Marcos

Administrators
  • Posts: 37,944
  • Days Won: 1,504

Everything posted by Marcos

  1. Do you have a reason to believe that it's blocked by ESET, e.g. you receive an alert when the login page should open? Does temporarily disabling firewall or web access protection make a difference?
  2. The conversation about ransomware has been moved here: https://forum.eset.com/topic/12475-anti-ransomware-protection/.
  3. Please run this tool to find out if the computer is protected from EternalBlue exploits: https://help.eset.com/eset_tools/ESETEternalBlueChecker.exe.
  4. Please refer to some reputable company or website, not to the one that you took the screenshot from. And yes, there are hardly any AV products that wouldn't protect you from the last DiskCoder.C yet.
  5. We are about to release a new version of ESET SysRescue soon. Please try it with the new version, when available.
  6. It's not true. HIPS rules alone would cause a lot of problems. If one wants, we have a document with hints as to what rules can be added to mitigate ransomware. However, the user must know how and what to fix if issues stemming from the rules occur. The Anti-ransomware feature is not simply HIPS rules that have been added. It's a sophisticated system for evaluation of process behavior which is an extension of HIPS. Adding brand new features to old versions with limited support is not a practice of software or operating system vendors.
  7. I, for one, doubt that a network vulnerability could be detected generically a long time before it's actually discovered. I'd say it's not possible without FPs. You seem to believe that any updates to security software are about signatures and that there is some security software that magically can recognize any vulnerabilities and malware before it's created / discovered without an update. If it was that easy, why doesn't Microsoft generically patch any possible vulnerabilities that may be found in the future in their products? Also, detection names don't tell much because it's just a name and we could call it simply "SMB exploit", based on which you would not be able to assume when the detection was created. The fact is that the detection of the EternalBlue exploit was added on April 25, about two weeks before the WannaCry outbreak. After the outbreak, security programs were tested and ESET Endpoint Security v6 was one of 3 security products to have detected and blocked it at the network level. All other tested products failed. Unfortunately, nobody knows what the situation was on April 25 when we added the detection. It could be that ESET was the only vendor at that time to have proactively protected against any exploits of the vulnerability.
  8. You must have enabled detection of potentially unsafe applications just recently. This particular detection of a toolbar has been there since 2012.
  9. It's like asking why we didn't implement it in NOD32 v1 and waited until v10. Or why Windows 10 couldn't look and work like it does since v1. Every software is developed over time and reacts to current needs. Even cars or other things were not like they currently are at the time they were invented, and things as well as software and even we humans continue to develop.
  10. Please provide more details about what operating system is running on clients, what ESET product and version is installed and what issues with InDesign it causes.
  11. It doesn't use any script. It merely checks the installed version of srv.sys.
  12. Blocking remote ports should work. Please drop me a PM with ELC logs and step-by-step instructions on what you did. Did you want to block any http(s) communication on those ports or only with specific servers?
  13. I'd suggest contacting Customer care and creating a regular support ticket as we'll need to collect logs from your machine to find out if the appropriate dat file doesn't contain any records or if it's only that they are not displayed.
  14. ESET products download updates from ESET's servers via http, i.e. the remote port is 80. What error are you getting when attempting to update Endpoint manually?
  15. It depends on many variables. Providing all clients have the same modules installed and a newer update of particular modules is available, a client will download the update files and http proxy will cache them so that other clients don't need to download the same files again from ESET's servers but will receive them from the proxy server's cache. If some computers have skipped some updates, they will download update files from ESET's servers as they were not previously downloaded by clients. See http://help.eset.com/era_install/65/en-US/index.html?difference_connectivity.htm for more information.
  16. If it's in the MBR, then it's necessary to use Windows Recovery Console or another tool to replace / fix the MBR.
  17. First of all, please make sure that you are using the very latest version of Endpoint. If that doesn't make any difference, try disabling all Outlook plug-ins but ESET. If that doesn't help either, try disabling the "Sent email" option.
  18. In order to clean viruses in the MBR, run fixmbr from Windows Recovery Console or use TestDisk for Linux from a Linux boot medium.
  19. Yes, it can be accomplished using HIPS. Please refer to this KB for some examples: http://support.eset.com/kb6119
      Access to this forum is not paid and is free to everyone. Approving the first post of a user is an effective measure to prevent spam from flooding the forum, and since it was the weekend, it could take some time to get your post approved.
  20. Given that ESET was initially one of 3 security solutions to protect against the exploitation of the EternalBlue vulnerability, do you assume that the other 2 vendors had already magically protected against it when the vulnerability was not yet known to Microsoft? And then why were only 3 vendors able to protect weeks after the release of the patch by Microsoft? Weren't the other vendors too slow?
  21. This is just a change in wording. As of ERA v6.5, "Virus signature updates" was renamed to "Modules update" but the task has always served to download all module updates, not just the engine itself.
  22. Your assumption is correct. Offline license files are intended for computers that cannot access ESET's license servers at all. If they are able to access them through a proxy server, you should use the standard activation method. As for mirroring, it's an ineffective method of updating as many files downloaded with each update are never used by clients. When updating through a proxy, only update files that are really needed and have not been cached yet are downloaded.
  23. Does update fail even if you run update locally on a client? If so, what error do you get?
  24. Create a software install task for desired clients / group, select the latest product version from the repository and that's it. Agent on the clients will download the latest version and install it over the current one. I'd recommend doing this at the time when you can afford to restart the computers. A restart will be required for new drivers to get loaded.