Marcos

Administrators

Everything posted by Marcos

  1. Please contact the distributor or seller from whom you purchased your license. They should be able to look it up by your full name and tell you what email address you used for registration.
  2. I'd suggest uploading the following stuff to a safe location and dropping me a pm with download links:
      1. The file you scanned
      2. The output from ESET Log Collector (see my signature for a link to a KB with instructions).
  3. Actually you were the first to state that ESET's protection is weak when it comes to ransomware so I will be glad if this statement is backed up by proof. As for ESET's effectiveness in terms of protection against zero-day threats, I can tell from my personal experience that when checking detections by ESET and other vendors as soon as new threats are reported to us through LiveGrid, ESET is very often the only or one of 2-3 famous vendors to detect it. Next, we receive very few tickets related to infection from users who use a current version and have all protection features enabled and the product regularly updated and configured properly, which is probably the best proof of effectiveness. Last but not least, ESET is tested by prestigious testing organizations and they have never presented results where ESET's protection was weak.
  4. Based on what are you stating this? It is absolutely not true that ESET's protection against ransomware is weak. Quite the contrary, ESET excels in protection against zero-day threats, including ransomware.
  5. It doesn't make much sense to block it in the program; it wouldn't make protection better given that hundreds or thousands of new scam domains emerge on a daily basis and are alive only for a short time. If such a scam website is not detected by a signature, email the url(s) to samples[at]eset.com.
  6. If it wasn't located in c:\windows\installer folder I would delete it. However, msi installers in that folder are needed for uninstalling the application. In case you don't plan to use WinZIP, you could uninstall it and the msi file will be removed from there automatically.
  7. It could be a WinZIP installer. It's known to have SysTweak potentially unwanted application (PUA) bundled. Since it's just a PUA, it's not dangerous and the msi may be needed in the future to uninstall WinZIP. I would select No action for now.
  8. As long as you have SP3 installed (also required by v9), you can install v10 on it as well.
  9. That means Agent was not uninstalled. Please provide me with ELC logs (see my signature for a link to instructions). Endpoint v6 and ERA v6 are mature products. Within a month we're going to release a new version of ERA and Endpoint 6.5 which will introduce a lot of new enhancements and fixes. The document describing new features has 51 pages so there's really a lot of new things to look forward to. If you are having any issues with ERA v6.4 that prevent you from using it or if you feel that it lacks some important features that you require, we encourage you to let us know. We listen to our customers and tailor ERA to your needs if we find out that requested features or improvements make sense and a real use case scenario exists. Staying with v5 is like staying with an old car that isn't as secure as new cars just because of being afraid of the electronics and new features that were added to make the car more secure and comfortable for the driver and passengers.
  10. Sounds like a PUA detection. Couldn't it be that you received a yellow warning about a potentially unwanted application / url? The detection has nothing to do with firewall. You should be presented with an option to continue to the website if you think that benefits of using the PUA outweigh possible risks (e.g. installation of toolbars).
  11. Create a new Live agent installer to ensure that it includes current certificates needed for the handshake to succeed and establish a secure connection.
  12. Anyways, I'd recommend upgrading to EMSX v6.4, at least to take advantage of LiveGrid and other new features, such as filtering particular types of files.
  13. Disabling web access protection from gui should work only in case when a particular url is blocked and an alert is displayed. If you don't get any alert, rather disabling protocol filtering should help. Of course, disabling neither option is recommended as it would expose your computer to risk. I'd suggest uninstalling v8 and installing v10 with default settings to see if it solves the issue.
  14. Do you use ERA v6? If so, it's likely that you'll need to create a new Live agent installer with current certificates and deploy it on clients. Should the problem persist, check status.html on troublesome clients for possible connection errors.
