Leaderboard

Greetings! Listed as fixed in 7.3 "An on-demand scan launched from the ESMC console could shut down the computer even if this post-scan action was not selected" is exactly what started happening after I've upgraded Endpoint clients to 7.3. Never happened before. The process C:\Program Files\ESET\ESET Security\ekrn.exe (WKST-VRN-BKP01) has initiated the power off of computer WKST-VRN-BKP01 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Other (Planned) Reason Code: 0x80000000 Shutdown Type: power off Comment: Computer scan completed That comes from scheduled scan policy (daily on-demand scan with post-scan action set to "no action"). All upgraded endpoint clients have been shutdown after this scan. Fix it please!

https://www.eset.com/sk/o-nas/press-centrum/eset-tlacove-spravy/nadacia-eset-podporila-vyvoj-slovenskeho-testu-na-koronavirus-a-financuje-prvych-100-000-kusov/ Machine translation: Scientists from Slovak companies MultiplexDX, Lambda Life and ProScience Tech have joined forces with virologists from the Biomedical Center of the Slovak Academy of Sciences (BMC SAV) to build a reagent kit according to the World Health Organization (WHO) protocol for reliable detection of SARS-CoV-2. In the first phase they plan to produce and make available 100,000 PCR tests. The ESET Foundation supported the development of the test and finances the first 100,000 pieces to be offered as a gift to the Slovak Republic. Key components have been developed and manufactured by MultiplexDX, a company dedicated to developing and manufacturing innovative reagents for various molecular diagnostic methods. The Slovak PCR test is currently being validated in cooperation with a team of scientists from the BMC SAS. Preliminary results show not only the functionality but also the good sensitivity of the new test, comparable to the currently used diagnostics. “This means that our test is reliable and accurate and can help diagnose early-stage patients. We can produce key components for 100,000 PCR tests in two weeks, ”explains Pavol Čekan, founder of MultiplexDX. “In the process of validation and subsequent registration of the resulting report we cooperate with the non-profit organization CCCT SK. It will be estimated to take about three weeks, ”said Adam Andráško of ProScience Tech. "Virus detection consists of sample collection, RNA isolation and PCR diagnostics itself, with our joint efforts focused on the last step," said Ivan Juráš of Lambda Life. “I believe that the efforts of our scientists will be crowned with success, and we will have enough PCR tests from our own resources as important as coronavirus detection. This will help Slovakia not only in continuous testing, but we will also create a reserve in case there is a shortage of tests in the world, ”notes Robert Mistrík from the permanent crisis staff. The ESET Foundation supported the development of the test and provided funding for the first 100,000 units from the COVID-19 Effective Diagnosis and Prevention Fund. These tests will be offered as a gift to Slovak state institutions. “When creating the Fund, it was important for us to ensure effective mass-scale diagnostics, which can only be achieved through science. Even in such a critical situation, the importance of supporting science in Slovakia, which we have been dedicated to for a long time, thus proves important, ”says Richard Marko, CEO of ESET. Production capacities will primarily be available to diagnostic laboratories in Slovakia after the first 100,000 tests have been used. “We are ready to cooperate with state laboratories, flexibly respond to their needs and supply them efficiently. After meeting the needs of Slovak Laboratories, we can direct our capacities to other countries that would need our products, ”explains the authors of the test.

It's been a slow forum posting weekend and it appears this thread has run its course. We have all had the opportunity to "rant and rave" about Eset Home version protection features we all wished we had and in reality, probably never will have. So it is time to expose this Python POC for what it is - fake ransonware. Err ..... what, you say? The POC encrypted files. Well so does a lot of legit encryption and other apps including user created ones. So lets get into this. A few years back, the NextGen security software vendors were trying "to get traction" against the established AV vendors with their supposed superior behavior detection methods. Corresponding to this was the appearance a proliferation of ransomware "simulators" where one was encouraged to test their existing AV solution with. The most infamous of these was RanSim produced by KnowBe4: https://www.knowbe4.com/ransomware-simulator . I wrote a thread about the methodology used by this product and similar ones here: https://forum.eset.com/topic/10792-ransomware-simulators-a-detailed-analysis/ . Eset subsequently commented upon Ransim tactics in their own publish article on Eset ransomware protection: https://cdn1.esetstatic.com/ESET/INT/Docs/Others/eset-vs-crypto-ransomware.PDF So let's get into some details on the POC. First, note this from the POC's author posting about it at malwaretips.com: Next is why no vendor on Virus Total detected the POC initially and I believe presently. That one is pretty straightforward. The ransomware portion of the POC never ran. The POC pauses program execution waiting for user input to continue. VT's automated sandbox analysis timed out waiting for input it does not respond to. In summary, I am not 100% ruling out that techniques used in the POC could bypass existing Eset ransomware detection methods. However, a POC must be developed deploying real world ransomware deployment and execution methods with the most important being the program runs uninterrupted and encryption activities performed against all existing files in C:\Users\xxxx\Documents\*, etc. directories.

