JxMcGeary

Checked in on our unmanaged computer list today on the ESET Protect console page. Several devices there are things that can't really be added- the network interface for a UPS, for example- but one or two of the entries are computers.... and we no longer have them. One of them is the machine name for a server that currently exists as a managed server. It appears on our list of unmanaged machines as PRODSERVER01, but our list of managed machines has PRODSERVER01.DOMAIN.LOCAL as the FQDN. There is no IP address, no MAC address, no other information of any kind on the unmanaged machine in the ESET interface. There is also no option to remove this machine from ESET's database in any way. How do we convince ESET PROTECT that it is no longer there? I have already run the built-in 'reset the rogue computers' task.

Thank you.

Nah, this was purely accidental. I was going back and forth between two screens and changing a couple of dropdown options and it resulted in me clicking things I didn't intend to click. It's happened in other apps with tickyboxes, too. Thank you for sending them off for analysis. I look forward to the results.

I don't recall clicking that option but I was having some trouble with my connection at the time (I'm working remotely) and may have checked it by mistake in the course of trying to get my options right. My apologies.

I ordered a scan of user computers this morning. This turned up: Malicious file JS/Exploit.JavaDepKit.A was detected on computer (redacted) Threat type: Trojan Threat name: JS/Exploit.JavaDepKit.A Computer name: (redacted) Logged user: Administrator initiated scan Time of occurrence: 1/21/22, 1:31:01 PM UTC Scanner: On‑demand scanner Action performed: Deleted When I looked it up at https://www.virusradar.com/en/JS_Exploit.JavaDepKit/detail I saw 'detection created 2010, world activity peak 2011, variant dates to 2010'. The file that the scan found was a temp file and was summarily deleted rather than quarantined. I can't find anything that indicates where it came from or what process or site created it. This is the second time this user has had this detection come up. The previous time was on January 12th and the detected file was much smaller- 148234 bytes as opposed to 1561050 today. Both times, ESET deleted it rather than quarantining it. Both times, ESET informed me that it had never been seen by LiveGrid. Is this an actual detection or is the current ESET definition set treating an old piece of code in a temp file as a threat? And is it possible to restore a deletion so that it can be uploaded to ESET for analysis, without causing the protection modules to automatically re-delete the file? User is on a Windows 10 box. ESET Endpoint Security 9.0.2032.6, ESET Management Agent 9.0.1141.0, Detection Engine 24658 (20220121), ESET Dynamic Threat Defense for Endpoint Security enabled.

Okay, that's fine, but why did my SQL server suddenly get recognized as a new machine out of the blue?

Last night around 8 PM I got an email from our ESET Protect installation (Server, Version 9.0 (9.0.1141.0), Web Console, Version 9.0 (9.0.138.0)) informing me that a new computer had connected for the first time. The computer in question was a production SQL server, Windows 2012 R2, running ESET Server Security 8.0.12010.0 and ESET management agent 9.0.1141.0. It has a static IP address and it hadn't rebooted or installed a Windows update; it was just running normal processes for that time of night. When I checked its event log there didn't seem to be anything unusual in Applications or Systems other than a notice that certain logfile writes were unusually slow, and a notification that the ESET agent service had stopped and then started. My web console now shows this machine twice, with one of them not having connected since last night. What happened, and why? And is it safe to remove one of the two versions of the server from the console? Tomorrow is our maintenance window for Windows updates and I'll be updating and rebooting the box in question then; should I wait until it comes back up before touching the ESET settings?

My company uses ESET Protect on-prem and recently got into a state where we had more machines activated than our license allows. I've deactivated the offending machines and removed them from ESET centrally, and our dashboard shows a total of 60 ESET machines, but when I go to License Management within our central console I still show 63/60 activations on the license and can't get the count to go down or synchronize properly. How do I fix this before we renew our license?

Okay, I was able to pause the protection and zip up the file, but before I submitted it I checked it out. It appears that ESET believes the one URL in the file points to a phishing site. The url in question points to https://www.mizuhoamericas.com , which is an investment banking site. Given that my company does legitimate business with Mizuho Americas, we believe this URL classification is a false positive. I'll submit the zipped file shortly.

I checked. Livegrid feedback's enabled. The instant I try to restore the file so I can upload it anywhere, ESET detects it again and deletes it again. I have had this happen both when restoring it on the machine itself and when restoring it from the security center. 'Upload' is apparently an option if I check the file in the security center rather than on the machine, but that asks for a Windows or SMB share to upload the file to, rather than giving me the option of uploading it to ESET.

Can't. Submit for analysis is grayed out. ESET appears to insist on deleting it even though it says it's in quarantine.

We got a scan result of phishing.a.gen on a PDF on one of our users' hard drives this morning. The file appears to have been legitimate, but I'd like to upload it for analysis since I know that pdf/phishing.a.gen can be triggered as a detection any time a PDF contains links to what ESET considered phishing domains. I can see the file in quarantine in the ESET Security Management Center. How do I upload it for proper analysis, or other examination for possible false positives in the event that a domain in the PDF's links is falsely marked 'phishing'?

Thank you.

Thank you, Marcos. Does that mean the file was adware, or just that the definition was an incorrect marking? I need to pass the information to my boss.

Merganser users this morning (we're on ESET Endpoint Security 7.2.2055.0) got pop-ups from their scanners saying that JS/Kryptik-BPH had been blocked from accessing their machines. I ordered a full scan with cleaning on all user computers and similar scans on our servers. We've had multiple users' scans complete with JS/Kryptik-BPH detections in the caches of Chrome, Edge, and the Bloomberg WebView In-Terminal Browser, but when I check these detections in the ESET Security management Center report, it shows 'scan time of completion' as a date significantly in the past- some users in January, some as far back as October. We had a module update this morning at 8:13; did something change? Here's an example detection detail report: File Hash 32A785BD991C229371E76CFA904A0800FBD32E13 Name JS/Kryptik.BPH Uniform Resource Identifier (URI) file:///C:/Documents and Settings/USER NAME REMOVED/AppData/Local/Google/Chrome/User Data/Default/Cache/f_0024a8 Process name C:\Program Files\ESET\RemoteAdministrator\Agent\ERAAgent.exe Scan Scanner On-demand scanner Detection engine version 21132 (20200408) Current engine version 21132 (20200408) Scan targets Operating memory;C:\Boot sectors/UEFI;D:\Boot sectors/UEFI;C:\;D:\ Number of scanned items 1273902 Infected 0 Cleaned 0 Time of completion 2019 Oct 13 04:23:16 Action cleaned by deleting Action error