
Marcos
Administrators
Posts: 36,336
Days Won: 1,445

Everything posted by Marcos

  1. Thank you, I have passed it to a developer. Will keep you posted. Last time we checked the rll file (not sure if 100% same), the file did not have a valid signature:

     [\Device\HarddiskVolume1\Windows\System32\1033\sqlnclir11.rll]:[\Device\HarddiskVolume1\Program Files\ESET\ESET Security\ekrn.exe] 0x7 > 0x1
     ******************************************************************
     This break indicates this binary is not signed correctly: \Device\HarddiskVolume1\Windows\System32\1033\sqlnclir11.rll and does not meet the system policy.
     The binary was attempted to be loaded in the process: \Device\HarddiskVolume1\Program Files\ESET\ESET Security\ekrn.exe
     This is not a failure in CI, but a problem with the failing binary. Please contact the binary owner for getting the binary correctly signed.
     *****************************************************************
  2. Anti-Malware Services are part of Windows 8.1 and Windows 10 itself; it's not our service. We merely utilize it. In Windows 8.1, a new concept of protected service has been introduced to allow anti-malware user-mode services to be launched as a protected service. After the service is launched as protected, Windows uses code integrity to only allow trusted code to load into the protected service. Windows also protects these processes from code injection and other attacks from admin processes. (https://docs.microsoft.com/en-us/windows/desktop/services/protecting-anti-malware-services-) You can post your sqlnclir11.rll and we will check Microsoft's signature to see if Windows AM Services should accept it and allow it to be loaded into protected services.
  3. Protected service is a part of Anti-Malware Services protection mechanisms.
  4. A HIPS developer responded that it's not about signing files in general, otherwise malware authors could buy one and circumvent the system of protected services implemented in Windows 10. PS needs a properly signed dll with a signature that is expected by the CI component. A properly signed dll must meet the Anti-Malware Services requirements described at https://docs.microsoft.com/en-us/windows/desktop/services/protecting-anti-malware-services- :

     Anti-malware service signing requirements
     The user-mode service that needs to be launched as protected must be signed with valid certificates. The service EXE must be page hash signed, and any non-Windows DLLs that get loaded into the service must be also signed with the same certificates. The hash of these certificates must be added into the resource file, which will be linked into the ELAM driver.
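     The three facts these posts hinge on (whether the service really runs as a protected service, whether the DLL it tries to load carries a signature Code Integrity will accept, and whether CI has already logged a refusal) can be checked from an elevated PowerShell prompt. The script below is an added example, not code from the thread, from ESET or from Microsoft. It assumes the Windows service name is 'ekrn' (the thread only names the ekrn.exe process), uses the DLL path quoted in the thread, treats the expected-signer list as a placeholder you replace with the certificates the service owner actually embedded in its ELAM driver, and matches CodeIntegrity events by message text instead of relying on a particular event ID.

```powershell
# Added example, not code from the forum thread or from ESET/Microsoft.
# Checks the three things the posts above turn on before anyone considers
# disabling "Protected service" in the HIPS setup:
#   1. whether the anti-malware service really runs as a protected service (PPL),
#   2. whether a DLL it is expected to load is Authenticode-signed, by whom,
#      and whether page hashes are present (via signtool.exe, if installed),
#   3. whether Code Integrity has already logged a refusal for that DLL/process.
# Assumptions (not stated in the thread): the Windows service name is 'ekrn';
# the DLL path is the one quoted in the thread; the expected-signer list is a
# placeholder to be replaced with the certificates whose hashes the service
# owner linked into its ELAM driver resource.
param(
    [string]   $ServiceName            = 'ekrn',
    [string]   $DllPath                = "$env:SystemRoot\System32\1033\sqlnclir11.rll",
    [string[]] $ExpectedSignerSubjects = @('O=Microsoft Corporation'),
    [int]      $EventHours             = 24
)

# 1. Service protection level. For an ELAM-registered anti-malware service
#    sc.exe prints "PROTECTED SERVICE: ANTIMALWARE_LIGHT"; "NONE" means any
#    administrator process may open and inject into the service process.
Write-Host "== Protection level of service '$ServiceName' =="
& sc.exe qprotection $ServiceName 2>&1 | ForEach-Object { Write-Host "   $_" }

# 2. Authenticode status of the DLL.
Write-Host "`n== Signature of $DllPath =="
if (-not (Test-Path -LiteralPath $DllPath)) {
    Write-Host "   file not found"
}
else {
    $sig = Get-AuthenticodeSignature -LiteralPath $DllPath
    Write-Host "   Status     : $($sig.Status)  ($($sig.StatusMessage))"
    if ($null -ne $sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        Write-Host "   Signer     : $($cert.Subject)"
        Write-Host "   Issuer     : $($cert.Issuer)"
        Write-Host "   Thumbprint : $($cert.Thumbprint)"
        Write-Host "   Valid to   : $($cert.NotAfter)"
        $known = $ExpectedSignerSubjects | Where-Object { $cert.Subject -like "*$_*" }
        if ($known) { Write-Host "   Expected   : yes" }
        else        { Write-Host "   Expected   : NO - signer is not in the expected list" }
    }
    else {
        Write-Host "   Signer     : none (file carries no signature Windows can verify)"
    }
    # Get-AuthenticodeSignature does not report whether page hashes were signed,
    # which the quoted Microsoft requirements demand. signtool.exe from the
    # Windows SDK does: 'verify /ph' prints and checks the page hash values.
    $signtool = Get-Command signtool.exe -ErrorAction SilentlyContinue
    if ($signtool) {
        Write-Host "`n   signtool verify /pa /v /ph:"
        & $signtool.Source verify /pa /v /ph $DllPath 2>&1 | ForEach-Object { Write-Host "      $_" }
    }
    else {
        Write-Host "`n   signtool.exe not on PATH; page-hash check skipped"
    }
}

# 3. Code Integrity refusals. Match the file name or the process name in the
#    message text of the Microsoft-Windows-CodeIntegrity/Operational log rather
#    than relying on a specific event ID.
Write-Host "`n== CodeIntegrity events mentioning the DLL or the service (last $EventHours h) =="
$leaf = [regex]::Escape((Split-Path -Path $DllPath -Leaf))
$proc = [regex]::Escape("$ServiceName.exe")
$hits = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
            StartTime = (Get-Date).AddHours(-$EventHours)
        } | Where-Object { $_.Message -match "$leaf|$proc" }
if (-not $hits) {
    Write-Host "   none"
}
foreach ($e in $hits) {
    $firstLine = ($e.Message -split "`r?`n")[0]
    Write-Host ("   {0:u}  id={1}  {2}" -f $e.TimeCreated, $e.Id, $firstLine)
}
```

     Run it elevated (reading the CodeIntegrity operational log and querying service protection both need administrator rights). A file that reports Status Valid here can still be refused by the protected process: what PPL enforces is not "has some valid Authenticode signature" but "is signed by a certificate the service's ELAM resource names, with page hashes", which is exactly the distinction the HIPS developer draws in the post above.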
  5. Still it's not clear what OS the issue occurs on. On Mac OS, it's necessary to temporarily switch the firewall to interactive mode to create the appropriate rules in order for Skype to work.
  6. Recently we have added a notification that appears if ESET Dynamic Threat Defense doesn't work properly. Beforehand there was no error shown so an admin couldn't easily learn that something was broken and that maximum protection by EDTD was not ensured. Probably EDTD is disabled on Endpoints where the notification is not shown.
  7. Please see the explanation above. There are 2 possibilities:
     1. You did not purchase an ESET Dynamic Threat Defense license, however, you enabled it via a policy. As a result, EDTD doesn't work and informs you about that.
     2. You purchased an EDTD license but you didn't add it through an EBA account to the ESMC license manager and didn't send a software activation task for EDTD to clients.
     The solution is to:
     1. Purchase an EDTD license to improve protection; i.e. suspicious files will be immediately analyzed in ESET's cloud sandbox and ESET Security products in your company will learn about the result and start protecting from possible new malware almost instantly.
     2. Or disable EDTD in a policy.
  8. What ESET product do you use? Is it possible to reproduce the issue so that you could provide step-by-step instructions? Does using another browser, temporarily disabling protocol filtering in the advanced setup or disabling other protection modules make a difference? Since this is an English forum, we kindly ask you to post in English so that moderators and other users can understand you.
  9. What kind of browser do you use? Does the website open automatically in other browsers too? Does it open even if the home page is set to blank? Even if no browser extensions are enabled?
  10. Does the CPU utilization take minutes? During cleaning, it's possible that one core of the CPU is utilized to the maximum. It's not an issue, since no threat should be found in the first place and, if a threat is found, CPU resources are not so important that we could not utilize them to finish the cleaning asap, since cleaning the threat is the top priority at that point. If the problem is that CPU utilization doesn't go down after, let's say, 10 seconds or more, please provide a Procmon log as well as a full dump of ekrn from that time.
  11. I meant this setting: However, disabling protected service will disable an important protection service of Windows 10 and an attacker could theoretically inject into ESET's ekrn.exe running under the system account.
  12. You could try disabling automatic exclusions and adding them manually instead. Let us know if the error is no longer reported after rebooting the server.
  13. Please post the appropriate row from the Filtered websites log.
  14. I assume that both appear in the same device group in the system Device manager. If so, it's not possible to distinguish between them.
  15. As long as you have a valid license, you can install, activate and update any version of the products that you are eligible for. It is not clear to me what kind of license the second one is. To my best knowledge, for multi-device security we don't offer renewals and it's necessary to purchase the product again shortly before it runs out. Anyways, I'd recommend contacting your local seller to get accurate information on this.
  16. Is the website blocked in any browser and even if you don't open other websites but this forum's page? Have you tried disabling all installed browser extensions to see if the block stops?
  17. It is not a conflict; the system feature of protected services works as expected and it does what it's supposed to do - prevents files with an invalid digital signature from being loaded into protected processes.
  18. You can report them, however, 19H1 is not ready yet and thus we don't have a version that would officially support it already.
  19. There is no way to solve it if Microsoft doesn't update the rll file with one with a valid signature except disabling Protected service in the HIPS setup which would enable unsigned dll files to be loaded in ekrn.exe. Of course, that would be a security hole and unnecessary risk so we don't recommend disabling protected service.
  20. Please start off by gathering logs with ESET Log Collector and uploading the generated archive here.
  21. You must contact Sakri, the Indian distributor, from whom you purchased your license.
  22. There is a "Resend key" link in the email. In case of issues, please contact Sakri, your local ESET distributor.
  23. If you purchase online through www.eset.com, you are redirected to your local distributor's purchase page. For contact information to your local support, open https://www.eset.com/in/about/contact/.
  24. Please contact your local distributor in India since you most likely purchased the license from them so they should be able to check what happened with your order.
  25. Probably the server does not have all critical security updates installed. Please gather logs with ESET Log Collector. Also do the following:
     - disconnect the computer from the network
     - run a full disk scan and clean found malware
     - reboot the server
     - run a full disk scan
     Let us know if no threats were found during the second scan.