
Leaderboard


Popular Content

Showing content with the most kudos since 04/25/2020 in Posts

  1. 4 points
    itman

    "pyrate", Behavior Blocker Bypass POC

    It's been a slow forum posting weekend and it appears this thread has run its course. We have all had the opportunity to "rant and rave" about Eset Home version protection features we all wished we had and in reality, probably never will have. So it is time to expose this Python POC for what it is - fake ransomware. Err ..... what, you say? The POC encrypted files. Well so does a lot of legit encryption and other apps including user created ones. So let's get into this.

    A few years back, the NextGen security software vendors were trying "to get traction" against the established AV vendors with their supposed superior behavior detection methods. Corresponding to this was the appearance of a proliferation of ransomware "simulators" with which one was encouraged to test their existing AV solution. The most infamous of these was RanSim produced by KnowBe4: https://www.knowbe4.com/ransomware-simulator . I wrote a thread about the methodology used by this product and similar ones here: https://forum.eset.com/topic/10792-ransomware-simulators-a-detailed-analysis/ . Eset subsequently commented upon RanSim tactics in their own published article on Eset ransomware protection: https://cdn1.esetstatic.com/ESET/INT/Docs/Others/eset-vs-crypto-ransomware.PDF

    So let's get into some details on the POC. First, note this from the POC's author posting about it at malwaretips.com:

    Next is why no vendor on VirusTotal detected the POC initially and, I believe, presently. That one is pretty straightforward. The ransomware portion of the POC never ran. The POC pauses program execution waiting for user input to continue. VT's automated sandbox analysis timed out waiting for input it does not respond to.

    In summary, I am not 100% ruling out that techniques used in the POC could bypass existing Eset ransomware detection methods. However, a POC must be developed deploying real world ransomware deployment and execution methods, with the most important being that the program runs uninterrupted and encryption activities are performed against all existing files in C:\Users\xxxx\Documents\*, etc. directories.
  2. 3 points
    Marcos

    License Activation Issue

    ESET NOD32 Antivirus for Linux desktop is a legacy product. Legacy products do not support activation but require a username and password for update. These are not usually included in the license email since current products require only a license key for activation, but they can be provided by customer care on request. I'm gonna send you a personal message with your U/P momentarily.
  3. 2 points
    Marcos

    IObit Constantly Triggering ESET

    The PUA detection is correct. It's optional. For more information on what PUAs are, please read https://support.eset.com/en/kb2629-what-is-a-potentially-unwanted-application-or-potentially-unwanted-content. If you think that the benefits of using a particular PUA outweigh the possible risks, you can exclude the PUA from detection.
  4. 2 points
    ESMC should be installed only on server systems. We do not recommend nor guarantee that installing it on Windows 10 home will work. Is the Tomcat service running? Please check this out: https://support.eset.com/en/kb6752-apache-tomcat-is-not-running-service-could-not-starthow-do-i-fix-this-problem-esmc-7x Does it work if you access it via http?
  5. 2 points
    Marcos

    Eset blocked twitch ?

    Yes. The domain in question has begun to resolve to an IP address that was blocked 2 years ago due to malware.
  6. 2 points
    Marcos

    Eset blocked twitch ?

    The FP will be fixed in a few minutes. The IP address has been blocked since 2018.
  7. 2 points
    I'm stating two issues here in one topic. First, ESET has two types of installers, one is an online installer and the other is offline. But both are totally misleading. The offline installer is merely a 53 MB file which only installs the product, but all the module data is downloaded after installing. Then the online installer, which should do what the name suggests, but it doesn't. All it does is download that 53 MB installer and install it, and of course it downloads all the module data after installing. Why even call it an online installer while it's definitely not! Highly misleading. Literally every AV I ever tried, all of their online installers download the whole product including modules and signatures, etc. ESET is the only exceptional one. Same goes for which is supposed to be ESET's offline installer. Almost all AVs that still provide an offline installer install the full product and only download the required new updates after installing, unlike ESET. I don't understand! If you want to give users the option of an offline installer then that should contain every module and all updates up to the day of creation, and the online installer must download everything first, then install the product.