False positive reports To submit a possible False Positive see Submit a suspicious website / potential false positive / potential miscategorization by Parental control to ESET for analysis when you wish to submit via email or use Submit sample for analysis function from the program GUI of ESET product installed on your computer. Whitelisting ESET does provide a whitelisting service for software vendors by which you can submit your software to minimize the chances of false positives, e.g., when your software is being downloaded. This service is intended as preventive measure for trusted and undetected applications to minimize risk of future false positives. Whitelisting service is not a channel for removing existing detections, disputes or solving other unrelated problems. If you want to register your software for whitelisting, please follow the instructions in the KB article How do I whitelist my software with ESET? Requirement for False positive submissions When submitting false positive file(s) via email or via program GUI, it is necessary to send copy of falsely detected file(s) as well as description of the file. I will explain what information is needed and why it is important. 1) Name of the legitimate application the file belongs to. When submitting false positives you must be able to identify what is the name of application that is being falsely detected. No-name false positive reports (when information about the application name is missing) are harder/slower to examine and in many cases indicate correctly detected malware rather then false positive. Example of correctly provided information: “This file belongs to VLC media player 3.0.6.” When you provide the specific version number, it helps. Example how not to submit false positives: “I don’t know what it is and why I have it on my computer but I think it is a false positive.” If you don’t know what the file is, don’t report it as false positive. 2) Name of the application’s author, developer, vendor or website where you downloaded the software Each legitimate software have known author or there is known company who developed it. There is known source/origin where the software can be obtained and you can learn information about it. This information is needed in investigation process. Researchers need to verify whether the software is safe and they may need the full installer to evaluate the software properly. Researchers may need to investigate whether other versions of the same software were affected by false positive or not. It is important to know the source/website where you downloaded the software because some download websites provide different installers than original vendors. 3) Application's purpose Let the researchers know what the application is supposed to do, what value does it offer to you. This information is usually available on vendor’s website but there are many old applications where the website is no longer available, or software was distributed only on CD-ROM/DVD, or the software is custom/in-house developed and the description is not generally available. Examples how of application’s purpose: This is a picture viewer, video convertor, movie player, communication software, printing program, database program, web browser, accounting software, computer game, tool I use for programming, etc. Don’t hesitate to provide any additional information you deem important. You may add the specific detection name you saw when detection occurred. In case some specific circumstances are needed to reproduce the problem, tell it to the researchers how (For example it may happen that the file itself is not detected but it downloads/creates other files that trigger detection). You may submit false positives via email or directly from ESET product via Submit sample for analysis function. In order to use the function open GUI of ESET Internet Security, you will find following icon in Tools and clicking More Tools: Please select “False positive file” option and attach the file you want to submit. Please provide all necessary information (as described above) researchers need to process your false positive submission. Information you provide indeed significantly helps ESET laboratories in the identification and processing of samples. Thank you for your submission!

I think this is resolved in just-released ESMC 7.2 where it look like this:

We are currently debugging the issue. Most likely we will be able to address it via an automatic HIPS module update.

The PUA detection is correct. It's optional. For more information what PUA are, please read https://support.eset.com/en/kb2629-what-is-a-potentially-unwanted-application-or-potentially-unwanted-content. If you think that benefits of using a particular PUA outweigh possible risks, you can exclude the PUA from detection.

ESET NOD32 Antivirus for Linux desktop is a legacy product. Legacy products do not support activation but require a username and password for update.These are not usually included in the license email since current products require only a license key for activation but can be provided by customer care on request. I'm gonna send you a personal message with your U/P momentarily.

