Marcos
Everything posted by Marcos

  1. If you need to be sure that an installation package will remain available in the repository for a longer time, use the previous major version, e.g. if Endpoint 6.6.xxxx is the latest and has been available to the public for a longer time, install the latest v6.5. In case a serious problem is found in the latest major version, which is what has happened recently, all affected installers have to be removed from the repository. Normally this should not happen, and even in case a severe issue was found, it should only concern the very latest or recent minor versions and only these would be removed from the repository. If you look at the list of available 6.5 installers, we keep quite a lot of older versions in the repository. If you want, we can provide you with EP6.6.2068 and you can install it from a local URL. If the install task doesn't have a license selected, you'll avoid the issue that v6.6.2072 addresses.
  2. EIS v11.0.159 x64, Windows 10 RS3, HIPS module 1309. Couldn't it be that you have a custom rule for hosts created that would override asking you about an action?
  3. We do not recommend re-using older software install tasks since the installers used in this task might have already been removed from the repository. It's good practice to always create a new software install task if there's a bigger time gap between deployments. Today we've released a new Endpoint 6.6.2072 which addresses an issue with upgrading to EP6.6 and a license selected in the Software install task. All previous 6.6 versions were removed from the repository. Please create a software install task from scratch, which is a matter of a few seconds. As of ESMC v7 (ERA), older software install tasks will be invalidated automatically and you will be able to enable notifications about this in ESMC as well. ERA 6.5 already displays a notification that the referenced install package is not available if you hover the mouse cursor over the task:
  4. What issues are you having with Smart mode? It's in fact interactive mode which prompts only if a suspicious operation is being performed. It's the purpose of this mode not to ask the user a lot.
  5. As we probably all agree, there's no security software in the world with 100% malware detection despite having antivirus and antimalware protection modules. It's similar with ransomware shields: there's not a single security product that could prevent malicious data encryption without also blocking benign applications. In this case, the tester bypassed an important protection layer, web access protection, which would have likely prevented the malware even from being downloaded. Another protection that was bypassed by copying files with real-time protection disabled is the scanning of newly created files by real-time protection, which is done with advanced heuristics and where SFX archives are also scanned internally (which was also the case here, an NSIS installer). ESET provides complete protection utilizing various protection layers and modules which interact with each other. Disabling a particular protection module (e.g. real-time protection) may substantially affect other modules (e.g. HIPS/AMS/Ransomware shield, etc.). All protection modules must be enabled and working in order for a product to provide maximum protection.
  6. This forum is not a channel for disputing detections. Please follow the instructions at https://support.eset.com/kb141. Having said that, we'll draw this topic to a close.
  7. You'll need to create a rule for HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\* or HKEY_LOCAL_MACHINE\SYSTEM\*\Control\Session Manager\Environment\*.
  8. Instead of HKEY_CURRENT_USER, use HKEY_USERS\%SID% with the SID of the current user. Does that make a difference?
  9. Do you get any error if you attempt to activate Endpoint manually using a license key or as a security admin?
  10. As I have already stated in one of my posts above, disabling real-time protection, copying samples and running them after re-enabling real-time protection is not a real-world scenario. In the real world, the web access protection would have come into play first and might have already blocked the ransomware. Also, while copying files, they are scanned more deeply, especially if it's an SFX archive, as the NSIS archive in this case was (note the NSIS/Injector detection in the video, which could have normally been triggered earlier if samples were not copied with real-time protection disabled). To sum it up:
      1. There's no security protection that can protect you from 100% of malware. This is also a reason why administrators of larger networks should also use EDR solutions like ESET Enterprise Inspector, which is going to be introduced this year and which can alert administrators about indicators of compromise.
      2. The test was not performed in real-world conditions. An important protection layer, web access protection, was skipped which might have normally blocked the threat.
  11. What false positives do you mean? ESET is known for an extremely low number of false positives, so you should virtually never need to make any exclusions. Even then, excluding a file or folder is pretty straightforward: Advanced setup -> Antivirus -> Exclusions (Edit). Anyways, let's not mix different things here. You started with ransomware, so if you want to discuss exclusions or false positives, let's create a new topic.
  12. Great. You have just proved that no AV can detect 100% of threats, but this has been well known for ages. However, this testing scenario bypasses one important protection layer, Web access protection, which can:
      - block addresses or domains that are known to host malware
      - scan files with higher sensitivity utilizing more paranoid detections
      - scan files completely (in the case of archives / SFX archives and files packed with a runtime packer or protector).
      Also, disabling real-time protection before copying samples bypasses more thorough scanning by real-time protection:
      - newly created files are scanned utilizing advanced heuristics
      - newly created files are scanned more deeply in the case of NSIS or other SFX archives, like in this case.
      Having said that, it's likely that in a real-world scenario the user would not have gotten infected, as the malware could be stopped by web access or real-time protection when the file was being created.
  13. A cloud solution for administration of ESET's products will be introduced later this year.
  14. You can install ERAS (ideally deploy a virtual appliance which is the quickest way) and deploy ERA agent to clients. This way you'll make Endpoints and ERA agent manageable by the new ERAS and you will be able to adjust policies for both products.
  15. Yes, Endpoint 6.6.2072 will be released tomorrow. If you are having the issue discussed in this topic, did you try deactivating and reactivating Endpoint as per the instructions at https://support.eset.com/kb6636 ?
  16. Please refer to the KB article Server migration in ESET Remote Administrator 6.x.
  17. Some configuration settings are populated automatically after installation, e.g. the list of drivers, network subnet, etc. Potentially unwanted applications do not have a default state, hence it doesn't change the number of changed settings. Please provide some screenshots for clarification. My EP is showing 2 changes and there are actually two changes in the cfg tree: rules and the list of drivers. On my EP, enabling the setting increases the number of changes to 10, which is correct since it is disabled by default.
  18. It could be caused by web / email protection or protocol filtering being disabled or malfunctioning on the client. It is a known bug that the error message is not shown in the ERA console. Anyways, if the computer has access to the Internet, I'd strongly recommend keeping protocol filtering and web/email protection enabled, or you'll disable a substantial protection layer that protects users from Internet-borne threats.
  19. The server service.msicomputer.com uses a certificate which was revoked and is not trusted any more: https://www.ssllabs.com/ssltest/analyze.html?d=service.msicomputer.com&latest
      Revocation status: Revoked (INSECURE)
      DNS CAA: No
      Trusted: No (NOT TRUSTED)
      The owner of the website must fix the issue on their end.
  20. How did you activate the license? It appears that until Jan 10 it had been activated using an offline license file. Note that offline license files are intended only for systems that never connect to the Internet. What is weird is that there's no WebLicensePublicId value in the registry according to your screenshot. Try deactivating EFSW via the ELA portal and reactivating it manually by entering your license key. Make sure that the public license ID is written to the registry.
  21. Neither Web Access protection nor Web Control work as plug-ins for browsers; they check http(s) traffic on the network level. I've tried to reproduce it, but I couldn't play any previously played video on the YouTube site after disconnecting the machine from the network.
  22. These applications can install other applications without the user's consent. I'd suggest disabling it.
  23. No, we are not saying it's a virus or another kind of malware. We are saying it's a Deceptor. It's listed in the list of Deceptors at https://customer.appesteem.com/deceptors. It is in the interest of its vendor to communicate with AppEsteem and work on resolving the issues.
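Posts 7 and 8 above give HIPS registry rule paths in two forms (a fixed ControlSet001 path versus a `SYSTEM\*` wildcard) and point out that rules for the current user's hive need `HKEY_USERS\<SID>` rather than `HKEY_CURRENT_USER`. The following is an added example, not ESET's code, that models those paths with a small matcher so an admin can sanity-check which concrete registry paths a rule would cover; the wildcard semantics it assumes (a `*` component matches exactly one key name, a trailing `\*` matches anything beneath the key) are an assumption, not documented on the page.

```python
# Added example (not ESET's code): toy matcher for HIPS-style registry rule paths.
# Assumed wildcard semantics: "*" as a path component matches exactly one key name;
# a trailing "\*" matches any value or subkey beneath that key.
from typing import List

# The two rule forms quoted in post 7.
RULE_SPECIFIC = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\*"
RULE_WILDCARD = r"HKEY_LOCAL_MACHINE\SYSTEM\*\Control\Session Manager\Environment\*"


def _split(path: str) -> List[str]:
    """Split a registry path into components, ignoring empty segments."""
    return [p for p in path.split("\\") if p]


def matches(pattern: str, path: str) -> bool:
    """Return True if the concrete registry path is covered by the rule pattern."""
    pat, parts = _split(pattern), _split(path)
    for i, seg in enumerate(pat):
        if seg == "*" and i == len(pat) - 1:
            return len(parts) > i          # trailing wildcard: anything beneath the key
        if i >= len(parts):
            return False                   # path is shorter than the pattern
        if seg != "*" and seg.lower() != parts[i].lower():
            return False                   # registry key names are case-insensitive
    return len(parts) == len(pat)


def resolve_hkcu(path: str, sid: str) -> str:
    """Post 8: express an HKEY_CURRENT_USER path as HKEY_USERS\\<SID> for the given user."""
    parts = _split(path)
    if parts and parts[0].upper() == "HKEY_CURRENT_USER":
        parts = ["HKEY_USERS", sid] + parts[1:]
    return "\\".join(parts)


def covering_rules(rules: List[str], path: str) -> List[str]:
    """List the rules from `rules` that cover the given concrete path."""
    return [r for r in rules if matches(r, path)]


if __name__ == "__main__":
    # Constructed sample paths: the active control set may be ControlSet002, which the
    # ControlSet001-specific rule does not cover but the SYSTEM\* rule does.
    for p in (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\Path",
              r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager\Environment\Path"):
        print(p, "->", covering_rules([RULE_SPECIFIC, RULE_WILDCARD], p))
    print(resolve_hkcu(r"HKEY_CURRENT_USER\Environment\Path", "S-1-5-21-1-2-3-1001"))  # constructed SID
```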