Leaderboard

Popular Content

Showing content with the most kudos since 09/22/2020 in Posts

  1. Marcos

    DotNet MSIL / Injector.VGR

    We've nailed it down. A legit tool was backdoored and loads a malicious dll with zero detection at VT which loads the following encrypted payload: I expect the detection to be available momentarily via streamed/pico updates. Also please confirm that you have enabled the LiveGrid Feedback system for maximum protection.
    5 points
  2. Marcos

    Detections Actions Error

    The issue is caused by an older version of the Translation support module. On Monday we should start with upgrade, however, it will require a restart of the ESET PROTECT Cloud instance.
    4 points
  3. Marcos

    Website is clean now

    This forum is not intended for disputing blocks or detections. Since the malware has been removed, the website was unblocked but the applications will continue to be detected. Having said that, we'll draw this topic to a close.
    4 points
  4. The world is rocked by the horrifying news of how despotic authoritarian governments and their agencies have used the spyware Pegasus made by NSO from Israel to intrude the phones & privacy of journalists/opposition leaders/judges/activists etc. From all accounts, it is now becoming clear that the two primary operating systems on phones, Android & iOS by Google & Apple, have intentional backdoors disguised as security bugs to allow the security agencies to snoop into any smart phone worldwide. My question is, as a responsible antivirus vendor, will ESET ever be able to protect the users from such illegal intrusions? Is it ever possible, considering that the OS itself has been laid bare to such intrusions by incorporating "security bugs"? Phones, especially the smart phones, are no longer secure, but the stunning silence of all AV vendors is even more cause for concern.
    4 points
  5. The bug is just visual and should not have any noticeable effect on memory consumption. Will be fixed in v15.
    3 points
  6. Tell me, Eset - are you insane? A few days ago you released version 8.0.2039. We started a rollout for a few thousand endpoints and now you are releasing 8.1.2031??
    3 points
  7. Hi, the problematic domain you reported has been already removed from the cloud blacklist. The quickest way to solve such cases is to send the email sample to nospam_ecos@eset.com (https://support.eset.com/en/kb141-submit-a-virus-website-or-potential-false-positive-sample-to-the-eset-lab#spam) as those are handled almost immediately. Also based on the sample we have identified a problem in the algorithm that selects the sender's address from email headers in some cases (Return-path: header), and it will be also addressed by an automatic update. Regards, Matej
    3 points
  8. Component upgrade task upgrades only ESMC/EP components, such as ESET Management Agent, ESMC Server and ESMC WebConsole, but it does not upgrade other, especially third-party, components such as Apache Tomcat, Apache HTTP Proxy or MS SQL Server. Thus the benefit of performing a manual upgrade using the all-in-one installer for Windows, or performing an upgrade of the EP/ESMC Appliance using "migration" to the new version, is that third-party and possibly other support tools are also upgraded. Also note that a manual upgrade is less prone to failures caused by environment issues, such as those that are network related, but also those caused by missing dependencies (for example minimal supported version of OS or database itself). My recommendation would be to perform a manual upgrade, as it is fairly simple from the user's perspective, and it offers more control. Also I would recommend performing a database backup before doing so, but that should be the case also for automatic upgrade.
    3 points
  9. Marcos

    MacOS 11 Update Issues

    We are in the process of finalizing a new version of Endpoint with all system extensions compatible with Big Sur 11.2. It should be released towards the end of March.
    3 points
  10. Primordiarch

