Leaderboard

Popular Content

Showing content with the most kudos since 09/20/2021 in Posts

  1. SeriousHoax

    antivirus version 15.0.6

    One thing that I don't like about LiveGuard is that it seems to send every new file created on the device to LiveGuard upon execution. Even if it's an old, trusted and safe file. As soon as I try to execute a new file that wasn't on my device before, ESET sends that to LiveGuard. Eg: If I just extract a newly downloaded 7zip installer from a zip file where the installer exe is trusted by literally every AV, as soon as I execute it, it gets blocked and submitted to LiveGuard for analysis. What's the point of this? ESET's reputation check shows that the file is old with reputation status being Fine & green and the number of users is also high with a green mark. ESET should feed from this LiveGrid status and determine that the file is trusted, whitelisted and not necessary to submit it to LiveGuard for analysis. This alone would massively reduce the load on LiveGuard's server. This type of unnecessary submission needs to be avoided. Kaspersky and Norton make use of their cloud reputation appropriately, which is something ESET is not doing here. The LiveGrid reputation should mean something. The LiveGrid and the LiveGuard combo should communicate with each other to determine what needs to be submitted and what not. Otherwise, LiveGuard servers are going to be bombarded with excessive unnecessary submission. Unnecessary submission is going to annoy even expert users.
    4 points
  2. itman

    antivirus version 15.0.6

    I just checked U.S. prices for Eset. ESSP costs $10 more per year than EIS. As such and for me personally, the increased price is not a major factor. This important LiveGuard feature being included only for ESSP does "leave a bad taste in my mouth." For starters, Eset should have had LiveGuard capability in its consumer product versions long ago. Like feature capability has existed for some time in Eset competitor consumer products as you noted. This includes Microsoft Defender that doesn't cost anything. I also have no need for the extra features ESSP provides and feel upgrading to it for LiveGuard capability is a shady marketing tactic. It also should be noted that EIS costs, on average, significantly more than its competitors' equivalent products. Bottom line to Eset - include LiveGuard in EIS or be prepared for a significant loss of your existing EIS product base.
    4 points
  3. Hello ESET Endpoint Security / Antivirus users,

    We are pleased to announce the availability of ESET Endpoint Security / Antivirus 9 BETA for public testing. The new generation of ESET Endpoint products for Windows brings new features and improvements, let us briefly describe the most visible ones.

    • Auto-update – This feature improves the upgrade experience for administrators and makes keeping ESET products on latest version easier. It is enabled by default and works out of the box. Technology was present in Windows Endpoint version already 8.0, EULA approval was replaced with EULA notifications.
    • Brute-force attack protection - Evolution of reputation and blacklist-based password-guessing defense technology, providing further protection for RDP and SMB protocols in business networks.
    • Official ARM64 support for both EES and EEA for Windows on ARM (Secure Browser, Machine learning protection and Deep behavioral inspection features are not available for ARM64 platform in this version)

    The new features mentioned are not manageable by ESET PROTECT management console as of now.

    Please check also the list of Known issues for the first public BETA build, we believe the severity of those is very low so they should not affect your user experience much:

    • Device Control: Printing task stays in printing queue when printer is blocked
    • Audit logs contain strings "FeatureId", "OldState", "NewState"
    • Web control: Warn action does not work properly for some websites
    • Secure Browser: Ask me option available for websites in list
    • Secure Browser: Some websites are not loaded correctly in secured browser instance
    • Device Control: Some bluetooth devices are not listed in Populate of Device control

    The ESET Endpoint Security 9 BETA and ESET Endpoint Antivirus 9 BETA builds are available for download at https://forum.eset.com/files/category/4-ees-eea-9-beta/ Both .msi and .exe installers are available and the ARM64 version for Windows on ARM too.

    We are looking forward to hearing your feedback and experience with the 9th generation of ESET Endpoint products. For your questions and issue reports, please use this forum directly. As usual, the build is in BETA quality so by downloading and using it, you agree with our BETA program agreement, which is available at https://forum.eset.com/files/file/31-eset-beta-program-agreement/

    After a week or so of BETA testing, please fill out this short survey for us https://survey.eset.com/index.php?r=survey/index&sid=798153&lang=en so we can evaluate the BETA program and make our offering even better for you.

    Thank you in advance.

