Marcos

Administrators
  • Posts: 36,520
  • Days Won: 1,453

Everything posted by Marcos

  1. If disabling protection modules, protocol filtering and HIPS / self-defense (followed by a computer restart) doesn't make any difference, try renaming C:\Windows\System32\drivers\eamonm.sys and ehdrv.sys in safe mode, one at a time, and then try to reproduce the issue. Let us know about your findings.
  2. I'd add that Endpoint should have blocked this downloader since yesterday, 15:30 GMT.
  3. It appears there are many LockScreen files with double extensions hosted on the url in question. Perhaps you have visited a compromised website with drive-by malware which attempted to download LockScreen from the mentioned urls.
  4. I've used Thunderbird 24.0. After enabling SSL, I exported the root certificate and imported it into Thunderbird manually. Edited trust for the certificate and selected the option "This certificate can identify websites". Scanning emails received via IMAPS worked fine as you can see below:
  5. It works for me fine. Did you add "https://*" and not "https*" as I mistakenly advised before?
  6. The issue with the Training section appearing in GUI for some non-US citizens is being investigated.
  7. Try the following:
     - enable SSL scanning
     - add https://* to the list of blocked addresses
     - add https://url1*, https://url2*, etc. to the list of allowed addresses
  8. Does it mean that disabling web access protection helps?
  9. As mentioned before, all necessary modules and drivers are 64-bit. There would be absolutely no difference in terms of protection or performance if ekrn.exe was 64-bit.
  10. Please let us know if disabling protocol filtering or HIPS (followed by a computer restart) makes a difference. Since we were unable to reproduce the issue in our environment, we'll need your assistance to troubleshoot it further.
  11. The latest version of the real-time protection module was needed for server v4-based products and does not affect other products or versions.
  12. It depends on the number of files, subfolders within a folder as well as on possible archives that are scanned. There's nothing that could be done about it. One thing is that it would take a lot of time to calculate the number of files in each of the folders on a disk, another thing is that it's not possible to estimate the time necessary to decompress archives.
  13. This is ok, I don't see any problem there. As I wrote, ekrn.exe is a 32-bit process.
  14. What's the problem with ekrn.exe being 32-bit? All necessary drivers and modules are 64-bit so ESET's products work on x64 systems fine.
  15. Only Win32/MCH is detected as a potentially unsafe application. Potentially unsafe applications cover legit tools that can be misused in the wrong hands; not sure what purpose it's included in the package for.
  16. I assume you made a typo as signature updates for NOD32 2.0 were discontinued about 2-3 years ago. As for cleaning in Endpoint, default values are recommended and best for most users.
  17. Please also try the suggestions at hxxp://support.microsoft.com/kb/319624.
  18. If you look at the Service list in the Control panel, is the "Base filtering" service actually present and running, or do you mean that it's not there and running ServicesRepair didn't fix it?
  19. You can disable the default update tasks and create your own which will run daily at a specific time.
  20. There are two options on the download page for each of the products: Live Installer (a small installation file that runs on both x86 and x64 Windows and will download the appropriate msi file itself) and Offline installer which will download the msi file for the selected operating system.
  21. As for the SSL issue, was Firefox not running at the time you enabled SSL scanning in v7? Do you use an x86 version of Firefox 24? Does the following procedure resolve the issue?
      - close Firefox (make sure firefox.exe is not among running processes)
      - disable SSL scanning in v7 and confirm it by clicking OK
      - enable SSL scanning
      - start Firefox

      Regarding the problem with your mouse, please provide us with a link to the vendor's website with more information about this particular model. Do you have Device control integration disabled? Does disabling HIPS and restarting the computer make a difference?
  22. The signature database should be updated as frequently as possible in order to stay protected against newborn malware. Even a delay of a few hours would expose computers to risk. Of course, if the computers are not connected to the Internet, the risk of infection would be much lower.
  23. Just to make sure, a computer restart is required for HIPS to get disabled which I assume you did.