Enrico
Posts: 73
Posts posted by Enrico
-
It's a program-related issue, not system startup (boot time).
The process added to the exclusions in "real-time file system protection" is "C:\Program Files\Tebis_AG\Tebis V4.0 R8\program\tebis.exe".
Usually, when I encounter slow program loading, first I scan for malware, then I pause protection to exclude the ESET detection engine from the possible causes; but even though the popup says that real-time protection will be deactivated, this time I needed to add the executable to the exclusions in order to totally exclude ESET process scanning.
The strange thing is that this behaviour doesn't happen under Win7: with or without the process exclusion, or with protection paused, tebis.exe startup times are almost the same.
-
I've installed the latest version of my professional SW on both W7 and W10, but under W10 I've had long startup times (old version 6.5 sec, new version 17 sec), while under W7 they were almost the same (old 8 sec, new 7.5 sec). Then, under W10, I paused protection to exclude ESET from the possible causes of the long startup, but startup times remained unchanged; I clean-reinstalled the SW and nothing changed, so I added a new process exclusion entry in real-time file system protection and bam... the new version started in 4.5 sec!
Is it possible that under W10 "pause protection" doesn't disable some modules?
Best regards.
-
As anticipated in another topic, EIS is stealing focus from active applications when updating the database or starting scheduled scans; this behaviour is back with versions 13.0.22.0 and 12.2.30.0 (see this old topic with a similar issue: https://forum.eset.com/topic/19194-eset-keeps-stealing-focus-from-firefox/?tab=comments#comment-93512 ).
Best regards.
-
Here they come.
Win 10 Audit Failure events started after 12.2.30 was installed; they're still happening with the latest version. Note: during boot and shutdown the access point is kept offline.
Also, the "stealing focus" problem was back with 12.2.30 (I had no time to check whether it persists in 13.0; eventually I will open a new topic).
Attachments: sec_log.zip, Bootlog-2.zip, Bootlog-1.zip, Bootlog.zip, eis_logs.zip
-
-
@Pete: you can rename rules and change the column size.
I think that the EIS firewall UI is perfect as it is: clear, simple and fast. Adding sorting by name and date can only cause confusion and problems when using the arrows to assign priority, which is essential to allow/block only some domains for an application or a set of applications.
-
@Pete12: Let's hope MS will be very careful with the next updates in the future!
Other AVs are having similar issues caused by W10 WSC (monthly change for the sake of change helps no one).
-
Problem solved: I went to KB2885 and downloaded 12.2.29.0.
Best regards.
-
The legacy_eis_nt64 installer doesn't ask for the installation language, as per KB3552 (hxxp://support.eset.com/kb3552/?viewlocale=en_US); once run, the installer uses the system locale. Is there a way to force the English language?
-
Those rules were set with the only purpose of identifying the "offender"; they were not present before finding "4.4.8.8" in tcplogview. Now I'm back to the previous configuration: "block untrusted IP ranges" -> "ESET default rules" -> "custom rules".
Anyway, custom rules with the wrong priority were still incapable of explaining the presence of 8.8.8.8 and 4.4.8.8 in the logs.
In the last 24 hours the logs had no strange DNS queries, so probably I will never be able to identify what happened last month... (yesterday)
...Until this morning! I left the PC unattended for some time; the interactive firewall was asking what to do with some Windows processes, and meanwhile Google DNS queries have been logged. My suspicion is that when the endpoint cannot be reached in the expected amount of time, Windows services override the user DNS settings.
-
This is what I did:
1. Created "allow all" rules for ekrn and egui with the only purpose of logging network traffic and overriding another rule that was blocking Azure CDN traffic.
2. Created an "ask" rule for svchost.
3. Every time ESET detects a new svchost\DNS connection, I add the IP to the custom "allow" rule, but only if the remote/local addresses are trusted destinations.
As you can see, custom rules have higher priority than the predefined "allow" rules; this way ESET can use all whitelisted IPs when needed and ask for other DNS connections when they're not present in the custom "allow" rule, except for the ones made to Google servers, which are always blocked (I don't trust that corp. and won't use their SW).
I had to do it that way because of data-gathering code (GA) hidden here and there in some common freeware applications, drivers and purchased SW.
Probably ESET was only detecting attempts made by other SW, but it's better if I review/reorder all my custom settings.
Best regards.
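The post above (and the earlier remark that sorting the rule list by name would interfere with the arrow-assigned priority) relies on first-match rule evaluation: the first rule that matches a connection decides, so a "block Google DNS" rule only works if it sits above any broad "allow ekrn" rule. The following is an added example, not the poster's configuration or ESET code; it evaluates a small constructed rule set three ways (custom rules first, predefined rules first, and sorted alphabetically by name) against the same ekrn.exe -> 8.8.8.8:53 connection. The rule names, the CIDR ranges (the ESET range is a TEST-NET placeholder, not a real ESET address) and the connection tuples are assumptions made for illustration.

```python
"""First-match firewall rule evaluation, showing why rule order decides the outcome.

Added example, not the poster's configuration or ESET code. Rule names, the CIDR
ranges and the connection tuples are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "allow", "block" or "ask"
    app: Optional[str] = None     # None matches any application
    nets: Tuple = ()              # remote CIDR ranges; empty tuple matches any address
    port: Optional[int] = None    # remote port; None matches any port

    def matches(self, app, addr, port):
        if self.app is not None and self.app.lower() != app.lower():
            return False
        if self.port is not None and self.port != port:
            return False
        if self.nets and not any(addr in n for n in self.nets):
            return False
        return True


def evaluate(rules, app, ip, port, default="ask"):
    """Walk the list top to bottom; the first matching rule decides (first-match semantics)."""
    addr = ipaddress.ip_address(ip)
    for r in rules:
        if r.matches(app, addr, port):
            return r.action, r.name
    return default, "<no rule>"


EKRN = r"C:\Program Files\ESET\ESET Security\ekrn.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
GOOGLE_DNS = (ipaddress.ip_network("8.8.8.0/24"), ipaddress.ip_network("8.8.4.0/24"))
# Hypothetical stand-in for the documented ESET ranges (TEST-NET-2), not a real ESET address.
ESET_CLOUD = (ipaddress.ip_network("198.51.100.0/24"),)

# Custom rules in the order the post describes: the Google block first, then the
# whitelist for ekrn, then "ask" for svchost. Predefined allow rules sit below them.
CUSTOM_RULES = [
    Rule("Google dns", "block", nets=GOOGLE_DNS, port=53),
    Rule("ekrn whitelisted ranges", "allow", app=EKRN, nets=ESET_CLOUD),
    Rule("svchost ask", "ask", app=SVCHOST),
]
PREDEFINED_RULES = [Rule("ESET default allow ekrn", "allow", app=EKRN)]


def ruleset(custom_first=True):
    """The list as the firewall would walk it, with the custom block either above or below."""
    return CUSTOM_RULES + PREDEFINED_RULES if custom_first else PREDEFINED_RULES + CUSTOM_RULES


def ruleset_sorted_by_name():
    """What a by-name sort would do to the same rules: alphabetical order, priority lost."""
    return sorted(ruleset(), key=lambda r: r.name.lower())


if __name__ == "__main__":
    for label, rules in (("custom first", ruleset()),
                         ("predefined first", ruleset(False)),
                         ("sorted by name", ruleset_sorted_by_name())):
        print(f"{label:17s}", evaluate(rules, EKRN, "8.8.8.8", 53))
```

With the custom block on top the query is blocked; with the predefined "allow ekrn" rule on top, or after an alphabetical sort that happens to put it first, the very same query is allowed, which is the confusion the post warns about.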
-
As you can see, it's all configured and working.
What I meant is that automatic DNS is greyed out with a static IP.
By the way: until now the Google DNS queries have stopped on both W10 and W7; in the W7 logs I see that ekrn is querying the configured DNS.
-
I can't, because I need static IPs for LAN shares, and with Windows it's impossible to obtain the DNS server address automatically when a static IP is used. (FYI, the modem's default DNS servers are 151.99.125.1 and 151.99.0.100.)
-
I've removed trafficmanager.net from the blacklist and still have 4.4.8.8 / 8.8.8.8 connection attempts.
Now I'm logging only blocked programs (freeware tools with automated connections) and untrusted IP ranges, so ESET components should not appear in the list.
-
Update: in web access protection I've found a blocked address, *.trafficmanager.net, which includes "edfpcs.trafficmanager.net". Was it this rule that caused the DNS queries?
-
Here it comes; it's a new PC, so not all firewall rules are optimized (the previous admin user became corrupted because of the latest W10 bug).
The queries are made every 60 minutes, even when the PC is in use.
-
I can confirm that Windows Security is managed by ESET (all green). The "DNS Client Events - Operational" Windows log needs to be enabled in order to register DNS queries and responses. I forgot to specify that on my PCs only the monitor is put into sleep mode; all the other devices must remain active because of my professional CAD-CAM SW needs (HASP).
The lookup of "4.4.8.8" points to nothing; if it's not hard-coded in the OS or in EIS, what else could it be?
The other SW running from startup: nvcontainer (Quadro, nvtelemetry), Logitech GS, 3DConnexion broker, MSI Afterburner.
-
@Marcos: I've created allow rules for all documented ESET (proprietary + MS Azure) IP ranges and block rules for all Google IP ranges and websites; ekrn.exe is only monitored (log information).
If ekrn is performing DNS poisoning detection or other things, why isn't it using the OS DNS settings? (Quad9 or OpenDNS)
-
I have two workstations protected by EIS, one with W7 and the other with W10. In the last month I've noticed strange DNS queries in the network logs; here is an example:
<RECORD>
<COLUMN NAME="Time">04/09/2019 11:55:10</COLUMN>
<COLUMN NAME="Event">Communication denied by rule</COLUMN>
<COLUMN NAME="Action">Blocked</COLUMN>
<COLUMN NAME="Source">192.168.1.193:57600</COLUMN>
<COLUMN NAME="Target">8.8.8.8:53</COLUMN>
<COLUMN NAME="Protocol">UDP</COLUMN>
<COLUMN NAME="Rule/worm name">Google dns</COLUMN>
<COLUMN NAME="Application">C:\Program Files\ESET\ESET Security\ekrn.exe</COLUMN>
<COLUMN NAME="User">NT AUTHORITY\SYSTEM</COLUMN>
</RECORD>
<RECORD>
<COLUMN NAME="Time">04/09/2019 11:55:16</COLUMN>
<COLUMN NAME="Event">Communication denied by rule</COLUMN>
<COLUMN NAME="Action">Blocked</COLUMN>
<COLUMN NAME="Source">192.168.1.193:57601</COLUMN>
<COLUMN NAME="Target">4.4.8.8:53</COLUMN>
<COLUMN NAME="Protocol">UDP</COLUMN>
<COLUMN NAME="Rule/worm name">Google dns</COLUMN>
<COLUMN NAME="Application">C:\Program Files\ESET\ESET Security\ekrn.exe</COLUMN>
<COLUMN NAME="User">NT AUTHORITY\SYSTEM</COLUMN>
</RECORD>
These queries are not made by the OS services (SSL/TLS filtered); if you look at the time of detection in the DNS log, they aren't present:
I'm not using Google DNS, nor DoH in Firefox; TCP/IPv4 is set to use Quad9.
This happens every time the PCs are in sleep mode. Could it be some kind of undetected/unquarantined infection, like Nymaim? https://www.welivesecurity.com/2013/10/23/nymaim-browsing-for-trouble/
Best regards.
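The check the post above is doing by hand (is anything on this host talking to a resolver other than the configured one, and how regularly?) can be run over the firewall-log export itself. The following is an added example, not the poster's data or ESET tooling: it parses the <RECORD>/<COLUMN NAME=...> layout quoted in the post, keeps only port-53 records whose target is not one of the configured resolvers (Quad9 and the modem defaults mentioned in the thread), and reports the gaps between hits per application and resolver, which makes a fixed-interval pattern such as the hourly one described later in the thread stand out. The sample export is constructed (only the column layout follows the quoted log), the <EXPORT> root element is an assumption, and the timestamp is read as day/month/year.

```python
"""Find DNS traffic to resolvers the host is not configured to use, from an ESET
firewall-log export in the <RECORD>/<COLUMN NAME=...> layout quoted above.

Added example, not the poster's data or ESET tooling. The sample export is constructed
(only the column layout follows the quoted log), the <EXPORT> root element is an
assumption, and the timestamp is read as day/month/year."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime

# Resolvers the thread says the hosts should be using: Quad9 (both addresses) and
# the modem defaults quoted in the thread. Anything else on port 53 is suspect.
EXPECTED_RESOLVERS = {"9.9.9.9", "149.112.112.112", "151.99.125.1", "151.99.0.100"}

COLUMNS = ("Time", "Event", "Action", "Source", "Target", "Protocol",
           "Rule/worm name", "Application", "User")
EKRN = r"C:\Program Files\ESET\ESET Security\ekrn.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
LAN_HOST = "192.168.1.193"


def make_record(time, src_port, target, rule, app):
    """Emit one constructed <RECORD>; Event/Action/User fixed as in the quoted log."""
    values = (time, "Communication denied by rule", "Blocked", f"{LAN_HOST}:{src_port}",
              target, "UDP", rule, app, r"NT AUTHORITY\SYSTEM")
    cols = "\n".join(f'<COLUMN NAME="{n}">{v}</COLUMN>' for n, v in zip(COLUMNS, values))
    return f"<RECORD>\n{cols}\n</RECORD>"


# Constructed sample: hourly ekrn queries to 8.8.8.8, one to 4.4.8.8, a port-53 record
# to an expected resolver and a non-DNS record, to show what gets filtered out.
SAMPLE_EXPORT = "<EXPORT>\n" + "\n".join([
    make_record("04/09/2019 09:55:10", 57590, "8.8.8.8:53", "Google dns", EKRN),
    make_record("04/09/2019 10:55:10", 57595, "8.8.8.8:53", "Google dns", EKRN),
    make_record("04/09/2019 11:55:10", 57600, "8.8.8.8:53", "Google dns", EKRN),
    make_record("04/09/2019 11:55:16", 57601, "4.4.8.8:53", "Google dns", EKRN),
    make_record("04/09/2019 11:57:02", 57610, "9.9.9.9:53", "log only", SVCHOST),
    make_record("04/09/2019 12:00:00", 57620, "203.0.113.10:443", "untrusted range", SVCHOST),
]) + "\n</EXPORT>"


def parse_records(xml_text):
    """Return one dict per <RECORD>, keyed by the COLUMN NAME attribute."""
    root = ET.fromstring(xml_text)
    return [{c.get("NAME"): (c.text or "") for c in rec.findall("COLUMN")}
            for rec in root.iter("RECORD")]


def split_endpoint(endpoint):
    """'ip:port' -> (ip, port); rpartition keeps any ':' inside the address intact."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def unexpected_dns(records, expected=EXPECTED_RESOLVERS):
    """Keep only port-53 records whose target is not one of the configured resolvers."""
    hits = []
    for r in records:
        ip, port = split_endpoint(r["Target"])
        if port == 53 and ip not in expected:
            hits.append(r)
    return hits


def interval_summary(hits):
    """Per (application, resolver): number of hits and the gaps between them in minutes."""
    times = defaultdict(list)
    for r in hits:
        ip, _ = split_endpoint(r["Target"])
        times[(r["Application"], ip)].append(
            datetime.strptime(r["Time"], "%d/%m/%Y %H:%M:%S"))  # day-first is an assumption
    summary = {}
    for key, ts in times.items():
        ts.sort()
        gaps = [round((b - a).total_seconds() / 60) for a, b in zip(ts, ts[1:])]
        summary[key] = {"count": len(ts), "gaps_min": gaps}
    return summary


if __name__ == "__main__":
    hits = unexpected_dns(parse_records(SAMPLE_EXPORT))
    for (app, ip), info in interval_summary(hits).items():
        print(f"{app} -> {ip}: {info['count']} hits, gaps (min) {info['gaps_min']}")
```

On the constructed sample the 9.9.9.9 and port-443 records drop out, and the ekrn.exe -> 8.8.8.8 hits show gaps of 60 minutes; a real export from the Network protection log would be fed to parse_records in place of SAMPLE_EXPORT, and the expected set adjusted to whatever the TCP/IPv4 properties actually list.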
-
Login at live.com is now ok, thank you for the support.
Best regards.
Enrico
-
This morning EIS anti-phishing blacklist denied access to mail.live.com, is it a false positive?
Best regards.
Enrico
-
I see the same event with Win 7 Pro (without the 2018 security updates, since it's a CAD-CAM workstation and I need performance).
Best regards.
"Pause Antivirus and antispyware protection" info
in ESET Internet Security & ESET Smart Security Premium
Smart optimization is enabled on both the W7 and W10 machines, no ThreatSense options have been modified, and the folders containing the related executables and files are set in "performance exclusions".
But this does not explain why, with protection paused, I have to add an exception in real-time scanning, and why under W10 1909 (Ryzen 7 3800X, 32GB, NVMe) real-time scanning causes program startup to become three times slower than on W7 (i7-6700, 16GB, RAID 0 7.2k RPM).