    The second issue is, ESET's update downloading speed right after installing is always very slow for me. Most of the time it only uses 10-20% of my bandwidth even when there is no other internet activity. I started using ESET when version 12 came out and so far it has always been this way. My internet is already pretty slow, so only using 10-20% of the bandwidth makes the process extremely annoying. Update download speed is always slow I guess, but since the daily signature updates are only a few kilobytes, those are not noticeable, but the first update is. Why does this happen? Why can't ESET make use of the rest of the free internet bandwidth?
  8. 2 points
    Ok, Live installer it is. Just a synonym, but the meaning should be the same. The live installer can still determine the OS and download the full product from online and then install it. Maybe it would even be possible to implement something like multi-threaded download so that the download speed would be fast, unlike the in-product download speed which is terribly slow for me, which I also mentioned above. Would 85 MB be the size of the installer for the whole package? I see that ESET currently downloads around 150 MB during the first update. So if the compressed version in an offline installer is only 85 MB then I think that's not big at all. That's probably the smallest I've seen. Even with my not so good internet it would only take over a minute to download that. Even a 150 MB installer shouldn't be considered huge, and many other AVs have a lot larger ones. Also like you said, the live installer's job is to download the product without worrying about OS versions, etc., so most people are likely to download the live installer anyway, so an 85 MB or even a bit larger optional offline installer is fine and seems more appropriate than the current one.
  9. 1 point
    Marcos

    EFS / Server 2012 R2

    A memory dump of ekrn can be created via the advanced setup -> tools -> diagnostics -> Create (dump). I'd recommend opening a ticket with your local ESET support.
  10. 1 point
    The trojan was not executed; it was scanned by the javascript scanner when you opened the compromised website and the connection was blocked.
  11. 1 point
    Marcos

    ESET Cloud Administrator

    The Endpoint / EFSW license doesn't have the ECA flag. It seems you have a trial license so I'd suggest contacting the license issuer and asking for a license for "ESET Endpoint protection advanced cloud" which is Endpoint Security for ECA.
  12. 1 point
    Marcos

    unable to connect all agents to ESMC server

    Please check C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs\status.html and trace.log on not connecting clients for possible errors.
  13. 1 point
    itman

    "pyrate", Behavior Blocker Bypass POC

    This is a ludicrous statement. Yes, python.exe is a trusted .exe. So no alerting will be done on the .exe. But its scripts certainly are not trusted. I find it a far stretch that no one is scanning Python scripts; especially un-obfuscated ones.
  14. 1 point
    itman

    "pyrate", Behavior Blocker Bypass POC

    Assumed here is the POC .exe at startup or upon user consent of the displayed prompt creates the My Documents\test directory. The program then copies all or part of existing My Documents files into the My Documents\test directory. The program code then proceeds to encrypt whatever files exist in the My Documents\test directory. Again, Eset will not detect this as ransomware. Tell the POC author to first manually create the My Documents\test directory and copy whatever files he wants to it. Remove the corresponding program code that does this. Now run the POC directly executing the encryption commands against all files in the My Documents\test directory.
  15. 1 point
    peteyt

    blocking government level spyware

    The problem is that everything is flawed. As Marcos himself has said, no AV can ever be 100 percent. Flaws will always exist, and if cyber criminals and governments find them they probably won't report them and will actually use them. It all depends, I suppose, on the risk, e.g. if a government agency finds a flaw that could put themselves at risk they may need to report it. It's one of the reasons I dislike the idea of backdoors purposely placed by organisations at the behest of governments. People can say "if you've got nothing to hide", but they tend to forget that if a backdoor does exist there's nothing stopping other people finding it. I do also think some people however worry too much and also want stuff that needs information without giving information. Take LiveGrid for example. If people avoid sharing information then it becomes harder for ESET and other AVs to offer quick responses to things such as new malware because sometimes they have to see it in the wild first. Some want all these features, but with a lot of things you need to make compromises. I've seen people wanting searches, e.g. on mobile devices, to be more personalised, e.g. local results, without giving personal information, and that makes no sense.
  16. 1 point
    NewbyUser

