About Marcos

  1. Did you upgrade from an older version? If so, does installing EEA v6.5 from scratch solve the issue?
  2. Unfortunately, files encrypted by Filecoder.Crysis (.wallet) cannot be decrypted. We recommend keeping them in case decryption becomes possible in the future. Were the encrypted files located in shares that other users (or everyone) can write to? Do you have ESET configured for maximum protection, i.e. is LiveGrid enabled and working? You could provide me with logs collected by ESET Log Collector to review your ESET configuration.
  3. Did you export the CA certificate from the former server? (Export all Certification Authority Certificates from your ERA Server and save each CA certificate as a .der file.) Did you import it on the new one? (Import all CAs exported from your old ERA Server. To do so, follow the instructions for importing a public key.)
  4. The JavaScript used on the website is obfuscated in a way that malware authors obfuscate malicious scripts to evade detection, which is why it's detected. For more information about why we don't recommend using this kind of obfuscation, see You can add this particular website to the list of URLs excluded from protocol filtering to avoid detection.
  5. I still see this awful obfuscated code there: The owner of the website should replace it either with an image or non-obfuscated script.
  6. According to your screenshot, you've picked the wrong product. Instead of "ESET File Security for Windows Server (v6+)", you've picked "ESET Endpoint for Windows", which is why it's not applied on EFSW.
  7. The padlock next to the LiveGrid setting means that it's enforced by a policy. Please check client details in the ERA console and check the policies that are applied. Make sure the setting is enabled.
  8. 1, In order to inject a fake verifier DLL, one would have to modify values for ekrn.exe and egui.exe under IFEO, but these have been protected by self-defense since v4.2.
     2, We are aware that some non-crucial processes are not currently protected by self-defense; however, in order to modify the registry an attacker would have to gain admin rights. Even if that happened, it wouldn't make much sense to spend time injecting a malicious DLL into an unprotected, less important process just to disable protection, for instance, as this could be done directly via the GUI once an attacker gains admin rights. Needless to say, in such a case he or she can do much more damage to the system or data than just disabling the AV.
     3, They claim: "Microsoft has provided a new design concept for antivirus vendors called Protected Processes. The new concept is specially designed for antivirus services. Antivirus processes can be created as “Protected Processes” and the protected process infrastructure only allows trusted, signed code to load and has built-in defense against code injection attacks. This means that even if an attacker found a new Zero-Day technique for injecting code, it could not be used against the antivirus as its code is not signed. Currently no antivirus (except Windows Defender) has implemented this design. Even though Microsoft made this design available more than 3 years ago." Really? On systems with ekrn running as a protected service, unprotected processes have no access to it.
  9. Since this will need a deeper analysis, I'd recommend contacting your local customer care and providing them with:
     - advanced personal firewall pcapng log
     - the output from ESET Log Collector tool
     To generate an advanced personal firewall pcapng log, open the advanced setup and temporarily enable it under Tools -> Diagnostics. When done, restart the computer, reproduce the duplicate IP address detection and then disable logging. Next collect logs using ESET Log Collector (will also include the pcapng log) and provide the output to Customer care for further analysis.
  10. If you enable LiveGrid manually, does it stay enabled? Also could you confirm that you installed ESET File Security or ESET Mail Security 6.5 on the server?
  11. Please clarify what problem you have with querying ESET cloud servers with hashes of files and URLs. Apologies, I misread your initial post.
  12. HIPS is a critical protection feature similar to real-time protection in terms of importance. Disabling HIPS also disables:
      - Self-defense
      - Advanced Memory Scanner
      - Exploit Blocker
      - Anti-ransomware protection (currently present only in home version 10 but the plan is to get it to Endpoint too)
      That said, by disabling HIPS you substantially reduce the protection capabilities of ESET Endpoint and expose the computers to risk when it comes to newborn malware. Doing so causes Endpoint to be more dependent on definition updates, creating a gap during which computers are more vulnerable to malware attacks. Nevertheless, if you want to take the risk, you can disable changing the protection status if HIPS is disabled under Tools -> Application statuses.
  13. The version of your ESET NOD32 Antivirus or ESET Smart Security matters. As I wrote, if you use v7 or older, once these versions reach end of life further updates will not be guaranteed by ESET. With v8 installed, the upgrade notification window can be suppressed for the next few months until some time before the end of its end of life which is likely to happen next year. The main reason why users should use the latest version of a security program is that only this way they can be protected to the maximum extent against newly emerging threats. Needless to say that new versions bring other fixes and improvements under the hood, such as much lower memory consumption and performance improvements introduced in v10.
  14. Unfortunately, you didn't mention what version of EAV/ESS you have currently installed. For instance, according to, v7 will be discontinued towards the end of this year and no further definition and module updates will be issued. Currently only v10 provides maximum protection against newly emerging threats and especially against ransomware (Filecoders).
  15. What actual issues are you having with the upgrade? The records in the HIPS log are probably normal and not a sign of issues. Diagnostic HIPS logging should only be enabled for a limited time to troubleshoot HIPS-related issues.