Marcos

Administrators
Everything posted by Marcos

  1. Endpoint v6 supports Windows XP and there are currently no plans to stop supporting it, as many users are still using it and improvements in newer versions of programs more or less work on Windows XP too.
  2. Yes, it should work. However, since the rules also block legitimate operations, you may encounter issues when attempting to run legitimate scripts, for instance. I'd strongly recommend upgrading to v10, which includes ransomware protection for monitoring process behavior and detecting potential ransomware.
  3. Oops, sorry for that. I see that I probably clicked Edit next to Quote.
  4. Please provide me with the logs gathered by ESET Log Collector as per the instructions in my signature.
  5. I've tried to reproduce it with German version of EIS to no avail. Everything worked like a charm. You can drop me a pm with logs gathered with ESET Log Collector as per the instructions in my signature.
  6. Filecoders usually remove themselves automatically after they complete the encryption. You can scan your disks with an ESET SysRescue CD or USB. If you have updated ESET in the meantime, ran a full disk scan and no malware was found, your computer should be clean. For best practices to protect against ransomware, please read http://support.eset.com/kb3433/.
  7. Please refrain from advising users how to prevent us from providing them with maximum protection. For instance, only version 10 can provide maximum protection against ransomware and therefore upgrade to it is strongly recommended.
  8. The setting in the last screen shot is the right one. If you leave it disabled in a policy applied on EFSW, the issue should not occur. It's ok to leave protocol filtering disabled on servers as long as they don't serve as terminal servers and users don't use it to browse the Internet or read email. The issue didn't occur on Windows 2012 because it came with the bug addressed by the hotfix KB2664888 already fixed. On Windows 7 workstations I would strongly recommend installing the mentioned hotfix. Protocol filtering is essential for protecting computers from web and email threats and therefore should never be disabled on workstations.
  9. The "Documents and settings" is a junction point as of Windows Vista and is not visible by default. That said, accessing this folder will cause a relocation to c:\users folder. A solution would be to have an option for not following symbolic links and junction points in the on-demand scanner setup. It's possible that in the future we'll add such a setting.
  10. Since "Rip N Replace" is a service provided by ESET, LLC directly, I would strongly recommend contacting them.
  11. It's actually not a threat but a potentially unwanted application. At the end of the scan, the user should have been presented with a window where the desired action could be selected.
  12. The problem seems to be with Anti-Phishing protection that cannot be turned off by a policy because the superior protection module (Web access and email protection) is disabled. I would recommend enabling protocol filtering in the advanced setup and enabling web access protection in the GUI. Beforehand, make sure that the following hotfix is installed to prevent potential issues: https://support.microsoft.com/de-de/help/2664888/computer-stops-responding-when-you-run-an-application-that-uses-the-windows-filtering-platform-api-in-windows-7,-windows-server-2008-r2,-windows-server-2008,-or-windows-vista Another workaround would be to stop applying the Anti-phishing setting in the policies that are applied on the server. The issue will be ultimately fixed in EFSW 6.5 soon.
  13. Unfortunately, if an application is running in full-screen mode it's not possible to avoid automatic activation of presentation mode if it's configured so. Haven't tested automatic activation of presentation mode on Windows 10 myself but we'll look into it and see what we could do about it.
  14. Unfortunately, this is the first time we have heard about that research. To put things right, it is not true that ESET does not verify certificates. Unfortunately, the authors of the research didn't provide information about the version of v9 and modules which were used for testing so that we could verify their findings on our part in the very same scenario. As for not supporting modern ciphers, I, for one, am not aware of a lack of support for modern ciphers either. As soon as more information is available, we'll update this topic.
  15. Please run ESET Log Collector as per the instructions linked in my signature. Select "Recently quarantined files" besides the other entries selected by default and proceed to collecting logs. When done, upload the file to a safe location (e.g. wetransfer.com) and pm me a download link. I'll check if there are actually some files in quarantine on the pc in question.
  16. Just delete the offending file if not cleaned automatically, and that's all.
  17. Please provide me with logs from ESET Log Collector as per the instructions in my signature.
  18. There are no records created with logging verbosity set to Diagnostic.
  19. Could you please post a screen shot of the pop-up notification that you are getting? What version did you have installed? Could you try installing the latest v10 and tell us if the issue persists?
  20. Let's start with temporarily changing logging verbosity to Diagnostics (Tools -> Log files -> Minimum logging verbosity). Then re-download CloudCar. When done, send me "C:\ProgramData\ESET\ESET File Security\Logs\warnlog.dat" and change the logging verbosity back to Informative.
  21. How do you know that the engine is not updating? Do you see at least version 14893 in the update pane which is the latest currently? Or if you check the ESET Event log, do you see the engine being updated in regular intervals? If you want to be notified of successful updates, switch off the appropriate option in the advanced update setup that disables notifications.
  22. Currently there's no option not to follow junction points or symbolic links so the behavior is by design.
  23. To reset the password store and to enable you to set up a new master password, go to https://passwordmanager.eset.com and enter your license key as well as your registration email address.
  24. Files were encrypted by Filecoder.Crysis. Unfortunately, decryption is not possible. Both logs show a problem with LiveGrid, therefore I'd recommend testing LiveGrid's functionality by downloading the CloudCar test file which should be detected as Suspicious object. Also payment instructions were not enclosed. If possible, please re-send.