    blocking government level spyware

    A philosophical issue way beyond the scope of this forum here, but governments are made up of people, and are neither good nor evil. It is the nature of the people that brings the problem. Typically greed or fear are the greatest driving forces of what a government or its society becomes when they turn negative.
  17. 1 point
    I notice on all installs of ESMC that the message in Status Overview always comes up in RED! "Notifications containing inaccessible objects." and has a number. This is referencing the notifications which do not have an email address added to the notification. Why is this the default, especially if the customer is not using SMTP server settings to send out notifications? It throws off reporting. Is there any way to resolve this outside of adding an email address to every single notification, which I usually highly recommend not doing as it creates too much noise for the customer getting the notifications.
  18. 1 point
    MartinK

    Installing Third Party App via Console

    There are technically two possible ways:

    - Using "Software installation task", which can install arbitrary MSI installer files. It has to be available locally on the target system or via HTTP, which will be entered into the task configuration. In case of a network share, permissions have to be set in a way that the local service can access the shared installer (this causes the most common issues).
    - Using "Run command task". In this case it might be more complicated, as the whole installation logic, including package download and execution, has to be written as a command. But if I recall correctly there are a few PowerShell snippets to be found on the forum that might help.
  19. 1 point
    SeriousHoax

    "pyrate", Behavior Blocker Bypass POC

    All the ASR are available for Windows Defender too.
  20. 1 point
    Hello, Just to add to my colleague @Marcos suggestion, I would strongly recommend you back up any important information stored on the drive, as it sounds like it has begun to fail. SSD failure modes can be very problematic in terms of data recovery, so it is a very good idea to make sure any type of information you have on the drive which is valuable to you is saved in one (or more) backups. After you have gotten your important information backed up, check with the SSD manufacturer to see what diagnostic software they offer to check the drive, as that may provide you with additional information/insight into what is happening, as well as what options are available, such as replacing the drive under warranty, and so forth. Regards, Aryeh Goretsky
  21. 1 point
    itman

    HIPS Alert for Host process

    At this point, you will have to track down what service is causing this and find out if it's legit.
  22. 1 point
    Marcos

    Setting up HIPS/policy

    HIPS uses paths with file names. Hashes can be used only in exclusions or in ESET Enterprise Inspector to block files with specific SHA1.
  23. 1 point
    Moderators of this forum work either directly at the customer care in ESET HQ in Slovakia or ESET LLC in the US or they are experienced persons such as Aryeh who is a distinguished senior researcher from ESET LLC. Then there are users from the ESET staff group who help in this forum; they are typically developers who chime in to help especially with ESMC-related issues.
  24. 1 point
    For instructions how to collect logs with ELC, read How do I use ESET Log Collector? You can upload the generated archive here.
  25. 1 point
    The issue is fixed in the Internet protection module version 1396; currently it is available on pre-release update servers.
  26. 1 point
    Alex_Ch

    EEA and Agent install script for Mac

    Hi Support, We are using ESET Endpoint Antivirus + File Security with ESET Cloud Admin, and we are planning to install EEA + Agent on 120 MacBook Pros via the MDM solution JAMF. I got this (https://support.eset.com/en/kb7324-deploy-eset-endpoint-products-for-macos-using-jamf-pro) for the EEA deploy; EEA looks to be working well. For the agent, I can't find any deploy script on ESET Cloud Admin. My questions are:

    1. Can I have the agent deploy script for Mac? I can edit the script and update you on whether it works or not and what the problem is.
    2. We are planning to use a script to deploy the agent for Mac; does ESET Cloud Admin support this, and where can I get it?
    3. If not supported, how can I deploy the agent on Mac, only by creating a live installer and publishing it to the end users or task owner?

