Everything posted by Marcos

  1. Please make sure that the detection is disabled: It is disabled by default since some legitimate applications may use ICMP for communication in a non-standard way. The detection is disabled by default and will probably be removed from the setup in the future.
  2. There is nothing to worry about. While we internally recognize Ransim, it's a simulator that doesn't do any harm and whether an AV passes the test or not doesn't tell anything about how well the AV protects against actual ransomware or other types of malware.
  3. Unfortunately I still don't get what the problem is. If you mean that ESET does not appear in the App Lock list of installed applications, then the behavior is correct.
  4. The current beta version of Catalina is not final yet. At the time of the final release, which is expected in October, ESET's products will be fully compatible with it. Without downgrading to the latest stable release (Mojave) it's not possible to install ESET.
  5. If I understand it correctly, you're unable to run uacinstall.vbs either from the temp folder or from any other folder, but if you give a VBS script a different name, it can run. Correct?
  6. Not true, it takes VT some time to update. Plus VT doesn't take into account when a particular file was blacklisted in LiveGrid which happened hours ago.
     ECLS Command-line scanner, version 7.0.2097.0, (C) 1992-2018 ESET, spol. s r.o.
     Module loader, version 1018.1 (20190709), build 1054
     Module perseus, version 1554.1 (20190731), build 2050
     Module scanner, version 20053 (20190920), build 42838
     Module archiver, version 1291 (20190823), build 1305
     Module advheur, version 1193 (20190626), build 1175
     Module cleaner, version 1195 (20190610), build 1293
     name="70e50d0eae76044b3c022cdb423bd47e525a8891", threat="Win32/Filecoder.NXW trojan"
  7. I'm unable to reproduce it with or without uBlock. Please enable advanced protocol filtering logging in the advanced setup -> tools -> diagnostics, reproduce the detection of untrusted certificate, then stop logging, collect logs with ESET Log Collector and upload the generated archive here.
  8. Maybe they've changed the certificate recently? I'm not getting a notice about untrusted certificate:
  9. I'd strongly recommend uninstalling EEA v5 and installing the latest EEA v7.1. Instead of updating from a mirror, I'd suggest using ESET HTTP Proxy to cache downloaded files and thus save network traffic. Also when updating from a mirror you lose streamed updates that are downloaded every few minutes and thus ensure maximum protection against newly emerging threats. As for the malware, it seems to be spreading from a remote share. Does temporarily disconnecting the machine from LAN stop malware detections? Please carry on as follows:
     - upgrade Endpoint on the machine to v7.1. Ideally install Endpoint from scratch, i.e. uninstall v5 first.
     - run a full disk scan
     - collect fresh logs with ELC and upload the generated archive here.
  10. It doesn't seem like malware behavior. What link did you click? What urls opened in tabs? Note: when posting links, make sure they are non-clickable.
  11. Alternatively you can migrate to a new server installed in English. For instructions, please refer to the links above. It's up to you which way you choose; whether you'll do manual translation or install an English version of the ESMC server and migrate clients to it.
  12. It's a PoC with an encryptor and decryptor in one. The instructions for decryption say: "Run the ransomware in the command line with one argument, decrypt. Example: GoRansom.exe decrypt". So detecting the sample would mean that users would not be able to decrypt files if it was detected and blocked by ESET.
  13. Let's try it with the next version when available which will not wait for WSC to respond on a check on system startup.
  14. Please provide a screen shot of the message you received. Was it really a notification about a marketing message or a marketing message itself that popped up?
  15. For a start let's check C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs\status.html and trace.log for details about the problem. You can post status.html here as well. If agent is not reporting to your ESMC server because its IP address or certificates have changed, re-deploy agent with a correct address of the ESMC server and the current peer and CA certificates.
  16. In case of self-signed untrusted certificates ESET doesn't ask for an action and leaves the decision to the application (browser / email client) as though it was not filtering SSL. It is not clear to me for what purpose you'd like to use interactive SSL filtering mode; interactive mode (be it in fw, HIPS, etc.) cannot be used in an environment where settings are either password protected or configured via a policy or where the user doesn't have administrator permissions to save settings.
  17. You have removed the logs. Any reason for that?
  18. You can change the language on the logon screen: If you change the language you'll receive a pop-up notification that objects created during installation will stay in the original installation language (German in your case). You can backup the database and certificates and re-deploy the ESMC server which you'll install in English. Please refer to https://help.eset.com/esmc_install/70/en-US/migration_same_version.html?migration_same_version.html for instructions on how to perform server migration.
  19. If it's easy to reproduce, the best would be to get a complete memory dump from unresponsive state. For instructions on how to configure Windows to generate complete memory dumps and how to manually trigger a crash to generate one, please refer to https://support.eset.com/kb380/.
  20. For a start, please provide logs collected with ESET Log Collector. Feel free to post the generated archive here since attachments are not available to other users than ESET's staff.
  21. Please drop me a personal message with your email that was used to create the Password Manager account. By the way, the public ID is not confidential; it cannot be misused for anything. That's why it's called "public" so you don't need to worry about having it posted anywhere publicly.
  22. The app is correctly classified as potentially unwanted. The PUA detection is optional and it's at user's discretion if it will be enabled or not. Even if the user opts for detection and comes across a PUA that he or she thinks outweighs possible risks, it can be excluded from detection. For information on what PUAs are, please refer to https://support.eset.com/kb2629/. Since this forum is not a place for disputing detections, we'll draw this topic to a close.
  23. You can try creating a simple test file test.vbs with the following code inside: wscript.echo "Hello"
  24. The file C:\Users\Jamie Jarvis\AppData\Local\Temp\uacinstall.vbs was dropped and wscript.exe read it successfully. Couldn't it be a policy or another 3rd party software that would block execution of VBS scripts from temporary folders? If you put your own vbs script in that folder, are you able to execute it?