    2FA for my.eset.com

    Hello. Please add 2FA feature on my.eset.com. Thanks.
    3 points
  11. Hello @Kostadin_k, EFDE for mac utilizes FileVault because there is no other way to FDE macOS. Apple prevents its system to use FDE from 3rd party vendors. EFDE for win is a different story. Microsoft allows for vendor's proprietary encryption and we have this covered. So we are pretty much covered on both macOS and Windows. But yes, adding Bitlocker management to ESET Protect (Cloud) is an option, but even if we go this direction in the future, it will not work as seamlessly as you described. Taking over management of an already encrypted machine is more than complicated because of recovery password that belongs to a particular encrypted system. Migration of these recovery passwords from Active Directory (where Bitlocker stores them) to our console followed by a seamless "takeover" of the machines by the console is very complicated (if even possible). At this moment, adding management of Bitlocker to our EFDE/EP(C) solution is not on our roadmap. Ervin Rendek PM for Encryption solutions
    3 points
  12. When we update our ESET Agents we find that we need to have all our machines reboot. With the reboot option in the management console the machines just reboot with no warning. Any open work is lost and the user is confused, thus generating a call to the help desk. Would it be possible to have a reboot notification when pushing a reboot on a machine. ESET is finishing an update and will reboot in 30min. Reboot later or reboot now. I reached out to support and was told to post this request here.
    3 points
  13. Today (February 25) we plan to release a Detection engine update with expected size around 12,2 - 12,4 MB. We expect that the update will be available on the update servers for the clients to download at around 14:00 CET (+/- 30 minutes). This change will optimize the way we store the data and will reduce the Detection engine size and its memory footprint, and will also make further updates smaller. The Micro updates scheduled on February 26 will have the weekly update package around 13 MB in size and the monthly update package up to 15 MB. Peter on behalf of the teams involved
    3 points
  14. Problem fixed. Windows server updates had reactivated a couple of services which had nabbed port 80. Simply disabling them negated the issue. I'm now planning on moving the EEE server onto a different port to resolve the issue permanently during the downtime over the weekend.
    3 points
  15. Hello ESET Endpoint Security / Antivirus users, It’s been quite a while since we released the 7th generation of our Endpoint solutions, so naturally you may ask when the generation 8 will be released. We have good news to share, as we are approaching the final stages of development and preparation for the release, we would like to share it with you so you can try it before it gets released officially and give us feedback on it, which is very valuable for us. I guess the first question, which comes to mind is what will be the new features of it. Let me briefly name some: Secured browser bringing additional security to the browsing experience as it protects the browser’s memory, restricts the extensions and protects the keyboard inputs as well. Micro Program Component Update which will be manageable from the management console as a practical solution to keep the product up to date with ease. Installed endpoint can wait for its application, without affecting the protection level. Moreover the updates are differential, thus much smaller than standard installation packages. WMI Database and System registry scans added as a scan targets, allowing the users / administrators to initiate on-demand scans on them. Unified exclusions for IDS bringing the unified UX to those exclusions as well. To find out more and try it yourself, join the BETA program… I hope the described features and improvements made you interested, you sign up here by a reply, or by sending me or TomasP a private message. By joining the BETA you agree with our BETA Program agreement. We are looking forward to your feedback. Thank you in advance, Peter Randziak on behalf of teams involved
    3 points
  16. Hi Thomas, My solution is the following: 1. I created a dynamic group to collect the computers with the error message "Restart required". 2. Then I defined a CRON-triggered task to send a pop-up window message to the affected computers: "Hello Colleague, please restart your computer as soon as possible because an ESET software update...bla..bla" or something like this. You can configure the CRON to, for example, launch the message hourly, every 10 minutes or as you want. It works pretty fine.
    3 points
  17. Avast blog article here: https://blog.avast.com/cybercapture-protection-against-zero-second-attacks . Detail on configuration options here: https://support.avast.com/en-us/article/54/ Of note is this feature exists even in Avast free version. Time Eset "get with the program" and offer same like capability for their home use products.
    3 points
  18. The fact is Eset has all the internal mechanisms in place to accomplish this. All they have to do is block the process until LiveGrid black list determination processing has completed. As to the false positive element, I say "to hell with that." Most home users would not be significantly impacted by such process blocking. This could be also further refined by adding Trusted Publisher, signing, etc. criteria to Eset Reputation scanner. Failure on reputation coupled with suspected malicious activity should be enough to block until LiveGrid initial scanning is completed.
    3 points
  19. We are aware of the problem with Windows applications and the changing path with each update. There is a plan to come with up a solution to this in long term. Also I can assure you that we value any constructive feedback or suggestion and it's discussed with product managers and developers.
    3 points
  20. This was in the Cloud Administrator topic but should be here too. Description: A new task/setting to reboot computers with a popup message warning. Detail: Add the possibility to notify the user that the computer will be restarted when the reboot computer task is triggered and give them, for example, 5 minutes to save/close programs/data.
    3 points
  21. It has been discussed again and again, but I still want to say: with Endpoint 8.0, please give up stupid MySQL and use MariaDB. Check the current system requirements, it is really funny: MySQL ODBC driver versions 5.3.11 and later, 8.0.0 – 8.0.15 and 8.0.18 and later are not supported.
    3 points
  22. Yes, v14 is going to be released later this year. It will be announced here as well as via other marketing channels.
    3 points
  23. itman

