Marcos

Administrators
  • Posts: 38,006
  • Days Won: 1,507

Everything posted by Marcos

  1. Please see my comment here: https://forum.eset.com/topic/20056-eset-issue-with-sandboxie-persistent-holding-of-registry-keys/?do=findComment&comment=98359
  2. Do you have ESMC Agent installed on the server? Are there any errors in C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs\status.html or trace.log?
  3. ESET File Security is intended for file servers; it does not include a personal firewall.
  4. The issue has been fixed in the BPP module 1155 currently available on the pre-release update channel.
  5. A link to instructions on how to collect logs with ELC can be found at the right-hand side of this forum, in my signature, or simply go to https://support.eset.com/kb3466/. Besides providing ELC logs here, also create a support ticket and provide your local customer care with the logs as well. Adding an exclusion for a domain should generally work.
  6. Please collect logs with ESET Logs Collector and provide me with the generated archive. Did you already activate the product?
  7. Nowadays more and more malware communicates over SSL, so scanning the communication is critical for keeping the system safe and malware-free. Abandoning SSL scanning would substantially deteriorate protection capabilities of particular AV products. If Microsoft provided a better way of scanning SSL communication, we would not be forced to do SSL introspection.
  8. It depends on how sensitive documents and files were on the machine. For instance, if it was a computer in a bank with customers' data, I'd prefer re-deploying the OS from a clean image than just cleaning the malware itself if it was running there and the actions and changes to the system were not tracked, e.g. using an EDR solution. If it was just a home computer, I'd trust the antivirus that it has cleaned the malware completely. Also you mentioned that you had uninstalled the malware. However, malware does not install in the OS and does not appear in the list of installed programs so I assume you might have meant a potentially unwanted application and not actual malware.
  9. Since you have posted in the ESET Endpoint Encryption forum, is the issue actually related to that product, or did you have the issue with Endpoint Security or Endpoint Antivirus?
  10. The whole range of ports has been added intentionally for increased security. We'll try to address it without the need for you to remove the range of ports which would lower the security and allow bypassing SSL filtering.
  11. I always recommend turning it on and excluding any such application by the detection name if it begins to be detected then and is intentionally used for legitimate purposes by the user. PUsA also cover tools that can be used by attackers to stop or uninstall AV in case of a breach via RDP for instance.
  12. This is off-topic but ok, let's answer it. There's nothing wrong with ESET, we're better and better day by day. Recently we've achieved top results in a test of a prestigious testing company. As you probably know, taking part in a test costs really a lot of money so AV companies have to carefully decide which tests they will take part in. As for AV Test, we continue to be tested in private tests where we already receive excellent scores.
  13. What kind of information are you referring to? If you mean how we get new malware, there are many sources from which AV companies receive it and also the companies share a portion of samples with other ones. A very valuable source of samples are those submitted automatically from users via the LiveGrid Feedback System, which helps us react instantly to newborn malware. Of course, in order to take advantage of that, you'd need to use the last version of our products that support streamed updates and have also other security features not present in older versions that help us proactively react to suspicious behavior without updates. Besides that, we offer ESET Dynamic Threat Defense for corporate users, which performs instant analysis of suspicious files in a sandbox, and samples are evaluated using Augur, our machine learning system, and by other mechanisms for maximum accuracy. For a list of ESET's technologies that protect our users, please read https://www.eset.com/int/about/technology/
  14. We've had a setting for detection of pot. unsafe applications for years, I reckon it was first added in NOD32 v2 around 2003 or so. It's disabled by default since it covers legitimate tools that can be misused in the wrong hands.
  15. We've ordered Chromecast for testing. Also I've inquired developers about the port range if it's intentional or if it's a bug. The question is if leaving only port 443 there actually resolves the issue with Chromecast.
  16. Not sure what you would like to know about these updates. The engine as well as some other modules are updated 6 times a day to cover recently discovered malware.
  17. Old versions like Endpoint v5 update 6 times during work days. The latest version of Endpoint (v7) updates every 10 minutes besides standard module updates that I've already mentioned. The task should be run as soon as the client connects to the ERA Server. With ESMC, it's performed instantly after sending a wake-up call.
  18. Please keep only port 443 there. Somehow the range 0-65535 was added at some point in the past, I had it already in v12.1.
  19. The updater has never returned the error you've mentioned. It sounds like an error returned by ERA. Please run update manually on a client and provide us with the error message you get.
  20. I would suggest the following:
      - reboot the machine
      - enable advanced logging under Help and support -> Details for customer care
      - reproduce the issue
      - disable logging
      - collect logs with ESET Log Collector
      - open a support ticket with your local customer care and provide them with the archive generated by ELC.
  21. What error is reported on such clients if you run update manually? Do they update from ESET's update servers? Do you use a proxy? I'd strongly recommend upgrading Endpoint to v7 and ERA v5 to ESMC for maximum protection against current threats as soon as possible.
  22. For instructions on how to report blocked but already cleaned URLs, please refer to "Please read this before you post". Having said that, we'll draw this topic to a close.