    Peter Randziak on behalf of teams involved
    3 points
  4. The user must choose whether to enable or disable the LG feedback system. We cannot enable it automatically for legal reasons:
    3 points
  5. SeriousHoax

    antivirus version 15.0.6

    This is similar to Avast's (and AVG) CyberCapture feature, which is available even in the free version. The difference is that cybercapture is dependent on the Mark of the Web similar to Microsoft's Block at First Sight feature, while it seems with ESET it's for every file that is not known to ESET. So this is a nice feature and a good addition. But I can't really justify the decision to not include it in the Internet Security version. ESSP is ridiculously expensive. LiveGuard should've been made available to both EIS and ESSP.
    3 points
  6. When using the auto update feature, the upgrade is first applied at reboot, so it will continue to be fully protected by the old version until you eventually reboot the device which is then upgraded
    3 points
  7. Marcos

    antivirus version 15.0.6

    Whitelisted are basically files signed by known trusted certificates, e.g. by Microsoft. Samples submitted to LiveGuard are separated from samples submitted by LiveGrid. In case of LiveGuard they are submitted to a safe environment where even access by ESET staff is very limited. This is because users can also choose to submit suspicious documents and it would not be safe if a broad group of ESET staff could access them. If a file submitted to LiveGuard turns out to be malicious, the result is shared with LiveGrid users. Other than that, nothing is shared. The fact that a file is old and more users have got it does not mean that it's 100% safe. Therefore only whitelisted files are not submitted. EDTD submits a lot more files than LiveGuard and the systems can manage processing that load.
    2 points
  8. Yes it can be managed by the ESET PROTECT (cloud), just the new features are not yet manageable. Yes the agent needs to be installed the same way as with GA version. Yes, it is enough to install the BETA version to test it. As mentioned above, it can be managed by the ESET PROTECT cloud, but only the features available in previous generation are available to be configured and managed as of now. The ESET Insiders program is an invitation only program, join requests are being evaluated case by case. You can drop me a personal message to find out more... Peter
    2 points
  9. itman

    antivirus version 15.0.6

    Let's "cut to the chase" in regards to Eset's cloud scanning. As shown in the diagram in this article: https://help.eset.com/edtd/en-US/overview.html , Eset is using Microsoft's Azure AI servers. Microsoft will gladly allow anyone who so desires use of those servers. Obviously, this use is not for free. The question however is just how expensive is their use? There is a low budget developer who markets a security product add-on named VoodooShield: https://voodooshield.com/ which is popular with participants of the security forums; e.g. wilderssecurity.com. This product also uses the Azure AI servers. There is both a free and a paid version of this product. As far as I am aware of, both the free and paid versions use the Azure AI cloud servers.
    2 points
  10. Description : Improve ESET update server capacities. Detail: Last week some connections to (some?) ESET update servers were abysmally slow, as in downloading at 0.01-0.1 mb/s while my internet line offers close to 13 mb/s. As a consequence download single update files took a *very* long time. According to e-mail support some major ESET module update caused high spikes, so the server/connectivity infrastructure should be improved to handle these spikes much better.
    2 points
  11. What is meant by "whitelisted" files in this context? I noticed that out of the 456 .exe files contained in the WSSC GUI (Nirsoft, Sysinternals) only those 5 are re-read after reboot that qualify as "potentially unsafe applications" (regardless of the respective settings and exceptions). All non-exe files on my system seem to be re-read by ESET after each reboot, regardless of module updates. This includes all TTF (font) files, but also things like loading thousands of Lua addons files, hundreds of Toc files, dozens of TGA and font files when World of Warcraft is started for the first time after a reboot, plus NVidia and Battle.net client cache files. I assume that most of these files are only re-hashed instead of rescanned (analyzed)? But it's still re-reading of files that were already scanned when the PC was last turned on (or just before reboot a few minutes ago).
    2 points
  12. I understand the spinning platter situation, but modern systems don't use HDDs for system drives anymore. And even then, scanning network shares on my HDD based NAS is faster when done by multi-threaded AV products. All of my own and my customers' computers use SSDs for years already. Defender peaks at over 2500 mb/s during on-demand scans running 24 threads/files in parallel, meanwhile ESET is chugging along one file at a time. This should be brought up to more modern standards rather sooner than later. Furthermore large compressed archive files should be handled by multiple threads, too, especially for the uncompression part of the operation.
    2 points
  13. We are testing Windows 11 and EEE/EFDE currently. So far there are no major problems at all. Upgrades from Windows 10 while encrypted work just like any other Windows 10 Feature Update. It’s seamless when performed through the Windows Update setting. In the event where you need to use the Win 11 ISO to perform the upgrade, then our updater utility works too.
    2 points
  14. itman

