Marcos

Administrators
  • Posts

    37,944
  • Days Won

    1,504

Everything posted by Marcos

  1. I would ask your administrator to disable scanning of removable media (real-time protection would still scan files on them). Stopping a scan would require administrator rights or entering an admin password anyways.
  2. I was unable to reproduce it. Please provide a Process monitor boot log as well as ELC logs as per the instructions linked in my signature.
  3. I see that it's detected as Win32/FusionCore.L potentially unwanted application. The detection is correct; the installer has fusion.dll embedded. Detection of potentially unwanted applications is optional. If you have opted for PUA detection, you can still exclude a particular PUA from being detected by checking Exclude from detection after unfolding advanced options in the yellow alert window.
  4. Did you try disabling automatic start of real-time protection and restarting the computer? If that doesn't help, try disabling HIPS and restarting the computer. Should the problem persist, try renaming C:\Windows\System32\drivers\ehdrv.sys in safe mode. Is there a way to get the software in question and reproduce the issue on our part?
  5. I tested it and didn't have any issues after switching back to regular updates. Again, I'd like to encourage everybody who doesn't work on a production system to keep pre-release updates enabled. This will enable you to receive new modules with new features or fixes in advance and in case there are issues with a new module, you can switch back to regular updates after you report it to ESET and wait until a new module addressing the issue becomes available.
  6. The minimum update interval is 60 minutes for update from ESET's servers and 5 minutes from a mirror.
  7. Please check if dumps are created in C:\ProgramData\ESET\ESET Endpoint Security\Diagnostics folder. If so, upload at least two recent ones to a safe location and pm me download links along with the output from ESET Log Collector.
  8. Do you mean that the gui (egui.exe) or the kernel process ekrn.exe is continually restarting? Are there any records of it in the system event log?
  9. That's quite a lot. Please generate a dump of ekrn via the advanced setup -> Tools -> Diagnostics -> Create (dump). When done, compress the dump created in the Diagnostics folder, upload it to a safe location and pm me a download link.
  10. HIPS was first introduced in v5. Since then it's improved a lot, especially its subfeatures like AMS, Exploit Blocker and the brand new anti-ransomware protection introduced in v10. All these including self-defense are virtually parts of HIPS. Those who don't mind being asked about an action when a suspicious operation is attempted can switch HIPS to Smart mode which is more effective than automatic mode but some decisions must be made by the user. As already said above, AV programs use various protection layers to make it difficult for malware authors to bypass them all. Also J.D. mentioned that even if a particular malware is not visually recognized it doesn't mean we won't learn about it. Quite the contrary; such samples are automatically replicated and detection is added within minutes via LiveGrid.
  11. There's nothing new on this matter. However, as a workaround excluding the whole Dropbox folder (which includes .dropbox.cache) should work.
  12. ESET does not integrate into Thunderbird as a plug-in. Please elaborate more on the issue. Also try the following: - restart Windows - without launching any application, disable SSL/TLS filtering in the advanced setup and click OK - re-enable SSL/TLS filtering - launch Thunderbird and check if the issue is solved.
  13. We were unable to reproduce it. Please enable advanced firewall logging in the adv. setup -> Tools -> Diagnostics, then trigger the firewall window, select to create a rule and deny the communication. If the communication of the application was allowed, disable logging, collect logs with ELC as per the instructions linked in my signature, upload the generated zip file to a safe location and pm me a download link.
  14. By clicking Allow or Deny you select an action for the existing connection. Afterwards the action will be remembered if you choose to save the rule.
  15. I would also strongly recommend upgrading to Endpoint v6 and ERA v6 for maximum protection and using an http proxy to cache update files instead of using a mirror to save traffic.
  16. I don't see any security issue with that. Even the standard Windows lockscreen triggers gamer mode with older versions. Gamer mode does not disable protection but on the other hand it should not stay enabled for longer than necessary.
  17. I don't think it's an attacker or malware that disables anti-phishing. An attacker would disable the whole AV product or even uninstall it and not only disable a less important protection feature. I'd suggest opening a case with your local customer care and providing them with ELC and Procmon logs created at the time when you observe performance issues. Also a complete memory dump might shed more light.
  18. You can control a particular setting (exclusions) either via a policy or by user. Policy overriding is only temporary. There's a chance that this will be improved in ERA / Endpoint v7 but I can't confirm it now.
  19. Please uninstall ESET in safe mode as per the instructions at http://support.eset.com/kb2289. Then download and run the appropriate installer from www.eset.com which will download and install the latest version.
  20. The solution is to disable Windows Defender. The rule has always been not to have two or more real-time protections running at a time which happens when ESET installs; it takes some time for Defender to disable after our real-time protection activates which causes deadlocks under specific circumstances and file operations then take minutes to complete. The plan is to release a hotfix for Endpoint 6.5 next week. As for home users, it will take longer since changes needed to prevent clashes with Defender are not trivial.
  21. It's enabled as of v10.1 and we will continue gradually enabling it for modules after making sure there's no adverse effect on performance.
  22. The issues may basically occur with any version since it's a clash of two real-time protections running at a time. It's always been a rule not to run 2 real-time protections at a time but recently Microsoft has made some sudden changes that triggered the clash. The issue is not limited to ESET's products and more AVs are affected.
  23. Is Endpoint v6 installed on clients? If so, you can manage licenses via ela.eset.com. As for the higher number of seats covered by your license than actually needed, I'd suggest contacting the distributor or reseller from whom you purchased your license to reduce it to the number of computers that you actually use.
  24. ERA merely displays action that is logged on clients. "Deleted" means that a file was deleted right away, e.g. when malware was detected in a newly created file and cleaning the registry is not needed. "Cleaned by deleting" is reported when cleaning was performed but the file contained only malicious code and therefore was deleted.