Jump to content


Popular Content

Showing content with the most kudos since 05/19/2019 in all areas

  1. 2 points
    We have pinpointed a memory leak in the memory dumper. A fix is being reviewed and will be released through an automatic module update next week.
  2. 2 points

    PUP not handled

    Today we've released a fixed version of the Antivirus and antispyware module 1552.3 which addresses cleaning issues on Mac. Could you please check if PUAs are now cleaned properly?
  3. 2 points

    Eset To The Rescue Again!

    Some "free press" courtesy of bleepingcomputer.com: Windows 10 Apps Hit by Malicious Ads that Blockers Won't Stop https://www.bleepingcomputer.com/news/security/windows-10-apps-hit-by-malicious-ads-that-blockers-wont-stop/
  4. 1 point
    A-V C is "very creative" when it comes to finding samples for its Realtime test series. It's not uncommon for it to slip in a few samples that are geographically restricted to one country and/or region within with an "in-the-wild" dispersion of < 10. The odds of encountering one these samples in close to zero.
  5. 1 point
    I assume the reference is to this year's most recent A-V C Realtime test where Eset scored 98.4%; approximately the same as it has previously scored recently in this test series. If one has concerns about Eset, refer to this more comprehensive test series where over 10,000 malware samples are used: https://www.av-comparatives.org/tests/malware-protection-test-march-2019/ . Eset scored 99.86% for malware protection. Again, this is only one AV Lab's test; and test series for that lab. Refer to all the AV lab tests that Eset participates in and you will observe that Eset is a top scorer overall.
  6. 1 point
    It must have taken a bit of digging to find a test from a year ago. Test like this are not worth their weight in salt. So what is your purpose and point in posting this? Regards, Tom
  7. 1 point

    ESMC says up-to-date with 7.0.577?

    Thank you Marcos. I looked at that page several times and just overlooked that part. Guess I need to read the docs and not just skim them.
  8. 1 point

    ESMC says up-to-date with 7.0.577?

    Please read https://support.eset.com/kb3690/. The ESMC release contains the version 7.0.577.0 of the ESMC Server for Windows and version 7.0.471.0 for Linux.
  9. 1 point
    MacOS Catalyna is to be released in the fall. We officially support only final versions of operating systems, not betas since a lot can be changed under the hood before the new MacOS is released which could break ESET's functionality. At the time of the official release of the new MacOS, we should have a compatible version of ESET CyberSecurity and ESET CyberSecurity Pro at your disposal.
  10. 1 point
    Hello everyone, soo this is pretty recent. For the last couple of days I have been exhausted by the amount of ip's I see that either attempt to port scan me [2-3 ip's have attempted to port scan me in the past, most recent one was a few days ago but have been blocked by eset's firewall] and some ip's that have something to do with Svchost. I don't even know what to do anymore and I have ran out of ideas. My original idea was to ignore everything and let the time talk by itself, but it has come to the point where I constantly keep on checking the connections that were attempted via my internet. I have done everything, from scanning my network to even scanning my pc several times to see if I have any sort of malware inside my pc. Nothing was found. I've searched most of the ip's that pop up as svchost or whatever on abuseipdb and most of them were flagged as malicious. I'm gonna post some screenshots here of such ip's: I don't even know what to do anymore. Thanks in advance for your help.
  11. 1 point

    Windows 7 vs Windows 10??

    I believe this article sums up the differences nicely: https://wtop.com/tech/2018/06/is-windows-10-safer-than-windows-7/
  12. 1 point

    Importing setting to new HDD?

    don't know if your system is used by others, but if it is not, then I would not worry about this issue. the security hole from the article can only be exploited locally, as in sitting at the machine. Unless you are going to be performing DDOS attacks or hacking into your own system, then your safe. If it's your own system, your should already have Admin level access to the OS available to you. the only way for to be vulnerable is if you allow access to your machine to a untrusted remote user using Remote Desktop, Teamviewer or other similar software.
  13. 1 point
    Hello, It's possible CloudFlare incorrectly caches some parts of configuration editor and returns out-of-date data causing this. Please create HAR log @PavelP mentioned it might help us determine whether issue is with CloudFlare or webconsole itself. Ideal would be to have tomcat access log paired with this log to determine which requests made it to server and which did not. Thanks.
  14. 1 point

    Windows 7 vs Windows 10??

