mma64 (Members): Posts 67, Days Won 2

Everything posted by mma64

  1. oops, too late (2 answers before I sent mine). Read on nonetheless if you have the 108 MB ".rar" still... a definite no. Well done. If you have a Dropbox account, you could proceed as described here, https://forum.eset.com/topic/7274-eset-ss9-huge-memory-leak-with-outlook-2016/#entry40499, or, untested, so take the necessary precautions, you could upload it here, https://labstack.com/up, when uploaded proceed as mentioned above already. Whether using Dropbox, LabStack or any other 3rd party service think about privacy, ie. a memory dump, especially a complete memory dump, shouldn't go unsecured over the internet (no 'https') to ESET. (Ie. you should encrypt the compressed file locally on your PC and upload this. And PM the password too of course.) The primary question on the other hand is if you effectively have a memory leak. It could be a memory leak with higher probability, if and only if the memory size of ekrn.exe goes up and never (significantly) down. On my Win7 PC, ESS V9.0.349.0, memory size is between 180 - 437 MB. Thus 606 MB seems to be a little bit high, but ... Conclusion: check the memory size of ekrn.exe immediately after starting your PC / laptop, after every AV update, every half hour, and before shutting your PC / laptop down. And try to correlate with what you have done.
  2. @SlashRose: don't despair. I'm fully dedicated to this nasty bug and will not give up until ESET approves and corrects it! (*) Video proof of a HIPS duplicates bug could be captured by me and will go online soon ('dllhost.exe', "file save as")... If you don't mind privacy issues it should be enough to export your ESS V9 configuration (see screenshot) and make a PM of this file to Marcos, preferably zipped, ie. (Win7) select the 'ESS-V9-Einstellungen.xml', right click, "send to" ("senden an"), "zip-compressed folder" ("ZIP-komprimierter Ordner"), a 'ESS-V9-Einstellungen.zip' will be created. (*= there was already one case where a lot of people complained about a seemingly "impossible" crystal clear bug until I chimed in and presented a ridiculously simple procedure to reproduce that bug, read on here, https://forum.eset.com/topic/2124-firewall-interactive-mode-not-working-properly/#entry13141...) This time it's not that easy, as it seemed first, but the bug producing patterns are visible for everybody who reads my HIPS descriptions carefully. Here are a few other HIPS duplicates rules:
     "User rule: allow conhost.exe (modify state of app, term. / susp. app, lpremove.exe, OUT OF NOWHERE, FREAKY Doublette!!!, 16.02.2015 presumably ~21.25)"
     "User rule: allow consent.exe (modify state of app, svchost.exe, UAC of PCAP re-ON, 40 min after last PCAP OFF (and a bunch of stone old HIPS rule TXT chgs + 1 stone old fw rule TXT chg), FREAKY Doublette!!!, 17.02.2016 04.05)"
     "User rule: allow svchost.exe (modify state of app, term. / susp. app, ashsnap.exe, ~6 min after last PCAP OFF (in total ~214 MINUTES (!!!) after last PCAP re-ON and NO PC activity), FREAKY Doublette!!!, 18.02.2016 ~03.32)"
     "User rule: allow SysWOW64 dllhost.exe (registry EnableLinkedConnections, file props, after HIPS duplicates rule TXT chg, (and still in 'PCAP OFF mode'), [this duplicate rule only /w delay of ~4 minutes (!!!) in HIPS edit view visible, 1ST TIME EVER!!!, 1655 rules now], THE NEXT FREAKY Doublette!!!, 18.02.2016 ~04.02)"
     "User rule: allow consent.exe (modify state of app, svchost.exe, UAC of PCAP re-ON, 54 min after last PCAP OFF (and a 2nd HIPS duplicates TXT chg), [no delay, this duplicate rule instantly visible, as USUAL, in the HIPS storage space], THE ***3RD*** FREAKY Doublette in a row!!!, 18.02.2016 04.20)"
     "User rule: allow explorer.exe (start new app, 7zFM.exe, after a day /w 2 + 1 fw popups + 2x 'prg chgd' HIPS popups (ok) + a whole bunch of fw rules TXT chgs), doch keine Doublette???, but WHY JUST NOW, OVER 4 MONTHS (!!!) after installing ESS V9?!!, 19.02.2016 00.14)"
     "User rule: allow svchost.exe (term./susp., modify state of app, IrfanView, <=~40 seconds after PCAP OFF (after, in total, ~187 MINUTES /w NO PC activity), wohl FREAKY Doublette!?! (there's one stone old rule /w 'modify state of app, IrfanView' for sure), 19.02.2016 ~03.50)"
     ---> Thus now I increasingly have HIPS (duplicates too) popups that take 3 - 4 minutes (!!!) until they get visible in the HIPS edit view (~4 cases), "partly" duplicates (HIPS popups /w single operation for HIPS events that are already stored otherwise, as multi-operations HIPS rules, see the IrfanView case), and new rules for HIPS events that for sure should have been triggered way earlier but had not (see the 7zFM case)... (And I even have to report the most epic and highly dramatic HIPS bug of ESS V9 yet!)