    Thanks Alex
  27. 1 point
    itman

    "pyrate", Behavior Blocker Bypass POC

    Here's a book, 'Creating a Ransomware With Python', in .pdf format for those wanting to get into the "nitty gritty": https://hakin9.org/product/creating-a-ransomware-with-python/
  28. 1 point
    itman

    "pyrate", Behavior Blocker Bypass POC

    Looks like someone just made things a lot easier for Python based ransomware: https://github.com/sithis993/Crypter#builder
  29. 1 point
    Marcos

    "pyrate", Behavior Blocker Bypass POC

    I was unable to find a download link for the PoC. It's still a PoC, not actual malware, so AV vendors had no chance to analyze it and possibly adjust detection. One can't expect 100% proactive malware protection; that doesn't exist and there's no AV detecting 100% of new malware and PoCs. One should keep that in mind and not rely 100% on an AV always detecting 100% of malware. Without analyzing the PoC it's impossible to comment on it.
  30. 1 point
    Marcos

    Ubuntu 20.04 64-bit support

    On the download page select the 64-bit version of the product:
  31. 1 point
    Marcos

    Microsoft Teams issues

    Does creating a permissive bi-directional firewall rule for the following app help? /Applications/Microsoft Teams.app/Contents/Frameworks/Microsoft Teams Helper.app
  32. 1 point
    Marcos

    Help

    Please elaborate more on the issue that you are having.
  33. 1 point
    Contact the seller and ask for a refund.
  34. 1 point
    Marcos

    Filecoder Stop

    I've found it submitted. Actually the problem is that on the website the ransomware note was inserted in a raw form without any html formatting (after <pre> and <code> tags) which triggered the detection.
  35. 1 point
    tboehm

    Microsoft Teams issues

    Same for me since a couple of days. 1:1 calls work fine. Meetings and conferences do not. By deactivating the ESET firewall, everything works normally. macOS 10.15.4 with Microsoft Teams 1.3.00.9271 and ESET Endpoint Security 6.8.400.0
  36. 1 point
    MichalJ

    Update Error?

    Maybe a "Stupid" idea, but is the Windows time set correctly? There is by default a check in the ESET application that compares the issue date of the latest detection update against the system time. If the system time is set in the future, it could trigger this notification, but it's just a guess.
  37. 1 point
    gary11111, Please try to open B&P from the shortcut and go to your bank site, FF should work fine for you this way. With FF and ESET banking and payment a separate profile is created. You may set your personal security you wish FF to use with B&P in this profile by just opening B&P and choosing FF "options" while in the B&P window (you can use tighter security than normal browser for example). Personally I love this method of operation, I have just my secure payment sites in the B&P profile. I open B&P from the desktop shortcut when I want to have its extra level of protection while making payments. I even organize my favorites in that profile making the house finances very efficient. Getting every site to open as desired is quite a challenge with modern site design. If you supply your bank site the moderators may be able to pass that on to developers to see why it is not opening automatically. I hope this may help in your enjoyment of ESET, in my opinion one of the best -- ebill
  38. 1 point
    Marcos

    BOGUS local account reappearing

    You have activated Anti-Theft on "DO....Y-LAPTOP", the name of the phantom account is "zyssowmqbx". You can disable AT via the AT portal https://anti-theft.eset.com. On "DESKTOP-J.....J-R......p" the name of the phantom account is "fkiynygdck".
  39. 1 point
    mourad

    vrius txt et qewe

    Thank you a lot. I will try your solutions and afterwards we will discuss.
  40. 1 point
    Marcos

    PiHole & ESET Smart Security

    While Windows is not officially supported, perhaps it runs on Windows as well according to this statement: It was originally designed to run on Raspberry Pis. So, unless you had a Raspberry Pi, or a computer running Linux, you were out of luck. However, it's now available for Docker. This means it can be installed on any device which will run Docker, such as Windows PCs or Macs. Anyways, ignoring the fact that it's Pi-hole, the DNS requests might have originated from antispam. Do you use MS Outlook or any of the supported email clients that ESET can integrate with?
  41. 1 point
    NewbyUser

    Dell Security Advisory Update?

