[ESET issue with Sandboxie - Persistent holding of registry keys]

1 hour ago, Page42 said:

I've been opening and closing browser sessions like crazy, trying to get Sandboxie to throw another  "Could not move the sandbox folder out of the way" error message, but all is well.  Sandboxie is deleting sandboxes like it used to.

Have you also tested it as follows:

Start a software (e.g. browser) in a sandbox.
Install or update a software outside Sandboxie.
Exit the program in the sandbox and try to clear it.

This is how the problem always occurred with me.

[zip bombs with zip64 not detected]

Yes, I can confirm the detection. I also use Firefox, but inside Sandboxie and the SSL/TLS filter no longer works if Firefox is inside Sandboxie.

https://community.sophos.com/products/sandboxie/f/sandboxie-forum/113772/ssl-filtering-with-eset-doesn-t-work-with-firefox-67-0-x-in-sandboxie

But the file was detected and deleted during the download. :-)

[zip bombs with zip64 not detected]

Yes, the Eset lab could do it. ;-)

[zip bombs with zip64 not detected]

Because of this article I have downloaded the three Zip archives:

https://www.bamsoftware.com/hacks/zipbomb/

Only zblg.zip was detected as a zip bomb by Eset after the download and therefore deleted. zbsm.zip was probably too small, but zbxl.zip was probably not recognized because of zip64. 7-zip can do zip64, but of course I won't open it and don't have the courage to do a context scan with Eset.

[SSL/TLS filtering doesn't work for many sites]

I was just playing with it. It's no problem to trust the internal list.  I think it will be updated automatically if one of the pages suddenly contains malicious code. For trusted domains with payment functionality it is better not to break the encryption. This is probably the intention of the internal trused list.

[SSL/TLS filtering doesn't work for many sites]

24 minutes ago, itman said:

Did you set the scan type to "Ignore?"

No, to "scan".

Example: Amazon.com is on the internal list of trusted domains and therfore it is not scanned by the SSL/TLS MITM. The displayed certificate is from Verisign. If I add this certificate to the list of known certificates and set it to "scan" (the same with "auto"), the displayed certificate should be Eset, but it is still Verisign (even after restarting the browser).

[SSL/TLS filtering doesn't work for many sites]

Hm, a domain on the internal list of trusted domains cannot be filtered by an entry in the list of known certificates? I have tested it and it seams to be that the internal list of trusted domains have always priority.

[SSL/TLS filtering doesn't work for many sites]

Thank you very much, Marcos. Sorry, I overlooked this setting.

[SSL/TLS filtering doesn't work for many sites]

I noticed, that the SSL/TLS-MITM doesn't work for many sites (like Eset, Google, Paypal, Ebay, Amazon, Youtube). The certificates are not shown as "Eset, spol. sr. o.". On Facebook and Twitter the filter is working. I have tested it with Firefox 67.0.4 and Internet Explorer 11 on Windows 7 x64 and also with the filter settings automatic and scan.

[ESET Banking and Payment Protection site - Not Secure]

Yes, you are right and it is possible to create exceptions in sandboxie, but you need to know exactly which files and registry paths are used by the Eset Banking Protection.

[ESET Banking and Payment Protection site - Not Secure]

Thank you very much itman, but Sandboxie recognizes applications only by their process name. The path doesn't matter. Therefore Sandboxie opens both IE versions (32 and 64 bit) sandboxed and Esets BPP then fails.

[ESET Banking and Payment Protection site - Not Secure]

I have set Internet Explorer as my default browser and Sandboxie is set to always force it into a sandbox. The mail program should open links in Internet Explorer, which then starts automatically in a sandbox. All browsers have their own sandbox, which will always be emptied, when the browser will be closed. That's why I can't use Esets secure banking. It would be very helpful when the browser for secure banking could be set in the settings of Eset.

Maybe then it would be possible to copy iexplore.exe to iexplore_2.exe and use it for Esets banking protection, as it would not automatically be forced into Sandboxies sandbox.

[EIS 11.2.49: How to see what file is actually scanned by the realtime scanner?]

7 hours ago, Marcos said:

Anyways, the file name that was reported by older versions was not always the last scanned one and also it didn't mean that the file was actually scanned. Reported was one of the last files that were processed by the real-time protection driver (which doesn't say anything about if the file was then scanned or not).

Tank you very much!

[EIS 11.2.49: How to see what file is actually scanned by the realtime scanner?]