    Also don't forget about AMSI and protected services which were not available prior to Windows 8.1. With the help of AMSI script malware can be more efficiently detected. New script malware may be undetected on systems that don't support AMSI.
  15. 1 point
    Hello, We checked multiple browsers to identify which one produces this error (seems like you posted chrome error), However for future reference (and potentional improvement) can you please answer following? browser(s) (in case of IE ideally export security settings for security zone console is in) - you already said you tried multiple, however platform/browser still matters for reproduction. webconsole behind reverse proxy/application firewall ESET (or other) product with TLS filtering enabled installed on computer connecting to console Any "uncommon" setup you can think of This issue can arise in case _some_ https requests on same site (in this case as Pavel said seems like js script) is blocked from download. Which in case of TLS (to my knowledge) requires MITM interception (product/WAF/RP/actual attack) or extremely restrictive browser rules. Thanks, M.
  16. 1 point
    We have identified a problem when upgrading a Windows 10 system with ESET Endpoint Encryption installed to the 1903 feature update. Installing the update can cause the system to crash (blue screen) when booting. We are currently investigating the cause and recommend not upgrading an encrypted system to 1903 until further notice. Systems that have been affected will need to be decrypted using our recovery tool (if full disk encryption was enabled) and then repaired using the Windows recovery console. See this knowledgebase article for more details: https://support.eset.com/kb7309/
  17. 1 point
    You must have an older v6.6 installed ( – 6.6.2063 are affected) so upgrade to v7 will surely fix it and the notice will go away then.
  18. 1 point

    Cycled antispam

    Hi yardstudio, Releasing of spam from mail quarantine should work even if you don't report the false positive. The message is resent using replay directory and antispam is not evaluated again. If the email was marked as spam again, it means that it was routed through SMTP agent and tested for spam again - this is not the usual case. Do you have more Exchange servers in your environment? If yes can you describe routing of mail? Information about delivery of the message can be seen in "Received" headers (in the detail dialog) of the message that returned to quarantine. Please post the "Received" headers. BTW, which version of EMSX do you use?
  19. 1 point
    Please provide a Procmon log from a failed update attempt as per https://support.eset.com/kb6308. In particular, start logging with Procmon, run update and after it has failed, stop logging. Then save the log, compress it and provide it to me for perusal.
  20. 1 point

    Importing setting to new HDD?

    1. Open "Services" and for "NVIDIA Telemetry Container" stop service and set startup type "Disabled" 2. Run AutoRuns and in "Task Scheduler" section disable: + NVIDIA telemetry monitor + NVIDIA crash and telemetry reporter (2 instances) 3. You may also want to remove Telemetry logs: C:\ProgramData\NVIDIA\NvTelemetryContainer.log C:\ProgramData\NVIDIA Corporation\NvTelemetry\events.dat C:\ProgramData\NVIDIA Corporation\NvTelemetry\nvtelemetry.log C:\Users\user\AppData\Local\NVIDIA Corporation\NvTmMon\NvTmMon.log C:\Users\user\AppData\Local\NVIDIA Corporation\NvTmRep\NvTmRep.log Who needs an additional spy in your own PC?.. Awesome my friend, I forgot about those other bits We need to send a clear message to Nvidia that we will NOT tolerate their spying on us via telemetry, and we will every workaround we can think of in order to defeat it. It's bad enough that windows 10 is virtually one massive spyware collecting agency Rather than do all of the above, you can simply install nVidia drivers as normal. Once installed open an elevated command prompt and run the following: rundll32 "%PROGRAMFILES%\NVIDIA Corporation\Installer2\InstallerCore\NVI2.DLL",UninstallPackage NvTelemetryContainer This will remove all telemetry, logs, services and tasks. I use it all the time now and it's a very clean way of removing nVidia telemetry. https://forums.geforce.com/default/topic/1056140/geforce-drivers/defeating-nvidias-telemetry/post/5830317/#5830317 Personally, I just disable the Nvidia Telemetry service and leave it at that. I haven't seen any outbound Nvidia traffic after that. I also can't vouche the the above rundll32 method since I never used it. As far as blocking GeForce Experience outbound activity, the best way to stop it is never install it or uninstall it. Also according to this article, nothing Nvidia Telemetry or Geforce Experience does is supposedly nefarious: https://www.howtogeek.com/280101/relax-nvidias-telemetry-didnt-just-start-spying-on-you/
  21. 1 point

    Importing setting to new HDD?