    Yeaa, hard to say what they actually did lol. Did they update the image itself to apply patches in the image? lol. Or did they update the actual restore process itself? That seems unlikely as restoring typically occurs outside Windows and is a bit by bit overwrite, so I doubt permissions are needed. It's not a very informative update summary, so it's hard to say what they actually changed.
  42. 1 point
    NewbyUser

    Dell Security Advisory Update?

    https://www.dell.com/support/article/en-us/sln321036/dsa-2020-059-dell-os-recovery-image-insecure-inherited-permissions-vulnerability?lang=en Seems to be addressing this: https://www.dell.com/support/article/en-us/sln315190/dell-emc-idrac-multiple-vulnerabilities-cve-2018-15774-and-cve-2018-15776?lang=en Either they're slow to patch it or it wasn't fully addressed in prior patching. Or, likely, adding the patch to the restore image, so it would be one less thing to have to address should restore be needed. Summary: Dell Windows 10 recovery images require an update to address an insecure inherited permissions vulnerability.
  43. 1 point
    Marcos

    System Cleaner: feature request

    This feature is intended for common users who have been hit by malware which changed some system settings and policies. Using the tool the user can reset particular settings and thus avoid reinstallation of the OS. The tool was in no way meant to be for experienced users who can fix possible issues themselves.
  44. 1 point
    Sammo

    Eset LiveGrid and Update Servers Down?

    It might just be a coincidence, but I just restarted the router and all of my devices and Eset is just fine now. Updates and LiveGrid connect okay. 😀
  45. 1 point
    It is. We have a dispute with both of our neighbors, Bulgaria on the east and Greece on the south. Bulgaria doesn't recognize our language/nationality, Greece doesn't recognize our country name/nationality They both kinda think we don't exist and we are either Bulgarians or Greeks... For things to be more interesting, we used to be a part of Yugoslavia until it got disbanded in 1990/1991 and Yugoslavia consisted of: Serbia, Croatia, Bosnia, Montenegro, Slovenia and Macedonia
  46. 1 point
    kurco

    Install Eset File Server (error)

    Hi Mike, ESET File Security for Linux supports only the UTF-8 & ANSI X3.4-1968 codesets. Probably the codeset configuration of your machine is different. Changing the locale settings to UTF-8 should resolve your issue. For example, if you are using US English, this is a working locale: "en_US.UTF-8", and this is a non-working locale: "en_US.iso88591". Peter
  47. 1 point
    Please check the hints at https://dontkillmyapp.com/xiaomi.
  48. 1 point
    This is an early announcement related to the end of life for ema.eset.com (EMA1). As we're completing the migration of MSPs to EMA2 (msp.eset.com), the aim is to phase out EMA1 completely by the end of the year. For more in-depth information and details, please consult the links below:

    - ESET MSP Administrator V1 to V2 Migration Process FAQ: https://help.eset.com/ema/en-US/migration_faq.html
    - ESET MSP Administrator versions feature comparison (EMA1/EMA2): https://www.eset.com/int/business/msp-administrator/
    - More about ESET MSP Administrator V2: https://help.eset.com/ema/2/en-US/
    - How to use EMA2 with your ESMC: https://help.eset.com/msp_getting_started/en-INT/

    There will be more detailed information about what this specifically means coming via the usual channels and you'll be informed about any action steps that may arise as part of this EOL initiative.
  49. 1 point
    YFNP

    failed to create firewall rule

    I have recently been having the failed to create rule issue, so I tried a few things and eventually hit upon this. It seems that part of ESET is trying to run with less than full admin level powers.