    Eset Update Hang on ver. 14.2.24

    Next time this updating issue occurs, use a network connections monitor to ensure ekrn.exe has a solid connection to port 8883. You can use Eset's Network Connections tool or TCPView. I prefer TCPView since it will show if there are sync issues with the connection to port 8883, ekrn.exe is trying to establish. Eset uses port 8883 with fallback to port 443 for Push Notifications. If there are issues with getting that connection, it will cause this bork Eset updating behavior some are experiencing.
    2 points
  24. As per the subject, once Detection engine 23963 is downloaded all links to O365 Safelinks are blocked. Had to add *.safelinks.protection.outlook.com to the allowed websites.
    2 points
  25. Appears there are multiple causes involved here. The ones mentioned are: 1. Windows update cache issues. 2. Eset update cache issues. 3. You name it ........... Eset needs to provide built-in diagnostic capability for problems like this and other issues. Think along the line of Windows 10 "Fix-It" wizards. I for one am tired of the constant requests for Eset logs to diagnose product issues.
    2 points
  26. Marcos

    Detections Actions Error

    Please raise a support ticket with your ESET UK. It's probably caused by the update of the Translation support module yesterday, however, I don't have this problem myself so there must be also something else that triggers the issue.
    2 points
  27. On August 25 we are starting to roll out the very first uPCU update to v8.0.2039 version for those with older Endpoint v8.0 versions. The rollout will be staggered and we expect it will take about 2 weeks to get downloaded by all users with an older version of Endpoint v8.0.
    2 points
  28. Eset revoked cert. detection is correct - see below QUALS screen shot. Note! Chryslercaptia.com URL cert. is OK. It is the cert. used for myaccount.chryslercaptial.com URL that has been revoked.
    2 points
  29. What I find funny is the people behind pegasus keep saying this person and this person etc. weren't being tracked by the software and the next thing they say they don't have access to customer data so can't see who/what their customers are spying on, which contradicts the previous statements
    2 points
  30. Still that's not good enough. Maybe we could ignore if it was one or maybe two. But 7 ransomware miss at the time of testing is a huge number. It shows again what the OP suggested that ESET's ransomware shield is very bad and almost not effective at all. ESET needs to improve.
    2 points
  31. Hi Gang, Components: ESET Protect (8.0.2225.0) ESET Endpoint (8.0.2039.0) As part of a task, we install a specific version, in this case Endpoint 8.0.2039.0. This lets us ensure that all nodes are at least on the same version and potentially avoid any niggles by always going on the latest. However, ESET Protect always sees the latest version? This is currently Endpoint 8.1.2031.0. Thus ESET Protect now shows in the status dashboard that all our Endpoint nodes are now out of date. My question, how do we baseline or set a static version so that ESET Protect is not always referring to the latest version? I'd rather us determine what level we deem is up to date. I thought I achieved this with the task for installing Endpoint but that seems not to be the case. This is what I am referring to: Thank you, Daniel
    2 points
  32. Please just try for a second and understand the problem we are having with Eset on Big Sur since November 2020. When installing it prompts the user to approve a network proxy. If they approve, and web and email protection is turned off: We lose network connectivity. If they approve and web and email is on: Our VPN etc breaks. If they don't approve they get a warning that their machine is not protected. But at least things keep working. There is a button to enable or disable web and email protection and it doesn't work. Whether that is a risk to take or not is not the point. Your answer is not very helpful when you are arguing against what your customer wants to do. Also, keep in mind that this is on a platform where most people do not run an antivirus at all. We are looking at this from completely different sides. And a lot of my peers are looking for other AV products.
    2 points
  33. After downloading the uPCU update, the product will turn yellow, informing the user about the recommendation to reboot the machine. The notification can be disabled for users in the Application statuses setup where you can choose only to report it to the EP console:
    2 points
  34. Nightowl

    Dark Mode!

    It's not yet supported that's why you cannot use it
    2 points
  35. This is not possible without downloading the whole msi installer. After a microPCU update has been applied, the Repair option changes to Export.
    2 points
  36. It was changed in the past. The thing is the last msi installer you may have locally stored may be v12 or 13 so repairing v14 would actually downgrade to v12 or v13 and you'll need to download upgrade to v14 again which is not desired.
    2 points
  37. I recommend contacting your local ESET distributor and asking for the feature while providing more information on the use case. The more users will request it, the higher chance we will consider adding it providing that the feature would be useful for many of our users. Since everything has been said and explained, we'll draw this topic to a close.
    2 points
  38. Hello @Ufoto As of now, this is indeed not possible. I assume that you are a reseller, and you have more than one customer with their own EPC instances. As of now, you will have to have different aliases for every such instance, as one "EBA USER" can be linked only to one EBA instance, and one EPC Instance. We are working on a new reseller focus portal, which will allow you to have a "service level login" to all your customers' EPC instances. So yes, there is a plan to add multi instance access, however I can't confirm the exact timeline at this moment. But our target experience is similar to the one you are referring to. Regards, Michal
    2 points
  39. Hi Jeffry, Thank you for your message. The best way to exclude this detection would be to create an advanced exclusion. Below is an example of an advanced exclusion to exclude code injection triggered by a legitimate process:

