Marcos (Administrators)

  • Posts: 37,943
  • Days Won: 1,504

Everything posted by Marcos

  1. Blocked communications are logged with diagnostic logging verbosity. Enabling it may have an adverse effect on performance and logs could grow quickly, therefore it should not stay enabled for longer than needed to troubleshoot an issue.
  2. Wildcards are not supported in firewall rules. Otherwise one could create a rule for svchost.exe for instance but since this is also a typical file name used by malware the rule would also be applied to both malicious and innocuous svchost.exe.
  3. Did you get a red warning when downloading it? Otherwise it's likely that it was not ESET but the protection built into Firefox which evaluated the download link as bad and blocked it.
  4. Please contact your local ESET office for details of how monthly billing works in the UK. In our country, we don't offer monthly billing as far as I know except when purchased through mobile carriers.
  5. You're asking about SMBv1 exploits, i.e. exploits that target network vulnerabilities. Therefore the question about EAV protecting from these exploits does not make sense. EAV cannot currently protect from network exploits as this can only be done by the firewall inspecting network communication. Another question is detection of malware or applications that spread via network exploiting the mentioned vulnerabilities. In that case it can vary from case to case, some malware was proactively blocked by other protection techniques and some required an update of modules in order to be detected.
  6. What do you mean by Internet monitoring? If protocol filtering in the advanced setup, it shouldn't cause BSOD. Does temporarily disabling advanced scanning of browser scripts in the advanced setup make a difference? Could you upload a dump from such a crash to a safe location and PM me a download link so that we can analyze it?
  7. 1) Remove all custom rules, especially the block ones. 2) Make sure that the subnets 192.168.1.0/24 and 10.1.1.0/24 are marked as Home or office networks in the known networks setup. If that doesn't help, you can run the Firewall troubleshooting wizard which will show a list of recently blocked communications and enable you to create the appropriate allow rule with a few clicks.
  8. In each office install an HTTP proxy which will cache update and install files for other computers. Using a mirror is not recommended if low traffic volume is crucial. The thing is, when using a mirror, many often unneeded files would be downloaded with each update.
  9. Yes, but as I wrote, older products will not be able to create a mirror compatible with Endpoint v6.6 and newer. An updated version of the command line Mirror tool will support mirror for Endpoint v6.6+ but it's not available yet. Currently only Endpoint 6.6 can create a mirror from which other computers with Endpoint 6.6 can update. If possible, use an http proxy to cache update files, which will also save a lot of traffic compared to using a mirror which downloads quite many often unneeded update files with each update. If you must update from a mirror for whatever reason and neither an http proxy nor creating a mirror with Endpoint 6.6 is an option, wait with the upgrade to Endpoint 6.6 at least until an updated version of the Mirror tool is available.
  10. Where did you hear about that? Do you know the detection name? If you have a sample, please submit it to samples[at]eset.com for analysis.
  11. Endpoint v6.6 uses a new format of modules to substantially reduce memory consumption and improve performance. Currently only another Endpoint v6.6 can create a compatible mirror. We plan to update the command line mirror tool so that it can create a compatible mirror but it will take some time. Server products v7+ will be able to create a mirror for EPv6.6 but it will not be compatible with older versions.
  12. You can send a product activation task to selected computers if you want to activate them using a different license. A more elegant solution would be to ask the distributor or seller to merge the two licenses while subtracting the cost of existing licenses for the remaining period.
  13. Does temporarily disabling protocol filtering in the advanced setup make a difference? If not, what about disabling automatic activation of gamer mode when an application running in full-screen mode is detected?
  14. There are tons of legitimate files that would appear suspicious to LiveGrid because of low age or count. It could be custom applications made for and used by particular companies or new versions of legitimate software after the release.
  15. You can disable automatic activation of gamer mode if an application running in full-screen mode is detected. I assume you won't notice any difference in performance without gamer mode. Alternatively you can disable notifications about gamer mode activation in the Application statuses setup in the advanced setup.
  16. A behavior blocker would cause quite a lot of false positives or would bother the user to make a decision him/herself every now and then. Our aim is to keep ESET install-and-forget, without asking the users for an action. The more questions, the higher the probability of wrong decisions and subsequent infection. ESET leverages a handful of advanced technologies explained at https://www.eset.com/int/about/technology/ to achieve maximum protection without nagging the user or causing false positives.
  17. I'd check permissions for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ekrn and the subkey and make sure that the System account and Administrators group have full permissions granted.
  18. Unfortunately, you didn't post in a product forum so we don't know what product and version you use. Do you use ESET NOD32 Antivirus or ESET Internet Security? The latest 10.1 version? Does temporarily disabling protocol filtering in the advanced setup or firewall (in the case of EIS/ESS) make a difference?
  19. Those are 32-bit systems. However, Agent will decide if a 32 or 64-bit version should be downloaded so you can use this package for installation on 64-bit systems too.
  20. ESET Internet Security has a firewall with a network protection module capable of protecting vulnerable computers from network exploits, Antispam, Banking and payment protection and Parental control. As for the undetected files, it could be just some registry remnants. Submit MBAM's quarantine to ESET as per the instructions in the FAQ section at the right-hand side of this forum. Regarding pop-ups from Geo-um.btrll.com, create a new topic in the Malware finding and cleaning forum so as not to mix several topics in one.
  21. This is a known bug in EP6.6 and has already been fixed internally. I reckon that configuration through ERA policies should work though.
  22. The mirror must be created with Endpoint v6.6 since older products do not support an EPv6.6-compatible mirror. The mirror tool with support for Endpoint v6.6 is in the works and it will take some time until it becomes available. We strongly recommend utilizing an http proxy to cache installers and update files instead of using a mirror.
  23. Since the question is general and not related to ESET's products, the topic was moved to the General discussion forum.
  24. Feel free to PM me or email samples[at]eset.com proof that a particular application has PUA-like behavior. Before an app is classified as PUA, we must have proof to support the classification, e.g. in case of legal disputes.
  25. It appears to be a local UK ordering system, therefore I'd suggest contacting ESET UK on this matter.