Everything posted by Marcos

  1. If you are behind a firewall, please make sure that ESET (ekrn.exe) can access activation servers as per the KB https://support.eset.com/kb332/. Also make sure that the proxy server is configured properly in the advanced setup -> Tools -> Proxy server. If you don't use any, make sure it is disabled.
  2. This has been discussed here recently. To sum it up:
     - There is nothing like 100% malware detection / protection. Every antivirus misses threats, some less, some more. ESET uses various protection modules that protect users at different layers. For details about ESET's protection layers, please read more at https://www.eset.com/int/about/technology/.
     - There are tens of thousands of new malware variants that emerge on a daily basis. Every test has a very limited test set. This particular "tester" works for Emsisoft as he stated on the web. To avoid suspicion of biased verdicts, testing should be left to prestigious organizations, such as AV-Comparatives, SE Labs, AV-Test, Virus Bulletin, etc. These reputable testing organizations adhere to AMTSO testing principles and:
       1. provide AV vendors with samples or hashes of missed files for verification and give vendors time to dispute detections,
       2. perform real-world tests to reflect real-world scenarios as much as possible.
     Neither of these happened in this case; we didn't have a chance to verify and dispute detections, nor was the test performed in real-world conditions, and at least one important protection layer was skipped in the test.
  3. Marcos

    Offline Update

    By offline you mean that there is no single computer in LAN with Internet connection? Otherwise you could install an HTTP server on the computer with Internet connection that would have connectivity limited to ESET's servers and would cache update files. It's also possible to copy the content of a mirror to a removable medium and use it to update other offline computers from it.
  4. Marcos

    WhiteList or BlackList

    It should be possible but it'd be dangerous since updates of the operating system might render it unbootable if no permissive rule for a newly created executable important for the OS to start existed.
  5. We have at least 16 Filecoder families for Linux so while Linux is basically a safer OS, it doesn't mean it can never get infected. The main problem was that an attacker remoted in via RDP (Remote Desktop) and uninstalled ESET. If a Windows system is properly secured, the chances of getting infected can be minimized. Also had ESET been password protected and detection of potentially unsafe applications enabled, it wouldn't have been possible to uninstall or disable ESET easily.
  6. Marcos

    modules update failed

    Please gather logs with ESET Log Collector and provide me with the generated archive.
  7. I'm gonna drop you a personal message with instructions on how to check the server for vulnerabilities.
  8. Marcos

    Domain is blacklisted by ESET

    There was malware in the past on the host. Since it's been removed in the meantime, the website was unblocked. We recommend sending a follow-up email to samples[at]eset.com if an issue has not been resolved within 2 work days. Send the email from the same email address and use the same subject but use the prefix "[Resent]", "[Follow-up]" or something along this line to make it clear that it's a follow-up submission. While we do our best to respond in a timely manner, it may sometimes take longer.
  9. Please post a screenshot of the pop-up notification since it's not clear if it's the automatic device scan feature or Device control which is triggering it.
  10. Please read https://forum.eset.com/topic/17810-eset/. Files were encrypted by Filecoder.Crysis, i.e. decryption is not possible. If you had ESET installed at the time of infection, most likely an attacker remoted in via RDP and disabled or uninstalled ESET prior to running the ransomware. It is crucial that you secure RDP since it's a typical infection vector in case of Filecoder.Crysis, and no security program will be able to protect you 100% if an attacker manages to get in with administrator rights. Last but not least, never underestimate the main rule to always back up crucial files on a separate drive and avoid connecting it to already infected systems.
  11. Marcos


    If you purchased the license from ESET's website, contact LLC at the number listed on https://www.eset.com/us/ or use the support form to create a ticket.
  12. Marcos


    Unfortunately, files encrypted by Filecoder.Crysis (aka Dharma) cannot be decrypted. It is very likely that an attacker performed a brute-force RDP attack, disabled or uninstalled AV and ran ransomware to encrypt files. I'd strongly recommend uninstalling Endpoint v5 and installing the latest v7, which also contains Ransomware shield and Network attack protection and also supports streamed updates for a quick response to new threats. Also it is crucial that you secure RDP, e.g. by using 2FA, using RDP only within your LAN and using VPN for remote access, using RDP lockout policies, restricting RDP access on a firewall only to specific IP addresses, etc.
    Please email the following stuff to samples[at]eset.com:
    - a couple of encrypted Office documents
    - payment instructions dropped by the ransomware
    - ESET Log Collector logs (upload the archive to a safe location, such as OneDrive, DropBox, etc. and provide a download link)
    - a link to this topic
    It is important to understand that installing only an antivirus program without taking other security measures will not ensure safety. If an attacker remotes in with administrator rights, he or she can do virtually anything. However, even if that happens, having password protection of settings as well as detection of potentially unsafe applications enabled should prevent him or her from successfully running malware, which probably wasn't the case here either.
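Posts 10 and 12 describe the same sequence: an RDP brute-force attack, a successful logon, then the attacker disables AV and runs the ransomware. The following is an added detection example (not from the post and not ESET's code) that flags that sequence in Windows Security events; the event records are constructed sample data, and the event IDs 4625/4624 and LogonType 10 (RemoteInteractive) are standard Windows values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records (not real data):
# (timestamp, event_id, logon_type, account, source_ip)
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP session.
SAMPLE_EVENTS = [
    ("2019-10-01T02:00:01", 4625, 10, "Administrator", "203.0.113.7"),
    ("2019-10-01T02:00:03", 4625, 10, "admin",         "203.0.113.7"),
    ("2019-10-01T02:00:04", 4625, 10, "backup",        "203.0.113.7"),
    ("2019-10-01T02:00:06", 4625, 10, "Administrator", "203.0.113.7"),
    ("2019-10-01T02:00:09", 4625, 10, "Administrator", "203.0.113.7"),
    ("2019-10-01T02:01:30", 4624, 10, "Administrator", "203.0.113.7"),
    ("2019-10-01T08:15:00", 4625, 10, "jsmith",        "192.0.2.10"),
    ("2019-10-01T08:15:20", 4624, 10, "jsmith",        "192.0.2.10"),
    ("2019-10-01T09:00:00", 4625, 2,  "svc",           "192.0.2.11"),  # console logon, ignored
]

def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: {"failures": n, "success_after_burst": account_or_None}}.

    A source IP is flagged once it produces `threshold` failed RDP logons inside
    a sliding `window`. A later successful RDP logon from a flagged IP is recorded
    as well, because that is the point at which the attacker is inside and can
    start tampering with protection software.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    alerts = {}
    for ts, event_id, logon_type, account, ip in sorted(events):
        if logon_type != 10:      # only RemoteInteractive (RDP) logons matter here
            continue
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            q = recent[ip]
            q.append(t)
            while q and t - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                entry = alerts.setdefault(ip, {"failures": 0, "success_after_burst": None})
                entry["failures"] = max(entry["failures"], len(q))
        elif event_id == 4624 and ip in alerts:
            alerts[ip]["success_after_burst"] = account
    return alerts

if __name__ == "__main__":
    for ip, info in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, info)
```

A single failed logon from a known user (192.0.2.10 above) never reaches the threshold, so only the burst followed by a success is reported; an account lockout policy, as the post recommends, stops the burst before it gets that far.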
  13. Please read https://support.eset.com/kb5827/.
  14. Marcos

    Trial version - Remote Administrator

    Please contact your local distributor who will generate a trial license for the products you need. Not sure if you would like to test only Endpoint + ESET Security Management Center or you'd be also interested in products for mail or file servers as well. Recently we have also introduced ESET Dynamic Threat Defense for a quick response to suspicious files found within computers in your company. Mail server products allow for deferring emails while suspicious or potentially dangerous undetected attachments are analyzed by EDTD. Last but not least, we have recently introduced an EDR solution, ESET Enterprise Inspector, for monitoring activities in a client's network, warning an administrator or CSO of potential security issues based on custom or pre-defined rules created by malware analysts, who can then respond to potential threats by taking the appropriate action (immediately block files based on hash, create an exception to reduce false positives, etc.) or use the information provided by EEI to mitigate further attacks.
  15. Try uninstalling Endpoint, run the following commands and install it from scratch:
      rm -Rf ~/.esets
      rm -Rf "/Library/Application Support/ESET"
  16. Since this forum is not a channel for reporting and disputing detections or blocks, please report the block to ESET as per the instructions at https://support.eset.com/kb141/. Having said that, we'll draw this topic to a close.
  17. Make sure that:
      - SSL/TLS filtering is enabled and works (in case you want to block https websites)
      - a leading and trailing asterisk is used, i.e. *domain.com/*
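To show why the leading and trailing asterisks in post 17 matter, here is an added example (not from the post and not ESET's own matcher) that models a URL mask in which * stands for any run of characters and ? for a single character, and checks a few constructed URLs against masks with and without the asterisks.

```python
import re

def mask_to_regex(mask):
    """Translate a URL mask into an anchored, case-insensitive regex.
    '*' matches any run of characters, '?' exactly one; everything else is literal.
    This is a constructed model of the mask syntax, not ESET's implementation."""
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def url_matches(mask, url):
    """True if the whole URL is covered by the mask."""
    return mask_to_regex(mask).match(url) is not None

def matching_masks(masks, url):
    """Return the list of masks that would block the given URL."""
    return [m for m in masks if url_matches(m, url)]

# Constructed test URLs: scheme and path are part of what the filter sees,
# so a bare "domain.com" never matches a real request.
REQUESTS = [
    "https://www.domain.com/login",
    "http://domain.com/",
    "https://cdn.domain.com/a?b=1",
    "http://not-domain.com/index",   # over-match caveat: also matches *domain.com/*
]

if __name__ == "__main__":
    for url in REQUESTS:
        print(url, "->", matching_masks(["domain.com", "*domain.com/*"], url))
```

Note the last URL: "*domain.com/*" also covers "not-domain.com", so a tighter pair of masks such as "*://domain.com/*" and "*.domain.com/*" is safer when the rule is a block rather than an allow.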
  18. First of all, uninstall EFSW v6.2 and install EFSW v7. Should the problem persist, please carry on as follows:
      - configure Windows to generate complete memory dumps as per https://support.eset.com/kb380/ (a reboot will be required)
      - reproduce the crash
      - compress the complete memory dump
      - gather logs with ESET Log Collector
      - upload both archives to a safe location (e.g. Dropbox, OneDrive, etc.)
      - contact your local customer care and create a regular support ticket with a description of the issue and links to the archives enclosed
      - drop me a personal message with the links as well
      Last but not least, I'd recommend disabling driver verifier. Do you have it enabled for all drivers? For what reason?
  19. V4 is an ancient version which does not provide sufficient protection against current threats and is not supported any more either. Uninstall it and install the latest Endpoint v7 (or 6.5 in case of WinXP) asap without disabling any protection features or default settings. After activation and update, run a full scan and reboot the machine after the scan has completed. Should the problem persist:
      - gather logs with ESET Log Collector (select Threat detection in the ELC menu)
      - Procmon boot log
      Upload the stuff in an archive encrypted with the password "infected" to a safe location and email samples[at]eset.com, providing a download link as well as a link to this topic.
  20. Marcos

    Eset 7.0 tampers with https traffic

    Expired certificates will be handled by the browser itself soon. This change has already been made in consumer products through a module update with Endpoint to follow soon.
  21. Marcos


    Check the installed applications and browser extensions and remove those that you don't know for sure are 100% clean. If that doesn't help, run a full disk scan with detection of potentially unsafe and unwanted applications enabled.
  22. I would appreciate it if you could provide me with some examples of such malware. If new malware was not recognized and managed to run, it would have been detected and cleaned by a startup scan, which is run after an update or when the system starts.
  23. Does the issue still persist?
  24. Marcos

    Critical error during installing EM Agent v7

    The cause of the failure is:
    ERROR: CNativeSqliteConnection: Unable to open database. Reason: unable to open database file, Code: 14
    Maybe a Procmon log would shed more light. I'd suggest contacting your local customer care so that the case is properly tracked.
  25. Marcos

    SCCM & ESET All In One errors

    Never saw this kind of error. What application reports it? Please post a screenshot for clarification.