Marcos

Administrators
  • Posts

    38,021
  • Days Won

    1,507

Everything posted by Marcos

  1. We were unable to download any malware from the mentioned url, only a potentially unwanted application. Please follow the instructions in the above mentioned KB article to submit files to ESET for analysis. Also please write in English so that we all can understand you.
  2. This pop-up window doesn't come from nor is caused by ESET. Does it pop up right after you start Windows? Perhaps an ESET SysInspector log would shed more light. Please create one and supply it to me via a personal message for perusal.
  3. Ekrn is an essential process and must be started as soon as possible in order to provide effective protection. Startup scans and the initial update are delayed by default.
  4. We are working on a new service build that should address all issues known to date. Please try increasing the spinlock timeout by running "sudo nvram slto_us=0xffffffff" and restart OS X for the change to take effect.
  5. Sometimes it's necessary to run the uninstall tool more times until no AV program is detected. What pop-up are you getting now that ESET has been uninstalled completely?
  6. ESET doesn't use nor protect the registry key shown in the screen shot unless you create a blocking HIPS rule manually. I'd say this is not related to ESET at all.
  7. Weird. We replied to all who had sent complaints about the block to samples[at]eset.com. Anyways, the issue is still investigated as the domain is involved in scam so the domain may be blocked again after the investigation has been completed.
  8. Please continue as follows: 1, enable logging of blocked connections in the IDS setup 2, clear the firewall log 3, reproduce the problem 4, stop logging 5, post your firewall log here (if too large, export it to a text file and attach the file to your post).
  9. I'd suggest running the uninstall tool twice or even more times unless it reports that no security program has been detected. It seems that the HIPS driver is still loaded and protecting the ESET install folder. PS: We would appreciate if you could share with us the reasons that led you to uninstalling ESET.
  10. Please follow the official guidelines for reporting blocks to ESET: hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN141
  11. You can check task details in Scheduler for information when a task was run last time.
  12. Please follow these instructions and report the file to ESET Malware Research Lab. No wonder that the file is detected as it's packed using Themida and has no version information and is not digitally signed either. These factors make files highly suspicious for antivirus scanners.
  13. Exactly. Since the clients are running an old v. 4.2, perhaps the best course of action would be to create a new installation package with the latest version of ESET Endpoint Antivirus / Security 5.0.2228 and push it to the clients with a correct ERAS configuration.
  14. As I wrote, one of the main differences between v4/v5 and v7 is that in v7 advanced heuristics is used by real-time protection on execution by default. Emulation by advanced heuristics is a resource and time consuming process, however, thanks to LiveGrid, files with good reputation may be omitted from scanning which substantially improves the whole performance. There are several reasons why you don't notice this "lag" with other AV products: 1, Some vendors may not attempt to unpack such large files at all due to an adverse impact on the scan time. While such approach improves performance on one hand, it leaves a potential security hole on the other hand as malware spreading in similarly large files wouldn't be unpacked. 2, I dare to say that no other vendor has such an efficient and powerful emulator like Advanced heuristics employed by ESET's products which can emulate the code very deeply, allowing to detect many new malware variants utilizing different envelopes. You can play with settings, such as advanced heuristics on file execution as well as with LiveGrid and Smart optimization to see what impact it has on scanning this particular file.
  15. What about changing the firewall integration to "Only scan application protocols" or "Personal firewall is completely disabled" ? Just in case, restart the computer after changing this setting.
  16. You could hold your breath before this feature becomes available. More information soon...
  17. I see, it was a typo. The correct command is "sc query ekrn".
  18. According to my investigation, the installer file is 21 MB in size and is packed with UPX. It takes 4 seconds to scan. In an unpacked form, the size of the installer is 23 MB so the difference is negligible and the scan is completed in less than a second. I assume that disabling advanced heuristics on file execution would help in this case (was disabled in v4 and v5 by default). Of course, we don't recommend disabling this option but you can try just to confirm my assumption. Subsequent execution (scanning) of the file should be very quick with LiveGrid and Smart optimization enabled. If you have v4 installed, you can try enabling Advanced heuristics on file execution to make the setting set up the same way as in v7.
  19. This indicates a problem with ekrn. If you run "sc query ekrn" with administrator rights, is ekrn running or stopped? PS: When posting, did you get an error "Service unavailable" ? I'm asking because a duplicate post was created.
  20. This concerns only the latest Endpoint installers as no newer build of v7 has been released this year yet.
  21. Unfortunately, without further logs we can only speculate what happened. It's not clear if the threat was detected by ESET or not at all and whether ESET was installed on the infected computer or only on the server. Also we don't know how ESET installed on the server is configured and what version of the signature database was installed at the point of infection. Please run ESET Log Collector on the server and send me the output via a personal message. PS: Did you get a "Service unavailable" message when posting? I'm asking because you posted twice.
  22. Changing the Apple ID password shouldn't affect ESET at all. Maybe there was a glitch with activation servers or whatever when you attempted to activate.
  23. It'd be interesting to know if installing Endpoint on that computer locally completes without an error.
  24. A simple answer - no, local IP addresses are not submitted to ESET.
  25. If you enter "hxxp://192.168.1.10:2221" in a browser on a client, will this open a window with the mirror content?