  3. You shouldn't do this! Instead try it with a new HIPS rule, manually entered, see the screenshots (#4: you select 'winlogon.exe', of course). This way the 'winlogon.exe' crash (?) should go away. (In Win7 my HIPS log is full of the same entries as you have, but there's no crashing because of that. And there's no HIPS rule for 'winlogon.exe'. On the other hand I never log out and choose another user login: starting PC, restricted user login, PC shutdown, that's all...) The pictured new HIPS rule should be 100% safe anyway, and don't forget to reenable ESET Self Defense! (But I doubt that indeed ESET V9 in combination with Win10 has to be blamed for the described crash.) Try it and report back. Thanks. HTH
  4. - this is an easy one to reproduce, within 5 minutes (see the screenshots for proof) (ESS V9.up-to-V9.0.349.0, for sure in Win7 Pro 64-Bit):
     0. enable HIPS interactive mode
     1. run a 'cmd.exe' ("DOS"-box, in German "Eingabeaufforderung")
     2. (You can do this with any program, but it has to be one without an existing HIPS rule for 'write to file, Rescache'!) type 'fc /b this.txt that.txt<ENTER>', store the two HIPS popups regarding 'svchost.exe' and 'conhost.exe' (I think these two popups will appear).
     3. press UP arrow, to fetch previous command line, ie. the 'fc /b this that', and <ENTER>
     4. repeat 3. (20 - 48 times) until a new HIPS popup appears, 'fc.exe, write to file, Rescache' -> screenshot #1
     5. carefully look at screenshot #2 (radio button, 2 checkboxes, select 'C:\Windows\Rescache\*' in ListBox)
     6. everything ok (screenshot #3)? Then click ALLOW button. New HIPS rule is stored.
     7. check the newly created HIPS rule in the HIPS rule "storage space", ie. where all HIPS rules are -> screenshot #4, your selection disappeared!!!
     This may or may not be the case for all HIPS rule ListBox selection cases, be it "write to file", "delete file", "modify registry" etc pp.
     Plus, not bugs, but significant time consuming usability annoyances:
     - be it HIPS popup, be it firewall popup, the checkbox "log this incident" must be visible in the popup!!! (In case of the firewall popup it's a regression, ie. in previous versions it was there, not in ESS V9!)
     - be it HIPS popup, be it firewall popup, the description field must be visible.
     - HIPS popup: as in the firewall popup the full file path has to be visible.
     It's incredible how much user time is wasted without these three usability musts!!! Thanks.
  5. @Marcos: isn't there a missing "- import the previously exported settings" in between the two steps quoted?! As soon as I have screen recorded a HIPS duplicate popup I will uninstall and reinstall ESS V9. But I doubt that this will make any difference. @all: "[are a "lot" / lot of firewall and / or HIPS rules] a precondition for issue replication?" I'm not sure, but I think the more the higher the probability of HIPS duplicate popups, and the faster you will get these nasty popups... Thus...: it would be nice if some ESS V9 users could post their amount of firewall and HIPS rules. You don't have to count them, ESS V9 displays them. Approximate numbers are ok, ie. "1100" instead of the precise 1086. (I'm eagerly awaiting the numbers from SlashRose for example.)
     - After having installed Screen Recorder, a video capture tool, I tried to trigger a HIPS duplicate popup, 45 minutes long, without any success... Then I paused for 18 minutes, visited the ESET Forum, wanted to save a file (-> 'SysWOW64 dllhost.exe, registry EnableLinkedConnections') - and guess what, another freaky HIPS duplicate popup! Unfortunately without screen recording ON... (See screenshot #0.)
     - and the weirdness goes on, this time in the HIPS log, see screenshots #1 - #4:
     #1 (there's exactly ONE "modify state of app, vlc.exe" HIPS rule, this is fully ok)
     #2 (after a UAC ('consent.exe') for PCAP, and somewhat later, I looked into the HIPS log, only to see this strange log entry! Strange because 'svchost -> dllhost' might be correct, but the rule description is wrong for sure...)
     #3 (this is the corresponding HIPS rule for the one in #2, with a fully correct rule description, and with something multiple, this time multiple actions, so called "peOperations". HIPS rule is ok.)
     #4 (and this, you guessed it, the first HIPS duplicates popup of #3, though this time as single peOperations...)
  6. TL;DR: the HIPS duplicates popup bug exists for sure, but it's not as easy as "HIPS rule with multiple targets = HIPS duplicates popup of some / all of these targets". (I've never done anything special with HIPS, and never outside ESS. HIPS popup? - "read, study, allow, log it, change description".) 'SysWOW64 dllhost.exe' and 'consent.exe', producing the most duplicate popups with me contradict this "theory" clearly, after verifying these two duplicate cases: for each of them there exists one crystal clear HIPS "starting" rule, followed by a whole lotta duplicate ones, that are 100% identical, except the description (and the ID), of course!... Nonetheless: would someone proceed as described in my posting #1, testing and confirming this nasty bug?!! Anyone? (Testing: it can't get any shorter and snappier than this:
     0. check that you have as much firewall and HIPS rules as possible. (I have 1086 firewall and 1542 HIPS rules (>200 HIPS duplicates, and counting)).