  15. Check if the ERA settings are correct and the address does not point to localhost. That would happen if agent is still installed and redirects Endpoint ERA communication to itself. Anyways, what led you to downgrading to Endpoint v5 which provides worse protection than Endpoint v6 and will become unsupported at some point in the future?
  16. On Windows 7 you have regular update servers set while on Windows XP you have opted for pre-release updates, thus the difference. V10 can be installed on Windows XP SP3.
  17. If pausing firewall helps, run the Firewall troubleshooting wizard to get a list of recently blocked communications and to allow the desired communication with a few clicks.
  18. There's actually an icon for sharing a post in the right-hand upper corner of the post. For instance, to share or reference your last post one would use https://forum.eset.com/topic/10819-eset-endpoint-security-block-foreign-ip/?do=findComment&comment=55164. I can't conceive how it should be supposed to work with URLs. Anyways, the forum system was not developed by ESET and it's a product of a 3rd party company. That said, we can only take advantage of features that the system supports.
  19. The detection may be correct, hard to say without checking the file. Please collect logs with ELC but also select "Recently quarantined files". When done, drop me a pm with the output archive. If too big to attach, upload it to a safe location and pm me a download link.
  20. This is not possible. On how many machines do you plan to install Endpoint v6? If you don't want to have them managed, are you looking for a solution that would allow for putting a license key (sensitive information) to an xml that you would distribute to users? Something like that is not possible and probably will never be as we don't want to provide unauthorized persons with sensitive information. What you could do is temporarily deploy ERA OVA to create all-in-one installer, however, it would also contain the ERA agent which would be installed and would attempt to report to ERA then. By the way, could you please clarify why the customer is currently using ERA v5 but does not want to use ERA after upgrading to EPv6? If we better understand real scenarios in which our users use ERA or Endpoint, we can better react to your needs.
  21. Disabling Windows Firewall does not affect ESET's filtering whatsoever and doing so merely removes Windows Firewall filters from WFP. The only effect it would have is that IPSec and maybe also some other Windows functionalities would not work.
  22. Do you want to cease using ERA to manage Endpoint v6? It won't be possible to manage it with ERA v5.
  23. We have received an initial response to our open case at Microsoft and they confirmed that it looks like a bug in wfplwfs driver. Moreover, according to our developers this BSOD can occur when fragmented IP packets (usually UDP) are sent over a PPPoE connection. Windows uses some internal structures to represent network packet and in this case they are crafted in an unusual (but still valid) way. The problem is that L2802_3ParseMacHeader function in wfplwfs Microsoft’s driver does not handle this scenario well which may result in BSOD. We know of 3 ways how to mitigate this BSOD so far:
      • Do not use PPPoE connection (use Wifi, or change your cable/dsl modem for a cable/dsl router which will do PPPoE for you).
      • Do not use programs that might create fragmented IP/UDP. Torrents are well known for creating such packets. Disable UDP in your torrent application if possible. Note that web browsing uses mainly TCP, which is safe.
      • Use an older ESET product. ESSv9 should be safe since it has its own LWF driver called epfwlwf and does not depend on Microsoft’s wfplwfs.
      This has nothing to do with enabled or disabled Windows firewall, nor with Automatic/Interactive mode of ESET firewall or application rules in ESET firewall.
  24. Do you mean that it's enough to temporarily pause real-time protection for the issue to go away?
  25. If temporarily disabling protocol filtering in the advanced setup makes a difference, continue as follows:
      1. In the advanced setup -> Tools -> Diagnostics, enable advanced protocol filtering logging.
      2. If the issue can be reproduced with Chrome, open the Developer tools panel (Ctrl+Shift+J) and select Network.
      3. Reproduce the issue.
      4. Right-click in the Network panel and select "Save as HAR with content" and save the file.
      5. Stop advanced protocol filtering logging.
      When done, compress the previously saved file and attach it to a pm for me. Also include the output from ESET Log Collector (for instructions, refer to the KB in my signature). If too large to attach, upload the file(s) to a safe location (Dropbox, OneDrive, etc.) and pm me download links.