[12.1.31 GUI bug]

30 minutes ago, itman said:

So I don't know what is going on in regards to @0xDEADBEEF issue

This issue has now also surfaced on my laptop (yesterday was desktop). was a bit surprised that no other people have encountered this in beta phase.

[12.1.31 GUI bug]

35 minutes ago, Marcos said:

please confirm or deny that you are able to reproduce the issue, e.g. by downloading the eicar test file.

yes, EICAR also result in the same behavior. Seems it is not dependent on the threat type, because now that the camera protection popup will also bring up the main GUI window

Another observation is that when I close the main window, the egui.exe will stay in the process list for some while. During this time if another popup is triggered, the main window will not be brought up. It happens only when egui is not in the process list.

[12.1.31 GUI bug]

attached is the zip containing the GIF recording

demo.zip

[12.1.31 GUI bug]

Seems there is a bug with 12.1.31 GUI. Sometimes when the main GUI is not opened (egui.exe not in the process list), and when a threat is detected, the main GUI window will popup along with the notification on the bottom right corner.. I don't think this is expected. Please let me know what needs to be logged because the issue can be reproduced.

[Malware removal being extremely slow]

8 hours ago, Marcos said:

You could try enabling pre-release updates since some optimizations have been made recently, however, we don't expect any big difference in this particular case.

After updating to 12.1.31, the performance issue gets largely resolved. The sample that originally takes 15 sec to delete now only needs 3~4 sec in the latest version. 

Anyway I've messaged u the new log on 12.1.31

[Malware removal being extremely slow]

1 hour ago, itman said:

I have observed a slight lag in the malware resolution process but nothing as extreme as you posted

seems the performance issue is largely resolved in the latest version that is just released today. The deletion latency has dropped from 15 sec to 3~4 sec.

[Malware removal being extremely slow]

On 3/5/2019 at 3:57 PM, itman said:

I am "dying of anticipation." Has "block at first sight" LiveGrid cloud scanning been added?

did you observe the same thing on your side? The samples, upon being detected, will show in explorer as 0kb and takes a long time before being deleted and the notification.

[Malware removal being extremely slow]

28 minutes ago, Marcos said:

Please reproduce it.Beforehand, enable advanced operating system logging in the advanced setup -> tools -> diagnostics and start logging with Procmon as well. After the cpu utilization drops down after cleaning, stop logging.

Then gather logs with ESET Log Collector and together with a compressed Procmon log provide it to us for perusal.

I have sent u a message containing the log

It takes more than 15sec to delete this sample and when the logging is enabled it takes several minutes

[Malware removal being extremely slow]

I think this doesn't happen until recently... Generally when the ESET scan engine detects a malware, it is taking unusually long time to delete that specific malware sample and show notification popups (I think it is definitely more than 40s to process one sample with very high cpu utilization on a high-end CPU). The EIS version is 12.0.31.0. Any changes under the hood that leads to such behavior?

[Ransomware Undetected]

SHA256: 1f15a3e297b9017c40276ad1c32d606c8beebbf432227b47360f3674bfb60127

already 30/70 detected in VT but still pass through all defense layers by ESET

[HIPS and FIREWALL in default installation]

12 hours ago, novice said:

"Assumed is Eset is concentrating on malware with the greatest risk to its customers" sounds like ESET had the undetected samples in hand, but , what the heck , they were not prevalent, so ESET dumped them, focusing on other "prevalent" malware.

But on AV Comparatives ,  surprise-surprise, the dumped samples were on the test, that's why ESET scored only 98.5%

On the other hand , MSE decided not to focus on prevalent malware only,  and scored 100%

My personal view on these discussions is that the two products are not comparable with such drastic difference in false positive rate.

It is much easier to achieve a "100%" rate in such test if you are willing to sacrifice the detection accuracy (i.e. mark benign files as malicious) by tuning your detection knob of the model to be a bit more aggressive. ESET can definitely do this, but ESET chose not to do such thing for a good reason (there are more reasons but those are beyond the scope of this post) : in reality users are more likely to be bugged by FPs instead of real threats if the detection threshold is too aggressive. When users are getting used to dealing with FPs of a security product, they are more likely to blame and turn off the AV to use unknown riskwares next time. This generally makes a security product useless. Therefore, controlling the FP is of great great significance.

And honestly speaking, even some products have very nice looking FP scores in this test, in reality they do noticeably worse than ESET. For many products which perform flawlessly in AVC's FP test (like those 0 FP ones), I can easily find FP PE files distributed by large IT companies with valid digital signature every month or two (yes, they still make such mistakes even with the help of very mature reputation cloud), but it is really hard to find such FP cases in ESET products. FP is much harder to be measured by a standardized test like AVC because there are grey zones. Plus the realworld situation of white files are far more complex than the training set in the lab. Only extensive real-life use experiences of these products will tell.

[LiveGrid Feedback auto turn off]

3 hours ago, itman said:

LiveGrid feedback is enabled on my Win 10 Home x(64) 17763 build and has been so since upgrade to EIS 12.0.31.

