Marcos

As far as I know, this Filecoder is run manually by an attacker after remoting in via RDP for instance. Therefore besides upgrading to v10 which contains ransowmare protection module, you should also consider disabling RDP or at least securing it.

The url was opened by Edge, hence I'd start off by checking and removing extensions, one at a time.

That should be ok. In my opinion, ERA should manage that number of clients even in shorter intervals but it depends also on the hw configuration and the amount of data transferred by clients to ERAS.

What about using psexec? https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

Do you mean that the firewall is continually asking you about action for FlashPlayerPlugin_25_0_0_171.exe when it attempts to connect to the Internet? If so, please provide me with ELC logs.

Please contact your local distributor. They should be able to provide you with upgrade to ESSP for a small upgrade fee. If you have purchased ESET Internet Security, your license covers ESET NOD32 Antivirus, ESET Internet Security and ESET Smart Security (but not the Premium version which also includes Data encryption and Password manager).

Have you tried running the ESET Uninstall tool in safe mode and then installing ESET from scratch? Should the problem persist, provide me with logs collected by ESET Log Collector as per the instructions linked in my signature.

The certificate issued for *.cdn.hiberniacdn.com expired on May 6th. The owner of the domain should replace it with a valid certificate. You can allow the communication if you trust it or choose Block if you are not sure.

If the clients are in a domain, click "Select SID from ERA" to browse users in AD.

Please continue as follows: - enable advanced firewall logging under Tools -> Diagnostics - restart the computer - reproduce the issue - disable logging - collect logs with ESET Log Collector as per the instructions linked in my signature and provide me with the generated zip file.

All mentioned protection features will work even without active firewall.

V10 .1 installers already contain recent modules so it should work ok on Windows 8.1+ with 3rd party software registered as LSP.

It's actually not a new idea and maybe in the future installers will work like that.

I see. The progress bar was misleading; it showed progress for a particular drive, not for all scan targets and it was quite common that it got to ~90% quickly because of folders with a few files inside and then it took long to scan the remaining 10% because of many files in the Windows and Users folders.

I've tried the latest beta 10.2 and it still shows a progress bar during update. Moving dots are displayed prior to the actual download of update files when the product is attempting to connect to an update server to get information about available updates.

Please contact your local distributor and explain them the situation.

What error do you get when you attempt to activate Endpoint manually on a client? Do you activate it with a license key or with security admin credentials?

Have you tried temporarily disabling protected service in the HIPS setup and restarting the computer? Did you run "netsh winsock reset" as an administrator?

The OP wroge that all machines are running Windows 10. 1. Do you have trusted zone set up properly so that all local machines are members of it? 2. If so, you can run the firewall troubleshooting wizard to review blocked communications and to allow the desired ones with a few clicks.

Do ekrn.exe and egui.exe exist in the Eset install folder in Program files?

It turned out to be doable. We'll consider adding an option to prevent standby in future versions of Eset's products.

If you can't find the registration email with your license key, contact the distributor or reseller from whom you purchased your license.

How do you know it's not running? Does running "sc query ekrn" as an administrator tell that it's stopped or that the service does not exist?

You can't stop that if you are not behind a router with NAT or firewall. Also port scan attacks may come from legitimate devices; in such case it's possible to unblock particular local IP address.

As I have already written, I doubt this is something that a program can control programmatically. That said, the answer is no.