    Since it appears you want to still use GeForce and not uninstall it, you can download the latest non-vulnerable update here: https://www.geforce.com/geforce-experience/download . That should eliminate the update alert you have been receiving. As far as your other nVidia drivers, you have a problem. For any drivers less that release 390.65, you're vulnerable to the Spectre and Meldown vulnerablities noted here: https://nvidia.custhelp.com/app/answers/detail/a_id/4611/~/security-bulletin%3A-nvidia-driver-security-updates-for-cpu-speculative-side . I would serious considering updating your graphics card.
  22. 1 point

    Importing setting to new HDD?

    To begin with, there is a serious security vulnerability in regards to Nvidia GeForce versions prior to 3.18. You can read about that here: https://www.bleepingcomputer.com/news/security/nvidia-patches-high-severity-geforce-experience-vulnerability The article also refers to Nvidia driver vulnerabilities that have been recently discovered. So you have to verify if your Nvidia drivers have been have recently updated. As far as your screen shot goes, your Nvidia software is indicating that a GeForce software update is available. In light of the above posted, you probably want to perform the update. BTW - you don't need the GeForce software for your Nvidia drivers to function properly. It's primary purpose is to inform you that NVidia driver updates are available. It can be uninstalled via Control Panel -> Programs option.
  23. 1 point
    maneet kaur


    can we stop the scan every time the modules are updated?
  24. 1 point

    Importing setting to new HDD?

    Guess I am not following you on this one. Each time you export your settings, a new .xml file is created. Just import the latest .xml file you created.
  25. 1 point
    The block is correct. We informed that leaked licenses were published on it. In turn we were promised they would be removed so we unblocked it then. However, shortly after unblocking it the license and other illegal stuff was put back again and this repeated several times. We are not going to play cat and mouse.
  26. 1 point

    PUP not handled

    See this thread: https://forum.eset.com/topic/19081-jsspigotb/ . Also refer to the Eset knowledgebase article link I posted in the thread.
  27. 1 point

    Last Connected Not Correct

    I've found similar instances and attribute it to some form of agent corruption. I haven't found an easy way to repair the agent, but the majority of the time, simply uninstalling and reinstalling the agent resolves the issue. Not what I would consider a "fix", but does get things working again.
  28. 1 point

    As soon as possible option of Scheduler

    Here some more results: If consecutive scheduled daily scans can't run at the scheduled time, then the scan will only be done as soon as possible if the previous scan was at least 23 hours ago. If that is not the case yet, then EIS will wait until it is. If consecutive scheduled weekly scans can't run at the scheduled time, then the scan will only be done as soon as possible if the previous scan was at least 6 days and 23 hours ago. If that is not the case yet, then EIS will wait until it is. In my opinion this is not how it should be! For example: A scan is scheduled to run every Monday at 00:00:00, but it doesn't get the chance to run at that time. The computer isn't booted any earlier than Wednesday 20:00:00, but almost directly after booting the missed scan is executed. The next week again there is no chance to run the scan at the scheduled time, but now the computer is booted on Monday at 08:00:00. I would expect the scan to run then almost directly after booting, because it is scheduled to run every Monday at 00:00:00 and in this case 08:00:00 is as soon as possible, but instead EIS decides to wait until Wednesday 19:00:00, which is 6 days and 23 hours after the previous scan. In other words, if there is never a chance to run the scan at the scheduled time, then it will take many weeks to get the scan running on Monday again, because the time will only be advanced 1 hour a week.
  29. 1 point

    ESET keeps stealing focus from Firefox

    It will be fixed in v12.2. I reckon the beta version has it already fixed.
  30. 1 point
    It is needed to do the following steps to fix the issue because some of the modules are probably corrupted. The best way is to stop the service, clean update cache, delete the modules and download completely fresh update files and modules will be recompiled and added to /var/opt/eset/esets/lib - stop service - delete content of modules directory /var/opt/eset/esets/lib - clean the update cache directory /var/opt/eset/esets/lib/data/updfiles - clean logs direcotry /var/log/esets/ - run update manually deleted modules will be replaced for fresh /opt/eset/esets/sbin/esets_update --verbose - once update is successfully done you can start the service
  31. 1 point

    Activation does not work...