     1. look that you have a HIPS rule as in ID=4FA (see below).
     2. set HIPS to interactive mode.
     3. PCAP ON. Wait 2 minutes.
     4. PCAP OFF. Wait 5 minutes.
     5. PCAP re-ON.
     6. change a firewall description, OK, OK, OK - BANG, a nasty HIPS duplicates popup for, in my case HIPS ID=4FA! Save it.
     6. look for it, now you have two of those already...
     7. don't forget to turn PCAP OFF again.)
     Thanks.
     - the included HIPS rule, ID=16C, in posting #1 is the first "modify state of app" HIPS rule for 'svchost.exe' with (beside others) 'consent.exe' in it.
     - the following is the first HIPS rule, ID=4FA, "modify state of app" for 'consent.exe' with single target 'svchost.exe', thus definitely not a duplicate: (in all HIPS description fields I have removed "I REALLY, REALLY, ...", "Benutzerregel: " -> "Regel: ", """ -> "'", some "<" -> "<" and the like)
     <ITEM NAME="4FA">
       <NODE NAME="enabled" TYPE="number" VALUE="1" />
       <NODE NAME="name" TYPE="string" VALUE="Regel: zulassen consent.exe (modify state of app, svchost.exe, Doublette (duplicate)?!? 01/20/2016: no, the FIRST one!)" />
       <NODE NAME="priority" TYPE="number" VALUE="80" />
       <NODE NAME="action" TYPE="number" VALUE="1" />
       <NODE NAME="log" TYPE="number" VALUE="1" />
       <NODE NAME="notify" TYPE="number" VALUE="0" />
       <NODE NAME="allAppSources" TYPE="number" VALUE="0" />
       <ITEM NAME="appSources" DELETE="1">
         <NODE NAME="1" TYPE="string" VALUE="C:\Windows\System32\consent.exe" />
       </ITEM>
       <NODE NAME="hasFileTargets" TYPE="number" VALUE="0" />
       <NODE NAME="hasRegTargets" TYPE="number" VALUE="0" />
       <NODE NAME="hasPeTargets" TYPE="number" VALUE="1" />
       <ITEM NAME="fileOperations">
         <NODE NAME="File_AllOperations" TYPE="number" VALUE="0" />
         <NODE NAME="File_Delete" TYPE="number" VALUE="0" />
         <NODE NAME="File_Modify" TYPE="number" VALUE="0" />
         <NODE NAME="File_DirectDiskAccess" TYPE="number" VALUE="0" />
         <NODE NAME="Image_GlobalHook" TYPE="number" VALUE="0" />
         <NODE NAME="Image_LoadDriver" TYPE="number" VALUE="0" />
       </ITEM>
       <ITEM NAME="regOperations">
         <NODE NAME="Registry_AllOperations" TYPE="number" VALUE="0" />
         <NODE NAME="Registry_ModifyStartup" TYPE="number" VALUE="0" />
         <NODE NAME="Registry_Delete" TYPE="number" VALUE="0" />
         <NODE NAME="Registry_Rename" TYPE="number" VALUE="0" />
         <NODE NAME="Registry_Modify" TYPE="number" VALUE="0" />
       </ITEM>
       <ITEM NAME="peOperations">
         <NODE NAME="Process_AllOperations" TYPE="number" VALUE="0" />
         <NODE NAME="Application_Debug" TYPE="number" VALUE="0" />
         <NODE NAME="Application_Hook" TYPE="number" VALUE="0" />
         <NODE NAME="Application_Stop" TYPE="number" VALUE="0" />
         <NODE NAME="Application_Create" TYPE="number" VALUE="0" />
         <NODE NAME="Application_Modify" TYPE="number" VALUE="1" />
       </ITEM>
       <NODE NAME="allFileTargets" TYPE="number" VALUE="0" />
       <ITEM NAME="fileTargets" DELETE="1" />
       <NODE NAME="allRegTargets" TYPE="number" VALUE="0" />
       <ITEM NAME="regTargets" DELETE="1" />
       <NODE NAME="allPeTargets" TYPE="number" VALUE="0" />
       <ITEM NAME="peTargets" DELETE="1">
         <NODE NAME="1" TYPE="string" VALUE="C:\Windows\System32\svchost.exe" />
       </ITEM>
     </ITEM>
     - this is the first duplicate HIPS rule (ID=502) of ID=4FA:
     <ITEM NAME="502">
       <NODE NAME="enabled" TYPE="number" VALUE="1" />
       <NODE NAME="name" TYPE="string" VALUE="Regel: zulassen consent.exe (modify state of app, svchost.exe, Doublette?!?)" />
       <NODE NAME="priority" TYPE="number" VALUE="80" />
       <NODE NAME="action" TYPE="number" VALUE="1" />
       <NODE NAME="log" TYPE="number" VALUE="1" />
       <NODE NAME="notify" TYPE="number" VALUE="0" />
       <NODE NAME="allAppSources" TYPE="number" VALUE="0" />
       <ITEM NAME="appSources" DELETE="1">
         <NODE NAME="1" TYPE="string" VALUE="C:\Windows\System32\consent.exe" />