    1. Go to the directory ESET is installed into, such as "C:\Program Files\ESET\ESET Security" for Smart Security.
    2. Locate the GUI interface, such as, for Smart Security, "egui.exe".
    3. Right click on it / Properties / Compatibility / set to run as administrator. Apply. OK.
    4. Right click on it again, copy.
    5. Find an empty spot on the desktop. Right click. Paste shortcut.
    6. Run the shortcut, to make sure it is running.
    7. Task Manager, however you get to it, Ctrl-Alt-Del or right click the task bar or whatever.
    8. Locate the ESET GUI in Task Manager and 'End task' on it, to make sure the process is ended. Running the shortcut the first time makes sure it was running so that you can find it to end it.
    9. Run the shortcut again. Now when it runs, you should be able to get the popups to create rules.

    And at least for me now, until ESET updates again, I have to keep the GUI running minimized in order to be able to get the popups to create rules. It is what I did and what works for me. Posting here in case at a later point someone else gets the same issue and wants a possible fix to try. Sometimes finding a part of a program component and selecting it to run as administrator in Properties gets around Windows hiccups.
  50. 1 point
    False positive reports

    To submit a possible false positive, see Submit a suspicious website / potential false positive / potential miscategorization by Parental control to ESET for analysis when you wish to submit via email, or use the Submit sample for analysis function from the program GUI of the ESET product installed on your computer.

    Whitelisting

    ESET does provide a whitelisting service for software vendors by which you can submit your software to minimize the chances of false positives, e.g., when your software is being downloaded. This service is intended as a preventive measure for trusted and undetected applications to minimize the risk of future false positives. The whitelisting service is not a channel for removing existing detections, disputes or solving other unrelated problems. If you want to register your software for whitelisting, please follow the instructions in the KB article How do I whitelist my software with ESET?

    Requirements for false positive submissions

    When submitting false positive file(s) via email or via the program GUI, it is necessary to send a copy of the falsely detected file(s) as well as a description of the file. I will explain what information is needed and why it is important.

    1) Name of the legitimate application the file belongs to. When submitting false positives you must be able to identify the name of the application that is being falsely detected. No-name false positive reports (when information about the application name is missing) are harder/slower to examine and in many cases indicate correctly detected malware rather than a false positive. Example of correctly provided information: “This file belongs to VLC media player 3.0.6.” When you provide the specific version number, it helps. Example of how not to submit false positives: “I don’t know what it is and why I have it on my computer but I think it is a false positive.” If you don’t know what the file is, don’t report it as a false positive.

    2) Name of the application’s author, developer, vendor or website where you downloaded the software. Each legitimate piece of software has a known author or a known company who developed it. There is a known source/origin where the software can be obtained and where you can learn information about it. This information is needed in the investigation process. Researchers need to verify whether the software is safe and they may need the full installer to evaluate the software properly. Researchers may need to investigate whether other versions of the same software were affected by the false positive or not. It is important to know the source/website where you downloaded the software because some download websites provide different installers than the original vendors.

    3) Application’s purpose. Let the researchers know what the application is supposed to do and what value it offers to you. This information is usually available on the vendor’s website, but there are many old applications where the website is no longer available, or the software was distributed only on CD-ROM/DVD, or the software is custom/in-house developed and the description is not generally available. Examples of an application’s purpose: this is a picture viewer, video converter, movie player, communication software, printing program, database program, web browser, accounting software, computer game, tool I use for programming, etc.

    Don’t hesitate to provide any additional information you deem important. You may add the specific detection name you saw when the detection occurred. In case some specific circumstances are needed to reproduce the problem, tell the researchers how (for example, it may happen that the file itself is not detected but it downloads/creates other files that trigger detection).

    You may submit false positives via email or directly from the ESET product via the Submit sample for analysis function. To use the function, open the GUI of ESET Internet Security; you will find the following icon under Tools by clicking More Tools: Please select the “False positive file” option and attach the file you want to submit. Please provide all the necessary information (as described above) that researchers need to process your false positive submission. Information you provide indeed significantly helps ESET laboratories in the identification and processing of samples. Thank you for your submission!