Marcos

Administrators
  • Posts: 36,365
  • Days Won: 1,446

Everything posted by Marcos

  1. Android runs applications in an isolated environment so one application (benign or malicious) cannot affect the others. Could you confirm that the phone was not rooted? Have you installed ESET Mobile Security on it?
  2. C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs\status.html and trace.log in that folder on the troublesome client should provide more details about the connection issue.
  3. Computers with access to the Internet should not be activated with an offline license. Offline licenses are intended only for machines that are always offline, otherwise a notification will appear in the license manager. Computers that are without Internet connection but can connect to the machine running HTTP Proxy can still benefit from LiveGrid, streamed updates, etc. It restricts access only to ESET's servers so users won't be able to misuse it to connect elsewhere.
  4. As you wrote, the agent receives policies the next time it connects to the ESMC server. Check client details and make sure it connects to the ESMC server alright, has the updated policy in the list of applied policies under Configuration and the update server setting is included in the policy (i.e. it's marked to be applied). If more policies are applied on the client, you may need to enforce the setting in case it's set also by another policy that is applied.
  5. I'm not getting any alert on the said website either. Please post the appropriate record with the full url from the Detection log.
  6. Just for clarification, is Spiceworks installed on 192.168.1.9? The workstation has the IP address 192.168.101.64 and the subnet mask is 255.255.255.0 so they are not in the same subnet. Only SYN packets like these with the IP address of the machine were blocked by the firewall which should not cause any issues. Moreover, TCP port 7680 is used by WUDO (Windows Update Delivery Optimization) to distribute updates in Windows LANs. As to your question, you can request the client's configuration in client details and then convert it to a policy.
  7. First of all, we kindly ask you to post in English since this is an English forum and most users and moderators will not otherwise understand and be able to help. As to your question, no password is set by default. If you are unable to access advanced setup, uninstall ESET in safe mode using the uninstall tool (https://support.eset.com/kb2289/) and then install the latest version of ESET from scratch.
  8. Not really. During the first run it will update the peer and CA certificate as well as the ESMC server address.
  9. You only need to create a new agent live installer and re-deploy it on clients, ideally via GPO if you have more computers that are in a domain. With Endpoint you don't have to do anything since it's only the agent that communicates with the ESMC server.
  10. The "action selection postponed until scan completion" doesn't occur with PUAs if detected in a managed environment with the ESMC Agent installed. We've also made sure that the same applies to Mac products too. Please provide logs collected with ESET Log Collector for a start.
  11. For a start it'd be good to get logs collected with ESET Log Collector from such a machine. In a managed environment, PUAs are cleaned automatically regardless of the cleaning type.
  12. Please provide the url but obfuscate the scheme (http or https) by using hxxp or hxxps instead so that it's not converted to a clickable link.
  13. Please run the following command and provide the output: wmic pagefile list /format:list
  14. On a computer where the communication is blocked:
      - enable advanced network protection logging in the advanced setup -> tools -> diagnostics
      - reproduce the problem (i.e. make sure the communication is blocked)
      - disable advanced logging
      - gather logs with ESET Log Collector and provide me with the generated archive.
  15. Remove the obfuscated malicious javascript and update WordPress and all plug-ins. For more tips on how to harden WordPress, refer to https://wordpress.org/support/article/hardening-wordpress/.
  16. Hard to say. I see that it's injected mainly in js files. If you are not an ESET user, I'd strongly recommend downloading ESET Internet Security, installing it and activating a 30-day trial version. As you will browse your website, ESET will block and notify you when you encounter a malicious url. ESET uses a very strong detection of malicious scripts, hence it's often the only popular AV to detect and block malicious scripts which makes people think we must be reporting false positives but in fact they have their website compromised and infected.
  17. That's what I wrote - you can create rules for a specific application that you can browse on your machine but not generally for any application of that type.
  18. If you sent an activation task to the machine multiple times and it was connected to LAN via wi-fi and later via a cable, different hw fingerprints were calculated and hence it was activated twice. However, in such a case I'd expect one of the device names to end with "-1". I'd suggest removing the device that hasn't connected for a longer time.
  19. Is it just one computer attempting to communicate with ts.eset.com? Have you had the LG feedback system enabled until recently? Are there any files in the "C:\ProgramData\ESET\ESET Security\Charon" folder besides cache.ndb? Was that client activated properly and has no problem downloading module updates from ESET's servers?
  20. Please post a screen shot of the rule that you've created. Maybe you specified both the local and remote port but the remote port changes and thus shouldn't be specified.
  21. On a machine with the communication blocked, you can run the Firewall troubleshooting wizard to get a list of recently blocked connections which will allow for creating the appropriate rule with one click. You can then apply the rule to all machines via a policy.
  22. This is not possible. With firewall rules you can block addresses and ports in general or for specific applications. It's not that you could use a general name for applications like "p2p applications" and the firewall would block the communication for them or that HIPS would block their execution.
  23. We currently have Application Control only as a part of Parental Control for Android. Please post some screen shots for clarification.
  24. An important remark for those who have installed an older version of Endpoint 6.6 recently. If you don't want to upgrade to the latest Endpoint v7.1 for a reason, make sure to install the latest v6.6. Older v6.6 versions contain an eelam driver with an older certificate so if you have recently installed it on Windows 8.1 or newer it won't be able to load modules.
  25. So it happened just once or he or she can reproduce it by closing and opening the lid at any time?