       </ITEM>
       <NODE NAME="hasFileTargets" TYPE="number" VALUE="0" />
       <NODE NAME="hasRegTargets" TYPE="number" VALUE="0" />
       <NODE NAME="hasPeTargets" TYPE="number" VALUE="1" />
       <ITEM NAME="fileOperations">
         <NODE NAME="File_AllOperations" TYPE="number" VALUE="0" />
         <NODE NAME="File_Delete" TYPE="number" VALUE="0" />
         <NODE NAME="File_Modify" TYPE="number" VALUE="0" />
         <NODE NAME="File_DirectDiskAccess" TYPE="number" VALUE="0" />
         <NODE NAME="Image_GlobalHook" TYPE="number" VALUE="0" />
         <NODE NAME="Image_LoadDriver" TYPE="number" VALUE="0" />
       </ITEM>
       <ITEM NAME="regOperations">
         <NODE NAME="Registry_AllOperations" TYPE="number" VALUE="0" />
         <NODE NAME="Registry_ModifyStartup" TYPE="number" VALUE="0" />
         <NODE NAME="Registry_Delete" TYPE="number" VALUE="0" />
         <NODE NAME="Registry_Rename" TYPE="number" VALUE="0" />
         <NODE NAME="Registry_Modify" TYPE="number" VALUE="0" />
       </ITEM>
       <ITEM NAME="peOperations">
         <NODE NAME="Process_AllOperations" TYPE="number" VALUE="0" />
         <NODE NAME="Application_Debug" TYPE="number" VALUE="0" />
         <NODE NAME="Application_Hook" TYPE="number" VALUE="0" />
         <NODE NAME="Application_Stop" TYPE="number" VALUE="0" />
         <NODE NAME="Application_Create" TYPE="number" VALUE="0" />
         <NODE NAME="Application_Modify" TYPE="number" VALUE="1" />
       </ITEM>
       <NODE NAME="allFileTargets" TYPE="number" VALUE="0" />
       <ITEM NAME="fileTargets" DELETE="1" />
       <NODE NAME="allRegTargets" TYPE="number" VALUE="0" />
       <ITEM NAME="regTargets" DELETE="1" />
       <NODE NAME="allPeTargets" TYPE="number" VALUE="0" />
       <ITEM NAME="peTargets" DELETE="1">
         <NODE NAME="1" TYPE="string" VALUE="C:\Windows\System32\svchost.exe" />
       </ITEM>
     </ITEM>
     - then come the HIPS duplicates with IDs 507, 513 is the first with a date, "Regel: zulassen consent.exe (modify state of app, svchost.exe, Doublette?!?, 10.10.2015 ~18:35)"), then:
     514, VALUE="Regel: zulassen consent.exe (modify state of app, svchost.exe, Doublette?!?, 11.10.2015 ~01:39)"
     51A, "Regel: zulassen consent.exe (modify state of app, svchost.exe, Doublette!!!)"
     520, "Regel: zulassen consent.exe (modify state of app, svchost.exe, Doublette!!!, 17.10.2015 ~02:53))"
     522, "Regel: zulassen consent.exe (modify state of app, svchost.exe, bei 2tem FW-Popup, Doublette!, 17.10.2015 ~18:35)"
     523, "Regel: zulassen consent.exe (modify state of app, svchost.exe, switching PCAP OFF, Doublette!, 17.10.2015 ~19:02)"
     52C, "Regel: zulassen consent.exe (modify state of app, svchost.exe, Doublette!!! Quasi direkt nach ~4 FW-Popups, 20.10.2015)"
     53E, "Regel: zulassen consent.exe (modify state of app, svchost.exe, ~6 Min nach PCAP re-ON, Doublette!!!, 22.10.2015 ~00.51)"
     53F, "Regel: zulassen consent.exe (modify state of app, svchost.exe, chg file privileges, kurz nach PCAP OFF, Doublette!!!, 23.10.2015, ~01.51)"
     547, "Regel: zulassen consent.exe (modify state of app, svchost.exe, storing previous HIPS rule (ie all), Doublette!!!, 25.10.2015 ~02.12)"
     548, "Regel: zulassen consent.exe (modify state of app, svchost.exe, beim PCAP re-ON, ~30 Min nach PCAP OFF, Doublette!!!, 25.10.2015 ~17.23)"
     54A, "Regel: zulassen consent.exe (modify state of app, svchost.exe, storing previous SYSWOW64 contrl.exe duplicate, Doublette!!!, 26.10.2015, ~15.13)"
     54D, "Regel: zulassen consent.exe (modify state of app, svchost.exe, trigger it: 1. PCAP re-ON, 2. chg firewall rule / OK / OK (/OK(?)) - BANG: this FREAKY Doublette!!!, 28.10.2015 ~02.29)"
     54F, "Regel: zulassen consent.exe (modify state of app, svchost.exe, trigger it: 1. PCAP re-ON, 2. chg firewall rule / OK / OK / OK - BANG: this FREAKY Doublette!!!, 29.10.2015 ~01.46)"
     553, "Regel: zulassen consent.exe (modify state of app, svchost.exe, beim PCAP re-ON, ~15 Min nach PCAP OFF, Doublette!!!, 31.10.2015 ~18.25)"
