Peter Randziak

ESET Moderators
  • Posts

    3,516
  • Days Won

    207

Everything posted by Peter Randziak

  1. Hello guys, @howardagoldberg The Antivirus and antispyware scanner module (do not confuse it with the Detection engine module) is used for various purposes, including such special tasks as setting the registry flag to signalize readiness for the patches. The second flag was set by the Anti-stealth module, as this module also contained required fixes to be compatible with the new patches, so it makes sense to signalize the readiness as well,... The only issue we are aware of is a possible BSOD when someone installs an old ESET product (with an old installer) on an updated system. Users with an installed version are O.K. as they received / will receive the compatible Anti-stealth 1124. Users downloading installers from the ESET web site are O.K. as well, as we repacked the installation packages with the new modules to be compatible. They generally do not contain changes other than modules / localization fixes, but this time it was an exception and it contains a new version of OppMonitor.dll (used in the Banking and payment protection feature), which will allow us to upgrade it easily in the future, and there are also changes allowing us to update the eelam driver quickly,... @Jani / @all if you have a full memory dump from the crash, you can send me a link to download via private message and I can check it. If I remember correctly, the updates were not offered to me on the first attempt, but I am not sure. Regards, P.R.
  2. Hello guys, sorry for the misinformation, so I will try to sum it up; it seems we did not have full / correct information on this as well. Antivirus and anti-spyware module 1533.3 (released 2018-01-14 at around 7:45 CET) set the registry key needed to signalize readiness for the MS January security patches (as we had no issues with them (for the x64 architecture, as those were available only for this bitness)); it set it for all supported Windows systems. So Win10 RS3 was updated to 16299.192. Later MS prepared the fixes for the x86 platform as well, and MS decided that another registry key has to be set to signalize AV readiness for this update (for the x86 platform); this one should update Win10 to 16299.201. This time we needed to make fixes to become fully compatible, so Anti-stealth 1124 set this registry flag to signalize to Windows that ESET AV is ready for the update. There was some miscommunication and it seems that the second registry flag (set by Anti-stealth 1124) is required to receive the updates. The Anti-stealth support module 1124 has been released to the general public today at around 10:30 CET, so it should be sorted after the next update. Thank you for bringing up this topic and for the detailed observations and analysis of the behavior. @howardagoldberg I may assure you we do our best to protect our users. @itman Anti-stealth is there not only for detecting rootkits, it has various supporting features. Regards, P.R.
  3. Hello guys, when it comes to the Anti-stealth 1124 release, we understand the importance of the updates, but we do not want to get into more serious issues by releasing it without proper testing and feedback from the real world. The plan is to release it during this week, if everything goes as expected. @howardagoldberg not sure what your update method is, but that is not an easy task. The files can be replaced manually on the system, but that is not a very user-friendly way, especially in larger deployments. In case you use a local mirror to update, you can manually modify it, but that is not an easy task either, so I would not go for it,... When it comes to the recent security updates, MS decided not to push them to machines with AV installed until the AV signalizes it is fully compatible with them by setting a special reg value, as the updates bring quite serious changes under the hood and they didn't want to cause trouble to customers, which proved to be a very wise decision,... Regards, P.R.
  4. Hello @Micha-CGN , can you please capture: 1. Process monitor log from the boot time with enabled advanced output 2. ESET log collector output pack them together, upload them to a safe location and send me a private message with download details and reference to this topic to check? Thank you, P.R.
  5. Hello guys, a few moments ago we released Anti-stealth support module 1124 for pre-release users, which allows the latest MS security patches to be installed. If you want to receive it, set your product to receive pre-release updates and let us know. The distribution should continue to general public users in the upcoming days, if no issues are found. Regards, P.R.
  6. Hello @PaulP , we have this topic covered by a KB alert: https://support.eset.com/alert6664/ What version of MS Exchange do you have? Does it happen with IMAP / POP3 as well, if you can test it with a testing account? Regards, P.R.
  7. Hello guys, if I remember correctly we already had some "issues" with the disk benchmark tools. Synthetic tests usually use non-cached reads and in real life you use cached reads; mixing those types of requests might lead to poor results. See for example https://forum.eset.com/topic/7072-nod32-90318-slows-down-samsung-pro950-per-magician-benchmark/?do=findComment&comment=39538 So to sum it up, you might see poor synthetic result data, but real-life usage experience should not be affected. Regards, P.R.
