About qwerty

  1. Hi there. Detection engine at time of scan/detection: 23635 (20210716). Hashes of objects 7zip related, detected as PUA: DD1CB1163C5572951C9CD27F5A8DD550B33C58A4 5801F56A22AC5452663AC199BF92429F4A050BFD D0DC016DF5F9F9BF1A57B57DB0E9E82F097B02B6. The PUAs were originally detected during idle state scanning of some machines. We are now using an updated detection engine, 23637. Unsure if the problem still persists. I marked the issues as resolved and have initiated a re-scan of the machines. I have not added any exception for these objects.
  2. Today I've noticed a lot of detections of PUAs, in relation to a 7zip package we deployed via Chocolatey. It is being detected as Win32/DealPly.VO. However, as far as I'm aware this package does not actually contain adware. Detection screenshot attached. Not a big deal, I will do a remote scan and resolve the threat. However, I wanted to highlight this here as a potential false positive.
  3. Hello, this issue is still happening, so if anyone has a suggestion on how to resolve it, please let me know.
  4. I have a weekly report I generate showing any active detections and problematic machines showing a critical/warning status. When I spot any unresolved/active detections here it gives me a chance to clear up what I may have missed during the week. However, I have one detection which will just not clear from the report even though it is 6 weeks old. I believe the detection was found on an external device on this machine, and I believe it could not be cleaned, possibly due to the USB being removed before the cleaning was complete. I believe that this external device has not been entered into this machine again, so it has been impossible to re-scan that path. This is perhaps why this detection keeps showing up in the report. Although I have run multiple remote scans from the ESMC console, the report still keeps on showing this historical detection, which is a pain as I have to note the exception every week in our company weekly security review. Please note that this detection is "resolved" in ESMC; there are no threats in the ESMC dashboard requiring action. How can I clear this?
  5. Hi Christian, I'm setting up Device Control myself and have not noticed this issue myself. Have you seen this by locally connecting it to two different PCs, go into device control and click populate, and a different serial is shown? It may be useful for you to show us a screenshot of the auto populated detected device, when entering the USB on two different PCs. I think the easiest way to do this is go to ESET Endpoint AV > Setup > Device Control > Groups <Edit> and then click Populate. This will show you the vendor, model and serial.
  6. I have recently installed ESET File Security on one of our Windows servers, I have installed version 6.5.12013.0. I plan to set this server to create the mirror, for updating ESET Endpoint Antivirus on our 9 client PCs. Please can you confirm that the mirror will contain the correct definitions updates for ESET Endpoint Antivirus 6.6x? Or should I create the mirror from one of these client PCs instead of the server (not ideal). Many thanks in advance for your assistance. We are unable to use the HTTP proxy in our current environment, so we want to just use the simple mirror method.
  7. Hi Michal, yes you are correct it is due to licensing. We will move to the file security product in future.
  8. Hello All, can ESET Endpoint 6.3.2x update its modules (AV definitions only) from a mirror created in ESET Endpoint 6.5.2x? I'm enabling a mirror and it would be a big help to do this now, and upgrade to 6.6x later when I have more time since it is workgroup deployment.
  9. Hello, Just for anyone wanting to find out the solution to this problem. On one of the servers I just uninstalled and re-installed it, and it works fine. On the other server it would not uninstall, and parts of the installation such as one service were left behind. So I had to use an ESET uninstaller tool. All OK now.
  10. Hi, yes this is enabled. There seems to be a further issue that this server can now no longer be pinged and its shares cannot be accessed on the network either. I am investigating.
  11. I have recently upgraded from ESET Endpoint 6.5.3x to ESET 6.6.2046.0, however I have an alert that Web and mail protocol filtering is non-functional, and due to that anti-phishing is also non-functional. I realise this is not the advised product for the platform, but this is on Windows Server 2012 R2, and the same thing has happened to two of the servers that I have upgraded. It is not my choice to run this version of the product on this platform and I will try to move to the File Security product in future. However, for now I need to troubleshoot what I have to work with. I have tried to reboot twice, but this did not resolve the issue. If I go to enable the module in setup, it only gives the option to disable, which means it is enabled and non-functional. Please could you advise what I can try next?
  12. Hi Peter / Michal. Thanks for your help!! All understood now, my mistake regarding the 900MB. It should be more like 30MB after further reading!
  13. Hi Michal, Thanks for the information, the table was very useful. The data suggests that a single client uses up around 23.9MB of data per month for updates, in an average month. Plus some other data for LiveGrid / update.ver files. What I am confused about is that it suggests if you set up an Apache/HTTP web proxy, the data usage would be much higher in my scenario. I don't understand why this would happen, I thought it would mean all of the packages are downloaded only once instead of multiple times, perhaps with some extra additional files. The implication is 10 PCs direct to internet, internet data usage is 239MB. 10 PCs using Apache/HTTP proxy, the internet data usage is 900MB. So in my case it is suggested that I leave PCs going direct to the internet (as I have less than 37 computers), however I don't understand why the data usage is what it is.
  14. Hi Peter, Thanks for your help. Much appreciated indeed. In regards to the local mirroring causing more bandwidth due to the complexity, can you point me to any information about this? Or perhaps you would care to explain? The reason I ask is these sites have an unreliable internet connection, so the thought behind it is the less downloads occurring the better, even if local network traffic increases. I connected to one client yesterday, it was around 2-4 months out of date but somehow it was a 155MB download which took 2 hours, and so during the 2 hours the internet performance at the site becomes degraded. Perhaps this particular one was downloading application component updates, or there was some error in the request and it wanted to download too much, I am not quite sure. However, it wouldn't be too good if multiple clients fell out of date, and upon detection wanted to consume similar levels of data. Best Regards