     555, "Regel: zulassen consent.exe (modify state of app, svchost.exe, 1 FW-Popup (and stored), ~15 Min later wanted ACK 1st PCAP OFF, producing THIS FREAKY Doublette!, 01.11.2015, ~17.31)"
     55F, "Regel: zulassen consent.exe (modify state of app, svchost.exe, beim PCAP re-ON, ~22 Min nach PCAP OFF (dazwischen EnableLinkConnection-Doublette), Doublette!!!, 07.11.2015, 20.07)"
     562, "Regel: zulassen consent.exe (modify state of app, svchost.exe, storing chgd previous HIPS rule (ie 2 in all), FREAKY Doublette!!!, 09.11.2015)"
     56D, "Regel: zulassen consent.exe (modify state of app, svchost.exe, vor UAC wegen file ACL chg, ~30 Min nach PCAP OFF, FREAKY Doublette!!!, , 12.11.2015 04.02)"
     56E, "Regel: zulassen svchost.exe (modify state of app, consent.exe, ~2 Min nach PCAP re-ON nach ~78 Min PCAP OFF, FREAKY Doublette!!!, , 12.11.2015 ~17.29)"
     57B, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC des PCAP OFF, FREAKY Doublette!!!, , 20.11.2015 ~18.52)"
     581, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC des PCAP re-ON, ~12 min after PCAP OFF, FREAKY Doublette!!!, , 21.11.2015 ~20.10)"
     582, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC des PCAP OFF, ~30 Min nach PC-Start mit direkt FW-Popup, chgd, später 2x 'file save as', FREAKY Doublette!!!, (...), 22.11.2015)"
     583, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC des PCAP OFF, >4 HOURS after last PCAP re-ON, NO ESS V9 activity in-between!!!, FREAKY Doublette!!!, , 23.11.2015 ~03.28)"
     58C, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC des PCAP OFF, ~18 Min nach PC-Start mit direkt FW-Popup, chgd, FREAKY Doublette!!!, , 29.11.2015)"
     58D, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC des PCAP re-ON, ~15 Min nach PCAP OFF, FREAKY Doublette!!!, , 30.11.2015)"
     58E, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC des PCAP re-ON, ~24 Min nach PCAP OFF + 1x (DAYS old) FW rule TXT chgd, zeitgleich AV-Update trial, xDSL aber OFF, FREAKY Doublette!!!, , 01.12.2015 03.44)"
     590, "Regel: zulassen consent.exe (modify state of app, svchost.exe, (UAC for) storing chgd days old firewall rule, <4 min after PCAP OFF, FREAKY Doublette!!!, , 03.12.2015 ~03.19)"
     598, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC for storing chgd firewall rule TXT, ~23 Min nach PCAP OFF, FREAKY Doublette!!!, , 06.12.2015 04.07)"
     59A, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC des PCAP re-ON, <=6 Min nach PCAP OFF, FREAKY Doublette!!!, , 07.12.2015 03.52)"
     59C, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC des PCAP re-ON, ~18 Min nach PCAP OFF + FW-Popup + FW rule TXT chg, FREAKY Doublette!!! [THIS IS A VERY CLEAR BUG LEADING PATTERN], , 07.12.2015 23.25)"
     54A, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC des PCAP OFF, ~37 Min nach PC-Start (no EnableLinkedConn before during 3 'file save as'), FREAKY Doublette!!!, 10.12.2015)"
     5AA, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC des PCAP re-ON, ~39 Min nach PCAP OFF, FREAKY Doublette!!!, , 12.12.2015 ~03.42)"
     5AB, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC of storing chgd HIPS rule TXT, FREAKY Doublette!!!, , 12.12.2015 03.47)"
     5AD, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC of PCAP OFF, HOURS after last PCAP re-ON, FREAKY Doublette!!!, , 15.12.2015 03.43)"
     5B9, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC of an '.exe', <5 min later (!!!), FREAKY Doublette!!!, 17.12.2015)"
     5BB, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC des PCAP re-ON, ~14 min after PCAP OFF, FREAKY Doublette!!!, , 18.12.2015 04.11)"
     5BC, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC des PCAP re-ON, ~4 min after last PCAP OFF, (and a WHOLE bunch of other PCAP OFF/ON /wo these BLOODY) FREAKY Doublette!!!, , 18.12.2015 ~19.42)"
     5BD, "Regel: zulassen consent.exe (modify state of app, svchost.exe, UAC of 'show all programs'; in task manager, <=~3 min after last PCAP OFF (or re-ON), FREAKY Doublette!!!, , 19.12.2015 ~01.24)"
