
tzuzut

Everything posted by tzuzut

  1. I can see that the root cert in the browser is ESET, so I assume it's working. I thought I recalled years earlier that when enabling this feature, one could view the log and watch the list of HTTPS connections and files being scanned... or is this only active during a detection? I am seeing "allowed" status whitelisted domains showing up under 'filtered websites', and that's about it when it comes to internet activity.
  2. I was already on the pre-release update channel. I just manually updated and it pulled a couple, but the problem persists.
  3. That is a workaround I can confirm works, but what of those who wish to use global keys?
  4. Update: It will also play if a video is loaded and not just paused, but also if it is stopped, or if no video is loaded currently but was previously played... so as to automatically open and play the last opened video when clicking on the ESET GUI from the taskbar or from the start menu.
  5. If a video is opened in MPC-BE x64, and it is paused, opening the ESET GUI will un-pause the video.
  6. I get the following error in Event Viewer, with both the Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList notepad.exe and wmic process call create "notepad.exe" commands. They only open Notepad one time on a clean boot, then the error persists on each consecutive execution from then on. Initially, when it works, it appears to load the legacy Notepad, with an option to open the 'updated' version. 0x80070005: Cannot create the process for package Microsoft.WindowsNotepad_11.2306.15.0_x64__8wekyb3d8bbwe because an error was encountered while adjusting the token. [GetPackageToken]
  7. So, oddly, I am getting inconsistent results with Windows. I've disabled exploit protections for wmic and restarted the service, and though it claims the Notepad launch was successful, it does not appear, not even temporarily, according to Task Manager. At times it does; perhaps on a fresh boot of Windows. I had strange issues like this before... and other issues, where exploit protection child process blocking for wmic would work on one Windows system and only partially on another. On one system it worked for wmic.exe only, but not the PowerShell command. On the other system, it blocked both. I tried disabling the following attack surface reduction rule as well, but the same issue (if it is one) persists. I'm not sure if attack surface reduction rules actually work when using a third-party AV. https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide
  8. I'll have to disable ACG and then test your suggestions; this requires a restart, so I'll post my results as I find the time.
  9. Oh, looks like I still have exploit protections enabled, Arbitrary Code Guard (ACG), which is probably why I'm not seeing anything popping up. Process '\Device\HarddiskVolume7\Windows\System32\wbem\WMIC.exe' (PID 13756) was blocked from generating dynamic code.
  10. I wasn't able to get this effect for some reason... ESET is not blocking it.
  11. Thanks for the excellent tips! I originally created a scheduled task that monitored for wmic implants based on Event Viewer IDs, which executed a batch script (see comment) upon detection that scanned the wmic repository for consistency and stopped the service. The method I used previously was blocking child processes of wmic.exe and wmiprvse.exe via Windows Exploit Protection, in part because they can be used to easily bypass Constrained Language Mode, but it doesn't offer the granularity of a HIPS setup, and caused compatibility issues with certain applications. I had months ago created a HIPS rule for both processes in ESET, but neither worked when spawning a process from cmd or PowerShell. I don't understand why ESET can't detect this. But I guess blocking CMD and PowerShell from running wmic would go a long way. I'd prefer blocking to logging... a HIPS/whitelist approach would be most useful in my circumstance; to immediately stop it in its tracks. Attached are my scripts. wmi.zip
  12. No matter what I do with custom HIPS, ESET will not ask to block WMI from creating a child process via the following commands:
      PowerShell: Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList notepad.exe
      CMD: wmic process call create "notepad.exe"
      It had only some success; for example, when loading Adobe After Effects, HIPS asked if WMI should call up 'conhost.exe'. Why is this not working as intended via the aforementioned command lines? System Informer clearly shows that Notepad is a child process of WMI.
  13. I'd like to prevent applications or installers that automatically open a URL in a browser without asking first... are ESET products capable of creating such a filter? If not, can you point me where I can make a feature request? Thank you! T
  14. Just found out the RAM on my PC is starting to die... getting errors in memtest. So it is likely that could be the source of one or the other, or both.
  15. So a stack's memory can run out organically? Is this a bug? Could it be caused by overclocking or RAM memory corruption?
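A detection-side illustration of the situation in posts 11 and 12 above (WMI hosts such as WmiPrvSE.exe or wmic.exe spawning child processes that the HIPS never prompts on): this is an added example, not code from the thread or from ESET, and the Sysmon-style field names, the allowlist and the sample events are constructed assumptions.

```python
"""Flag process-creation events whose parent is a WMI host.

Added example: key=value event lines shaped like Sysmon Event ID 1 are
parsed and any child spawned by WmiPrvSE.exe / wmic.exe is reported,
unless it is on a small allowlist. Field names and events are constructed.
"""
import re
from pathlib import PureWindowsPath

# Parents that indicate a WMI-originated process launch.
WMI_PARENTS = {"wmiprvse.exe", "wmic.exe"}
# Children a WMI host may legitimately spawn (conhost.exe is what post 12 saw prompted).
ALLOWED_CHILDREN = {"conhost.exe"}

# Constructed sample events; not real Sysmon output.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe CommandLine="notepad.exe"',
    'EventID=1 Image=C:\\Windows\\System32\\conhost.exe ParentImage=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine="conhost.exe 0x4"',
    'EventID=1 Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\explorer.exe CommandLine="notepad.exe"',
    'EventID=3 Image=C:\\Windows\\System32\\svchost.exe ParentImage=C:\\Windows\\System32\\services.exe',
]

# key=value pairs; quoted values may contain spaces (command lines).
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Turn one key=value line into a dict, stripping quotes around values."""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}

def is_wmi_spawn(event):
    """True for a process-creation event whose parent is a WMI host and
    whose child image is not on the allowlist."""
    if event.get("EventID") != "1":
        return False
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    child = PureWindowsPath(event.get("Image", "")).name.lower()
    return parent in WMI_PARENTS and child not in ALLOWED_CHILDREN

def find_wmi_spawns(lines):
    """Return (parent image, child image, command line) for each flagged event."""
    hits = []
    for ev in map(parse_event, lines):
        if is_wmi_spawn(ev):
            hits.append((PureWindowsPath(ev["ParentImage"]).name,
                         PureWindowsPath(ev["Image"]).name,
                         ev.get("CommandLine", "")))
    return hits

if __name__ == "__main__":
    for parent, child, cmd in find_wmi_spawns(SAMPLE_EVENTS):
        print(f"WMI-spawned child: {parent} -> {child} ({cmd})")
```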