In version 11.1.54 ist was possible to see what file the realtime scanner is actually scanning. I miss this in version 11.2.49. It would be helpfull to know whether Eset is scanning certain files or not, if there are delays in some cases.

[EIS 11.2.49: Empty system log entry and empty right corner popup]

Thank you very much! I didn't have the same, but a similar popup. It had no  "i", in the lower third were two buttons and the blue bar was in the upper third. The translation support module should be updated very quickly via the regular update channel.

[EIS 11.2.49: Empty system log entry and empty right corner popup]

On 01. August 2018 I had an empty Eset popup in the right corner above the taskbar. It had a blue bar in the upper third and a blue button on the left and a white button on the right. But in the entire popup was absolutely no text, not even on the buttons. So I don't know, what was the reason. I did not click on any button and the popup was closed after a while. There is also an empty log entry in the Eset event log (for modul "system kernel", but the event field is empty) and it is between the hourly update cycle.Therefore an update can not be the reason. It is the absolutley first time, that I had this with Eset.

[EIS 11.1.54: Taskbar jump lists doesn't work after modul update]

The both exclusions does also exclude the subfolders "automaticdestinations", which contains the "automaticDestinations-ms" files. These files contains the jump list entries. The problem has also exists after deleting all files and links in "recent" and the subfolders and a Windows restart. Without the exclusions I couldn't pin folders to the jump list.

After the latest modul update the problem doesn't exists anymore.

[EIS 11.1.54: Taskbar jump lists doesn't work after modul update]

After an right click to the windows explorer icon in the task bar, the jump list is shown as empty and then the explorer.exe process consumes 13 % CPU usage and up to 100 MB RAM for 1-2 minutes. But after that, the jump list is still shown as empty. It seems to be, that this issue is caused by an module update.

Workaround:

Add the following paths to the scan exclusions.

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent

C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Recent

 

[11.1.54.0: Excluding bug with wildcards]

Since version 11.1.54.0 it is no more possible to exclude specified file types in a specified path.

Workaround:

Exclude the full path

Export the settings

Edit the xml settings file

Import the edited xml settings file

This works (tested with a context scan).

[Wildcards in "protocol filtering" "excluded applications"?]

Hm, but does the problem couldn't also be caused by the firewall or the file antivirus?

Edit: Eset isn't the reason.

[Wildcards in "protocol filtering" "excluded applications"?]

Yes, thank you! But I have tried so many things without any success (also add the SSL certificate of the used domain and set its filtering to ignore, or add 40 IPs to the exclusion list). So I think now that it will be the best to disable Eset completely and if this doesn't make any difference I can sure, that Eset isn't the reason. :-)

[Wildcards in "protocol filtering" "excluded applications"?]

I use an realtime application which have an builtin community chat and very often the new message notification doesn't disapperars when the new messages are read. It persists also after the application is restartet because the message state is saved in an file. It doesn't help to read the message again and again. It seems to be, that the correct state is sometimes not received from the server. I can solve it temporarily when I delete the file which stores the state. The application support cannot reproduce this problem which I have since some month.

The application uses internal some parts of the Internet Explorer (like winamp or Windows Live Mail), but I have cookies allowed for the domain which is used by the application.

I have also done antivirus exclusions for "\AppData\Roaming\application A\*" and  "C:\Program Files (x86)\application A\*" but it doesn't help.

I'm not sure that Eset is the reason and therefore I will now disable antivirus and firewall for some days. It should not be a security problem because I'm behind a router and I use always sandboxie for all browers and winamp. Each browser and winamp has its own sandbox, always cleared when the browser/winamp is closed.

[Wildcards in "protocol filtering" "excluded applications"?]

Is it possible to use wildcards in "web and e-mail" > "protocol filtering" > "excluded applications"?

Example:

C:\Program Files (x86)\Application A*\application*.exe

for:

C:\Program Files (x86)\Application A\application.exe

C:\Program Files (x86)\Application A 2\application.exe

C:\Program Files (x86)\Application A 2\application_2.exe

C:\Program Files (x86)\Application A 3\application.exe

C:\Program Files (x86)\Application A 3\application_3.exe

[[fixed] Action after a scan: hibernate & sleep are swapped]

This issue is fixed with 10.1.219.

Thanks!

[10.1.219: searching for updates doesn't end (after PC restart)]

Thank you! I doesn't see your thread before.