     (now installed ESS V9.0.349.0 over previous ESS V9.first)
     5BE, "User rule: allow consent.exe (modify state of app, svchost.exe, UAC of firewall popup, ~25 Min nach PC-Start, FREAKY Doublette EVEN WITH ESS V9.0.349.0!!!, , 20.12.2015)"
     5C3, "User rule: allow consent.exe (modify state of app, svchost.exe, UAC file ACL chg, ~7 min after last PCAP OFF, FREAKY Doublette EVEN WITH ESS V9.0.349.0!!!, , 23.12.2015 ~02.32)"
     5C8, "User rule: allow consent.exe (modify state of app, svchost.exe, UAC des PCAP re-ON, ~8 min after last PCAP OFF, (and a WHOLE bunch of other PCAP OFF/ON /wo these BLOODY) FREAKY Doublette!!!, , 26.12.2015 ~02.57)"
     5D2, "User rule: allow consent.exe (modify state of app, svchost.exe, UAC des PCAP OFF, ~30 min after last PCAP ON, FREAKY Doublette!!!, even with ESS V9.0.349.0!!!, 28.12.2015 03.31)"
     5D5, "User rule: allow consent.exe (modify state of app, svchost.exe, UAC des PCAP OFF (precisely @ or within AV-Update /w xDSL=OFF), HOURS after last PCAP re-ON, FREAKY Doublette!!!, , 29.12.2015 03.42)"
     5D6, "User rule: allow consent.exe (modify state of app, svchost.exe, UAC file ACL chg (still within AV-Update @xDSL=OFF), <=3 (!!!) min after last PCAP OFF (AND THE BLOODY SAME) FREAKY Doublette!!!, , 29.12.2015 03.45)"
     5D7, "User rule: allow consent.exe (modify state of app, svchost.exe, UAC of ONE PCAP OFF (after a whole bunch of UACs + PCAP OFF/re-ON/ON wo/ these) FREAKY Doublette!!!, , 30.12.2015 ~00.09)"
     5DA, "User rule: allow consent.exe (modify state of app, svchost.exe, UAC des PCAP re-ON, <=3 min (!!!) after last PCAP OFF, (and a WHOLE bunch of other PCAP OFF/ON /wo these BLOODY) FREAKY Doublette!!!, , 01.01.2016 04.14)"
     5DB, "User rule: allow consent.exe (modify state of app, svchost.exe, UAC of ONE PCAP OFF (last re-ON before HOURS, 1 old fw rule TXT chg ~10-20 min before this PCAP OFF) (after a whole bunch of UACs + PCAP OFF/re-ON/ON wo/ these) FREAKY Doublette!!!, , 04.01.2016 ~02.59)"
     5E0, "User rule: allow consent.exe (modify state of app, svchost.exe, UAC des PCAP re-ON, 8 min after last FREAKY Doublette, THE NEXT FREAKY Doublette!!!, , 05.01.2016 03.54)"
     5E2, "User rule: allow consent.exe (modify state of app, svchost.exe, UAC of ~5 fw rules TXT chgd, <=6 min after last PCAP re-ON, THE NEXT FREAKY Doublette!!!, , 06.01.2016 04.11)"
     5E9, "User rule: allow consent.exe (modify state of app, svchost.exe, UAC des PCAP OFF, HOURS after last PCAP re-ON, THE NEXT FREAKY Doublette!!!, , 07.01.2016 ~03.39)"
     5EB, "User rule: allow consent.exe (modify state of app, svchost.exe, UAC des PCAP re-ON, ~9 min after last PCAP OFF, THE NEXT FREAKY Doublette!!!, , 10.01.2015 04.22)"
     5F2, "User rule: allow consent.exe (modify state of app, svchost.exe, UAC des PCAP re-ON, ~59 min after last PCAP OFF, THE NEXT FREAKY Doublette!!!, , 13.01.2016 04.04)"
     5F8, "User rule: allow consent.exe (modify state of app, svchost.exe, UAC des PCAP re-ON, <=5 min (max.) after last PCAP OFF, THE NEXT FREAKY Doublette!!!, , 17.01.2016 ~17.57)"
     (time for the last four HIPS duplicates)
     5FF, "User rule: allow SysWOW64 dllhost.exe (registry EnableLinkedConnections, file props, ~10 min after last PCAP OFF, FREAKY Doublette!!!, , 18.01.2016 04.19)"
     600, "User rule: allow VistaGlance.exe (start new app, SysWOW64 control.exe, ~14-17 Min nach PC-Start mit direkt 1x FW-Popup (+ rule TXT chg), FREAKY Doublette!!! (vgl. mit 06.01.2016), 18.01.2016)"
     (these two are the last - after having written posting #1 and losing everything, because of a timeout of your Forum Software (hint, hint!), ie. I had to rewrite posting #1 - ok, effectively reformatting it "only", because I still remembered having lost all previous postings of mine to the cryptic error message this Forum Software generates ("you have no right"?!? - No, "timeout, you were disconnected" would be more precise. Still no fun at all!!!):
     603, "User rule: allow consent.exe (modify state of app, svchost.exe, UAC des PCAP re-ON, HOURS, HOURS after last PCAP OFF, THE NEXT FREAKY Doublette!!!, , 19.01.2016 ~05.4?)"