ESET has been protecting users worldwide for decades already and have always provided state-of-the-art protection. While it was always our digital worlds that ESET has been protecting, now with the epidemic of the SARS-CoV-2 coronavirus the need to protect also users themselves became inevitable. Besides supporting various scientific and charity events, we are now creating a fund to support effective diagnosis of SARS-CoV-2 coronavirus, giving 300,000 EUR to support the purchase of a diagnostic system capable of analyzing 4000 samples per day. By purchasing ESET's products you can be sure that you also support science and charity. Machine translation: https://translate.google.com/translate?sl=sk&tl=en&u=https%3A%2F%2Fwww.eset.com%2Fsk%2Fo-nas%2Fpress-centrum%2Feset-tlacove-spravy%2Fspolocnost-eset-vytvara-fond-na-podporu-ucinnej-diagnostiky-koronavirusu-sars-cov-2%2F Recognizing the seriousness of the SARS-CoV-2 coronavirus spread, ESET has decided to engage in the fight against the epidemic in Slovakia. The ESET Foundation has therefore set up a COVID-19 Effective Diagnosis and Prevention Fund, to which ESET will contribute EUR 300,000. The amount will be increased later if necessary. The aim of the newly established fund is to provide, in the first phase, the necessary equipment for improving the quality of diagnostics and introducing comprehensive testing in Slovakia. Since its inception, ESET has dedicated itself to the diagnosis of computer viruses and is symbolic to support the diagnosis of biological viruses in this situation. Even at such moments, the importance of science, which can make a significant contribution to solving the situation, has been shown. ESET Foundation supports science and research and is the organizer of the ESET Science Award. “We have set up a fund to support the effective diagnosis and prevention of coronavirus because we believe that only a systematic scientific approach will help us manage this epidemic. At the same time, it is essential that we think ahead today and take steps to relaunch the economy. General and systematic testing of the population will help in returning the employees to the work process and thus also help the Slovak economy, ” explains Richard Marko, CEO of ESET. Through the Fund, ESET will support the purchase of high-performance diagnostic equipment, the development of systems for more efficient online diagnostics, or contribute to the cost of operating or collecting and transporting samples. Public and private medical diagnostic institutions and laboratories operating in Slovakia that are authorized to diagnose this type or to take and transport SARS-CoV-2 related samples may receive financial support. These institutions can contact the ESET Foundation at nadacia[at]eset.sk . The expert guarantor in the evaluation of the use of the fund's resources is the recognized Slovak chemist Robert Mistrík. “After the first discussions, we are considering co-financing the purchase of the Roche cobas 8800 System, or co-financing its operation. This device is able to do real-time RT-PCR tests at lower unit cost and shorter time in automatic mode. It can evaluate up to 4,000 samples in a single day. We will look for a partner to operate this device. Of course, the fund will also be open to other solutions supporting its goal, ” concludes Robert Mistrík, the fund's expert guarantor. More information about the Fund for the Support of Effective Diagnosis and Prevention of COVID-19 can be found at www.nadaciaeset.sk .

Description: Color code failing tasks Detail: The server used to color code the tasks that are failing. I'm running the latest ESMC, and now, that doesn't happen, and I have a hard time figuring out which tasks are failing. Is there a way to color code it again, or where can I see it? All I get is a generic email saying: "At least one client task has invalid configuration and therefore will fail."

The ESET Knowledgebase YouTube Channel celebrates its 10-year anniversary today! https://www.youtube.com/user/ESETKnowledgebase/community Check out the infographic for our lifetime YouTube statistics for the channel. The ESET Knowledgebase channel includes step-by-step video tutorials demonstrating the key processes and features of our ESET products, from ESET NOD32 Antivirus and ESET Internet Security to business products like ESET Security Management Center. In addition, our channel is yet another way for our customers to reach us with feedback and questions. We make every effort to respond to support-related comments and yes, we do take video suggestions!

Simple answer here folks is Eset normal channel release updates are region specific. Select countries will see the release prior to other countries. It has always been this way.

