Marcos (Administrators)
  • Posts: 37,938
  • Days Won: 1,504

Everything posted by Marcos

  1. Switching to pre-release updates should resolve the issue. Build 16299 is an Insider preview build. Users with standard release builds of Windows 10 were not affected.
  2. There's something weird going on:
     1, The db C:\Users\Photos\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb is almost 1 TB in size.
     2, It takes several seconds for wmpnetwk.exe to read a tiny block of data (4kB) from it. In total it takes 213s. Question: Does killing the wmpnetwk.exe process or moving the unusually large db to e.g. c:\bak\CurrentDatabase_372.wmdb and rebooting the machine make a difference?
     3, It takes several seconds for svchost.exe to read a tiny block of data from C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5EDF709D-B80F-47C8-8326-A4381B72DA64}\mpengine.dll. In total it takes 170s. Question: What OS do you use? Make sure that the "Windows Defender Antivirus" service is not running. Make sure that Windows Defender Security Center reports that ESET is installed as an antivirus provider.
     4, It takes several seconds for OfficeC2RClient.exe to read a tiny block of data from its binary.
     5, I see that you have the Blackbaze backup software running which is writing to C:\ProgramData\Backblaze\bzdata\bzfilelists\v0031cf8035a93a59cfc580d011a_i____filelist.dat.future and topdirs.xml.future.tmp and ESET is subsequently scanning them after each change. Question: Does adding "C:\ProgramData\Backblaze\*.*" to the exclusion list make a difference?
     After checking the above, also run "chkdsk c:" to check the disk for possible errors. Also check the system event log for possible information about HDD or controller failures.
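The findings in the post above (seconds-long 4kB reads adding up to 213s, and ESET rescanning files after every backup-client write) come from aggregating a Procmon capture. The script below is an added illustration of that aggregation, not code from Marcos or ESET: it assumes a Procmon CSV export with the optional "Duration" column enabled, and the sample rows, the process name backblaze_client.exe and the function names are constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a Procmon CSV export (File > Save... > CSV) with the optional
# "Duration" column added; the rows are invented for illustration, not from a real log.
SAMPLE_CSV = r"""Time of Day,Process Name,PID,Operation,Path,Result,Detail,Duration
10:01:02.1,wmpnetwk.exe,4120,ReadFile,C:\Users\Photos\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb,SUCCESS,"Offset: 0, Length: 4,096",3.2000000
10:01:05.4,wmpnetwk.exe,4120,ReadFile,C:\Users\Photos\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb,SUCCESS,"Offset: 4,096, Length: 4,096",2.9000000
10:01:08.5,svchost.exe,1204,ReadFile,C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{5EDF709D-B80F-47C8-8326-A4381B72DA64}\mpengine.dll,SUCCESS,"Offset: 0, Length: 4,096",4.1000000
10:01:12.7,backblaze_client.exe,3310,WriteFile,C:\ProgramData\Backblaze\bzdata\bzfilelists\topdirs.xml.future.tmp,SUCCESS,"Offset: 0, Length: 512",0.0002000
10:01:12.8,ekrn.exe,2312,CreateFile,C:\ProgramData\Backblaze\bzdata\bzfilelists\topdirs.xml.future.tmp,SUCCESS,Desired Access: Generic Read,0.0000100
10:01:12.8,ekrn.exe,2312,ReadFile,C:\ProgramData\Backblaze\bzdata\bzfilelists\topdirs.xml.future.tmp,SUCCESS,"Offset: 0, Length: 512",0.0000400
"""

def parse_procmon_csv(text):
    """Yield (process, operation, path, duration_seconds) per row; rows without a
    parsable Duration (e.g. operations still in progress at capture end) are skipped."""
    for row in csv.DictReader(io.StringIO(text)):
        try:
            yield row["Process Name"], row["Operation"], row["Path"], float(row["Duration"])
        except (KeyError, ValueError):
            continue

def slow_file_io(text, min_seconds=1.0):
    """Sum ReadFile/WriteFile time per (process, path) and return the pairs whose total
    reaches min_seconds as (process, path, total_seconds, op_count), slowest first.
    This is the aggregation behind "tiny reads taking 213s in total" style findings."""
    totals = defaultdict(lambda: [0.0, 0])
    for proc, op, path, dur in parse_procmon_csv(text):
        if op in ("ReadFile", "WriteFile"):
            totals[(proc, path)][0] += dur
            totals[(proc, path)][1] += 1
    rows = [(p, f, t, n) for (p, f), (t, n) in totals.items() if t >= min_seconds]
    return sorted(rows, key=lambda r: r[2], reverse=True)

def scanner_activity_under(text, prefix, scanner="ekrn.exe"):
    """Count scanner operations on paths below prefix (case-insensitive) to judge how
    much rescanning an exclusion such as C:\\ProgramData\\Backblaze\\*.* would remove."""
    prefix = prefix.lower()
    return sum(1 for proc, _op, path, _d in parse_procmon_csv(text)
               if proc.lower() == scanner and path.lower().startswith(prefix))

if __name__ == "__main__":
    for proc, path, total, count in slow_file_io(SAMPLE_CSV):
        print(f"{total:6.1f}s over {count} ops  {proc}  {path}")
    print("ekrn.exe ops under Backblaze dir:",
          scanner_activity_under(SAMPLE_CSV, r"C:\ProgramData\Backblaze"))
```

On a real capture, feed the exported CSV text to slow_file_io and raise min_seconds until only the genuinely slow files remain; totals concentrated on one device-backed path rather than one process point at the disk, which is why the post ends with chkdsk and the event log.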
  3. Also a complete dump of ekrn created via the advanced setup -> tools -> diagnostics -> create (dump) might shed more light.
  4. As far as I know, after installing FCU some webcams are reclassified as a different type of device. A workaround for this should be implemented in the next version of v11.
  5. Hi itman, thanks for the heads-up. I've informed the developer of HIPS and will update you as soon as I hear back from him.
  6. We do not offer a 30-day trial version of ESET Smart Security Premium for paying users with ESET Internet Security. Moreover, I was unable to find any paid license registered to your email address b**********er@i*****.com; found only trial licenses registered to you. If you have actually purchased a full version of ESET, you've likely registered it to another email address. If so, please provide me with information that would help me look up your paid license.
  7. I don't see anything wrong with it. The robot looks quite different from our android, and MacKeeper is detected as PUA anyway.
  8. You have posted in the ESET NOD32 Antivirus forum; that is a consumer product and is not managed by ERA. Do you have ESET Endpoint Antivirus 6.6 installed? If so, please provide me either with your public license ID or the seat ID that can be found in HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Info\WebSeatId. If only one Endpoint is affected, I'd recommend deactivating it via the ELA portal and reactivating it manually or via ERA.
  9. According to the developers, it's implemented only for older operating systems (Windows XP, Windows Server 2003). Next year we plan to make substantial improvements in HIPS regarding this.
  10. Unfortunately, without getting a sample or at least a hash of the ransomware we cannot tell if it's detected or not. According to the information I've found, we probably detect it as Win32/Filecoder.NDT or Win32/Filecoder.NHT. Even if the ransomware family is known, there can be numerous variants of it. Remember that even if a particular ransomware sample is detected, attackers often carry out bruteforce RDP attacks, disable or uninstall the security software and then run the ransomware to encrypt files and extort money from the victim. We strongly recommend setting a password to protect ESET's settings and to prevent protection modules from being easily disabled or the ESET security product from being uninstalled. Other things to consider are:
      - enabling detection of potentially unsafe applications (covers tools that can be used to kill protected services)
      - hardening RDP (e.g. restricting connections to specific IP addresses or ranges, using more complex passwords, denying logon through RDP for users who don't need it, etc.)
      - using a fully supported OS and installing all critical security patches that are available, etc.
  11. Please elaborate more on the issue, since the ticket number was assigned to you by your local customer care ticketing system, which we don't have access to. In order to activate your license, enter your license key in the appropriate field in the activation dialog. Provided that you have an Internet connection established and the license key is valid for the product that you have installed, it should activate without issues.
  12. A minidump does not provide enough information to determine the root cause of a crash. It may even be another application triggering it, which only a complete memory dump would reveal.
  13. How do you know it's ESET that is spiking the CPU? This could happen when scanning files, but you wrote that temporarily disabling real-time protection didn't help. Please provide a Procmon log with at least 2-3 minutes captured while the CPU is being heavily utilized. For instructions, please refer to https://support.eset.com/kb6308/. The Procmon log should also reveal which process utilizes the CPU.
  14. Please continue as follows:
      - in the advanced setup -> tools -> diagnostics enable advanced firewall logging
      - restart the computer
      - disable logging
      - collect logs with ELC, upload the generated archive to a safe location, such as Dropbox, OneDrive, etc. and pm me a download link.
  15. First of all, check if application protocol filtering is enabled in the advanced setup -> Web and email.
  16. A detection for "service4.exe" will be added in update 16647. I'd also recommend enabling detection of potentially unsafe applications if you haven't already, since they also cover coin miners.
  17. The files were encrypted by Filecoder.FV. Unfortunately, decryption is not possible. It's likely that an attacker carried out a bruteforce RDP attack, remoted in, disabled ESET and ran the ransomware. Most ransomware removes itself after it finishes encrypting files. I'd recommend restricting RDP connections to specific IP addresses or subnets and using stronger passwords.
  18. 1, I assume it will not extend your current license because it's a new license and not a renewal.
      2, With your license you can install EIS or ESS. If you would like to use the latest v11, use EIS, which has replaced ESS but has the same features plus some extra new ones added in v11.
      3, Installation of EIS over ESS is a supported scenario, so you should be able to upgrade seamlessly.
  19. Please continue as follows:
      - configure Windows to generate complete memory dumps as per https://support.eset.com/kb380/
      - restart Windows and reproduce the BSOD
      - after a restart, compress the memory dump and upload it to a safe location (e.g. Dropbox, OneDrive, etc.)
      - collect logs with ELC and upload the generated archive
      - drop me a message with both download links.
  20. See https://www.howtogeek.com/104278/how-to-use-wireshark-to-capture-filter-and-inspect-packets/ for instance. All you need to do is select the correct network interface and start logging. Then manually run an update and, after the error "Server not found" appears, stop logging and save the log.
  21. Please create a pcap log with Wireshark at the time you attempt to update and post the log here.
  22. This should work but shouldn't be needed, since we have enforced clients to re-download a license file. If the upgrade of Endpoint to any v6.6 was carried out less than 24 hours ago, restarting the computers should force them to re-download it and subsequently insert the username and password into the registry. If the issue hasn't been resolved automatically within 24 hours after the upgrade and restarting the computers has no effect, please drop me a message with the value of HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Info\WebSeatId from such a computer so that we can check it out.
  23. Why do you think the disk activity is caused by ESET? Please create a Procmon log from the time when the issue is manifesting and leave it capturing operations for at least 1-2 minutes. When done, compress the log. Also collect logs with ELC, upload both archives to a safe location (e.g. Dropbox, OneDrive, etc.) and pm me the download links.
  24. Not sure what dictionary you mean. Maybe the ESET Outlook plug-in clashes with another one that is installed on those machines. If the issue occurs with the very latest Endpoint 6.6, I'd suggest contacting customer care and providing them with an Outlook email plug-in debug log for perusal. Customer care will provide you with instructions on how to generate one.
  25. How much time elapsed between your upgrade to EP6.6 and the issue occurring? Did you also reboot the computers to force them to request a license key?