     604, "User rule: allow consent.exe (modify state of app, svchost.exe, UAC of task manager alt-b (all prgs), a FEW minutes after last FREAKY Doublette, THE NEXT SAME FREAKY Doublette!!!, , 19.01.2016 ~05.54)"
     - yes, it's a little bit weird that HIPS ID=4FA, "allow consent.exe (modify state of app, svchost.exe)" should generate this amount of crystal clear HIPS duplicates, of which I have saved all. And it seems to contradict my "theory" of "it's a multiple targets => the HIPS duplicates popup bug "thingy", only in ESS V9"...
     - oh no, SysWOW64 dllhost.exe, modify registry EnableLinkedConnection is contradicting it too: (first entry, a very, very, very old entry, HIPS ID=1D)
     <ITEM NAME="1D">
       <NODE NAME="enabled" TYPE="number" VALUE="1" />
       <NODE NAME="name" TYPE="string" VALUE="User rule: allow dllhost.exe (registry EnableLinkedConnections, was soll das? Beim 'file save as' im Opera (!). Nur dort? Keine Doublette, das uralte Original)" />
       <NODE NAME="priority" TYPE="number" VALUE="80" />
       <NODE NAME="action" TYPE="number" VALUE="1" />
       <NODE NAME="log" TYPE="number" VALUE="1" />
       <NODE NAME="notify" TYPE="number" VALUE="0" />
       <NODE NAME="allAppSources" TYPE="number" VALUE="0" />
       <ITEM NAME="appSources" DELETE="1">
         <NODE NAME="1" TYPE="string" VALUE="C:\Windows\SysWOW64\dllhost.exe" />
       </ITEM>
       <NODE NAME="hasFileTargets" TYPE="number" VALUE="0" />
       <NODE NAME="hasRegTargets" TYPE="number" VALUE="1" />
       <NODE NAME="hasPeTargets" TYPE="number" VALUE="0" />
       <ITEM NAME="fileOperations">
         <NODE NAME="File_AllOperations" TYPE="number" VALUE="0" />
         <NODE NAME="File_Delete" TYPE="number" VALUE="0" />
         <NODE NAME="File_Modify" TYPE="number" VALUE="0" />
         <NODE NAME="File_DirectDiskAccess" TYPE="number" VALUE="0" />
         <NODE NAME="Image_GlobalHook" TYPE="number" VALUE="0" />
         <NODE NAME="Image_LoadDriver" TYPE="number" VALUE="0" />
       </ITEM>
       <ITEM NAME="regOperations">
         <NODE NAME="Registry_AllOperations" TYPE="number" VALUE="0" />
         <NODE NAME="Registry_ModifyStartup" TYPE="number" VALUE="0" />
         <NODE NAME="Registry_Delete" TYPE="number" VALUE="0" />
         <NODE NAME="Registry_Rename" TYPE="number" VALUE="0" />
         <NODE NAME="Registry_Modify" TYPE="number" VALUE="1" />
       </ITEM>
       <ITEM NAME="peOperations">
         <NODE NAME="Process_AllOperations" TYPE="number" VALUE="0" />
         <NODE NAME="Application_Debug" TYPE="number" VALUE="0" />
         <NODE NAME="Application_Hook" TYPE="number" VALUE="0" />
         <NODE NAME="Application_Stop" TYPE="number" VALUE="0" />
         <NODE NAME="Application_Create" TYPE="number" VALUE="0" />
         <NODE NAME="Application_Modify" TYPE="number" VALUE="0" />
       </ITEM>
       <NODE NAME="allFileTargets" TYPE="number" VALUE="0" />
       <ITEM NAME="fileTargets" DELETE="1" />
       <NODE NAME="allRegTargets" TYPE="number" VALUE="0" />
       <ITEM NAME="regTargets" DELETE="1">
         <NODE NAME="1" TYPE="string" VALUE="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections" />
       </ITEM>
       <NODE NAME="allPeTargets" TYPE="number" VALUE="0" />
       <ITEM NAME="peTargets" DELETE="1" />
     </ITEM>
     (and that's the first HIPS duplicate I saved, ID=4FB)
     <ITEM NAME="4FB">
       <NODE NAME="enabled" TYPE="number" VALUE="1" />
       <NODE NAME="name" TYPE="string" VALUE="Regel: zulassen dllhost.exe (registry EnableLinkedConnections, Doublette?!!)" />
       <NODE NAME="priority" TYPE="number" VALUE="80" />
       <NODE NAME="action" TYPE="number" VALUE="1" />
       <NODE NAME="log" TYPE="number" VALUE="1" />
       <NODE NAME="notify" TYPE="number" VALUE="0" />
       <NODE NAME="allAppSources" TYPE="number" VALUE="0" />
       <ITEM NAME="appSources" DELETE="1">
         <NODE NAME="1" TYPE="string" VALUE="C:\Windows\SysWOW64\dllhost.exe" />
       </ITEM>
       <NODE NAME="hasFileTargets" TYPE="number" VALUE="0" />
       <NODE NAME="hasRegTargets" TYPE="number" VALUE="1" />
       <NODE NAME="hasPeTargets" TYPE="number" VALUE="0" />
       <ITEM NAME="fileOperations">
         <NODE NAME="File_AllOperations" TYPE="number" VALUE="0" />
         <NODE NAME="File_Delete" TYPE="number" VALUE="0" />
         <NODE NAME="File_Modify" TYPE="number" VALUE="0" />
         <NODE NAME="File_DirectDiskAccess" TYPE="number" VALUE="0" />