        <definition>
          <operations>
            <operation type="CodeInjection">
              <operator type="and">
                <condition component="CodeInjectionInfo" property="CodeInjectionType" condition="is" value="ApcQueue" />
                <condition component="FileItem" property="FileName" condition="is" value="ppwatchersvc64.exe" />
                <condition component="FileItem" property="Path" condition="is" value="%PROGRAMFILES%\path\app\" />
              </operator>
            </operation>
          </operations>
        </definition>

      Change the FileName and Path accordingly. As mentioned above, this is an example, you can add or remove some conditions if needed. Then select the rules being triggered and this should exclude the detections. I also noted that your location is the Netherlands. If you are looking for Dutch support or have any further questions please don't hesitate to contact us via https://techcenter.eset.nl/nl/new-ticket Best regards,
    2 points
  40. Hello guys, thank you for your reports, I checked it with the QA and Dev, they are aware of this issue. Once the upgrade fails, can you please collect the logs as described at https://support.eset.com/en/kb3404-use-eset-logcollector-on-macos-and-send-the-logs-to-eset-technical-support?ref=esf upload them to a safe location and send me a private message with the download details and reference to this forum topic? Once you do, the work-around is to disable the Web access protection to apply the upgrade. We apologize for the inconvenience caused, Peter
    2 points
  41. Same problem here (Dropbox v111 - the latest stable to date). On the second computer, no problem with Dropbox v112 (early updates enabled). It's apparently a problem on Dropbox's side since they have released version 112 fixing this issue: https://www.dropboxforum.com/t5/Dropbox-desktop-client-builds/Beta-Build-112-3-254/td-p/476277 If you cannot update to Dropbox version 112, you can temporarily set the Dropbox client to ignore in the SSL/TLS filter.
    2 points
  42. The FP should be already resolved. You can enforce update of the blacklist by rebooting the machine.
    2 points
  43. Hi everyone, I found the solution to this topic on a German-speaking Thunderbird forum. For all non-German-speaking people, here is the translation with the action plan which solves the issue. At least for me. Not sure though if all menu names are correct, as I only have German versions. But you get the point I assume.
      Open ESET NOD32 Antivirus -> Setup -> Advanced setup -> Web and E-Mail -> SSL/TLS. Here disable the SSL/TLS protocol filtering -> deactivate.
      Open Thunderbird -> Tools -> Options -> Privacy & Security -> Certificates. Check if there still is an Eset certificate and in case there is, remove it.
      Restart the PC.
      Now, without opening any other program or application, go back to ESET NOD32 Antivirus -> Setup -> Advanced setup -> Web and E-Mail -> SSL/TLS. There you activate the protocol filtering again -> activate.
      Now open Thunderbird and go to Tools -> Options -> Privacy & Security -> Certificates. Now check if there is an Eset certificate now. There should be one dated with current day and time.
      Now Thunderbird worked as usual again for me :)
    2 points
  44. According to https://support.eset.com/en/news7604-eset-support-of-macos-11-big-sur, a version compatible with Big Sur that will include a firewall is planned for Dec 2020:
    2 points
  45. Yes, that was a false positive. Updates were already stopped a while ago and a fix is being prepared. It should be available within a few minutes. We apologize for the inconvenience.
    2 points
  46. I am pretty sure I was not presented with this information when I set up the new extension 😕 Is there any other way of getting the key?
    2 points
  47. We can't change what happened and you're unlucky that a non-authorized seller sold you a pirated license 2 years ago. Now if you're still reluctant to buy from your local ESET website then you may go to one of the authorized partners by yourself and buy a physical copy of it from there, and this time make sure to register the ESET license to your ESET account. An account isn't needed but it lets you see if your license is being used on a PC or not. https://www.eset.com/lt/platintojai/
    2 points
  48. Also since this invalid license issue keeps arising in the forum, I will say this. Eset and every other company I know of will not assist in any way for a misappropriated product. For what it is worth, I believe Eset "goes out of its way" in these situations. It is repeatedly stressed in this forum to only purchase a license directly from Eset or one of its in country authorized distributors.
    2 points
  49. Ok, Solution found: LC_ALL was not set. "export LC_ALL=en_US.UTF-8" did the trick. Regards Daniel
    2 points
  50. I already have, and they pretty much gave me the option of hiding the GUI entirely or upgrading. I just hope the feedback received makes the decision makers behind these decisions re-think this next time.
    2 points