Everything posted by Marcos

  1. We do not load mdnsNSP.dll. I assume it's Bonjour itself which attempts to inject the dll into ekrn, which fails due to self-defense protecting ekrn from this.
  2. You can already control if scheduled scans can be paused by the user or not:
  3. ERAR is an obsolete tool which was useful at the time of the infamous LockScreens, before the era of Filecoders that encrypt files. I will check if it's still available for download and we'll most likely remove it from download servers.
  4. Even though the rtf file is not detected, the payload is detected either as: u.b - Suspicious Object or u.b - Win32/GenKryptik.CDTU, depending on what version of the ESET product you use (v11.1 / EPv7 or older) and the time you scan it. In ~3 hours from now all versions will detect it as Win32/GenKryptik.CDTU and the rtf dropper will be detected as well.
  5. It is weird because if Endpoint is really managed via ERA and the agent reports to ERAS, potentially unsafe and unwanted applications should be cleaned automatically. Does the machine appear in the ERA console?
  6. I was unable to reproduce the block. Please report it to ESET as per https://support.eset.com/kb141/ and provide also logs gathered by ESET Log Collector.
  7. The IP address was unblocked yesterday. Next time please follow the instructions at https://support.eset.com/kb141/ to report a FP to ESET.
  8. Please do not ask about that every few days. There are still some tasks (of more than one hundred in total if I remember correctly) pertaining to http2 support to complete.
  9. I've just realized that you have posted in the ESET NOD32 Antivirus forum. The above mentioned solution will only work with firewall-enabled products, i.e. ESET Internet Security and ESET Smart Security Premium.
  10. You could accomplish this as follows:
      1. Create a new firewall profile (e.g. "Unprotected wifi profile").
      2. Create a new fw rule blocking all communication with the profile set to the profile you created in step 1.
      3. Move the blocking rule on top of other rules (you may need to enable display of default built-in rules).
      4. Create a new network in the Known networks list and assign it the firewall profile created in step 1:
      5. On the Network identification tab, enable the following parameters which will be used to identify unprotected wifi networks:
  11. Please elaborate more on what you mean by "managing password protection on scanning".
  12. You can disable application updates in the advanced setup. However, we don't recommend doing so since only keeping the product up to date will ensure maximum protection against newly emerging threats and only new versions with new and improved protection features are able to keep pace with ever evolving threats. As for v11, it's more like a facelift of v10 with a lot of bugs under the hood fixed. One of the biggest advantages of v11.1 is streamed updates, which enable it to protect users from newly emerging threats better than ever. Protection will be improved even further with future versions that will bring new protection features. If you have any specific issues that prevent you from upgrading to the latest versions, we'd like to hear about them and possibly address them so that you can upgrade without concerns and benefit from all that new versions bring.
  13. If possible, temporarily uninstall ESET NOD32 Antivirus, install ESET Internet Security (EIS) and activate a trial version. With EIS installed, enable creation of advanced logs as follows: Next reboot the machine. After the reboot, disable logging and gather logs with ESET Log Collector again. After we have pinpointed the issue, you can downgrade to EAV through "Change product" in the "Help and support" section and reactivate it using your paid license by clicking "Change license" and entering your license key.
  14. If you open https://edf.eset.com/edf in a browser on that machine, do you get an XML like the following? If that works, could you try activating Endpoint manually and capture the network communication with Wireshark during the activation attempt?
  15. If you are using a firewall, make sure that activation and edf servers are accessible from the troublesome client: https://support.eset.com/kb332/
  16. Currently only a notification is displayed when you connect to an unsecured network.
  17. Not on Endpoints but in EMSX you can create a mail transport protection rule to block attachments with specific extensions: https://help.eset.com/emsx/6.5/en-US/index.html?idh_wizard_rules_list.htm
  18. If you have v11 installed, it should update automatically without popping up any notification.
  19. The problem had been there even before, it's just that we didn't notify about it. As a result, it could happen that Windows Defender ran simultaneously and the user didn't have any indication about issues in ESET's gui. I'd recommend contacting customer care so that the case is properly tracked and can be looked into by developers.
  20. If you run sysinspector.exe, you'll see there's no such option, probably mainly due to security reasons. Also, running an unsigned service script requires confirmation from the user via gui.
  21. Your license for consumer product ESS/EIS doesn't entitle you to activate ESET File Security for MS Windows servers. Please contact your local distributor.
  22. I have replied to this in the topic you quoted. ESET had detected Filecoder.Crysis for months before the user got infected. That happened most likely because RDP was not properly secured and virtually anybody could get into the system with administrative rights and disable ESET easily prior to running the ransomware. However, the fact that RDP was not configured properly in no way means that ESET failed to protect the user.
      General advice:
      - disable RDP if not really needed, or limit its use to users who really need it
      - make sure users with RDP access don't use weak passwords that are easy to guess or bruteforce
      - use RDP only within VPN
      - use 2FA
      - restrict RDP to specific IP addresses or ranges on a firewall
      - keep the OS and all applications updated, regularly install critical security updates
      - use the latest version of the ESET Security product (preferably ESET Endpoint Security with the Network protection module to protect machines from exploits coming from unpatched computers and exploiting vulnerabilities in network protocols to proliferate over LAN)
      - use default settings of your ESET Security product and customize settings only if you are aware of the impact on security (otherwise consult it with customer care first)
      - enable detection of potentially unsafe applications to prevent ESET from being disabled
      - protect ESET settings with a password
      I kindly ask anybody to stay on topic. Any unrelated posts may be removed or moved elsewhere.
  23. Don't pick just the sentence that suits you best without quoting the rest: "In vast majority of cases it is that the user hasn't applied security measures and RDP is allowed for every user even if a strong password is not used." If one doesn't pay attention to locking a car, which would also turn on the car alarm, and a thief steals the car, then it's not the fault of the vendor of the alarm that the car was stolen. In the case of Filecoder.Crysis, which was also reported by the OP you quoted, we find out that the ransomware had been recognized by ESET for months before users got infected simply because the users didn't pay enough attention to security and let virtually anybody connect via RDP easily and with admin rights do whatever they wanted to, including disabling or uninstalling the AV and subsequently running ransomware. Since everything has been said and to prevent further bashing and ranting, we'll draw this topic to a close. We are open to constructive discussion and criticism as well if there's a reason for it, however, trolling in our forum will not be tolerated. Discussions must be reasonable, polite and without ranting and personal attacks.
  24. If uninstallation from ERA fails, are you able to uninstall EES manually on the client? If not, you'll need to resort to uninstalling it in safe mode using the Uninstall tool. As for using ESET Endpoint Antivirus vs ESET Endpoint Security, I'd strongly recommend upgrading your license to the latter and keeping EES installed. Unlike EEA, EES protects machines from threats exploiting vulnerabilities in network protocols and therefore can stop new threats originating from unpatched systems from infecting them.
  25. First of all, please check if the time of the last connection is more or less current and that the agent is still connecting to ERAS. Did you uninstall ESET Endpoint Security and reboot the machine prior to sending a new software install task? By the way, downgrading from EES to EEA is not a good move. EES also provides a Network protection layer which protects the machine from various exploits in network protocols. For instance, it had protected ESET users for 2 weeks already from the EternalBlue SMBv1 exploit when the infamous WannaCry outbreak occurred and millions of machines in the world got encrypted. On the contrary, ESET Endpoint Antivirus does not provide this level of protection.