    Yep! All working fine now, just needed some time to update maybe. Thanks fro your promt replay! Case closed! Best regards PS/ Also got 30% off, we likes that...
  32. 1 point

    Cant fix Win32/Agent.TBV

    If you have a paid license for an ESET product, please provide logs collected with ESET Log Collector for a start.
  33. 1 point
    The website was compromised and still contains a malicious code.
  34. 1 point

    Migration from ESET to another antivirus

    You might want to refer to this latest A-V Comparatives Endpoint test and resign yourself to living with the issue of high false positives as far as TrendMicro is concerned: https://www.av-comparatives.org/tests/business-security-test-march-april-2019-factsheet/
  35. 1 point

    Updating Names

    You can synchronize computer names by running the following server task:
  36. 1 point

    console cloud

    Any chance it resolved itself automatically after a time? We are currently experiencing issues with license synchronization, which is targeted by release that is rolling out this week.
  37. 1 point

    Unsual Open Network Services notification

    Some further info on Telnet. Port 23 is not the only port used. Port 107 is used by Remote Telnet. Also there is a way to shut down all Telnet activity using the Eset firewall. You would have to create a firewall rule to block all inbound and outbound activity specifying the protocol as "Custom" and the protocol number as 240 - 255. In other words, 15 firewall rules would be needed since the Eset firewall only also one protocol number to be specified per firewall rule. Ref.: http://www.networksorcery.com/enp/protocol/telnet.htm
  38. 1 point

    Unsual Open Network Services notification

    To be 100% accurate in regards to telnet is the following. The telnet client is not installed on Win 10 by default: https://www.rootusers.com/how-to-enable-the-telnet-client-in-windows-10/ . As noted in the article if the telnet client is installed, any port can be used by it; not just port 23. When router's reference telnet, they are just referring to its default use of port 23. Disabling the telnet option on the router is just blocking all inbound/outbound WAN side port 23 TCP/UDP traffic to/from the router. When the router is set to bridge mode, you are instructing the router to pass all inbound and outbound traffic through the WAN side of the router. All firewall, IDS, and protocol filtering methods on the router are disabled. Additionally, both NAT and stateful transmission detection are also disabled on the router. As such, you are now relying 100% on Eset's firewall for port 23 protection. Whereas Eset's firewall will block an unsolicited inbound port 23 traffic by default, such is not the case for any outbound port 23 traffic. By default, Eset allows all outbound traffic.
  39. 1 point

    Removal of JS/ScrInject.b ???

    Referring to the first two postings in this thread, browser ad and JavaScript blocking extensions and the like would not have prevented this activity. It appears something was installed manually. It could have be standalone software. If it was then the following were applicable: 1. The software was installed prior to Eset being installed. 2. Eset's PUA protection was/is not enabled. 3. Eset's PUA detection was ignored and the poster allowed the software installation. Another possibility is the poster either explicitly or inadvertently installed a browser extension that contains the javacript code being detected.
  40. 1 point

    Removal of JS/ScrInject.b ???

