Carl S

Everything posted by Carl S

  1. Re: 3, I don't have the management agent installed on that computer yet. Do I need to install that first? Seems like just to see it in the list I wouldn't have to do that. I saw all my other items like network printers, and bridge routers as "Rogue" at first. Seems like it should at least find it even if it isn't in there. But regardless, I should just go to the server itself and install the management software it should make it start showing up? Ours is supposed to be "Advanced" so, I think it's supposed to include the server(s).
  2. Absolutely. For now, I'm holding off on any more changes until Marcos posts again to the thread. One of my main concerns was that the logs said ESET was cleaning by deleting repeatedly over several days, but clearly it was either not deleting or something was putting it back. For now, though, it's gone 16 hours or so without being re-detected and it is still not in the registry since manually removing it yesterday.
  3. We have EES installed on all the client desktop machines, but also have servers running. Read this: https://support.eset.com/en/kb2299-which-eset-security-solution-should-i-install-on-a-server 1) One server has Exchange on it, but it is not our primary Exchange (which we have moved to Office 365 in the cloud), but our old Exchange which we have no new mail coming in, but occasionally need to connect to because it does have some old emails we need to retrieve on occasion for legacy reasons. It also has a SQL server instance on it. Is the Mail Security for Exchange Server the option
  4. Hi Marcos, here is attachment. I removed the value of the authHost line. But other than that, everything else is the same. FWIW, I have no new detections since the 4th. 10485-baker01-ees_logs.zip
  5. I was thinking that myself, even though I'm not all that familiar with the registry, it was clear the powershell string was pointing to that other registry item.
  6. Marcos, I re-ran the collector on a whim, and this time, it worked. I now have the zip file ready.
  7. Am I deleting the whole key / value pair or the value and leaving the key?
  8. Hmm. I get a message from the Log Collector that says "An error occurred during collection of files. See the log for more info."
  9. Working on this. I killed off the ESET agent accidentally, while trying to uninstall the competitor's product that wasn't successfully uninstalled before installing the ESET agent. Now up and running again, and will get the logs. (Ok, it's collecting right now) It's been years since I've submitted these types of logs, so remind me, do I attach them to the post, or send them in some other way? Seems like they may have some confidential stuff.
  10. The suspicious part seems to be: key: authHost value: rundll32 shell32.dll,ShellExec_RunDLL "cmd" /c start /min powershell iex([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty 'HKCU:\Software\AppDataLow\Software\Microsoft\D4062752-23C4-26DB-4D48-07BAD1FC2B8E').Auxibrkr))
  11. OK, found it by navigating to it. Could not get search to work. In the meantime, I have ESET client issues on that machine, probably due to my own fault.
  12. Duh, didn't catch that, I just cut and pasted. Thanks.
  13. When I search for that key I don't find it in regedit.
  14. This keeps showing up in one of our client machines in registry with the Registry scanner Detection engine 20939 (20200303) : Hash 8ECE3FFE602D59D1E38F9506F5DA1FC280AADAF8 \REGISTRY\USER\S-1-5-21-3146671537-2346468688-2395455220-1182\Software\Microsoft\Windows\CurrentVersion\Run the ESMC says that it was "cleaned by deleting," but then it shows up a few hours later. Is there some way to identify a process that is reinserting this? Or what else should I do next?
  15. After fifteen years of using various versions of ESET NOD32 on my home computers and small offices, I have been trying to use it to replace our previous solution at the office. Today, after having a computer that got rolled back before the install of ESET endpoint client on 2/27 due to becoming unresponsive, I now see that client computer twice in the list with two different names. Not totally sure which is the new one and which is the old instance. I decided what needs to happen is that one of them needs to be removed from the ESMC. Is that right? In the ESMC, when I click on it a
  16. No, no other web sites have this problem, only this forum, but I tried it with multiple browsers and computers, all had the same problem. I have since changed authorization to use Facebook to login. I don't have this problem with it, (although I really didn't want to connect using Facebook.) It was only when using email and password that I have the problem. Before using the Facebook login, I was having to reset my password each time I returned to the ESET forum site.
  17. As an FYI, the online cybersecurity training that comes with ESS has a link to a page called "Take away PDF of tips and tricks." If you click on that link, it opens a pop-up window in the browser, but the server responds with error 404. The missing file is https://www.eset.com/us/resources/netropolis/embeds/ESETCybersecurityEducationTips.pdf
  18. Yes, if you read my post to itman, you'll see that as part of the debugging of version 9, which was having problems starting the EGUI both from the start menu as well as displaying ESS in the system tray, I had added EGUI to the start menu. After upgrading to version 10, this addition remained. I had added by putting shortcut to EGUI.exe in the folder C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup While that didn't work for version 9--about 2/3 of the time I could not get to the GUI--once I had upgraded to 10, I was now getting the UI to pop up every time.
  19. Nope, but that got me thinking! If you'll look at my original post, one of the problems I had previously was that the ESET icon was not starting at all and not appearing in the system tray. I have a vague recollection that one of the things attempted to get it to go was adding it manually to one of the autostart places on the computer. That didn't work, though. Now, I'm thinking I never removed that and the startup is because I moved on to another strategy to get it to work. Eventually, moving to 10 seemed to get it to work. Now, I think I'm just seeing the results of my a
  20. Yes, I reinstalled version 10, it grabbed 10.0.390.0 during install, and after installing and rebooting, the ESET GUI stays open on logging in.
  21. KingSoft.D is the signature name by which ESET labels the unwanted program. It is the unique identifier that goes along with the definition in the ESET database that is used to name the PUP. The file in question is either the WPS Office installer or one of the files inside it or that it retrieves from the web during the installation process. Without further details, it's hard to tell exactly what file that is, and it may not be important. If the software is not working correctly, you might try installing and clicking Ignore instead of Clean if you're sure you really want WPS Office. Yo
  22. Well, it's doing exactly what it's supposed to be doing. ESET is warning about files that may be "harmless" because you have PUP detection turned on. If you don't want it to be so aggressive and that ESET's being too cautious, you can turn PUP detection off. Or, you can temporarily turn off ESET's detection while you install the software, and turn it back on later. It is clear that software from Kingsoft has been determined to be a Potentially Unwanted Program by ESET and/or some of its users. Otherwise, they wouldn't have named the detection after the software publisher itself. This
  23. Since it's called Kingsoft.D, I suspect that's not a false positive, but a PUP that was specifically found in WPS Office. If you don't like it, turn off PUP detection.
  24. I'm finding that the last few times I have tried to log in the forum does not recognize my password. I am forced to reset my password every time. I change it, save it locally on my computer, and the next time I try to log into the forum, it says it is wrong. I am cutting and pasting, so I know it is right. I have tried multiple browsers with the same result. Anyone else experiencing this? I've resorted to just resetting my password each time I return here.