Marcos (Administrators)
  • Posts: 37,915
  • Days Won: 1,503

Everything posted by Marcos

  1. Document protection is disabled by default because registering it in the system (Windows registry) may have an adverse impact on system performance due to a bug in Microsoft Office. I'll try to find out and let you know which registry value needs to be changed in safe mode to disable integration.
  2. It's probably a legit action of the operating system; however, to date we have not heard of any issues caused by the block.
  3. Without knowing details about the block, it's impossible to tell if it was malicious or legit operations that were blocked. Posting a couple of records from the HIPS log might shed more light. Also note that logging of blocked operations should only be enabled for the time of debugging a certain issue; otherwise the HIPS log may continue to grow quickly until the disk space is exhausted.
  4. I've tested submissions via the program's GUI and it worked like a charm. Try restarting your computer. At any rate, the preferred way of submitting actually suspicious or infected files is by email, due to the huge amount of irrelevant stuff that people submit via the built-in form.
  5. Please generate install logs as per the instructions here. When done, drop me a personal message with the logs attached for analysis.
  6. Please continue as follows:
     - open the Task Manager and make sure no browser or email client process is running
     - disable SSL scanning
     - click OK
     - enable SSL scanning
     - click OK
     Should you get an error, copy the information about installed modules from About and paste it here. If you have the most current modules installed, we'll need a Process Monitor log from the point of enabling SSL scanning for analysis.
  7. Currently, scanning of HTTPS traffic tunneled via an HTTP proxy server is not supported.
  8. With firewall integration completely disabled and the Epfw lightweight filter disabled, there's no chance ESS could affect network communication in any way.
  9. Maybe the file is too large to submit. I'd recommend following the instructions in this KB article for submitting files for analysis.
  10. It's not clear what connection you meant between enabling SSL scanning and disabling real-time protection, which are two completely different and independent things.
  11. The issue should only occur on systems with old processors not supporting SSE2. It was fixed yesterday in Internet protection module 1076 for v5 and v6 users. V7 users will receive an updated module 1078B soon.
  12. A dump should have been created when the BSOD occurred. Check if the file c:\windows\memory.dmp exists and look at the date and time of creation to make sure it's from the last crash. If the file doesn't exist, look for minidumps in C:\Windows\Minidump. Compress the dump(s), upload them to a safe location and PM me the download link.
  13. Please create an application dump of ekrn.exe by right-clicking it among running processes in the Task Manager and selecting Create dump file. Then compress the dump, upload it to a safe location and PM me the download link. I'll pass it to the engineers for further analysis.
  14. If you're able to reproduce the freeze, please configure Windows to generate complete memory dumps as per the instructions here and, when a freeze occurs, use the appropriate key combination to create a memory dump. Of course, disabling startup scan tasks is not recommended as they serve as another protection layer and can detect potential newborn malware in memory.
  15. We'll be adding detections for new Koreplug variants in update 8692. When available, update the signature database and run a full disk scan. Should it still be detected only in memory, I'll check your SysInspector log for suspicious files.
  16. Please create a SysInspector log as per the instructions here and send it to me as an attachment to a private message.
  17. It seems a reply was sent to you saying that the domain was removed from the blacklist.
  18. The best course of action would be to log file operations during a backup using Process Monitor and to supply Customer Care with the log created, as well as with a SysInspector log, for perusal. It will be enough to leave Process Monitor logging operations for only about a minute. When you have the logs ready, you can upload them to a safe location and PM me the download link, or contact Customer Care.
  19. Please post a complete record related to the detection from your threat log. The record should look as follows:
     18. 7. 2013 13:59:44 Real-time file system protection file D:\test\kogabontusiq.exe a variant of Win32/Kryptik.BFXC trojan cleaned by deleting - quarantined domain\admin Event occurred during an attempt to access the file by the application:
  20. The log reads "Error 5001. The computer has not been restarted after a program uninstallation. Please restart the computer and run the installer again." So please restart the computer and create a new set of logs.
  21. Check your PM; I've sent you instructions on how to fix the issue.
  22. Please check if the issue with CPU spiking goes away after disabling real-time protection. If so, capture all file operations using Process Monitor while reproducing the issue. When done, compress the log along with a current SysInspector log into an archive, upload it to a safe location and PM me the download link.
  23. Does unticking "Epfw NDIS Lightweight Filter" in your Local Area Connection properties make a difference then?
  24. Does this happen regardless of what browser you use? It sounds more like a browser issue than an actual threat symptom.
  25. Try disabling each of the protection modules in the following order, one at a time, to see if it makes a difference:
     - disable web protection
     - disable protocol filtering in the advanced setup
     - change firewall integration to "Personal firewall is completely disabled" and restart the computer
     - disable Parental control
     - disable HIPS and restart the computer