts files. ESET is very good at detecting it as well as other Filecoders. First of all, there's no security solution that could protect users from 100% of threats. Especially if ransomware downloaders spread quickly and download payload from fresh urls. There are many variables and factors that may affect detection, such as old AV product, misconfigured AV, an attacker remoting in via RDP and disabling AV, etc. If possible, get ELC logs as per the instructions in the FAQ section at the right-hand side of this forum, run it on your customer's computer and provide me with the generated zip file.

Yes, but as I wrote, older products will not be able to create a mirror compatible with Endpoint v6.6 and newer. An updated version of the command line Mirror tool will support mirror for Endpoint v6.6+ but it's not available yet. Currently only Endpoint 6.6 can create a mirror from which other computers with Endpoint 6.6 can update. If possible, use an http proxy to cache update files which will also save a lot of traffic compared to using a mirror which downloads quite many often unneeded update files with each update. If you must update from a mirror for whatever reason and http proxy nor creating mirror with Endpoint 6.6 is not an option, wait with upgrade to Endpoint 6.6 at least until an updated version of the Mirror tool is available.

Although retired, I still build and repair computers for friends and family. Recently, while cleaning my office, I found a sealed copy of Smart Security 2014 marked "unused" by me. Can anyone tell me if this is still usable or not? It's a 1 computer, 1 year product. I know newer products will update to the current version during installation, b ut don't know about this one from 2014.

Hello, Assuming this is the US retail box package, Inside the ESET Smart Security 2014 box you'll find a CD in a sleeve, maybe a a sheet of paper with installation instructions (f they are not printed on the CD sleeve) and some cardboard to hold everything together. If that is the case, download the current version of ESET Smart Security from https://www.eset.com/int/home/smart-security/download/, install it, and use the key off the back of the CD sleeve to activate it. Given the age of the retail box, it's possible it used the "old" method of entering a username and password for activation. If that's the case, convert it to a "new" license key using the form at https://my.eset.com/convert. If you have any questions, just give ESET a call at +1 (619) 876-5400, as Jadinolf noted, and a customer service rep will be happy to get you squared away. Regards, Aryeh Goretsky

I have no idea where you are located but unless things have changed in the last few days, your software is still good to use, I am in the U.S. and I have called ESET customer service to verify license information and got excellent service. They are in San Diego and their phone number is 619-876-5400. Good luck

ESET is excellent in adware detection. https://www.mrg-effitas.com/wp-content/uploads/2017/08/MRG-Effitas-360-Assessment_2017_Q2_wm.pdf

Thanks itman. That pretty much falls in line with my thoughts as to the source of their funds. It also confirms my feelings toward the results of their tests. That is, read them, think a bit about them and then return to "my" own on going "Test." Test Status: Perpetual Method: Daily Use of two Windows 7 Computers and several prior versions of a Windows OS Product Tested: Nod32, ESS, EIS and several beta's of each Length of test to date: In excess of 10 years, probably 15 or more I can't remember. Number of Infections: Zero Number of False Positives: Zero Results to Date: Eset Products prevented infection to my systems 100% of Real World time. Conclusion: I'll continue to use the 100% effective Eset products.

Hello Joy, the application is detected as Potentially unsafe application so you can enable detection of those on your ESET Endpoints. Regards, P.R.

Users may want to create different rules for an application. E.g. one may want to allow rundll32.exe to load legitimate applications and create allow rules for them and ask about everything else the executable would attempt to load.

That fixed our problem also. ERA_Installer_x64_en_US.exe --silent --accepteula --avr-disable I can now deploy this with our PDQ software silently. Testing this out with our MDT Server as I type this.

Welcome to the official ESET Security Forum! While here, you can ask questions or give feedback about ESET products and services, receive prompt answers from qualified support technicians and interact with the ESET community. Before posting, check out the video below and read the Rules of the ESET Security Forum VIDEO: If you get stuck, please check out our dedicated FAQ section and Help section.

Sorry for not same subject. i'm newbie cannot create new post. I have problem is my website buid wth domain .co.vu (same television.co.vu) but NOD32 warning VIRUS. but this domain not found virus on another antivirus. my website is: phone.co.vu cameras.co.vu cartools.co.vu mobilephone.co.vu etc. please help me. (all website create less than 2 week and .com .net .info from my created not found VIRUS)

The new forum looks very nice. I look forward to continue learning about your products and of course meeting new people.

Hello, Welcome to the ESET Security Forum, ESET's online community for assistance with our software and services. In this forum you will find dedicated support sections for every ESET product line. Additionally, there are sections to collect feedback from our users, such as new feature requests, as well as online assistance with malware removal. We also have plans to integrate this community with other ESET web sites, such as the ESET Knowledgebase, We Live Security blog and Virus Radar encyclopedia. For now, though, I'd like to give you a quick tour of the various top-level forums. In the ESET Announcements section, you will find general information and news from ESET about the company, significant malware threats and the like. In the Forum FAQ's and Rules section, you will find information about the rules and regulations for using the forum, as well as asking questions about the forum. In the ESET Home User Products section, you will find information about ESET's Windows, Mac, Linux and mobile software for home users, such as ESET Smart Security, ESET NOD32 Antivirus, ESET Cyber Security and ESET Mobile Security. You will also be able to ask questions here about those programs. In the ESET Business User Products section, you will find information about ESET's Windows, Mac, Linux and mobile products for businesses, including endpoint, server and remote administration programs. You will also be able to ask questions here about those programs. In the Malware Detection & Cleaning section, you will be able to to receive assistance in removing malware detected by your ESET software. In the ESET Beta Products section, you will be able to find out more about and participate in beta testing ESET's software. Once again, we look forward to your participation, and thank you for joining us here in the ESET Security Forum. Regards, Aryeh Goretsky

ESET Security Forum FAQs How do I register/join the new forum? To join the new forum, visit hxxp://forum.eset.com/ and click the blue [Create Account] button in the upper right-hand corner. Why didn’t I receive a registration email when I created an account? If you are not signed in immediately after registration, you will receive a confirmation email with a link to activate your account. If you do not receive the email, first check your spam folder as the email containing your registration information may have been accidentally redirected to a spam or junk email folder. If the email is not in your spam folder, click here to reset your account. Please mark noreply@eset.com as a safe sender in your email client or service. Can I sign in using my Facebook or Twitter account? Yes. To save time and to remember one less password, you can use your existing login information from Facebook or Twitter to link your account. Registration using this method takes only three (3) clicks and will return you back to the forum after you have authorized it. What are the different poster status levels? A variety of levels will be assigned to people due to the quantity and/or quality of of their contributions. We are currently in the process of creating these and will share them at a later date. What are the forum rules and code of conduct? For information about the ESET Security Forum rules and code of conduct, see the Rules of the ESET Security Forum announcement. Be sure to visit periodically to review any changes. How can I contact ESET for Forum suggestions and problems? For contacting ESET to suggest a forum enhancement or report a problem, please post a message in the appropriate section of the forum. How can I contact ESET directly? General contact information for ESET’s offices around the world is located at hxxp://www.eset.com/about/contact/. For technical support, visit hxxp://www.eset.com/support/contact/ or from inside the main program windows of your ESET product, select Help and support to access a Customer Care support request form, in-product and online help content. Last Revised: 10 May 2013.