
mwhalenhtc

Members
  • Posts

    14
Everything posted by mwhalenhtc

  1. No, I don't say that it does. Rather, when the issue comes up, I can dismiss the prompt to do something with the files and then either re-scan the file itself or re-run an on-demand scan. The file will not flag again. Whether or not I've upgraded the agent makes no difference.
  2. I'll give you what I can, but I've not been able to reproduce the problem which, as I understand it, is part of the reason why ESET hasn't been able to resolve it. I'll send what I have via PM, but it's probably not enough.
  3. I think that the ticket I have with ESET has run its course. What I've learned is the following: They don't know the root cause of the problem. It's intermittent. There's no ETA on a fix. They have seen some instances in which going to 6.6.2072.4 resolves the issue, but since the problem is intermittent, it's hard to know. Thanks to everyone who responded.
  4. Yeah, I can understand that. My client base is about 300 and I don't have this issue appearing everywhere. It only seems to come up _sometimes_ after a computer restart and ESET performs its startup scan. I haven't seen it in any other instance, but I'm also only seeing it on the ProduKey item. I don't have a lot of exclusions, honestly. I also don't know what the actual problem is. Marcos above said it's about excluding a path _and_ a threat that falls within an excluded path. I haven't tested that. My tech hasn't commented on that, but has said: (I don't know what 'First Time Scan' means. If it's a scan that occurs one-time after installation, then I am sure that I've seen this issue in at least one different scan.) Also, my tech has said to me that there's no way to test whether upgrading a faulting client to 6.6.2072.4 fixes the problem. This seems ridiculous, but I'm afraid that's all I can report at the moment. Clearly, somehow, this problem crept into existing builds. The machines that have started complaining haven't been upgraded in at least two months. So, something has changed that wasn't introduced by a whole new build. ConnectWise has been advising to turn off detection of all PUPs. At first, that sounded crazy to me, but the ESET tech pointed out that PUPs that graduate to DUPs (Definitely Unwanted/Unsafe Programs) are classified in ESET accordingly. ("DUP" is my word. Don't go using that with ConnectWise or ESET. They'll think you're DUM.) So, while you'd miss RealPlayer and MyWebSmileyFaces, you will hear about them if they become actual threats, security or otherwise. I don't know how your ERA is set up, but I have every client segregated into groups. I can, for instance, create a policy that modifies the base and turns off PUP detection for one client but leaves it on for another. Maybe you can do that if this issue is affecting only PUP detection. I definitely advise talking to ConnectWise about the new solution regarding ProduKey.
     They had me install it a couple of weeks back. Although the tech assured me that installing the new solution would remove ProduKey from anywhere it's been deployed, that has not occurred. (I was skeptical of that claim anyway.) If ProduKey is getting detected when you excluded it, you could create a script in Control to remove the program from each of your deployed Agents. At least, that'd cut down on some of the noise. I'm sympathetic to your problem and wish I could relay better information.
  5. Either that or I misunderstood. I am getting clarification. Thanks.
  6. Marcos, That is _not_ what I've heard from another agent at ESET. He tells me that 6.6.2072.4 will fix the problem. Are you saying that's not accurate?
  7. I have been speaking with my favorite tech at ESET. He says to update the endpoints to 6.6.2072.4. I am doing that now. Is that what you're running?
  8. That's disappointing, but knowing that and having a live phone call means I'll lean hard to get this resolved. I am especially intrigued by Marcos's note:
  9. I'm hopeful to have a better answer soon. ESET has given me one of the best experiences I've ever had with tech support. Unfortunately, I only have experience with one person who was on the ConnectWise/ESET migration team. I hung on to that ticket for dear life because the tech was so good. I don't know what I'm going to get this time.
  10. Well, that's how I have it set up and it's not working. Fortunately, I've got a ticket open with ESET and I have a call scheduled with them tomorrow. I'll update here when I have an answer. :-)
  11. Thanks, nasaeed. Good to know I am not the only one at any rate! :-) ConnectWise support told me that the ProduKey scanning method for keys is deprecated and had me install their update for product key scanning via the LabTech Solution Center. It can't hurt to do that. You have to run the solution center on the LabTech server directly. (We are hosting LT "on-prem." The method may be different for hosted LT.) I haven't been crushed with client calls (yet) and I have at least one workstation in which I can run a log collector without much fuss.
  12. Hi Marcos, Thanks so much for your response. I seem to have a lot of users who click buttons. :-) I can't find that particular line since the detection threats log is currently clear. The item I can find is below.

      C:\Windows\LTSVC\scripts\ProduKey.exe - a variant of Win64/PSWTool.ProductKey.A potentially unsafe application - action selection postponed until scan completion

      Does that help? Or do you need something else? I ran the log collector on the Detected Threats with a 30-day window. Would that contain information you'd need? Most agents are running 6.6.2052.0.
  13. Hello, Full disclosure: We have ConnectWise and buy our licenses through them. However, ConnectWise takes... what? ... a week to get back to people for technical support issues. I am posting here in the hopes that it won't be slower. ;-) Just recently, ESET agents started flagging Win64/PSWTool.ProductKey.A as an Unsafe Application. This tool is one that our remote management system uses and I'm aware of what it does. I've also put in the 32-bit variety as an exclusion and that's been there for some time. I've not had any trouble with it. However, I can't seem to exclude the one for some reason. What's more, I already have excluded the directory that the executable lives in, so I am unsure why two exceptions are failing. I have a base agent policy. In there, I've defined Exclusions with the drop down for the Exclusions section listed as "Replace."

      The 32-bit variety exclusion is defined like so: Exclude for this computer has a three check. Exclude all threats does not have a check. Threat name is defined as:

      @NAME=Win32/PSWTool.ProductKey.D@TYPE=ApplicUnsaf

      The 64-bit variety is defined like so: Exclude for this computer has a three check. Exclude all threats does not have a check. Threat name is defined as:

      @NAME=Win64/PSWTool.ProductKey.A@TYPE=ApplicUnsaf

      I have checked agents and see that the exclusion definitions have made it to the agents themselves, but they're still flagging @NAME=Win64/PSWTool.ProductKey.A@TYPE=ApplicUnsaf. I've attached screenshots in the hopes that will help.