Marcos

How long does it take to scan only WMI and the registry? Would you be willing to try the previous version to measure the time of the initial scan?

How long does the scan take for you with and without WMI & registry selected ? Scanning these newly added objects should take a few minutes, not dozens of minutes or hours.

On my system I scanned WMI and the registry, 16216 objects in total, which took 3 minutes: Number of scanned objects: 16216 Time of completion: 12:44:08 PM Total scanning time: 191 sec (00:03:11) WMI and registry scans are a part of the initial scan and in-depth scan which may now take several minutes longer because of this. They are also scanned when you click "Scan your computer" (don't confuse it with the Smart scan profile). Since more objects are scanned, slightly longer scan times are expected.

I would recommend collecting logs as per https://support.eset.com/en/kb6159-run-the-info-getcommand-on-a-linux-virtual-machine-and-send-the-logs-to-eset-technical-support and opening a ticket with your local ESET support.

On Windows you can use Procmon to find out if and in which file ESMC server is logging to.

Thanks for confirmation. Do you think it would be possible to arrange a remote session as soon as possible? Or if you can do it yourself, we'd need you to ask to install AppVerifier, in safe mode run appverif.exe, press CTRL + A (find the ekrn.exe file in c:\ProgramFiles\ESET ...) and leave the Basic checks defaults. Next configure Windows to generate complete user dumps as per https://docs.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps. In particular: Create the registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\ekrn.exe Under this path create the value DumpFolder of type REG_EXPAND_SZ Set this value to the path on the disk where the dumps will be created. For example C:\dump Create the value DumpType of type REG_DWORD and set this value to 2. Reboot Windows to normal mode Run "procdump.exe -ma -e 1 -n 10 ekrn.exe" as an administrator Reproduce the issue and wait until a dump is generated at the path you have specified before.

Make sure that you are using a supported browser. Try it with Chrome and Firefox. On my mobile phone the website you sent me through a PM was blocked by ESET Mobile Security. Make sure that this test page is blocked: https://www.amtso.org/check-desktop-phishing-page/

By default, neither the registry nor WMI are selected as scan targets in the Smart scan profile: Scanning these objects is slower than scanning actual files which also is why these options were not there before but eventually we decided to enable users to scan them, e.g. in case there are some leftovers from an infection which were not cleaned automatically.

Please create a dump of ekrn via the advanced setup -> tools -> diagnostics -> create. Then collect logs with ESET Log Collector and upload the generated archive here.

It is generally not a good idea to disable AV and play with malware samples on a real machine. What you can do is to check for registry changes reported by app.run on your machine and revert the necessary values.

@junyuanma, does temporarily disabling the startup scan tasks in Scheduler and rebooting the machine make a difference?

It's ok. If you run 2 scans, 2 scans will run. There's no limitation to run only 1 scan at a time.

The only known issue with v13.2.15 is that the registry and WMI scanners attempt to scan also non-existing objects. This will be fixed via a module update soon. As for other issues, I'm not aware of other users having reported them with one exception. Please report them to your local ESET support with steps how to reproduce them. If necessary, the support will ask for further logs necessary for troubleshooting. As for a bug-free software, there's nothing like that. We don't live in a perfect world and every software maker releases new versions and updates to address reported issues. Even Microsoft releases monthly updates with fixes.

Please carry on as advised here:https://forum.eset.com/topic/24746-av-is-blocking-loading-webpages 1, Download Procdump from https://docs.microsoft.com/en-us/sysinternals/downloads/procdump 2, Temporarily disable self-defense in the HIPS setup and reboot the machine 3, Immediately after the reboot run Procdump as an administrator: "procdump -ma -e 1 -n 10 ekrn.exe" and wait until the issue occurs. When the issue occurs, procdump should generate ekrn dumps. Please provide them to us.

I mean newly created and modified files

You can temporarily disabling Self-defense in the HIPS setup. A computer restart will be needed for the change to take effect. If somebody could provide dumps instantly, please do so; we are eagerly waiting for them to figure out the root cause of the issue.

Does the scan take long even if you don't select WMI and registry as scan targets?

It's possible to use the PASSWORD="%password%" parameter (https://help.eset.com/era/53/en-US/idh_ra_remoteinst_commandline.html) from the command-line.

It's not supported for security reasons. Otherwise malware or attackers could remove AV protection easily.

I would not recommend creating exceptions. The website loads a javascript from another suspicious website. The domain is registered via Namecheap and registrant information is protected.

Eamsi.dll is loaded into browser processes as far as I can see. I assume it has no effect on games.

I guess the wording could be better and read "Consumed seats" and "Available seats" or something along that line. "Available devices" means that you can activate the license on 1 more device.

Correct. However, I don't see any good reason for not updating modules automatically.

It's enabled for newly created and modified by default which is enough. Moreover, web access, email protection, startup scanner and idle-state scanner have it enabled by default too.

Does temporarily pausing the firewall make a difference?