Marcos (Administrators)
  • Posts: 37,948
  • Days Won: 1,504

Everything posted by Marcos

  1. It could be that they were PUAs or some malware in an archive which were detected by v12 after PUA detection was enabled or a full disk scan / initial scan was run. Since v11 and v12 have the same detection capabilities, there's no reason why malware would not have been detected by v11 but would be detected with v12.
  2. Try disabling scanning of archives. Since they may contain gigabytes of data that need to be unpacked and scanned, it obviously takes a lot of time.
  3. If you don't receive an email with your license after entering your registration email address at https://www.eset.com/int/support/lost-license/ within a few minutes, contact the partner from whom you purchased your license which is probably ESET UK in your case.
  4. I don't think it's possible to purchase several renewals of the same license. Why would you do that? No one knows what the situation in IT and the AV industry will look like in 3 years.
  5. Unfortunately you didn't mention if you use ESET Parental Control for Android or ESET Internet Security or ESET Smart Security Premium. Please provide a screen shot of the notification.
  6. Since this is an English forum, we kindly ask you to post in English so that moderators and most users can understand and be able to help you. If cleaning the machine by running a full disk scan with cleaning from a SysRescue USB or CD doesn't render the system 100% working, consider reinstalling the OS. For more information about ESET SysRescue, please read https://support.eset.com/kb3509/.
  7. Hm, I don't see any download link there. The url that the malware was previously downloaded from seems to have been dead since Oct 19.
  8. ESET has blocked the url with the malicious payload for 3 months already, so even if it hadn't been blocked by LiveGrid, it would have been blocked because of the url being on the blacklist. Therefore it surprises me that another AV could not protect the user from it.
  9. ESET works alright even with Chrome v70. If you can reproduce the issue, you could try temporarily disabling advanced scanning of browser scripts and see if it makes a difference.
  10. Is the agent service running? Does C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs\status.html show any issues? Are there any recent errors logged in the trace log?
  11. In this case the issue doesn't appear to be related to the firewall. I was able to reproduce it and merely disabling SSL/TLS filtering helped. Switching the firewall to automatic mode didn't make any difference. I'll report it to devs and provide them with logs. We'll keep you posted.
  12. Do the clients connect directly to the Internet or through a proxy server? If they are behind a firewall, the agent must be allowed access to the repository, activation and update servers (refer to https://support.eset.com/kb332). You could also capture the network communication with Wireshark and check if the agent actually receives a response from the repository server.
  13. It had been blocked by LiveGrid about 40 minutes before the sample was submitted to VT.
  14. Actually my answer was not accurate since self-defense protects the AV itself as well as crucial system processes. However, an isolated scanner prevents potential (i.e. not yet known) vulnerabilities in the AV itself from being exploited. This is crucial because AVs run with the highest system privileges and exploiting vulnerabilities would give attackers the highest privileges to do further malicious operations on a compromised system. As I've read, the sandbox feature is disabled by default in Defender. This is understandable since it will likely have an adverse effect on performance. I'm also glad to inform you that we should add support for isolated scanning relatively soon as well, hopefully with negligible impact on performance which, however, takes a lot of time.
  15. ESET has leveraged self-defense for ages, which is not the case of Defender, so MS obviously had to eventually address the Achilles heel.
  16. Please click the "untrusted certificate" link and provide a screen shot of the certificate details. Endpoint v5 didn't have SSL/TLS scanning enabled by default. It was first enabled for browsers by default in Endpoint v7. If you temporarily disable protocol filtering in the advanced setup, do you get a warning from the browser itself?
  17. Since this is an English forum, we kindly ask you to post in English, otherwise moderators and most other users will not understand and will not be able to help you. Regarding the issue, please let us know what exactly you'd like to accomplish. If you have already created some firewall rules, gather logs with ELC and post the generated archive so that we can check whether the rules are correct.
  18. There were only a few permissive rules in the exported cfg. Also if a particular communication had been blocked, it would have been logged in the firewall log. However, the firewall log was empty. To me it sounded like the window with action selection didn't pop up for some reason so Firefox's communication was effectively blocked. However, this is yet to be answered by the OP.
  19. The firewall log doesn't contain any records about blocked communication. It only shows that access to this forum was allowed. Did you actually get a pop-up window with action selection in interactive mode? Did you reproduce the issue when advanced logging was enabled?
  20. I'd suggest the following:
      - in the advanced setup -> tools -> diagnostics, enable advanced antispam logging
      - wait until you receive at least 2-3 undetected spam emails
      - disable logging
      - save each of the undetected spam emails in the eml or msg format
      - gather logs with ELC
      - post here: the archive generated by ELC + the eml/msg files
  21. The website was already unblocked. Next time please follow the instructions for reporting blocked urls to ESET from the KB https://support.eset.com/kb141/.
  22. Not sure what program renders files malformed. I'd remove any other security software and run a full disk scan to remove the malformed files.
  23. Please carry on as follows:
      - delete all ESET firewall rules
      - make sure that the firewall is set to automatic mode
      - in the main gui -> help and support -> details for customer care, enable advanced logging
      - reproduce the issue
      - disable advanced logging
      - gather logs with ELC.
      Finally post the archive generated by ELC here.
  24. As you can see in the screen shot, the certificate used by the website expired in March 2018. You can notify the owner or admin to replace the certificate with a valid one.