ESMC is a complex mission-critical product and it's important for administrators that it runs reliably all the time. Upgrade should be performed after backing up the database and at the time when administrators can afford to solve possible issues should something go haywire during upgrade. Likewise administrators do not let server systems upgrade automatically and immediately after the OS maker releases updates not addressing critical vulnerabilities.

Got it, Turns out I had made the change already. My memory just isn't what it used to be. Getting old isn't fun at all, but it beats the alternative. Thanks to both of you for your help.

Hello, Our service provider is currently having issues with deliverability to certain email domains, yours included; they have raised an issue with their upstream email provider. In the meantime, we apologize for the inconvenience. Tomas

Since this forum is not a channel for disputing detections and url blocks. we'll draw this topic to a close. Only the security malware lab is entitled to make decisions about url blocks. In this case, the blocks appear to be ok. Aggressive or misleading ads are subject to detection as well.

I'm stating two issues here in one topic. First, ESET has two types of installers, one is an online installer and the other is offline. But both are totally misleading. The offline installer is merely a 53 mb file which only installs the product but the all the modules data is downloaded after installing. Then the online installer which should do what the name suggests but it doesn't. All it does is downloads that 53 mb installer and install and of course downloads all the modules data after installing. Why even say it an online installer while it's definitely not! Highly misleading. Literally every AV I ever tried, all of their online installer download the whole product including modules and signatures, etc. ESET is the only exceptional one. Same goes for which is supposed to be ESET's offline installer. Almost all AV who still provides an offline installer installs the full product and only download the required new updates after installing unlike ESET. I don't understand! If you want to give users the option for an offline installer then that should contain every modules, updates till the day of creation and for the online installer it must download everything first then install the product. The second issue is, ESET update downloading speed right after installing is always very slow for me. Most of the time it only use 10-20% of my bandwidth even when there is no other internet activity. I started using ESET when version 12 came out and so far it has always been this way. My internet is already pretty slow so only using 10-20% bandwidth makes the process extremely annoying. Update download speed is always slow I guess but since the daily signature updates are only a few kilobytes, those are not noticeable but the first update is. Why does this happen? Why can't ESET make use of the rest of the free internet bandwidth?

I want to add to this that this also happened to me on two computers that I was testing the upgrade on where it immediately performed a scan after the upgrade was completed and promptly shut down the computers. The event log confirmed it was an ESET-initiated shutdown after a scan completion. This is the same as the others have reported, but not a scheduled task, and not on demand, but immediately after the upgrade. Being located 1700 miles away from the office, and during a pandemic where no one else is in the office on a regular basis, it took a full week to get someone in there to turn these computers on. Fortunately, they were computers that were not in use by anyone, so were perfect candidates for this upgrade. Of course, I can't risk updating any other computers to 7.3 until this is confirmed as resolved.

The script uploaded to VT is the initiator script that will run the payload script that has been previously dropped here: C:\updatewins.js . As such, this JavaScript itself is not malicious; the script in the C:\ root directory is. Hence why no one on VT detects the initiator script. Full analysis of this initiator script is here: https://www.hybrid-analysis.com/sample/1b1640edb3f7213f4338c6e0017a1b9028c6b324d64f3e63c09169540e82f4a5?environmentId=120

Got it from VT. In fact, it's not detected because of the extension but with a correct extension it would be detected: updatewins.js - JS/Kryptik.BPU trojan. The detection was created between Feb 17-20. We'll adjust it so that such files can be normally detected.

I don't think it's possible. Moreover, I can't think of a good reason to not use the latest installer.

Yes, it was a false positive created by the mechanism for automatic generation of detections.

It should be fixed in the upcoming module update.

Yeah, the problematic driver that we saw in another case with BSOD was from 2016 too. Please uninstall v7.2 in safe mode and install 7.3 after starting Windows in normal mode.