    Borked HIPS

    Good advice. I am tired of wasting my time in this forum reporting Eset problems that ultimately get dismissed.
    2 points
  15. itman

    Borked HIPS

    Let's talk about Eset's Network Inspection Inspector processing since there is zip technical details on it. To begin, Eset's network inspection processing is not new and has existed on every EIS version I used dating to 2014. Past versions were relatively benign and non-troublesome. Once I configured Eset's network connection to accommodate my router, the settings remained stable. All this changed when Eset decided to get "cute" and expand network Inspection to examine router settings for the purpose of detecting suspected hacking activities. Great idea for off-the-shelf routers and the like that perform standard network initializing activities. A very bad idea for ISP provided routers with customized firmware settings. The only positive thing in recent Eset versions is that now Network Inspection Inspector can be disabled via GUI setting which was not possible in the past. For those who like technical details, let's get into those. Using a networking connection monitor such as TCPView, open it immediately after system startup time. Look for an ekrn.exe connection monitoring UDP port 138. Eset is examining network connections via proxy using this port. This is also where the problems start. My router is using NetBIOS which also uses that port to initialize its router connectivity to my device. It then goes downhill network-wise from here.
    2 points
  16. First, verify your credit card data has been deleted from both your Eset eStore account and your myEset.com account. When I likewise did my Eset license renewal via EIS GUI option, it set up a myEset.com account w/o my permission and set it to auto renewal! Also stored in that myEset account is the credit card number used for the purchase. Given all the security issues with myEset.com accounts being hacked, I also deleted the myEset.com account. I for one have had it with Eset's overly aggressive license renewal/management crap. It's just "one more nail added to the Eset coffin" in regards to terminating the future use of this product.
    2 points
  17. I'm not angry about you reporting it. Quite the contrary, we are happy if you report possible malicious samples or urls to us. I just wanted to point you in the right direction, ie. to report stuff directly to samples[at]eset.com according to the KB if you want the submission to receive better attention. Also I wanted to point out that even if a particular website is not blocked (ie. it may be a completely legitimate one with just somebody posting links to cracks), the point is to detect possible threat in the end no matter how it is achieved, ie. by blocking access to the malicious website or by detecting the malware upon download or execution at latest.
    2 points
  18. itman

    Borked HIPS

    Well, there was one last thing I had to perform to get the router, Win 10, and Eset networking to play together nicely. I have long suspected that Win 10 Smart multiple-homed DNS name resolution was the source of most of my network issues. This was further amplified by Eset networking initialization. But since this feature was using my ISP DNS servers combined with the way the router establishes Win 10 network connectivity, I could never definitively nail it down. You can read about what Win 10 Smart multiple-homed DNS name resolution does here: https://www.ghacks.net/2017/08/14/turn-off-smart-multi-homed-name-resolution-in-windows/ . The gist of what it does is: What I have been observing after my Win 10 networking "from hell" reconfiguration activities described previously is at Win 10 fast startup and/or startup from sleep mode predominately is multiple connections to IPv4 address 1.1.1 to port domain. Err what? Port domain turns out to be port 53 and of course, 1.1.1.1 is Cloudflare's IPv4 DNS address. First, I have never ever seen these domain connections before. Next is I shouldn't be using Cloudflare's IPv4 DNS server on an IPv6 network. Bottom line is here is a graphic example of my Win 10 network connection being borked by Smart multiple-homed DNS name resolution processing. As far as what this did to Eset's network connectivity processing can best be described as a double-whammy bork from the deepest depths of networking hell. Anyway, I have disabled Win 10 Smart multiple-homed DNS name resolution and finally, all is well networking-wise.
    2 points
  19. itman

    Eset Update Hang on ver. 14.2.24

    Next time this updating issue occurs, use a network connections monitor to ensure ekrn.exe has a solid connection to port 8883. You can use Eset's Network Connections tool or TCPView. I prefer TCPView since it will show if there are sync issues with the connection to port 8883, ekrn.exe is trying to establish. Eset uses port 8883 with fallback to port 443 for Push Notifications. If there are issues with getting that connection, it will cause this bork Eset updating behavior some are experiencing.
    2 points
  20. Kind of ridiculous putting all the work on the end user.
    2 points
  21. Hello, Many thanks for your suggestion. We will add it also to ESET PROTECT Cloud. We have it already in the on-prem version. I apologize. It was forgotten in the cloud version.
    1 point
  22. Hello. Currently, it is a bit difficult to determine which computer has EDTD activated and working. You are right that in the past, it worked in the following way:

