Marcos

Administrators
Everything posted by Marcos

  1. Do you mean firewall on the server or on clients? If you create a mirror on the server using ESET Remote Administrator, is it created alright without an error and the problem is just with updating clients from the mirror?
  2. I've seen variants detected only by ESET so the likelihood that the samples you're referring to are detected is quite high.
  3. Most likely it's detected as Win32/Filecoder.XX. However, without an exact sample it's impossible to tell for sure and my assumption is based only on searching for the name provided.
  4. Please post here a complete record from your ESET Threat log containing the full path to the file, the detection name as well as some other information.
  5. You'd need to disable real-time protection but this would leave your computer unprotected. It's the role of real-time protection to scan all files that are created or accessed by the operating system or 3rd party applications. Are you experiencing any issue with real-time scanning?
  6. Does the slowdown occur at the time the clients receive an update? By default, a startup scan is run after an update to make sure no threat is active in memory. Are they systems with multi-core processors or what's the hw configuration?
  7. In order to troubleshoot the issue, we'd need a Process Monitor log from an issue replication for analysis. When you create one, compress it, upload it to a safe location and pm me the download link.
  8. You can try v7 but since Windows XP uses legacy drivers and does not support minifilters, it won't make any difference and the issue will occur also with v7. There are basically 2 options: 1, upgrade the operating system to a newer one with support for minifilters 2, make the application open files for writing only in one thread. Making a change preventing the issue from occurring on Windows XP would cause the real-time scanner not to detect malicious files.
  9. It's been confirmed by engineers that this issue cannot be fixed in the legacy driver used in Windows XP and older due to technical limitations of the operating system. Issues like this may occur if an application opens files in 2 or more threads for writing and ShareMode read,write. That said, the only solution is to use a newer operating system as keeping real-time protection disabled is not an option. Another solution would be to make the application open files for writing only in one thread in which case the sharing violation wouldn't occur.
  10. Probably it's because I didn't restart after installing v7 beta. Anyway it's not a big deal as long as the Exploit Blocker is functional, which I hope it is, am I right? So this explains the problem. A computer restart is required for the text to be displayed as it was added via a module update so that beta users can test the new feature without making a new beta version.
  11. I've noticed that sharing violations occur on C:\Database\tempres.bin. Was the Procmon log created with v4, v5 or v6 installed? I assume you're using Windows XP, could you confirm? As for the issue with v7, could you try installing it again, now without importing settings from a previous version? If the problem persists, please create one more Procmon log with v7 installed. In that case, it'd be most likely a known issue of legacy drivers that could only be fixed in the minifilter driver used on Windows Vista and newer.
  12. The thing is you're looking at the Web protection settings -> URL address management on the client but in the Configuration editor you have a Web control setup window with rules open. Web access protection and Web control are different features although both allow for blocking URLs. While URL address management is a part of Web protection, Web Control is an equivalent to Parental Control in the home version.
  13. Code emulation is a kind of task that can only be performed sequentially. It's not that we now have multi-core processors and every single application will benefit from it when performing its tasks. As I wrote, if several scans are run at once (e.g. on mail servers), scanning threads are run by separate CPU cores simultaneously which increases the overall scan performance.
  14. We've been unable to reproduce it. After updating a fresh v7 beta and restarting Windows, the text "Enable Exploit Blocker" is always displayed.
  15. Please contact the French Customer care via this form. For licenses ordered via the web, you should get an email with your license details within a few minutes after purchase.
  16. Regular automatic updates are attempted on an hourly basis by default as long as the computer is turned on.
  17. If disabling real-time protection actually helps, the only operations performed by real-time protection are those with the ekrn.exe process. Other modules do not perform file operations and even network operations are performed by ekrn.exe. I have long-time experience analyzing Procmon logs and various issues related to ESET products so I'm sure I'm not mistaken.
  18. Please refer to my previous post and post information about the modules installed.
  19. Your policy was properly applied to my Endpoint client after connecting to ERAS v5. Could you please post a screenshot of your Web control rule setup to make sure you're looking at the right setting?
  20. System variables should work, user variables not as they are not available in the local system account.
  21. I have replied to your pm. As for Procmon logs, you'd see ekrn opening a file for scanning (CreateFile operation) if one is actually scanned. I didn't find any such records about the time the issue manifested.
  22. It's because you run only one file scan at a time. If you ran 2 scans simultaneously, 2 CPU cores should be utilized, one by each scan.
  23. From my personal experience, ESET detects many more PUAs than any other competing product. Even if they start detecting a certain PUA, they remove detection after receiving a complaint from the application's vendor, most likely because further disputes with vendors always require a lot of investigation which is time and resource consuming. Also I'd like to emphasize that unlike some other vendors, ESET only detects files that actually pose a risk, i.e. configuration files, images, text files, etc. are not detected and removed. These files are often installed with potentially unwanted applications. Therefore, in order to remove PUAs completely, we always recommend running uninstall via the Control panel -> Add/remove programs rather than deleting exe and dll files only.
  24. You purchase a license for a particular product which will entitle you to download and update any version of the product. With an ESET Smart Security license, you can also download and update ESET NOD32 Antivirus, if needed but not vice-versa.
  25. Please post information about installed modules from the About window.