After update to new version it works. Thanks

Release Date: May 28, 2020 ESET Endpoint Antivirus and ESET Endpoint Security version 7.3.2032.0 have been released and are available to download. Changelog: Version 7.3.2032.0 Added: Compatibility with future Windows 10 major update, due in H1 2021 Fixed: Detected files were blocked also when only reporting was enabled Fixed: An on-demand scan launched from the ESMC console could shut down the computer even if this post-scan action was not selected Upgrade to Latest Version Upgrade my ESET Endpoint products for Windows to the latest version IMPORTANT NOTE: After upgrading from an older version of Endpoint to v7.3, a computer restart will be required for antivirus protection to work. Make sure to upgrade machines during a maintenance window when you can afford to reboot them. To reboot the machine automatically when sending a software install task from the ESMC console to clients, select the appropriate option: Support Resources ESET provides support in the form of Online Help (user guides), fully localized application and Online Help, online Knowledgebase, and applicable to your region, chat, email or phone support. Online Help (user guides) Visit www.eset.com/contact to email ESET technical support

Since you are in the official ESET forum, the answer is clear Anyways, it's a good practice also to try various products to find out if a particular AV works alright on your machine. It can happen that an AV with excellent results in tests causes performance issues in your environment and vice-versa. Should you encounter an issue while trialing ESET, you can ask here for assistance.

Updated today to the stable version of build 2004 and haven't seen any issues. Seem to be slowly rolling it out now

Hi, a quick update to this older thread. With the upcoming update of the Archive support module (v1303, currently on pre-release servers) it should be now possible to remove macros from office documents in incoming emails, even in previously released Mail security products. If you define a custom rule with Attachment type condition, select "Office files/Generic OLE2 Compound Document", and choose Quarantine attachment (or Delete attachment) as an action, Office documents will be delivered without any macros. Note: you can of course combine additional conditions in the rule to target it to specific groups or types of emails. Matej

Seems that creating the following rule is sufficient: Name: Allow Teams Helper App: /Applications/Microsoft Teams.app/Contents/Frameworks/Microsoft Teams Helper.app Action: Allow Direction: In Protocol: TCP & UDP Ports: Remote Remote Port: All Destination: Entire internet

With EDTD, any file potentially carrying malware is submitted for analysis in the cloud where the file will be run. Based on the behavior analysis and evaluation by 3 different machine learning models, the file is then evaluated either as malicious, highly suspicious, suspicious and probably clean. EDTD can be configured to block access to files downloaded by browsers or email clients until a result of EDTD analysis is received. Let's assume a spammed VBA office document with a malicious macro that is not covered by a detection. Without EDTD: A user receives the email and opens the attachment. Since there's no detection for it yet, it will be run. Depending on what it does, further operations may be detected by some of the protection modules (e.g. if it downloads payload from a blocked url, web access protection will block the download). If it dropped payload and ran it, the payload could be detected by Advanced memory scanner, Deep Behavioral Inspection, etc. upon execution. It could also happen that it wouldn't do anything that could be detected by other protection modules. The user would need to wait until the next module (engine) update to get the malicious document detected. With EDTD: The user receives the email. The attachment is sent to EDTD. The user attempts to open the attachment but EDTD blocks the operation (results from analysis have not been received yet). During the analysis the document is evaluated as malicious (e.g. the detection has been added in the meantime, the behavior of the document was suspicious, etc.). Once the analysis has completed, all machines in the organization are informed that the file is malicious and Endpoint on machines acts accordingly, ie. blocks access to the malicious document.

Since you seem concerned about various Eset network outbound connections, here's a list of IP addresses and URL's used by various Eset products and features within: https://support.eset.com/en/kb332-ports-and-addresses-required-to-use-your-eset-product-with-a-third-party-firewall

It's a perfectly legitimate connection: https://knowledge.digicert.com/generalinformation/INFO4987.html

ESMC should be installed only on server systems. We do not recommend nor guarantee that installing it on Windows 10 home will work. Is the Tomcat service running? Please check this out: https://support.eset.com/en/kb6752-apache-tomcat-is-not-running-service-could-not-starthow-do-i-fix-this-problem-esmc-7x Does it work if you access it via http?

Does creating a permissive bi-directional firewall rule for the following app help? /Applications/Microsoft Teams.app/Contents/Frameworks/Microsoft Teams Helper.app

Ok Live installer it is. Just a synonym but the meaning should be the same. The live installer can still determine the OS and install the full product from online and then install it. Maybe it would be even possible to implement something like multi-threaded download so that the download speed should be fast unlike the in product download speed which is terribly slow for me which is also I mentioned above. Is 85 mb would be the size of the installer for the whole package? I see that ESET currently downloads around 150 mb during the first update. So if the compressed version in an offline installer is only 85 mb then I think that's not big at all. That's probably the smallest I've seen. Even with my not so good internet it would only take over a minute to download that. Even a 150 mb installer shouldn't be considered huge and many other AVs have a lot larger ones. Also like you said, the live installer's job is to download the product without worrying about OS versions, etc so most people are likely to download the live installer anyway so a 85 mb or even a bit larger optional offline installer is fine and seems more appropriate than the current one.

