Marcos

Administrators
Everything posted by Marcos

  1. Please make sure that you enter the password correctly. The password is case sensitive.
  2. To start off, please collect logs with ELC, upload the generated archive to a safe location and drop me a personal message with a download link.
  3. I can't tell now how they will be detected but I'd like to have a generic detection for similar malware.
  4. Please move the following files elsewhere, e.g. to c:\!eset, and reboot the machines:

      Evelyn: c:\windows\system32\tasks\a0d88a9b-c6fc-5f0a-199ecc066929f55b
      Marcelo: c:\windows\system32\tasks\8d4f1036-2a47-533a-5234b217253d09ac
      Mnunez: c:\windows\system32\tasks\7db67a1a-1f84-5fad-933343f1082c255a
      Sonia: c:\windows\system32\tasks\eadb615c-36a6-5fb5-5273d4f164f0ff69

      Then encrypt the files with the password "infected", upload the archive to a safe location and drop me a message with a download link. Only after I acknowledge receipt, delete the files.
  5. I'm gonna check the logs. In the meantime you can try switching to pre-release updates so that the latest cleaner module with improved scanning and cleaning of WMI malware is downloaded.
  6. Disabling HIPS was not suggested as an ultimate solution to the issue. Now please re-enable HIPS, disable Advanced Memory Scanner and reboot the computer. Let us know if the issue is gone or not.
  7. A vs B discussions are not allowed. You can try both products and choose the one that suits you best. ESET products have very small footprint and employ various technologies to protect you from newly emerging malware. For more information, please read https://www.eset.com/int/about/technology/.
  8. Is it detected upon execution? Does temporarily disabling HIPS and rebooting the machine make a difference?
  9. No and it's very unlikely that the authors, police or someone else will ever disclose a master decryption key.
  10. If you create an Ubuntu boot disk, does it work with your graphic card alright?
  11. Please check C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs\status.html and trace.log for possible errors.
  12. I don't see any reason why this would be blocked by ESET. Does renaming ekrn.exe in safe mode have any effect?
  13. As for the blocked communication from the notebook, engineers confirmed that none was blocked. The only blocked packet in the log was the following one, probably because of the zero length:

      63608 8849.616791 2018-02-23 15:37:17,302570 192.168.0.10 192.168.0.14 UDP 42 5355 → 50416 Len=0 BLOCK

      Please try the following:
      - Disconnect the notebook from your network
      - Disable firewall on the notebook
      - Enable advanced firewall logging on the computer
      - Restart the computer
      - Connect the notebook to the network and reproduce the issue by attempting to connect to the computer
      - Disable logging
      - Collect logs with ELC.
  14. Speaking about smart TVs, today we've unveiled ESET for Smart TVs running on Android TV.
  15. I think this has been fixed / improved in the meantime since I'm not having these issues with the latest internal v11.
  16. Does temporarily disabling HIPS and rebooting the server make a difference? If not, what about temporarily disabling automatic start of real-time protection followed by a reboot?
  17. If you have an idea what advanced setup should look like if not a setup tree, feel free to tell. In the internal version I have installed, the width of columns is preserved. If it doesn't work like that in the current v11, it should change in future builds. Please provide a complete record from the Detected threats log. ESET NOD32 Antivirus partially contains a firewall. However, it's responsible only for protocol filtering. Please provide a screenshot.
  18. Does temporarily setting the ESET Remote Administrator Agent service to not start automatically and rebooting the system make a difference? This would confirm or deny that it's caused by applying an ERA policy.
  19. Built-in rules can be displayed after checking the appropriate box in the rule editor. For communications with no rule, the user is asked about the action to take.
  20. Unfortunately we still do not know what is triggering the issue. A customer that our engineers were working with said that the issue stopped occurring without any intervention or changes made. If we have some news, we'll let you know. Leaving scanning of sent email is basically safe since users do not normally attach fresh malware to email and even in such case the file would be scanned by real-time protection.
  21. If you are ok with Coinminer running on the machines, did you exclude @NAME=JS/CoinMiner.D and @NAME=JS/CoinMiner.F for whole drives, i.e. with * as the path?