Since you reference a Win 10 Pro ver., the only thing I can think of is he set on some Group Policy setting that is possibly interfering with Eset outbound uploading of LiveGrid data.

No, the user doesn't seem to have such configuration. I think this issue needs some troubleshoot tools from ESET to find out what flipped that switch automatically

[LiveGrid Feedback auto turn off]

A friend of mine experienced the issue that the LiveGrid feedback system will automatically be turned off some time after turning it on in EIS 12.0.31.0.

OS: Windows 10 Pro x64 17134

Is there a way do diagnose this issue? Reinstalling EIS doesn't help.

[Upgrade to 7.0.2091 failed]

On 11/29/2018 at 2:24 PM, MartinK said:

Could you please verify that ESET Mamagement Agents installed on those clients are configured to use production (AUTOSELECT) repository? It is possible that they were part of ESMC/EDTD early access and are using different repository?

It works after resetting ESET Management Agent settings. I think it was indeed due to the pre-release repository setting. Thanks!

[Upgrade to 7.0.2091 failed]

1 minute ago, MartinK said:

Could you please verify that ESET Mamagement Agents installed on those clients are configured to use production (AUTOSELECT) repository? It is possible that they were part of ESMC/EDTD early access and are using different repository?

ah, that's a good point. I will try tonight and see if it helps.

[Upgrade to 7.0.2091 failed]

On 11/21/2018 at 2:18 AM, Peter Randziak said:

Does the issue repeat, or it was just one time glitch?

The issue does repeat. I can't get any of the machine update to 2091 due to such issue except for one laptop.

Please let me know if any info is needed.

[Upgrade to 7.0.2091 failed]

When I tried to push EES 7.0.2091 update through the cloud administrator, the task failed saying cannot find the package in the repository. Has ESET withdrawn this update? The package list's update log corresponding to 2091 points to the update log of 2073.0

[Ransomware Protection Improvements]

4 minutes ago, novice said:

So, disabling HIPS disables Ransomware Shield.

Yes, as I said, HIPS is the foundation of Ransomware Shield.

In general, you can view the ransomware shield as HIPS + a complex rule set made by ESET that is not visible to end users. And that's why it is a behavioral-based defense layer.

[Ransomware Protection Improvements]

20 minutes ago, Hands said:

My apologies, I’ll try not to compare products next time.

In most cases it should be ok. But as the forum rules said: https://forum.eset.com/topic/76-rules-of-the-eset-security-forum/  I just don't want to touch any topics that fall inside the grey zone 

 

[Ransomware Protection Improvements]

37 minutes ago, novice said:

There is no behavior monitoring in ESET!!! See Marco's answer above.

I think Marcos was referring solely to the HIPS module (by default the auto mode indeed doesn't block most behaviors, but it is serving as a foundation for other protection layers like memory scanner and ransomware shield).

Ransomware shield is different. It is a behavior-based defense layer. It is more complicated than writing custom rules in the HIPS rule table because so far there is no simple rule in the world that can block ransomware with the guarantee of low FPs. I can say this for sure because I've tested the ransomware shield using my own code.

[Ransomware Protection Improvements]

4 minutes ago, Hands said:

Kaspersky’s System Watcher performs so well.

Kaspersky indeed has some decent behavioral defense mechanisms, but it is not without its issues. I tend not to compare products in this forum so I will stop here ? Generally there are always trade offs

[Ransomware Protection Improvements]

5 minutes ago, Hands said:

How does the ransomware shield work? Is it a behavior monitoring component?

yes it is a behavior monitoring component (potentially combined with cloud reputation and other methods).

8 minutes ago, Hands said:

while this was implemented a while back, ESET still misses some ransomware samples.

The thing to keep in mind is that it is hard to distinguish malicious file modification behaviors versus legitimate ones. So to balance the detection rate and false positives, there will be weaknesses of such protection layer. And that's why multi-layer protection is important. 

[Game downloader false positive?]

1 hour ago, itman said:

What is downloaded from the link you posted is an .exe file; not any .zip file

Yes I have the habit of zipping the sample sand name it using the sha1 hash before submission.

1 hour ago, itman said:

However, an entry still exists in the download directory but its file size is 0 bytes.

I have observed this for months(I was using Chrome), and I think it is a bug. Previously opera has this issue with vpn on, then this issue propagate to chrome and potentially more browsers. If you use the built in vpn in opera, you will find the quarantined sample downloaded through opera can’t even be restored to its original place

btw, nearly all FPs I’ve encountered in ESET product is such Generik detection, which makes sense

[Game downloader false positive?]

On 8/15/2018 at 8:01 AM, 0xDEADBEEF said:

The sample 768596273459d8c3e01c77ffcc0f631bf79f3b6c.zip

Is this sample indeed malicious/PUA? Though I didn't do careful analysis on this sample, judging from the source and digital sig it is likely to be benign with not-so-few users (according to LiveGrid). It is a bit unusual to see ESET holding a potential FP for such long time.

[website bug?]

2 hours ago, itman said:

Are you using an ad blocker in FireFox 61?

Nope, and I also tested two other browsers (Chrome and Opera, also tested the incognito mode), both have the same issue.