Have full control over devices connected to the account, like remote updates, remote settings, remote scanning etc.

Description: Products updateDetail: Verify if the installed products are up to date

This may happen if the previous version was not uninstalled properly and there are some leftovers in the registry. Try running the Uninstall tool in safe mode first: https://support.eset.com/en/kb2289-uninstall-eset-manually-using-the-eset-uninstaller-tool

Try out both and compare them yourself ... its depend upon the System your are using .. which one will be compatible for you

I use Automatic firewall myself now (used to use interactive mode). I believe you can disable Chrome updates without the need for the firewall https://www.makeuseof.com/tag/stop-automatic-chrome-updates-windows/ This will at least stop chrome updating automatically itself. You could run the firewall after than it interactive mode and try to update and possibly tell eset to block it however you may block the wrong thing.

In regards to what this malware JavaScript malware does, a few observations. In addition to other system modifications, it creates a new network service. It also creates a copy of wscript.exe in the C:\Users\Public directory. Assumed it is using that copy to execute any additional scripts the malware deploys. So if one is indeed using Eset HIPS to monitor wscript.exe startup, you would have made target application in the rule C:\Windows\System32\wscript.exe. As such, this rule will not detect wscript.exe startup from any other directory location. This gets us to Eset's "stone age" HIPS capability. I for one have "been harping" for some time about the lack of global wildcard capability. That is a specification such as *\wscript.exe that would detect wscript.exe PE use regardless of where it is located. -EDIT- How this would be deployed is one "ask" HIPS rule for C:\Windows\System32\wscript.exe. Then one "block" HIPS rule for *\wscript.exe. This would also enable blocking of abused legit "living of the land" utilities such as those included in the SysInternals suite; e,g. PsExec, that can be maliciously deployed from any directory. BTW- the dropping of executable's into the C:\Users\Public directory is a technique used by North Korean hackers. One possible source where the malware is originating from.

Hello, Device ID in MDM database is pseudorandom due to google privacy policy (unless device is enrolled in Device Owner mode). To remove device from MDM run stop managing task wait a few minutes (due to replication), EESA should be uninstalled if device still has connectivity. It should be safe then to remove device from ESMC console. Devices which receive stop managing task have DeEnrollmentFlag set to 1 in Device table (I believe since 7.0 version) if there's a quirk and it's not removed automatically. HTH, M.

Most likely you are still on an older engine. The current one is 21448 which doesn't detect the file any more and 21449 is going to be released momentarily.

ESET should protect you against all known ransomware variants and also against the majority of new, not yet created variants. However, I'd like to emphasize the importance of keeping RDP secured, having all critical OS updates installed and practicing safe computing, otherwise even the best AV could get disabled by attackers.

Yep, works now, thanks.

Marcos, Thank you for your help. I was told that it was not possible to merge the two licenses.

gary11111, Please try to open B&P from the shortcut and go to your bank site, FF should work fine for you this way. With FF and ESET banking and payment a separate profile is created. You may set your personal security you wish FF to use with B&P in this profile by just opening B&P and choosing FF "options" while in the B&P window (you can use tighter security than normal browser for example). Personally I love this method of operation, I have just my secure payment sites in the B&P profile. I open B&P from the desktop shortcut when I want to have its extra level of protection while making payments. I even organize my favorites in that profile making the house finances very efficient. Getting every site to open as desired is quite a challenge with modern site design. If you supply your bank site the moderators may be able to pass that on to developers to see why it is not opening automatically. I hope this may help in your enjoyment of ESET, in my opinion one of the best -- ebill

that's a great news. we are waiting for it. thanks a lot!

Hello tbsky, thank you very much for your post, don't worry, we plan to release mentioned versions in the middle of November. Stay tuned!