    • You enabled EDTD via policy
    • If the EDTD was "not activated" on a particular machine, it reported an error
    • Based on this error, you can group such machines in a dynamic group
    • You can have set "activated EDTD" task on top of such dynamic group that will enable it

    Currently, the "error" state was removed, and EDTD does not report that type of error it is not activated. Per my knowledge, this was due to some architectural changes, and moving towards "more proper" reporting of feature states. Last update I got from the developers was that we are working on a better way, that will be most likely implemented in next releases. One IDEA is use "ESET Solutions" tab, and over there you will see how many have EDTD active, and how many do not have it active. You can click "Deploy", which should do both the enabling, and activation in one step. Sorry for the inconvenience, and stay tuned for the updates, when the proper solution gets implemented.
    1 point
  23. Hello. I have forwarded this info to our release manager, as I do agree, that every release post / info / metadata should include also the release date, for simpler orientation.
    1 point
  24. Hi @secured2k, Thank you for getting in touch, here is the KB that you requested regarding the ESET Windows Updater Utility: https://support.eset.com/en/kb7148-manually-install-windows-10-feature-updates-on-a-full-disk-encrypted-fde-system The error you are running into is due to the disk not being accessible during the update as it is Encrypted and Windows has not been told to use the Encryption Drivers in order to access the disk, this utility solves that problem by passing the required switches to allow Windows to use the Encryption Drivers and thus be able to access the disk. Thanks, Kieran
    1 point
  25. Andrew3000

    antivirus version 15.0.6

    In my opinion LG/EDTD should be implemented also in the EIS version. Only as addons or implemented in ESSP would not increase your sales since the price is higher than your other products but especially compared to your competitors on the market. Implementing it in EIS would certainly increase the load on your servers but you would also have a better and more updated cloud network to defeat new malware since the result of the sandbox process is then transmitted to all devices that have enabled the feedback system. Also because LiveGrid in its current state takes a long time, LG/EDTD 5 minutes and spreads the result to everyone.
    1 point
  26. For anyone interested in trying the ESET Endpoint Security 9 & ESET Endpoint Antivirus 9 BETA, we have good news to share - we have just launched a public BETA test for it. To find out the details and sign up please visit the dedicated BETA forum section
    1 point
  27. Mr_Frog

    antivirus version 15.0.6

    Totally agree with this point. Here for example, the price of ESSP is 44% more expensive than EIS. I personally don't really need extra features in ESSP, paying that much extra price for something I don't really need, sorry I didn't. It's even more ridiculous that the now added feature is actually available on a competitor's free product.
    1 point
  28. czesetfan

    antivirus version 15.0.6

    I have very similar feelings to "itman". I see ESET's core mission as "Bringing people the best anti-malware protection we can create". And a feature like LiveGuard in my opinion is one of the "core" features of an antimalware product, just like samples, heuristics, etc. That's why I think it should have been available in the basic (and legendary) NOD32 antivirus. I understand that it's not easy to move in a global market, but you need to be fair to your customers. Originally, the Premium version offered extra features. That is, extensions beyond the basic antimalware protection. (For example: "Do you want a password manager too? Do you want encryption on top? These things degrade cybersecurity, but are not DIRECTLY related to antimalware protection.) But in this case, the primary protection feature is offered in the "premium" package. This approach creates bad feelings with me. Unfortunately, it's similar with the cancellation of the custom version of NOD32 for Linux. Again, I understand cost optimization, developer utilization, etc. But would a truncated version of Enterprise v8 for Linux, really cause ESET to move into the red numbers? Especially when it doesn't even offer a basic antivirus for free like most other vendors? Sorry for the long entry. Translated with www.DeepL.com/Translator (free version)
    1 point
  29. Marcos

    antivirus version 15.0.6

    Beta v15 was provided only to the members of the ESET Insider program. It will be released in a few days. Currently we have ESET Endpoint Security v9 available for beta testing.
    1 point
  30. 1 point
  31. Using Pre release modules Direct Cloud communication module 1118.2 no notifications shown after opening steam client or connectivity errors in the logs, so far, so appears this new module will resolve the issue
    1 point
  32. Hello @tommy456 and @Masamunnex, Direct Cloud communication module 1118.2, with this issue fixed is available on pre-release update channel. Can you please switch to pre-release updates, verify if your ESET product downloaded the Direct Cloud communication module 1118.2, try to reproduce the issue and let us know? The issue was caused by multiple requests failing, thus taking the channel offline even in case of a short network outage... Peter
    1 point
  33. peteyt

