Leaderboard

Hello @itman, the .exe itself is not malicious, it loads the .dll, which is being detected... Peter

Hello @mxp, we would like to identify the root cause of the problem. Can you please send me the license ID of the affected license via a private message? I will follow up with my colleagues. Indeed it should not take that long, so it´s either an one time issue, or a possible bug in the implementation.

Hello @Mr.Gains, thank you for your post, to resolve the issue you describe (I believe I understood correctly) I suggest to do the following in an EFDE Policy: set "Maximum uses" under "Recovery Password Uses" to 2 AND "Automatically generate new recovery password" under "Recovery Password Uses" to YES AND "Generate when (uses remain)" under "Recovery Password Uses" to 1 This way you will restrict use of one recovery password to 2 uses, and after the 1st use a new one will be generated and will become a valid recovery password AFTER EFDE connects with ESMC. With more attempts than set in a policy, it sounds like a bug. Could you please raise a tech. support ticket for this issue? we will investigate

In the EFDE policy we have total recovery password uses, and the recovery password reset when it reaches a number of uses left. The issue I see with this is that the user can reuse the same recovery password until they reach the auto-generate new password in policy, could we have this to where it could generate a new password after a number of use? For example in policy there's 20 recovery password uses, and it'll auto-generate a new recovery after every 2 recovery password used, and it'll warn the user when there's 4 total recovery password uses available before recovery data needs to be done. Another thing in entering incorrect password at the EFDE login screen, sometimes I get more attempts than I'm allowed and/or system reboot after 3 times. I'm thinking there's a bug in the password attempts, but it would nice for users to see how many more attempts until the current password is disabled. Thanks,

If you want only accessing of one category of urls to be reported to ESMC, it should be fine. The problem could be if you created a rule for every single url with the Warning severity. Since a single client could generate several such records per second, with hundreds or thousands of machines reporting them to ESMC could cause network and server performance issues and congestion.

You must use the "Warning" severity for the desired Web control rules to send the data to ESMC. However, be careful to not use it for rules that allow or block too many urls or it may have adverse effect on perfomance of the ESMC server if many clients start to send a lot of data.

The alert reads "Suspicious" detection which means the file was blocked by LiveGrid or EDTD. Detection of suspicious app would look like file.exe - a variant of Win32/Packed.VMProtect.AC suspicious application

But it is the machine learning that is triggering the detection , not the update database The way this program behaves is being triggered by AUGUR that is suspicious

That's what he did and I suggested to remove it from exclusions since the file is not detected with current modules.

It is your suspicious application setting that is triggering this detection , you can add this software to exclusions if you trust it so it won't be detected anymore.

Please post the information about installed modules (Update -> Show all modules).

The file is not detected by ESET: mofidtrader.exe » UPX v13_m8 - is OK Please remove the exclusions and re-scan the file(s).

It depends on the local seller. Unfortunately, we do not sell to Iran.

Itman doesn't work for ESET so he cannot know. I do and I don't know either because the module is being tested and no ETA is available. All we can say at this point that the module will be released soon, most likely within a couple of days.

1, Correct, the module will be downloaded automatically with engine and other module updates. 2, Under Update -> Show all modules you can check the version of installed module. The version of the fixed Cleaner module will most be 1213.

It solved my problem. When will I know that I can delete the files?

The patch solves the issue for Windows10 2004 with ESET Endpoint Antivirus 5.0.2271.1. Also RAM allocation and scan time looking way better (attached image).

never mind.. Sorry for the noise. [1] answered my question. [1] -

I turned on startup scan in normal mode and enabled AppVerifier in safe mode. When I returned to normal mode, ESET did not load into the system, and the issue cannot be triggered. I tried manually open ESET Security through Start Menu, but nothing happened after I clicked the icon.

Hello guys, Okay, I removed (from safe mode) EEA with esetuninstaller.exe, then reinstalled my usual 5.0.2272.7 x64 on my Win7. Then I go to > advanced configuration > computer > HIPS > [uncheck] Selfdefense, and I performed a virus database update, then I rebooted. With Selfdefense OFF, I tried to perform a procdump and it freezed Windows, no dump file was writen to disk, and I just totally lost control over operating system. I tried multiple times to generate a dump with selfdefense OFF, but it just totally freeze win7 (with / without "-e 1", "-ma", "32/64 procdump.exe", etc.) So I decided to enable again Selfdefense and start the command "procdump.exe -ma -s 10 -n 720 ekrn.exe" to have one dump every 10 seconds (because with selfdefense ON, I can't use "-e 1" unfortunatly). I also runned "process monitor", and wait the issue to reproduce. I feel that when the exception occurs, EEA is performing one of the startup scan because I can see the eset icon turning into taskbar, and overlib speak about startup scan, not virus database update. Could it be related to memory ? This startup task is eating a lot or ram (1.7 GB!), maybe there is one kind of infinite loop here. About dump, the bigger eea was using memory, the less dump file I could generate (See screenshot, "Error writing dump file: 0x8007000D"). Another information, once the ekrn.exe engine is broken, disabling AV from GUI is useless, but I can have internet access again with the following settings modifications: USELESS = advanced configuration > internet & mail > protection of web access > HTTP & HTTPS > [Uncheck] Activate control USELESS = advanced configuration > internet & mail > protocol filtering > [Uncheck] Activate content filtering FIXED = advanced configuration > internet & mail > protocol filtering > [Uncheck] System integration So finally, I was able to trigger the bug and have a 1.3 GB dump before and a 1.9 GB after freeze, let's hope it will help I also have one whole 4GB logfile from ProcessMonitor. Please find my complete debug session files (14GB) at the following URL (it's one ultra 1GB 7z file with 512MB dictionnary RAM compression): hxxp://tmp.zool.fr/tmp/eset/20200713_NoOutgoingPacket.7z Thanks !