Everything posted by Marcos

  1. First of all, this forum does not serve as a means for reporting false positives nor false negatives. To report the alleged false positive to the ESET Security Research Lab, follow the instructions in the FAQ section at the right-hand side of this forum. Also don't forget to include the url which is blocked. Last but not least, we kindly ask you not to hijack someone else's topic next time but create a new one instead. Having said that, we'll draw this topic to a close.
  2. If you also use ESET Remote Administrator to manage Endpoints, you should be able to create the appropriate threat reports on a regular basis.
  3. The Locky executable was supposed to be detected. On my test machine, I had one week old modules, disabled even real-time protection but the latest Locky was still detected and blocked upon execution. I can check ELC logs anyways, at least to review the configuration and make sure that ESET is not misconfigured somehow.
  4. The latest variant of Locky was detected even with an outdated detection engine. When I executed it on a computer where ESET had not been updated for 1 week, it was detected in memory and blocked:
     Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here
     8/22/2017 8:45:42 AM;unknown;file;Operating memory » C:\Documents and Settings\Administrator\Desktop\a.exe;a variant of Win32/Filecoder.Locky.L trojan;cleaned by deleting;
     It could be that an attacker remoted in via RDP, disabled ESET and then ran the ransomware. If you would like to investigate it, collect logs with ELC (choose Threat detection from the menu in ELC), upload the generated zip archive to a safe location and pm me a download link.
  5. Already replied here: https://forum.eset.com/topic/12879-posted-2-times-since-no-one-saw-my-first-one. The detection is correct. Having said that, we'll draw this topic to a close.
  6. It's a known bug in Windows 10 IP build 16257. Microsoft has confirmed it and is working on a fix.
  7. If the former computer doesn't boot up, simply install and activate ESET on the new one. Otherwise the proper procedure would be to uninstall ESET from the former computer before activating it on the new one.
  8. It seems to be a new TrickBot blocked in LiveGrid about 9 hours ago and the detection added in update 15954 released about 3 hours ago. If malware is already running in memory and we detect it, the process is either terminated or suspended. That said, even if you see a malicious process among running processes, it may be in suspended state and do nothing. The computer should be restarted to finish cleaning.
  9. Speaking about VirtIO drivers, this is what we have recently found out: It seems that there is a problem when Receive Segment Coalescing (RSC) is enabled on the VirtIO Ethernet adapter. Our wfp drivers do not support RSC, which is perfectly fine and Windows should disable RSC on that network adapter. However, for some unknown reason when Windows tries to disable RSC on VirtIO, the BFE service hangs (we believe that it could be a bug in MS or VirtIO). While we are considering adding RSC support to our drivers, a workaround would be to use a different NIC driver or to disable RSC in the network adapter properties, both for IPv4 and IPv6. It can be disabled via the registry as well; search for VirtioAdapter in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\<adapterID> and set RscIPv4 and RscIPv6 to 0, then reboot and install ESET.
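The RSC workaround from the post above, as an added example that is not part of the original post: it uses the built-in NetAdapter cmdlets instead of the registry edit, and assumes the VirtIO NIC's interface description contains "VirtIO".

```powershell
#Requires -RunAsAdministrator
# Added example (not from the forum post): disable Receive Segment Coalescing (RSC)
# for IPv4 and IPv6 on VirtIO adapters before installing ESET, so Windows never has
# to disable RSC itself when the ESET WFP drivers load (the BFE hang described above).
# Assumption: the adapter's InterfaceDescription contains "VirtIO"
# (for example "Red Hat VirtIO Ethernet Adapter").

$virtio = Get-NetAdapter | Where-Object { $_.InterfaceDescription -match 'VirtIO' }
if (-not $virtio) {
    Write-Warning 'No VirtIO network adapter found; nothing to change.'
    return
}

foreach ($nic in $virtio) {
    # Record the state before the change so the result can be compared
    $before = Get-NetAdapterRsc -Name $nic.Name
    Write-Host ("{0}: RSC IPv4={1} IPv6={2} (before)" -f $nic.Name, $before.IPv4Enabled, $before.IPv6Enabled)

    # Disable RSC for both address families, as the post recommends
    Disable-NetAdapterRsc -Name $nic.Name -IPv4 -IPv6

    # Verify that both flags are now off; fail loudly if either is still enabled
    $after = Get-NetAdapterRsc -Name $nic.Name
    if ($after.IPv4Enabled -or $after.IPv6Enabled) {
        throw "RSC is still enabled on $($nic.Name); disable it in the adapter properties or registry."
    }
    Write-Host ("{0}: RSC IPv4={1} IPv6={2} (after)" -f $nic.Name, $after.IPv4Enabled, $after.IPv6Enabled)
}

# Reboot before installing ESET, as the post advises, so the new setting is in effect
Write-Host 'RSC disabled on all VirtIO adapters. Reboot, then install ESET.'
```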
  10. That's all. You can harden the system against infection by using additional HIPS rules, e.g. if you don't need to use wscript.exe, cscript.exe, mshta.exe, javaw.exe and powershell.exe, you can create block or at least ask rules so that you have control over script execution.
  11. Files are always quarantined when they are cleaned or cleaned by deletion.
  12. The log is ok and no error is logged. We'll need to see what's going on when Windows starts. Therefore please temporarily enable advanced firewall logging in the advanced setup -> tools -> diagnostics, change the dump type to full and restart the computer. If the firewall and web and email protection malfunction, disable firewall logging and create a dump by clicking Create in the Diagnostics section of the advanced setup. Finally collect logs with ELC, upload the zip file to a safe location (e.g. OneDrive, Dropbox, etc.) and pm me a download link.
  13. Please try disabling automatic activation of gamer mode if an application running in full-screen mode is detected in the advanced setup -> tools -> gamer mode and let us know if it solved the problem.
  14. Only allowing rules from Windows Firewall are honored. You'll need to create block rules in EIS.
  15. The detection is correct. This forum does not serve as a means for reporting detections to ESET. See the appropriate link in the FAQ section at the right-hand side of this forum. Since it's not a false positive, you don't need to report it as the detection would remain. Having said that, we'll draw this topic to a close.
  16. The option to also evaluate rules from Windows firewall is enabled by default.
  17. Is the mac address of the machines always same? Are they all physical machines and not VDI without persistent storage?
  18. Home licenses are not managed via a web interface yet. We only have ESET License Administrator portal for managing business licenses for v6+ products. In the future, we plan to have a similar portal for home users too. However, that does not mean that we have no control over overuse. Distributors can contact you if overuse is detected and take the appropriate measures if the license has leaked to the public.
  19. Detected and blocked by LiveGrid. It's Filecoder.Locky. We'll need to investigate what happened during replication as it should have been blocked by LiveGrid hours ago. Strange that almost no other big AV vendors detect it yet.
  20. It's important to realize that even with the best ad blocker users won't be 100% safe. For instance, popular websites may get compromised at times and may serve malware, either as iframe, script, external script or the attacker will replace otherwise perfectly legit app like a remote admin tool, torrent client, etc. with a trojanized one which also contains malware besides the legitimate application.
  21. It's a one month old file; almost no big vendor detects it. Resembles DealPly PUA. Drops a batch file that deletes the exe. The file was passed for further analysis to find out if it's worth detection.
  22. Does disabling the option to enable gamer mode automatically when an application running in full-screen mode is detected in the advanced setup -> tools -> gamer mode make a difference? Does disabling / enabling this option have any effect on performance when playing games or watching video?
  23. Never saw a blank notification window. Do you have the latest v10.1.219 installed?
  24. No, this is not possible. Normally the content of quarantine should not exceed dozens of MB. How many files do you have in quarantine? Are they mainly very large files? What threat was found in them?