  8. Hello Bogdan. 1. No, the use of a proxy is not mandatory at all; it is used for saving Internet traffic, so in case you have a corporate proxy with caching on, you do not need the ESET Apache http proxy. 2. The proxy cache should contain the cached files if it is working properly. 3. The list of domains used by our products is listed in this KB article https://support.eset.com/kb332/ 4. The update.ver file containing metadata about the updates has no cache policy set, so clients always download it from our servers; only the update data files should be cached. Regards, P.R.
  9. Hello Christopher, thank you for sharing your experience, I'm glad it works for you now. The colleague who shared the workaround with me told me that this issue happens only on some distributions. Regards, P.R.
  10. Hello @Debian, a colleague shared a workaround which might help you; can you please try it and let us know how it went? Please create symlinks and type "libesets_pac.so" into the "ld.so.preload" file. A/ create symlink for 64bit "ln -s /opt/eset/esets/lib64/libesets_pac.so /usr/lib64/libesets_pac.so" B/ create symlink for 32bit "ln -s /opt/eset/esets/lib/libesets_pac.so /usr/lib/libesets_pac.so" C/ set in ld.so.preload file only "libesets_pac.so" In case you perform all the mentioned steps and the issue persists, please provide us with a new set of logs. Regards, P.R.
  11. Hello @Debian were you able to resolve the issue or do you need assistance from our side? If yes, please provide us with a log created according to this article https://support.eset.com/kb6159/ from our knowledge base. P.R.
  12. Hello @CASPARI we had some issues with the licensing services yesterday. Can you please retry it now and let us know how it went? Regards, P.R.
  13. Hello Steffen, not an issue, thank you for providing us with the additional details. Huawei devices are known to have such issues; it is tracked on our side, so our developers will look into it and will try to come up with a solution, if possible. Regards, P.R.
  14. Hello Steffen, I assume it is a device specific or better said manufacturer specific issue. May I ask who is the manufacturer of your child's device and what is the device model? Regards, P.R.
  15. Hello @TomFace I assume yes, but I never used the Emsisoft product,... Regards, P.R.
  16. Hello @TomFace O.K. please let us know then what the response was. Or you can send the file to me to do the check if you want. Regards, P.R.
  17. Hello @TomFace you will probably have to recover the file from the quarantine to be able to do that. On Windows just right click on the file -> Properties -> Digital Signatures -> Details as shown on the screenshot. The tool is quite old, so it will probably have the same SHA1 as mine "c553a7d911b531c7faa4c9aa821c4d2c4f4c31d5 " (I downloaded the actual one) Regards, P.R.
  18. Hello, @TomFace check the digital signature of the file; the tools released by us should have a valid one. If the signature is O.K., you can send the file to Emsisoft as a false positive report. If the file is not signed or the signature is not valid, please send it to me to check. Regards, P.R.
  19. Hello, in case the issue persists, can you please collect output from the ESET Log collector tool (before the upgrade attempt) and a dump from ekrn.exe - ESET service (after the issue occurred). If you have them, just send me a private message with a reference to this topic to check. Thank you, P.R.
  20. Hello @0xDEADBEEF you can send me a private message with a link to download, or you can upload it to ftp://ftp.nod.sk/samples/ with a unique name (you can use the file hash) and let me know once the upload is complete; we will check it. Thank you, P.R.
  21. Hello @Olli, we already had a banking and payment protection module with support for Chrome 64 (version 64, not 64 as a bitness) released, but we had to replace it with an older module due to an issue on an older version of our product still used by our customers. Once we fix the issue we will prepare a module with Chrome v.64 support, which will be distributed to users automatically. Regards, P.R.
  22. Hello, thank you for your report, I opened a ticket with the devs to check it. Regards, P.R.
  23. Hello, support for Firefox 64bit is in the backlog, so it is planned, but it will take some time to come. Regards, P.R.
  24. Hello guys, the Ransomware Shield is another layer of protection added. As you know, we use a layered approach, so even if one layer does not detect the threat, there are others to do so; moreover, some layers need the others to work completely. So even in case you have been vaccinated, you probably won't stop washing your hands. Regards, P.R.
  25. Hello itman, when it comes to the registry keys protection, as the keys are under HKEY_LOCAL_MACHINE, the attacker would need full admin rights. Once an attacker has them, he already has full access to the system, so there is no need to enable further vulnerabilities in the system from my point of view. When it comes to the mentioned bug, can you please share the direct URL to the post? I had quite a long holiday so I do not have an overview,... Regards, P.R.