Everything posted by Nightowl

  1. Attacks shouldn't reach ESET as they were stopped by the Firewall in the first place; how could they reach it if the Firewall blocked them in the first place? Something is weird or I just don't understand it. If ESET is still showing things in the Network Troubleshooting area and the Blocked IP Addresses List area, then the Windows Firewall is not blocking properly. When the Windows Firewall is blocking properly, ESET shouldn't see anything, because it's already stopped by the Firewall before ESET can even see it.
  2. Just to note, Checkpoint uses the Kaspersky engine, hence why they both detect it.
  3. This is the more active topic about it, but I believe you have already been there:
  4. Check if you can make connections to these ports and IPs; see if your firewall is blocking connections to these.
  5. Most router brands will have a sticker on them that will tell you the user/pass and login link. In CMD/Command Prompt, as ITMAN said, type ipconfig /all; you should see a part that says Default Gateway.
  6. If you feel that your router has been compromised it's better to reset it and change the Wireless password, and if there is a firmware update, update it to the latest version.

     As for the unknown devices, one seems to be a Windows computer that is trying to communicate with your PC and the other I can't know because the title is blurred. Normally Windows systems communicate with each other, like for Update sharing from PC to PC. Port 137 looks to be used by NETBIOS. I wonder if the other PC is infected and is trying to spread again through Port 137 and Port 445, to infect you again with some ransomware, as you've said.

     For MalwareBytes, if it's running in real time it's better to disable the real-time scanning as it would conflict with ESET real-time scanning; they would fight each other to claim files, then they will start bringing up false positives and then protection would be useless from both, as neither can do what it is designed to do.

     ----

     As for the Ransomware, you should have gotten it from some place, whether it was downloaded from the internet or the PC was exploited through another PC from the LAN. It's better to clean off unknown devices from the network by securing your router again; then you will be sure only your devices remain in the LAN, and then you can start working to isolate and fix the troubled computer.
  7. If I am not mistaken, the v4 version will be replaced by a version that is based on ESET Endpoint Linux 8.
  8. You can upload your version to VirusTotal for more checking by AV engines to be more sure. It seems that this WaasMedic is related to Windows Update.
  9. 1 year ago I had a similar attack on a Windows Server that was being constantly attacked on Port 445. Once that port was closed in Windows Firewall, ESET stopped showing any signs of attacks. If I enabled the port again in the Firewall, ESET would start showing attacks again, as the scripts didn't stop; they just attack all the time.
  10. I doubt so; once Windows Firewall is blocking properly, ESET should not be able to receive these attacks, because they were stopped in the first place by the Firewall.
  11. @kamiran.asia, check in your Firewall rules if you have this enabled: File and Printer Sharing (SMB-In) - TCP 445. Deny this rule or filter it by IP. And does this server have HTTP opened? They also try to come by HTTPS. About HTTP/HTTPS, if it's a server that serves websites, then you cannot filter them, unfortunately, if I am not mistaken. If Windows Firewall is properly configured then ESET should stop showing you alerts about attacks, because the Firewall would render them useless (ports blocked).
  12. Mostly Cloud Servers/services will start to get attacked from the first moment they are deployed online; it doesn't matter which company you rent them from, it seems that lots of hackers have scripts on their IPs ready all the time. I would still try to get something from OVH for a Firewall plus the Windows Firewall solution; it's not safe at all to stay under attack. Even if ESET usage is very low under these attacks, the server is still constantly being attacked and one day they might be able to exploit or penetrate the server, then it will go bad. I read that you can enable this: https://docs.ovh.com/gb/en/dedicated/firewall-network/
  13. Glad to hear it's working; it seems that they supported newer kernels somehow.
  14. That's how VPS are offered; they normally won't give you Firewall protection, or will give you a simple IPTABLES to configure. To have more control and a better firewall, you will need to have a separate machine that would be a firewall, whether it's an open source one or something like a Sophos firewall or Fortinet firewall.

      EDIT: I misunderstood your post; you are right about disconnecting the server once there is an attack, but maybe that could make him lose connection to it? But connectivity to work places, yes, should be cut (isolate the server).
  15. Maybe OVH can provide some kind of a firewall to eliminate those attacks, or by applying another firewall as a virtual machine, for example Fortinet or Sophos etc...
  16. Version 8.1.3.0
      Added: ESET Dynamic Threat Defense support
      Added: SecureBoot support
      Added: Process Exclusions
      Added: Ability to check for update in GUI
      Added: Ability to copy support-related information from GUI
      Improved: Warning when product is being activated with an overused license
      Fixed: Update doesn't work from a mirror created by ESET Mirror Tool
      Fixed: Device control could block the keyboard and mouse required to log into the system
      Other bug fixes and minor optimizations

      A new version was released but there is no mention of supporting new kernels, so I doubt your issues are fixed, sadly.
  17. Could be your Windows Firewall is misconfigured and not blocking properly; could be there is malware inside the server that is making way for the communication for all these attacks. Try to see TCPView: https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview
      As per the photo you are blocking only TCP 445.
  18. Set your Windows Firewall to log dropped attempts and see what is being dropped; since you denied all INCOMING it must be logged there.
  19. You don't have a port when you click Details in Network Protection Troubleshoot?
  20. So the next second best tactic would be having different languages like Eastern European languages and Arabic so the ransomware can evade me because it was built so? Or I must use Protected Folders that Microsoft introduced, but actually nobody knows that it exists, or the normal user won't even know how to use it.
  21. Add uBlock Origin to your Firefox/Chrome on your phone.
  22. Having an SSD or HDD can make a difference to the system's speed, the same as dust buildup inside the computer etc.; there are many reasons that could slow down the bootup process, the same as Windows 10 isn't that friendly with old computers, if you have an old one.
  23. Rufus is trying to download 2 files missing for Linux, which is sysrescue built on Linux, so it can work as a liveboot if I am not mistaken. It's normal.
  24. Enable the detection of potentially unwanted and unsafe applications (2 options; can be balanced or aggressive) and then from ThreatSense Parameters the Cleaning level should be set as Always remedy detection, so it will always pick and remove without asking anything.