    antivirus version 15.0.6

    As far as I'm aware the pre release version contains fixes to issues and eset recommend people use it to see if it works and if there are any other issues. However eset don't recommend activating it on work computers in case of any issues
    1 point
  34. I can confirm 7 0.16 has just been released which fixes the issue
    1 point
  35. Found the answer - under the installation (programfiles\eset\enterpriseinspector) - a file named eiserver.ini, same place to change the connection port
    1 point
  36. ESET is likely being killed by the aggressive Xiaomi battery optimizer. Please see https://dontkillmyapp.com/xiaomi for instructions how to create an exception.
    1 point
  37. Marcos

    Question re: EsetIpBlacklist

    No. However, if you provide the IP address I could search for possible reasons.
    1 point
  38. Just curious if someone could tell me what these numbers mean? Thanks!
    1 point
  39. itman

    Borked HIPS

    I will again reiterate what happens on my EIS installation when Network Inspector is enabled. At system restart time, a half dozen ekrn.exe UDP and UDPv6 are established along with an ekrn.exe port 138 connection. These remain for a couple of mins. and are then dropped. In the past, one ekrn.exe UDP and UDPv6 remained. On ver. 17, the UDPv6 connection is usually permanently dropped and not later reestablished. Upon resume from Win 10 sleep mode, a dozen ekrn.exe UDP and UDPv6 are established along with an ekrn.exe port 138 connection. These remain for a couple of mins. and are then dropped. In almost every instance on ver. 17, the UDPv6 connection is usually permanently dropped and not later reestablished. In regards to the ekrn.exe UDPv6 connection when dropped. If I perform anything related to current network status such as ipconfig /all or view network settings in Win 10, the ekrn.exe UDPv6 connection is reestablished and remains in effect until system shutdown/sleep mode. With Network Inspector disabled, I have no borked Eset firewall activity where my normal outbound network traffic is being interpreted as inbound traffic and being blocked upon resume from sleep mode. Although there have been two incidents where this occurred for a couple of port 53 DNS connections. Now really, is this passive behavior? Network Inspector stays permanently disabled on my device. -EDIT- BTW the same above behavior occurs the minute the Network Wizard is opened with the result being the ekrn.exe UDPv6 connection being permanently dropped.
    1 point
  40. I do not have an info on next planned BETA release, but it seems the new versions are being released in a fast pace as generation 7 has now version 7.0.15 available and before there was 7.0.14 and 7.0.12 and all of them were released in September... Peter
    1 point
  41. Hello @peteyt I use the BETA version too and noticed the bug as well. The dev team has it tracked to fix it (P_EMSA-10346). I'm checking it. I guess the BETA tickets for EMSA are routed to HQ support, but the reply still should be in your language... Peter
    1 point
  42. itman

    Borked HIPS

    Interesting. My ISP router has an excellent stateful firewall plus IDS protection. Hence, external network attacks like these are dropped on the WAN side of the router. Also, more reason to disable Eset Network Inspector if there are suspicions it might be tampering with any internal router mechanisms.
    1 point
  43. Maybe I'm being a little stupid but if malwarebytes can remove the full extension why can't eset?
    1 point
  44. Yes, EsetPerf.etl can be huge; it can grow to gigabytes in minutes, hence we recommend keeping the logging enabled only for a short time. You can compress the file, upload it to a storage location and pm me a download link, we'll see if there's something interesting, such as a high CPU load logged.
    1 point
  45. The web server is misconfigured; OCSP Must-Staple is enabled, however, no OCSP response is received. https://www.ssllabs.com/ssltest/analyze.html?d=energy-forecast.n-side.com OCSP Must Staple: Supported, OCSP response not stapled
    1 point
  46. Marcos

    Detections Actions Error

    The issue is caused by an older version of the Translation support module. On Monday we should start with upgrade, however, it will require a restart of the ESET PROTECT Cloud instance.
    1 point
  47. I'm split. I wouldn't mind if Eset introduced it but there's the debate if AVs should basically focus on being AVs and leave the other stuff to other users.
    1 point
  48. Okay, thanks for the effort. The setting is not a matter of life or death but as a nice to have it would be great... Thx & Bye Tom
    1 point
  49. As of now, this is not possible. Those "color coded statuses" are hardcoded in the webconsole. I will consult with our product management, if this is something that can be adjusted in the future product releases.
    1 point
  50. cyberhash

    For how long do you use ESET?

    Since its birth
    1 point