    Great! thank you!
  41. 1 point

    Realtime module not functional

    The problem with the machine from which the latest logs were taken is that you have an old eamonm.sys driver from v4.5 running. Did you upgrade to EFSW v7 from EFSW v4.5? If so, a restart is needed after installation for new drivers to get loaded. Did you reboot the server? If so, please uninstall EFSW completely, make sure there is no eamonm.sys driver in c:\windows\system32\drivers and install EFSW v7 from scratch.
  42. 1 point

    EFS 7.0.12014.0 - MSSQL ERROR

    It's not a problem. The only reason why it occurs with v7 is that older version didn't support protected service, a security feature of Windows. In v7 it's possible to disable protected service at the cost of worsening protection, however, it wouldn't be worse than with v6.5 which didn't support it yet. With v7 you get also ransomware shield which can proactively protect the server from encryption by ransomware.
  43. 1 point

    EFS 7.0.12014.0 - MSSQL ERROR

    Hi, as marcos noted this error is logged when automatic exclusions for Microsoft SQL server are enabled. Automatic exclusions for Microsoft SQL server are using ADO API to read information from "sys.master_files" table to get list of files to exclude from scanning. The ADO API obviously loads a DLL that is not signed. As a workaround, automatic exclusions for Microsoft SQL server can be disabled.
  44. 1 point
    Beech Horn

    EFS 7.0.12014.0 - MSSQL ERROR

    That line looks like the example from: https://docs.microsoft.com/en-us/previous-versions/windows/hardware/code-signing/dn756632(v=vs.85)#user-mode-and-kernel-mode-code-troubleshooting With the signing levels being: 0x0: Unchecked 0x1: Unsigned 0x2: Enterprise 0x3: Custom 1 0x4: Authenticode 0x5: Custom 2 0x6: Store 0x7: Custom 3 / Antimalware 0x8: Microsoft 0x9: Custom 4 0xa: Custom 5 0xb: Dynamic Code Generation 0xc: Windows 0xd: Windows Protected Process Light 0xe: Windows TCB 0xf: Custom 6 It looks like you are requesting all DLLs to be higher than (or more likely equal to) 0x7 (Antimalware) and this DLL is actually 0x1 (Unsigned). THE FOLLOWING IS THEORY AND SHOULD NOT BE CONSIDERED ACCURATE To me, it looks like NOD32 is loading the DLLs into its own service when running as a Protected Service rather than scanning them without loading it into memory in a manner unlike a library (e.g. without running the code or injecting the DLL into the service). On top of this sqlnclir11.rll should be reported as 0x8 instead of 0x1 by Microsoft, which is in itself a problem. If we look at 0x4 (Authenticode) this would also trigger that error but could be legitimate signed code which gets blocked due to the way NOD32 is scanning when running as a Protected Service.
  45. 1 point

    EFS 7.0.12014.0 - MSSQL ERROR

    There is no way to solve it if Microsoft doesn't update the rll file with one with a valid signature except disabling Protected service in the HIPS setup which would enable unsigned dll files to be loaded in ekrn.exe. Of course, that would be a security hole and unnecessary risk so we don't recommend disabling protected service.
  46. 1 point
    @andy_s We will track this as an improvement request, towards the future versions. Issue is, that the "upgrade" itself is handled by Endpoint (in case you execute scan and select option "shutdown after scan"), and Endpoint does not initiate agent wakeup to report scan completion. It simply triggers shutdown, before the result is replicated. Maybe, if you are willing to, can you explain why are you shutting down the machines? Is it to save power over weekends, or? As there might be different way how to achieve that. One that will report "success" would be a run command, with a respective windows shutdown / with delay, as task would report "Success" not in the moment of task execution, but on the moment when it contacted WMI provider with the command the reboot. If system acknowledged, it will report success. Also, out of curiosity, what is your replication interval?
  47. 1 point
    Description: Enable right-click and double-click in ERA Detail: ERA is one of the most easy-to-use management services I have used. However i believe that to make it more ergonomical there should be a functionality that lets users double-click on something. For example, when wanting to generate a report you first have to click on the report, then go down to the "GENERATE NOW" button and click that. I feel like adding the ability to open reports and other things with a simple double-click action would improve accessibility. The right-click I admit is quite an odd suggestion seeing as if you click on a field once it brings up a menu etc, however, again for things like editing reports, you first have to click the report, then click on the little cog icon over to the far right, and then click on edit. Would it not be easier just to be able to right click the report and choose edit? A very pedantic suggestion I know...
  48. 1 point
    Agreed. I even thought about the programming logistics of that when I posted it, but as the forum is about suggestions, I thought what the heck, let's put it in, as it is a nice idea (IMO) Andy
  • Create New...