Marcos

Administrators
  • Posts

    38,068
  • Joined

  • Last visited

  • Days Won

    1,509

Everything posted by Marcos

  1. https://www.trustwave.com/Resources/SpiderLabs-Blog/Mass-MikroTik-Router-Infection-–-First-we-cryptojack-Brazil,-then-we-take-the-World-/ ESET had recognized this hack a couple of days or weeks before the reports went public.
  2. Aren't process exclusions locked by a policy?
  3. If you are using a MikroTik router, reset it to factory settings and upgrade the firmware to the latest version. If that doesn't help, it could be that your ISP is using a compromised MikroTik router.
  4. Filtering by attachment extensions or file types is possible only in products for mail servers.
  5. This detection requires user interaction. No action is logged if the user selects "No action" when asked to select the desired action. Setting strict cleaning mode in the Web access protection setup should terminate the connection automatically in such a case.
  6. That was already discussed here: https://forum.eset.com/topic/16623-how-do-i-see-what-objectwebsites-are-being-scanned-in-real-time. In order to prevent duplicate topics on a subject, we'll draw this one to a close.
  7. Attachments are not accessible to other users, only to moderators and ESET staff. If the generated archive is not too big, you can send it via a personal message. Otherwise upload it to a file sharing service, such as Dropbox, OneDrive, etc. and provide me with a download link.
  8. There was a 3rd party FP on this host. Although it was blocked with a path, it might have caused false positives. You should now be able to access the host all right.
  9. Did you create some custom HIPS rules? Never had nor heard of any issues launching Chrome 69 with ESET installed.
  10. Updates of Endpoint products have nothing to do with ERA/ESMC. Do you use ESET HTTP Proxy or another proxy server? Most likely it alters update files and Endpoint cannot apply such files if integrity is not ensured.
  11. If you mean the issue when both the previous and new agent are reported to be installed, this will be addressed in the upcoming service release that is planned to be released within a few weeks.
  12. Micro PCU (uPCU) updates are intended for upgrading the program from ESET's repository. Are the servers completely offline or is it possible they could connect through another machine running HTTP Proxy? If that's not an option, then you could create an offline mirror using an ESET Endpoint or server product on a machine with Internet connection and make it accessible to the offline server (e.g. via a local http server or by transferring the mirror content, e.g. via a USB flash disk).
  13. Also does temporarily disabling SSL/TLS filtering in Endpoint make a difference?
  14. Download era.war from ESET's download page and copy it to /var/lib/tomcat7/webapps/ (https://help.eset.com/era_install/64/en-US/index.html?component_installation_webconsole_linux.htm). It may take a few minutes to extract files from it automatically. Afterwards you should be able to log in to the console.
  15. The "issue" is being investigated. The reason why this started after upgrade to v11.2.63 is that in previous versions Webcam protection didn't work with Windows 10 RS4/RS5 due to internal changes in Windows.
  16. If you want to migrate to ESMC from ERAv5, use the Migration assistant downloadable from https://www.eset.com/int/business/security-management-center/download/#standalone
      For help with migration from ERAv5, please read https://help.eset.com/esmc_install/70/en-US/migration_assistant.html?migration_from_era5.html.
      If you would like to start from scratch:
        1. Install ESMC (ideally using the All-in-one installer or importing a virtual appliance into a hypervisor).
        2. Add an EBA account in the ESMC License manager to manage your licenses.
        3. Deploy agent on clients. The clients will become manageable by ESMC afterwards.
        4. Send a software install task with the appropriate security product and license selected.
      Should you need further help, feel free to ask.
  17. I've just checked what versions of the protoscan module are released and 1347b is currently not released on any of the update servers. Maybe you received it from tech support for testing.
  18. To prevent multiple open topics on a subject, we'll draw this one to a close. Please continue with discussion at the link above.
  19. If you don't monitor any of the following features by Windows Security Center, make sure that agent is not configured to report the status of the feature(s):
  20. UEFI detections cannot be cleaned. You have the following options:
        1. Upgrade the UEFI firmware to a version that doesn't contain the Computrace application, if available.
        2. Exclude Computrace from detection by the detection name.
        3. Disable detection of potentially unsafe applications (not recommended).
  21. Do you know by chance what malware it was? It could be a Filecoder which also encrypts binary files and thus renders the system unusable. In case of ransomware infection, it is very common that an attacker performs a brute-force RDP attack, connects via RDP as an admin, disables or uninstalls the AV and then runs ransomware to encrypt files. The question is whether you have RDP disallowed from outside the network, and whether ESET's settings were password protected and detection of potentially unsafe applications enabled.
  22. Disabling it will definitely help but it will also cause https communication not to be scanned. Please don't forget to re-enable it as per the instructions in my previous post.