
Marcos

Administrators
  • Posts: 37,393
  • Joined
  • Last visited
  • Days Won: 1,485

Everything posted by Marcos

  1. If possible, temporarily uninstall ESET NOD32 Antivirus, install ESET Internet Security (EIS) and activate a trial version. With EIS installed, enable creation of advanced logs as follows: Next, reboot the machine. After the reboot, disable logging and gather logs with ESET Log Collector again. After we have pinpointed the issue, you can downgrade to EAV through "Change product" in the "Help and support" section and reactivate it using your paid license by clicking "Change license" and entering your license key.
  2. If you open https://edf.eset.com/edf in a browser on that machine, do you get an XML like the following? If that works, could you try activating Endpoint manually and capture the network communication with Wireshark during the activation attempt?
  3. If you are using a firewall, make sure that the activation and EDF servers are accessible from the troublesome client: https://support.eset.com/kb332/
  4. Currently only a notification is displayed when you connect to an unsecured network.
  5. Not on Endpoints but in EMSX you can create a mail transport protection rule to block attachments with specific extensions: https://help.eset.com/emsx/6.5/en-US/index.html?idh_wizard_rules_list.htm
  6. If you have v11 installed, it should update automatically without popping up any notification.
  7. The problem had been there even before, it's just that we didn't notify about it. As a result, it could happen that Windows Defender ran simultaneously and the user didn't have any indication about issues in ESET's gui. I'd recommend contacting customer care so that the case is properly tracked and can be looked into by developers.
  8. If you run sysinspector.exe, you'll see there's no such option, probably mainly due to security reasons. Also, running an unsigned service script requires confirmation from the user via the GUI.
  9. Your license for the consumer product ESS/EIS doesn't entitle you to activate ESET File Security for MS Windows servers. Please contact your local distributor.
  10. I have replied to this in the topic you quoted. ESET had detected Filecoder.Crysis for months before the user got infected. That happened most likely because RDP was not properly secured and virtually anybody could get into the system with administrative rights and disable ESET easily prior to running the ransomware. However, the fact that RDP was not configured properly in no way means that ESET failed to protect the user. General advice:
      - disable RDP if not really needed, or limit its use to users who really need it
      - make sure users with RDP access don't use weak passwords that are easy to guess or bruteforce
      - use RDP only within VPN
      - use 2FA
      - restrict RDP to specific IP addresses or ranges on a firewall
      - keep the OS and all applications updated, regularly install critical security updates
      - use the latest version of the ESET Security product (preferably ESET Endpoint Security with the Network protection module to protect machines from exploits coming from unpatched computers and exploiting vulnerabilities in network protocols to proliferate over LAN)
      - use default settings of your ESET Security product and customize settings only if you are aware of the impact on security (otherwise consult it with customer care first)
      - enable detection of potentially unsafe applications to prevent ESET from being disabled
      - protect ESET settings with a password
      I kindly ask anybody to stay on topic. Any unrelated posts may be removed or moved elsewhere.
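The following is an added example, not code from the forum post or from ESET: a read-only PowerShell audit that checks a Windows host against several of the RDP hardening points listed in the post above (RDP disabled where not needed, strong authentication before a session is created, firewall scope restricted to specific addresses, and who is allowed to connect). It assumes Windows 10 / Server 2016 or later with the built-in NetSecurity module, an elevated session, and the standard registry locations for Terminal Services settings; the function name Test-RdpHardening is the example's own.

```powershell
# Added example (not from the forum post): read-only audit of RDP exposure on
# the local machine. Assumes an elevated PowerShell 5.1+ session on Windows
# 10 / Server 2016 or newer. Nothing here changes any setting.

function Test-RdpHardening {
    $tsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = Join-Path $tsPath 'WinStations\RDP-Tcp'
    $findings = @()

    # 1. Is RDP enabled at all? fDenyTSConnections = 1 means RDP is disabled,
    #    which is the recommended state when nobody needs it.
    $deny = (Get-ItemProperty -Path $tsPath -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    if ($deny -eq 1) {
        $findings += [pscustomobject]@{ Check = 'RDP enabled'; Status = 'OK'; Detail = 'RDP is disabled on this host' }
        return $findings
    }
    $findings += [pscustomobject]@{ Check = 'RDP enabled'; Status = 'REVIEW'; Detail = 'RDP is enabled; confirm it is really needed' }

    # 2. Network Level Authentication: UserAuthentication = 1 forces the client
    #    to authenticate before a desktop session is created, so a guessed
    #    password attempt never reaches the logon screen.
    $nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $nlaStatus = if ($nla -eq 1) { 'OK' } else { 'FAIL' }
    $findings += [pscustomobject]@{ Check = 'NLA required'; Status = $nlaStatus; Detail = "UserAuthentication=$nla" }

    # 3. Firewall scope: the built-in "Remote Desktop" inbound rules should be
    #    limited to specific remote addresses or ranges, not 'Any'.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        $scopeStatus = if ($remote -contains 'Any') { 'FAIL' } else { 'OK' }
        $findings += [pscustomobject]@{
            Check  = "Firewall scope: $($rule.DisplayName)"
            Status = $scopeStatus
            Detail = "RemoteAddress=$($remote -join ',')"
        }
    }

    # 4. Who may connect: members of the local "Remote Desktop Users" group.
    #    Local Administrators can always connect, so review that group too.
    $members = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
    $memberList = if ($members) { $members.Name -join ', ' } else { 'none' }
    $findings += [pscustomobject]@{ Check = 'Remote Desktop Users members'; Status = 'REVIEW'; Detail = $memberList }

    return $findings
}

Test-RdpHardening | Format-Table -AutoSize
```

A FAIL on the firewall scope or NLA rows corresponds directly to the "restrict RDP to specific IP addresses" and "weak passwords" points in the post; the VPN, 2FA and patch-level items cannot be verified from local registry and firewall state and still need to be checked separately.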
  11. Don't pick just the sentence that suits you best without quoting the rest: "In the vast majority of cases it is that the user hasn't applied security measures and RDP is allowed for every user even if a strong password is not used." If one doesn't pay attention to locking a car, which would also turn on the car alarm, and a thief steals the car, then it's not the fault of the vendor of the alarm that the car was stolen. In the case of Filecoder.Crysis, which was also reported by the OP you quoted, we find out that the ransomware had been recognized by ESET for months before users got infected, simply because the users didn't pay enough attention to security and let virtually anybody connect via RDP easily and, with admin rights, do whatever they wanted to, including disabling or uninstalling the AV and subsequently running ransomware. Since everything has been said and to prevent further bashing and ranting, we'll draw this topic to a close. We are open to constructive discussion and criticism as well if there's a reason for it; however, trolling in our forum will not be tolerated. Discussions must be reasonable, polite and without ranting and personal attacks.
  12. If uninstallation from ERA fails, are you able to uninstall EES manually on the client? If not, you'll need to resort to uninstalling it in safe mode using the Uninstall tool. As for using ESET Endpoint Antivirus vs ESET Endpoint Security, I'd strongly recommend upgrading your license to the latter and keeping EES installed. Unlike EEA, EES protects machines from threats exploiting vulnerabilities in network protocols and therefore can stop new threats originating from unpatched systems from infecting them.
  13. First of all, please check that the time of the last connection is more or less current and that the agent is still connecting to ERAS. Did you uninstall ESET Endpoint Security and reboot the machine prior to sending a new software install task? By the way, downgrading from EES to EEA is not a good move. EES also provides a Network protection layer which protects the machine from various exploits in network protocols. For instance, it had already protected ESET users for 2 weeks from the EternalBlue SMBv1 exploit when the infamous WannaCry outbreak occurred and millions of machines in the world got encrypted. On the contrary, ESET Endpoint Antivirus does not provide this level of protection.
  14. We recommend deploying agent via GPO or an all-in-one installer via the ERA Deployment tool where deployment via psexec is provided as an option.
  15. Files with the arrow extension were encrypted by Filecoder.Crysis. Unfortunately, decryption is not possible. It is common that Filecoder.Crysis is run by attackers after performing a bruteforce RDP attack on a system and getting in with administrator rights. Subsequently they either disable or remove the security product in order to be able to run ransomware and encrypt files. I will drop you a personal message with further instructions shortly. If you had important files which were encrypted, we suggest keeping them in case decryption becomes possible in the future.
  16. The reason why it pays off investing into a good AV is that such a vendor has more resources not only for paying GUI programmers but also for investing into research and development. And ESET has increased investments into R&D a lot in recent years. Another advantage of a paid AV is that users receive technical support. In our country, in urgent matters even developers can pay a visit to VIP customers having issues that are not reproducible in-house. Also remember that the more computers an AV is installed on, the more attractive it is for malware writers, since focusing on that AV will enable them to target more victims with less effort. And by the way, this is a new malware that I've just run into and that was dropped by TeamViewer, probably misused by an attacker. Names of other AVs were removed except the first letter. Of course the results don't tell if it would be detected upon execution or if the payload would be detected, but it at least tells something about detection capabilities on systems where malware is not executed (e.g. mail servers, gateways, etc.).
      ESET: Win32/TrojanDownloader.Nymaim.BA trojan
      S: clean
      A: clean
      M: clean
      D: clean
      B: clean
      A: clean
      A: clean
      K: clean
  17. Why do you need that version? It contains bugs and suffers from issues that were fixed in later builds.
  18. AS from boot means that Anti-Stealth was started with the start of the OS and was not loaded by SysInspector itself.
  19. First of all, there's no security solution that would detect 100% of malware. You could pick an AV with 100% detection in tests and sooner or later you could get infected. The real world and tests are different things, and what matters is how an AV performs in the real world. On behalf of ESET I can say that I hardly recall a malware-related ticket where the infection was caused by ESET letting malware in. In the vast majority of cases it is that the user hasn't applied security measures and RDP is allowed for every user even if a strong password is not used. Secondly, there is nothing like a free AV. You "pay" for it, e.g. by displaying ads, limited settings or features, or the price is included in the price of the OS.
  20. Since the task runs at 2 AM, is the system running at that time? Isn't it by any chance in hibernation / sleep / stand-by mode?
  21. Please submit the whole zip file to ESET as per the instructions at https://support.eset.com/kb141.
  22. I'm unable to reproduce it with Chrome v"67.0.3396.87 (Official Build) (64-bit)" and ESET Endpoint Antivirus 6.6.2078.5. If anybody knows how, please let us know.
  23. Basically all you need to do is send a Remote Administrator components upgrade task. Only if you want to upgrade non-ESET components like Apache HTTP Proxy or Tomcat does it take more steps to upgrade them.
  24. Installing RDS in each of the subnets should do the trick.