
Peter Randziak

ESET Moderators
  • Posts: 3,511
  • Days Won: 207

Kudos

  1. Upvote
    Peter Randziak gave kudos to Marcos in Problem AIO installer on Win 7   
  2. Upvote
    Peter Randziak received kudos from avielc in ESET Apache Proxy set up | Displaying Remote Host properly   
    Sure, I understand.
    A possible solution which comes to my mind is to use the Run command from ESET PROTECT, but you need to find a suitable way to deliver the output...
    Peter
  3. Upvote
    Peter Randziak received kudos from avielc in ESET Enterprise Inspector for Linux (Agent)   
    Hello @avielc
    your response was very quick, we are not real-time  
    Sure, I understand your concerns as it is your production environment and making separate one for Linux would take time and resources...
    The GA release will be announced as usually.
    Peter
  4. Upvote
    Peter Randziak received kudos from New_Style_xd in Memory Usage   
    Hello guys,
    Protoscan is code name for Internet protection module.
    The version 1439 carrying the workaround will be distributed via standard module updates, but it will take some time until it is released for the general public...
    Peter
  5. Upvote
    Peter Randziak gave kudos to MMx in Memory Usage   
    Back to the original topic.
    We've had a discussion with Microsoft regarding this. They believe that the memory and CPU usage reported here is adequate to the size of the revocation list that is being processed. There are no plans to implement any changes in this part of Windows unless they are required for security. In their words it's not possible to avoid this behavior except disabling the cache which is not recommended.
    I've identified some circumstances that contributed to this problem. This will be solved in protoscan 1439. Unfortunately the problem might come back anyway since it's considered a normal behavior of Windows, although now it will be less likely.
    It's possible to apply this workaround manually. To do that create a DWORD registry value called CryptnetCachedOcspSwitchToCrlCount under HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config (you may need to create several missing path components) and set it to 1047 (the special meaning of this value is that it will be reverted to default when the product is uninstalled). Then run the following commands elevated and reboot:
    certutil.exe -urlcache http://crl3.digicert.com/ssca-sha2-g6.crl delete
    certutil.exe -urlcache http://crl4.digicert.com/ssca-sha2-g6.crl delete
    This needs to be done for each user separately.
    It is also possible to completely disable the cache that is causing these problems. Doing it means that verifying certificates after reboot will be as slow as it is the first time they are encountered ever. This is not a recommended solution:
    certutil -setreg chain\ChainCacheResyncFiletime @now+10000:0
    To revert this use
    certutil -delreg chain\ChainCacheResyncFiletime
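    The manual workaround above, as an added PowerShell example (not code from the forum post or from ESET): it creates the missing registry path components, records any existing value before overwriting it, sets the DWORD, purges the two cached CRLs and reads the value back. The registry path, value name, the data 1047 and the two CRL URLs are taken from the post; the script structure and messages are my own. Run it from an elevated session; because the certutil URL cache is per-user, the purge part has to be run under each affected user account, as the post says.

```powershell
# Added example (not from the forum post or from ESET): applies the CRL-cache
# workaround described in the post and verifies the readback. Run elevated.
# The registry path, value name, data and CRL URLs come from the post itself.

$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config'
$ValueName = 'CryptnetCachedOcspSwitchToCrlCount'
$ValueData = 1047   # per the post, 1047 marks the value for reset when the product is uninstalled
$CrlUrls   = @(
    'http://crl3.digicert.com/ssca-sha2-g6.crl',
    'http://crl4.digicert.com/ssca-sha2-g6.crl'
)

# Create any missing path components (-Force creates intermediate keys).
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
    Write-Host "Created key $KeyPath"
}

# Record the current value, if any, so the change can be reverted by hand later.
$existing = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
if ($null -ne $existing) {
    Write-Host ("Existing {0} = {1}" -f $ValueName, $existing.$ValueName)
} else {
    Write-Host "$ValueName not present; it will be created"
}

# REG_DWORD is selected with -PropertyType DWord; -Force overwrites an existing value.
New-ItemProperty -Path $KeyPath -Name $ValueName -Value $ValueData -PropertyType DWord -Force | Out-Null

# Purge the cached CRL copies for the current user (same certutil call as in the post).
foreach ($url in $CrlUrls) {
    & certutil.exe -urlcache $url delete
    Write-Host ("certutil exit code for {0}: {1}" -f $url, $LASTEXITCODE)
}

# Confirm the value is in place before rebooting.
$check = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
if ($check -eq $ValueData) {
    Write-Host "Workaround applied; reboot for it to take effect"
} else {
    Write-Warning "Value readback mismatch: got $check, expected $ValueData"
}
```

    The readback at the end is the check worth keeping: a Group Policy refresh or a product reinstall can overwrite values under the Policies hive, so if the memory problem returns, run only the last few lines first to see whether the value is still set before repeating the whole procedure.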
  6. Upvote
    Peter Randziak received kudos from avielc in ESET Enterprise Inspector for Linux (Agent)   
    Hello @avielc,
    Glad to hear that 😉, if you are interested in BETA for it let me know.
    The EI Linux Connector/Agent is in Release candidate quality and we would like to test it in the wild...
    Peter
  7. Upvote
    Peter Randziak gave kudos to MMx in Memory Usage   
    This method doesn't allow to inject data into the connection. This has several disadvantages:
    No blocking pages (it's much easier to figure out which tab a message is related to if it's displayed directly in the tab than in a separate dialog), no redirects for Banking & Payment protection. There's no way to implement HTTP2 flow control properly since we would be unable to send any messages: "Flow control is specific to a connection. Both types of flow control are between the endpoints of a single hop and not over the entire end-to-end path." (https://datatracker.ietf.org/doc/html/rfc7540#section-5.2.1) This could have unforeseen consequences. There's also no way to send an HTTP2 RST message to inform the browser that it shouldn't use any data it has received so far. If an HTTP2 response is completely transferred but we haven't finished scanning it yet, we are only able to delay the entire connection, blocking access to other resources which the browser could be parsing in the meantime. This would result in degraded performance. This might be one of the reasons why Avast slows down your browsing more than ESET (see Slowing-down when launching popular websites):
    https://www.av-test.org/en/antivirus/home-windows/windows-10/december-2021/eset-internet-security-15.0-211609/
    https://www.av-test.org/en/antivirus/home-windows/windows-10/december-2021/avast-free-antivirus-21.9-211603/
    As already mentioned, this research is a couple of years old. Most of the findings there related to ESET were fixed before the paper was published (we were contacted by the author beforehand), all of them are fixed by now, and some were never correct in the first place. Unfortunately the author didn't respond to our request for corrections or updates.
  8. Upvote
    Peter Randziak received kudos from New_Style_xd in Cannot update signature database   
    Hello @dahlson,
    the current version is 15.0.23.0; download and install it from https://www.eset.com/int/home/internet-security/download/#download-manually
    ESET Internet Security is the replacement product for ESET Smart Security. Support for version 10 ended in February 2019.
    Uninstallation, system reboot and installation of current version should resolve it for you.
    Peter
  9. Upvote
    Peter Randziak received kudos from avielc in Question | Watching EEI information inside ESET Protect 9 console   
    Hello @avielc,
    yes, I've seen a report of the setting getting lost after the upgrade, but also a rumour that it might be fixed in version 1.8 🙂 
    Peter
  10. Upvote
    Peter Randziak gave kudos to Posolsvetla in Memory Usage   
    We cannot stop validating certificates.
    We don't do it because some browser might do certificate validation incorrectly. We do it because if TLS scanning is active for a particular web site, a browser cannot validate the original certificate of that site. (Note: As already discussed previously, we validate certificates also in several cases when TLS scanning is not active for a web page in question.)
    What would happen if we stopped validating certificates can be simulated like this:
    As per https://help.eset.com/eis/15/en-US/?idh_config_epfw_ssl_known.html add the certificate for https://untrusted-root.badssl.com/ and set the Access action to Allow. This way, the server's certificate will be considered valid by our product with the same effect as if we didn't validate it. (Note: As already mentioned, the revoked certificates won't be considered valid even if configured so.) Then try to open that web site. It will succeed.
    I managed to find a few links which might be helpful for anybody reading this forum:
    https://medium.com/@ethicalevil/how-http-proxies-read-tls-traffic-from-browsers-f15364e91226
    https://security.stackexchange.com/questions/133254/how-does-ssl-proxy-server-in-company-work
    https://docs.mitmproxy.org/stable/concepts-howmitmproxyworks/#transparent-https
    https://en.wikipedia.org/wiki/TLS_termination_proxy
    According to Wikipedia, we use "TLS termination proxy" of "TLS Bridging" type in order to be able to do TLS scanning.
  11. Upvote
    Peter Randziak gave kudos to Leo Pham in On ESET Protect Create All-in-one Installer :   
    Thank you for your reply. 
    I found my problem, which is due to the "hard firewall" (Fortinet); on my firewall a "security Profiles" policy filter was applied. After removing it
    I can download the product via Create All-in-one Installer on Eset Protect.

  12. Upvote
    Peter Randziak gave kudos to MartinK in Windows XP / EP 6.5.2132.6 - out of date message   
    As of now, the version is marked as out-of-date because it is older than the version marked as compatible with your console (for your PROTECT version the compatible version is 8.0). Even though it works properly in this case, support for more recent functionalities might be missing in the older version of AGENT, i.e. the environment as a whole might not work as expected.

    In the case of other ESET products, the version check considers the latest version supported by the operating system instead of functionalities, and thus ESET Endpoint Antivirus v6.5 is not reported as outdated when deployed on Windows XP, even though it might be considered misleading, especially now when the product is communicating its outdated status directly and it has EOL status.
  13. Upvote
    Peter Randziak gave kudos to Marcos in Push notification servers unreachable after computer start   
    The product already detects connection issues with a delay and does not report problems immediately. It also retries several times to connect before a problem is reported.
  14. Upvote
    Peter Randziak gave kudos to bouke in ESET PROTECT Cloud: unable to create an installer   
    This has been resolved by ESET. Thanks. 
  15. Upvote
    Peter Randziak gave kudos to JamesR in EEI manual database cleanup   
    Artemis,
     
    There is a difference between "Events" and "Detections" which you might be confusing.
    Events are the low level data that is logged by EEI (file and registry writing, TCP connections, WMI events, etc).  This data can take up the bulk of disk space for an EEI server.
    Detections are made from rules which parse the logged events.  If EEI was not optimized after install, it can lead to a large flood of detections which can slow down the EEI server if never resolved.
    Your description of the issue leads me to believe your EEI environment has not been optimized to create a baseline on your environment and the number of detections is overwhelming the server.
    There are a couple things you should backup and try before purging the entire Database.
     
    Items to backup
    Exclusions Log into the EEI Web console and navigate to: Admin > Exclusions Remove any filtering from your view. Checkmark all exclusions, and click "Export" and save the exclusions in a safe location. You can re-import these after the database is purged and recreated Event Filters Log into the EEI Web Console and navigate to: Admin > Event Filters Remove any filtering of your view Checkmark all filters, and click "Export" and save the exclusions in a safe location. You can re-import these after the database is purged and recreated One thing to try before purging the data
    Change the "Database Retention" and the type of data retained by "Data Collection" Log into the EEI Web console and navigate to: Admin > Server Settings Change how long to retain both of the following settings: Store low-level data for: 7 days  (this is very standard to only retain the low level event data for 7 days) Store detections for: 1 week (we are only temporarily changing to this and after the EEI console is usable again, change it back to your desired retention) The next time EEI performs its nightly tasks of purging data, it will start purging the excess data.  Please be aware that it is possible that it could take several days to fully purge all the excess data. Other things which could cause your same issue:
    If EEI's SQL DB is installed to the same drive as the OS, it can lead to slow downs.  The SQL DB should be installed to a secondary drive. If the SQL DB is using the OS's Temp folder, it can lead to failed nightly purges due to not enough free disk space.  You will want to edit the my.ini and set the tmpdir to point to an existing folder on a secondary drive Edit the "...\MySQL\MySQL Server 8.0\my.ini" (preferably with Notepad++ to prevent file encoding from being changed. Locate the [mysqld] and add the following line below it (change the path to be the path to the temp folder you create on the secondary drive):
    tmpdir = D:\My\Exeternal\temp If the drives your SQL DB is installed on, does not meet the minimum IOPS needed to support the amount of data EEI is actively handling, then you can see performance issues like what you are seeing. Test the IOPS of your SQL server with DiskSpeed (if you need help reading the results, post them in a reply): Change "C:\iotest.dat" to point to the drive hosting SQL diskspd -b32K -d60 -o4 -t8 -h -r -w65 -L -Z1G -c20G C:\iotest.dat > C:\DiskSpeedResults.txt download: https://github.com/microsoft/diskspd/releases/download/v2.1/DiskSpd.ZIP  
     
    As a last resort, you can use the following steps to purge the entire database.  Please only use this as a final resort, as it cannot be undone.  These steps are for MySQL.  If you are using MS SQL, the steps would be similar
      1. Stop the "ESET EI Server" service: net stop EiServerSvc
      2. Change Directory to: "%ProgramFiles%\MySQL\MySQL Server 8.0\bin\"
      3. Enter the sql shell: mysql -u root -p
      4. Run the query: SHOW DATABASES;
      5. Drop the EEI DB: DROP DATABASE enterpriseinspectordb;
      6. Wait for this to complete.  It can take a bit.
      7. Rerun the query: SHOW DATABASES;
      8. When ready, run a repair of the EEI Server
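    The my.ini points in the post above (tmpdir under [mysqld], whether the folder exists, whether it sits on the OS drive, and how much free space is left), as an added read-only PowerShell check that is not part of the original post and not ESET's or MySQL's own tooling. The default my.ini location in the script is an assumption, since the post elides it; pass -MyIni with the real path. It also checks datadir the same way, because the post's "SQL DB on the OS drive" point is the same question asked of a different directory.

```powershell
# Added example (not from the forum post, ESET or MySQL): read-only checks for the
# MySQL backend of an EEI server, covering the my.ini points discussed in the post.
# ASSUMPTION: the default my.ini path below is a guess; pass -MyIni if yours differs.
param(
    [string]$MyIni = "$env:ProgramData\MySQL\MySQL Server 8.0\my.ini"   # assumed default path
)

if (-not (Test-Path -LiteralPath $MyIni)) {
    Write-Warning "my.ini not found at $MyIni (pass -MyIni with the real path)"
    return
}

# Parse the INI into section -> key -> value. A key set twice keeps the last value,
# which is how mysqld reads its options file.
$config  = @{}
$section = ''
foreach ($line in Get-Content -LiteralPath $MyIni) {
    $t = $line.Trim()
    if ($t -eq '' -or $t.StartsWith('#') -or $t.StartsWith(';')) { continue }
    if ($t -match '^\[(.+)\]$') {
        $section = $Matches[1]
        if (-not $config.ContainsKey($section)) { $config[$section] = @{} }
        continue
    }
    if ($section -ne '' -and $t -match '^([^=]+?)\s*=\s*(.*)$') {
        $config[$section][$Matches[1]] = $Matches[2].Trim('"')
    }
}

if (-not $config.ContainsKey('mysqld')) {
    Write-Warning "No [mysqld] section found in $MyIni"
    return
}
$mysqld  = $config['mysqld']
$osDrive = $env:SystemDrive   # e.g. C:

function Test-MySqlLocation {
    param([string]$Label, [string]$Path)
    if ([string]::IsNullOrEmpty($Path)) {
        Write-Warning "$Label is not set under [mysqld]"
        return
    }
    # my.ini often uses forward slashes; Split-Path -Qualifier handles both forms.
    $drive  = Split-Path -Path $Path -Qualifier -ErrorAction SilentlyContinue
    $exists = Test-Path -LiteralPath $Path
    $status = if ($exists) { 'exists' } else { 'MISSING' }
    Write-Host ("{0}: {1} ({2}, drive {3})" -f $Label, $Path, $status, $drive)
    if (-not $exists) {
        Write-Warning "$Label points to a folder that does not exist; nightly purges may fail"
    }
    if ($drive -and ($drive -ieq $osDrive)) {
        Write-Warning "$Label is on the OS drive $osDrive; the post recommends a secondary drive"
    }
    if ($drive) {
        $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$drive'"
        if ($disk) {
            Write-Host ("  free space on {0}: {1:N1} GB of {2:N1} GB" -f $drive, ($disk.FreeSpace / 1GB), ($disk.Size / 1GB))
        }
    }
}

Test-MySqlLocation -Label 'tmpdir'  -Path $mysqld['tmpdir']
Test-MySqlLocation -Label 'datadir' -Path $mysqld['datadir']
```

    Run it before the retention change and again a few days later: if tmpdir is MISSING or on the OS drive with little free space, the nightly purge is the likely casualty, and fixing that is cheaper than the last-resort database drop in the post.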
  16. Upvote
    Peter Randziak gave kudos to kurco in ESET Server Security v8.1   
    Hi obee,
    yes, it is possible to install it on a machine without internet access, but you need to ensure that all dependencies are already installed there. 
    Dependencies could be checked by dumping the deb/rpm packages from the bin installer and then getting the info from the packages. For example on Debian like this:

    # dump packages
    user@machine:~$ ./efs.x86_64.bin -n -y
    Extracting: efs-8.1.813.0.x86_64.rpm efs-8.1.813.0.x86_64.deb
    ....
    # get package info and grep dependencies
    user@machine:~$ dpkg -I efs-8.1.813.0.x86_64.deb | grep Depends
    Depends: gcc, make, perl, openssl, linux-headers-generic|linux-headers-amd64, linux-headers-generic-hwe-20.04|linux-headers-generic-hwe-18.04|linux-headers-generic-hwe-16.04|linux-headers-amd64, libelf-dev|libelf-devel|elfutils-libelf-devel, libudev1, cron|cronie|systemd-cron, libsqlite3-0
    Regards,
    Peter 
  17. Upvote
    Peter Randziak gave kudos to Marcos in "network security" ESET File Security 8 on Windows Server 2008 R2   
    That's because without KB2664888 the server could stop responding:
    https://support.microsoft.com/en-us/topic/computer-stops-responding-when-you-run-an-application-that-uses-the-windows-filtering-platform-api-in-windows-7-windows-server-2008-r2-windows-server-2008-or-windows-vista-7e37fbbb-7fc8-a41e-6fd1-75f554501992
    You can install EFSW in custom mode and select Web and network protection to install.
    Also please bear in mind that the OS reached EOL in 2020 and no security updates are issued any more (https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-server-eos-faq/end-of-support-windows-server-2008-2008r2). We strongly recommend upgrading to a fully supported OS.
  18. Upvote
    Peter Randziak gave kudos to MatoB in Missing or invalid SSL certificate or certificate authority   
    Dear skello,
    I will write you a PM as I will need more data to analyze and check.
    Thank you
     
  19. Upvote
    Peter Randziak gave kudos to MartinK in Slow installer downloads from locally hosted ESET Protect server   
    Unfortunately I do not think this is related - installing an HTTP proxy would help with the "creation" of the installer itself, which is indicated by the progress dialog in the console itself and involves downloading the installer from ESET repository servers through the HTTP proxy, and only in case the installers are not cached locally yet.

    Once the generated installer is ready, the download reported in this issue is performed, and in this case the file is hosted by Apache Tomcat (where the PROTECT console is hosted) and downloaded directly by your browser, so it might indicate a problem with connectivity between the browser and the console, or performance degradation of Apache Tomcat. I would recommend focusing on those two aspects in case this issue reoccurs.
  20. Upvote
    Peter Randziak gave kudos to Adam Luzsicza in EEI false positive on every 7zip action and can't be turned into an exception!   
    Hello everyone, I believe that the new Hotfix build 1.6.1766.0 should fix any issues with Exclusions not working correctly as mentioned by Peter. If this is not the case please let us know and we can investigate the particular problematic Exclusion further.
     
    Thanks and have a great day,
     
    Adam
  21. Upvote
    Peter Randziak received kudos from kingoftheworld in Eset Endpoint v8.1 LiveGrid connection problem   
    Thank you for trying it out and sharing the positive results with us.
     
    The release to the standard update channel is expected next Monday (February 21), if everything goes well.
    Peter
  22. Upvote
    Peter Randziak gave kudos to kingoftheworld in Eset Endpoint v8.1 LiveGrid connection problem   
    While I can't switch my entire environment to the pre-release, I did change my test machines and it resolved the issue.  How long will it be the pre-release before going to the main channel?
  23. Upvote
    Peter Randziak gave kudos to j-gray in Excluded threats/detections keep returning as Unresolved   
    Just to confirm, 1.6.1766.0 seems to have resolved our issue with exclusions being ignored.
    Thanks for the heads-up.
  24. Upvote
    Peter Randziak gave kudos to avielc in EEI false positive on every 7zip action and can't be turned into an exception!   
    Thanks for the update Peter, I'll be testing it out starting Sunday through our company.
  25. Upvote
    Peter Randziak received kudos from avielc in EEI false positive on every 7zip action and can't be turned into an exception!   
    Hello guys,
    Just yesterday we released EEI 1.6.1766.0 and one of the changelog entries is "Fixed: EEI exclusions for new detections".
    https://www.eset.com/int/business/download/enterprise-inspector/
    Peter