Marcos

Everything posted by Marcos

  1. We can arrange a remote session if you want and I will install it for you.
  2. You cannot create such a dynamic group. The thing is that dynamic groups are evaluated on clients, not on the ERA server. That said, the agent on clients evaluates membership in dynamic groups and sends this info to ERAS. Obviously it cannot send information that it hasn't connected for 2 days, as at the moment it sent the info it would have already connected.
  3. We're going to release Internet protection module 1311 to pre-release update servers soon. One user has already confirmed that it fixed the issue. Could you please check if you have the same proxy server configured both in Firefox and IE?
  4. Please provide me with ELC logs collected as per the instructions linked in my signature.
  5. Posts pertaining to the HackTool.Patcher potentially unsafe application were moved here: https://forum.eset.com/topic/12637-hacktoolpather-potentially-unsafe-application/
  6. The main gui window cannot be maximized. For this reason, we have the "Open in a new window" option wherever it makes sense, e.g. for logs and on-demand scanner to name some. You can revert to default settings to make sure that you don't have logging of blocked HIPS operations or diagnostic logging enabled. These should be enabled only for a limited time while troubleshooting a particular issue. As for HIPS, you can disable logging of blocked operations in the advanced HIPS setup -> Log all blocked operations. Should the problem persist, please provide me with ELC logs as per the instructions linked in my signature. I strongly suggest using default settings which already provide maximum protection without any noticeable effect on performance.
  7. If you have v10.0 installed, it should upgrade to v10.1 if you install it over. Try downloading EIS v10.1 x64 installer from here: https://download.eset.com/com/eset/apps/home/eis/windows/latest/eis_nt64_enu.exe
  8. Instead of installing over, uninstall ESET first and then install it from scratch. Obviously ekrn is running so it's not a clean install. If there's a problem uninstalling EFSW via the standard uninstaller, use the ESET Uninstall tool in safe mode.
  9. Those are files that are exclusively used by the operating system or you don't have permissions to access them. Simply ignore these records.
  10. Unfortunately, you didn't mention whether you have ESET NOD32 Antivirus or ESET Internet Security installed. If the latter, you probably chose to treat the other networks as public (untrusted) and therefore some communication may be blocked by the firewall. Does temporarily disabling the firewall make a difference?
  11. I'm not aware of any fix for the issue that we discovered in the past. Anyways, as long as you have real-time protection enabled (and it should always be enabled), documents as well as other files will be scanned by it.
  12. If you don't need a repository, an alternative way how to create a local mirror with update files is using an Endpoint v6 product. The size of such mirror would be much smaller as it wouldn't contain installers. If the clients connect to an ERA server, you could use a local msi installer with a software install task without the need to have the whole repository.
  13. Please contact customer care as this is an issue that hardly anyone will be able to comment on this forum.
  14. If somebody creates malware intended to be used in a targeted attack, I assume they most likely already know what security software the victim uses and what weaknesses it has so that they can focus on how to bypass even behavior blocker or sandbox upon execution.
  15. That's weird, because in safe mode neither the ehdrv.sys driver providing self-defense nor ekrn.exe is running, so it should be possible to rename the file. @HienKieu I meant the driver C:\Windows\System32\drivers\epfwwfpr.sys. If possible, please provide us with a complete memory dump from a crash so that we can confirm it's the issue that we assume it to be. In the next service release and future versions we plan to add a check for values returned by the OS, but since it seems to be caused by a bug in Windows, it will be just a workaround and the issue may recur later, or even with software other than ours.
  16. Monoculture is good neither in agriculture nor in IT security, and diversity is needed as a security measure. Otherwise pests could spoil the entire crop easily, and it's likewise with security; if there's one predominant security vendor, it's enough for attackers to focus on bypassing just one AV in order to get big profit from attacks. Adding some fresh samples seen at VirusTotal (mainly the Nymaim downloader, which has been released in at least 10 variants today), now with LiveGrid detection that will change to DNA detection after the next update:
      Win32_Filecoder.HydraCrypt.N.temporary\81b6309679ce392748c6300b5733bc95 - a variant of Win32/GenKryptik.APJD trojan
      Win32_GenKryptik.APJY.temporary\winx_maylo_19_07_17______indstro.exe - Suspicious Object
      Win32_GenKryptik.APKA.temporary\framer-1.exe - Suspicious Object
      Win32_GenKryptik.APKC.temporary\infrared-76.exe - Suspicious Object
      Win32_GenKryptik.APKG.temporary\megabits-04.exe - Suspicious Object
      Win32_GenKryptik.APKL.temporary\output.111806120.txt - Suspicious Object
  17. Presentation mode can be activated by the lock screen for instance. To my best knowledge, this should be fixed in Endpoint 6.6 that is about to be released soon. As a workaround, you can disable changing the application status if presentation mode is activated via a policy under User interface -> Application statuses provided that Endpoint 6.5 is installed on clients.
  18. As for "next-gen" products and AI, read more about ESET's standpoint on this presented by J.D. at https://forum.eset.com/topic/12303-any-deep-learning-techniques-in-eset-products. These terms are rather buzzwords nowadays and are marketed more like an ultimate solution to malware infections. Here are some examples of new malware that emerged today and how ESET's technologies both in the product and on the backend enable us to quickly react to them and also add DNA detections. Of course, the results don't tell if a particular AV would protect against the malware on execution, but ESET's detections ensure that the malware is also detected on systems where malware is not executed (e.g. gateways, mail servers, etc.) or by the online scanner or SysRescue Live:
      hxxp://www.tuttXXXXXXXXXpaese.com/q.exe
      hxxp://finishXXXXXXXXXXXXXXXhard.com/filesok/666.exe
      hxxp://workXXXXXXXXXorme.com/get/4/icq.exe
  19. We've been doing that for quite a long time already. Suspicious files are sent via LiveGrid and replicated. If malware is recognized, detection is provided to all users via LiveGrid within a couple of minutes.
  20. For how long have you been waiting for the upgrade to complete?
  21. Try disabling the option to enable presentation mode if an application running in full-screen mode is detected and let us know if it makes a difference (adv. setup -> Tools -> Presentation mode).
  22. Hello, we are only aware of one cause of BSOD where epfwwfpr.sys is listed as the culprit. It happens when we receive bad and unexpected data from Windows, most likely due to a bug in WFP. Would it be possible to provide a dump from the crash? Also please clarify if you have ESET Endpoint Antivirus or ESET Endpoint Security installed, since the driver in question is included only in Endpoint Antivirus but you wrote that it's Endpoint Security. In order to be able to start Windows in normal mode, start it in safe mode and rename the driver epfwwfpr.sys.
  23. Log windows can be maximized. What particular window do you mean that cannot be maximized (except the main window with the android)? As for the records in your HIPS log, it appears that you have logging of all blocked operations enabled. It should be enabled only for troubleshooting purposes, otherwise the HIPS log may grow quickly, unnecessarily waste disk space and also cause performance issues.
  24. Hello, unfortunately, it's not possible to avoid that. I'd suggest using ESET's default repository and using an HTTP Proxy (e.g. Apache proxy bundled with ERA v6 all-in-one installer) to cache update files and installers and to prevent downloading redundant files.
  25. As it was already said, if the version of the detection engine ends with "P", you most likely use pre-release updates and all other modules should be the latest available on pre-release update servers as well. It can occasionally happen that some users have a newer version of a particular module than the others. This may happen with staggered releases when a particular module is distributed only to a limited number of users with the others to follow in the next few days.