Marcos

Administrators
  • Posts: 37,937
  • Days Won: 1,504

Everything posted by Marcos

  1. I was unable to reproduce it. Does the issue occur only with HTML emails? Do you have adding a tag signature to outgoing scanned email enabled? Does the issue manifest also if you send an email to yourself? Does temporarily disabling the options for adding addresses to the antispam address book make a difference?
  2. Nope, ecls appears to scan files alright, however, by default it reports only malicious files and errors (which are normal since quite many files are open exclusively by the operating system). At the end of a scan with ecls you should see a relatively big number of scanned files in the final report. As for the issue with scanning from gui, what version of the product do you have installed? If possible, please generate a Procmon log; start logging prior to running a scan and stop logging after the scan completes with 0 scanned files. When done, save the log and compress it. Also collect logs with ELC (make sure to select also ESET Computer scan logs). Then upload both archives to a safe location (e.g. Dropbox, OneDrive, etc.) and drop me a private message with download links.
  3. Does that mean that any scan you run from gui (e.g. smart scan) ends immediately with 0 files scanned but ecls.exe scans files on drive c: alright?
  4. If you are behind a firewall, make sure that ekrn.exe can communicate with ESET's servers. For details please refer to https://support.eset.com/kb332/#antispam: Version 5 and higher: You need to allow requests to your local DNS server (TCP/UDP port 53). Base domain for DNS queries: e5.sk NOTE: Make sure to open TCP/UDP port 53535 for the addresses in the table below. Otherwise, the performance and catch rate of antispam will be limited. h1-ars01-v.eset.com 91.228.166.61 h1-ars02-v.eset.com 91.228.166.62 h1-ars03-v.eset.com 91.228.166.63 h1-ars04-v.eset.com 91.228.166.64 h1-ars05-v.eset.com 91.228.166.65 h3-ars01-v.eset.com 91.228.167.36 h3-ars02-v.eset.com 91.228.167.67 h3-ars03-v.eset.com 91.228.167.68 h3-ars04-v.eset.com 91.228.167.74 h3-ars05-v.eset.com 91.228.167.116 h5-ars01-v.eset.com 38.90.226.21 h5-ars02-v.eset.com 38.90.226.22 h5-ars03-v.eset.com 38.90.226.23 h5-ars04-v.eset.com 38.90.226.24 h5-ars05-v.eset.com 38.90.226.25
  5. I don't see any duplicates in the list. Each of the packages has a unique version number.
  6. It is not possible to update only the detection module without other modules and the program itself. Since v9 is the last that officially supports Windows XP, on this operating system the program won't update to newer versions that not only address known issues but also bring new protection features and improved performance.
  7. What happens if you scan drive c with ecls.exe, i.e. if you run "ecls.exe c:" in the ESET install folder?
  8. The Outlook plug-in scans email regardless of what protocol is used, i.e. also email received via MAPI from MS Exchange will be scanned.
  9. You don't need to create a SysRescue cd or usb at all, unless you're trying to clean a persistent malware that is difficult or impossible to remove in normal mode.
  10. You have basically 2 options:
      1) Enable override mode in a policy that is applied on endpoints. You can select users from AD who will be able to override the policy and pause protection or change other settings.
      2) Create a new group with the privileged users in it and a policy which will not have the above mentioned setting set by a policy bound to this group. These users will be able to pause protection without using override mode provided that they have administrator privileges.
  11. Currently in order to get a BPP module with support for Chrome v64 x64, you need to enable pre-release updates in the advanced update setup. You can also wait a bit until the module is distributed to all users.
  12. MMX was talking about client/server functionality in ESET which is required for protocol filtering to work. Support for HTTP/2 will be added via a module update in the future.
  13. You would need to have a group of these users and with a policy assigned that has the "Start Real-time file system protection automatically" enabled but it cannot have a flag to be applied or enforced by the policy. Only users with administrator rights can manually disable real-time protection if not set by a policy.
  14. We've been working on it over the past months. Support for http2 should be added within the next few months after the feature has been fine-tuned and bugs fixed.
  15. Again, if the application is pre-installed, you can only disable it on non-rooted phones. This is not a limitation of ESET but the OS and no other application will help you either. What is not clear to me is whether the app was detected by ESET and it was impossible to clean it. You've mentioned "the uninstall procedure using ESET". Could you please clarify? Applications are not uninstalled via ESET but from the system application list.
  16. A policy overrides any local settings and locks them. To temporarily override it locally, you must enable and use override mode. Where in the documentation did you read that policies don't work this way? It's the natural purpose of policies to enforce configuration by administrators.
  17. If it's a pre-installed application it cannot be removed, only disabled.
  18. Huawei is one of the vendors to use customized versions of Android that come with tools capable of killing any 3rd party application. We are currently investigating possibilities how to defend and prevent ESET's applications from being killed.
  19. Please provide me with:
      - ELC logs
      - files that allegedly cause the issue when being scanned
      - a Procmon log from the time when the files are scanned
      Compress the files, upload them to a safe location (e.g. Dropbox, OneDrive, etc.) and drop me a pm with download links.
  20. For some reason a SysInspector log was not found and included in the archive. Could you please collect logs with ELC again and, if the following error is logged in collector_log.txt, also generate a Procmon log while collecting logs with ELC as per the instructions in https://support.eset.com/kb6308/?
      [12:05:26.034] SysInspector log is being generated...
      [12:05:31.550] Adding file: C:\Users\DR9DB4~1.SHR\AppData\Local\Temp\elc8800.tmp.xml -> Config/SysInspector.xml
      [12:05:31.550] WARNING: File was not found or could not be opened - skipped.
  21. Unfortunately, you didn't mention how you responded to the detection of a new network after installing EIS. If you selected your home network as home/office network (trusted), sharing within this network would have been allowed. Please continue as follows:
      - with EIS installed, enable advanced firewall logging in the advanced setup -> tools -> diagnostics
      - reboot the computer
      - reproduce the issue
      - disable advanced logging
      - collect logs with ELC.
      Once you have collected logs, upload the generated archive to a safe location (Dropbox, OneDrive, etc.) and drop me a message with a download link. The logs should reveal the root cause of the issue you are having.
  22. Does temporarily pausing real-time protection make a difference? Since you have posted in a forum intended for server products, does it happen with EFSW 6.5 installed on a server?
  23. I didn't say it's a must to start Windows in safe mode and uninstall Endpoint in order to fix the issue. The issue should be fixed automatically by ERA Agent after a computer restart provided that the two conditions mentioned above are fulfilled. Therefore I asked if a license file exists on a disk and whether the latest version of the Configuration module is installed which should be enough for the issue to be remedied automatically.
  24. There should be no need to start Windows in safe mode. First of all, please check if you have a license file license.lf downloaded in C:\ProgramData\ESET\ESET Security\License. Then check the version of the Configuration module used by ERA Agent C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Modules\em039_64.dat. If you view the file, you should have version 1526.10 installed (released for general public on Jan 25). If these two conditions are fulfilled, simply rebooting the machine should make things work. Please let us know about your findings.
  25. No problems here. Checking the domains api.google.com and mail.google.com but none is on the blacklist and I'm able to open the latter in a browser without issues. Please post a screenshot of the alert but also with the IP address visible (expand the Details option in the pop-up alert).