         <NODE NAME="Image_GlobalHook" TYPE="number" VALUE="0" />
         <NODE NAME="Image_LoadDriver" TYPE="number" VALUE="0" />
       </ITEM>
       <ITEM NAME="regOperations">
         <NODE NAME="Registry_AllOperations" TYPE="number" VALUE="0" />
         <NODE NAME="Registry_ModifyStartup" TYPE="number" VALUE="0" />
         <NODE NAME="Registry_Delete" TYPE="number" VALUE="0" />
         <NODE NAME="Registry_Rename" TYPE="number" VALUE="0" />
         <NODE NAME="Registry_Modify" TYPE="number" VALUE="1" />
       </ITEM>
       <ITEM NAME="peOperations">
         <NODE NAME="Process_AllOperations" TYPE="number" VALUE="0" />
         <NODE NAME="Application_Debug" TYPE="number" VALUE="0" />
         <NODE NAME="Application_Hook" TYPE="number" VALUE="0" />
         <NODE NAME="Application_Stop" TYPE="number" VALUE="0" />
         <NODE NAME="Application_Create" TYPE="number" VALUE="0" />
         <NODE NAME="Application_Modify" TYPE="number" VALUE="0" />
       </ITEM>
       <NODE NAME="allFileTargets" TYPE="number" VALUE="0" />
       <ITEM NAME="fileTargets" DELETE="1" />
       <NODE NAME="allRegTargets" TYPE="number" VALUE="0" />
       <ITEM NAME="regTargets" DELETE="1">
         <NODE NAME="1" TYPE="string" VALUE="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections" />
       </ITEM>
       <NODE NAME="allPeTargets" TYPE="number" VALUE="0" />
       <ITEM NAME="peTargets" DELETE="1" />
     </ITEM>
     - comparing these two HIPS rules with 'Meld', a file comparison tool, reveals that they are 100% identical, except ID and rule description, of course...
     - ... though these two are 99.999% identical, I have a whole bunch of HIPS duplicates popups of them stored:
     4FB (the first ever), "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, Doublette?!!)"
     503, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, Explorer:Computer, Doublette!!!)"
     50D, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, Explorer:X-temp, Doublette!!!)"
     510, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, Explorer:M-temp, Doublette!!!)"
     517, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, 'Opera save as', Doublette!!!)"
     525, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, Explorer:W-temp, freaky Doublette #1000, 19.10.2015 ~03:26)"
     526, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, 'Opera save as', freaky Doublette!!!, 19.10.2015, ~21:50)"
     537, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, unklar bei was (war's nicht file properties?!!), aber rel. nahe nach switching PCAP OFF, Doublette!, 21.10.2015 ~02.34)"
     538, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, DEFINITIV file properties, kurz nach save settings, freaky Doublette #2000!!!, 21.10.2015 ~02.59)"
     53D, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, DEFINITIV Rechtsklick:Eigenschaften, ~7 Min nach PCAP re-ON, freaky Doublette, 21.10.2015 ~22.51)"
     546, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, directory properties, ~7 Min nach PCAP re-ON, freaky Doublette, 25.10.2015 ~02.06)"
     552, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, directory properties, ~6 Min nach PCAP re-ON, freaky Doublette, 31.10.2015 ~02.06)"
     557, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, directory properties, ~10 Min nach PCAP re-ON, (bestehende) Doublette(n) so leicht provozierbar, 03.11.2015 ~02.13)"
     558, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, sticky Explorer : right click : fav dir, after storing ESS V9 settings, FREAKY Doublette, 03.11.2015 ~02.49)"
     55E, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, Opera 'file save as', ~18 Min nach PC-Start, NO ESS V9 activity, FREAKY Doublette!!!, 07.11.2015)"
     560, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, directory properties, ~18 Min nach PCAP re-ON, FREAKY Doublette, 08.11.2015, ~02.24)"
     567, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, directory properties, ~2 Min nach HIPS-Popup (ok), chg + save same HIPS rule, HOURS after PCAP re-ON, FREAKY Doublette, 10.11.2015 ~01.59)"
     568, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, (same) directory properties, ~21 Min nach PCAP re-ON, FREAKY Doublette, this is getting ridiculous, 10.11.2015 ~02.37)"
     569, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, Opera 'file save as', ~20 Min nach PC-Start, NO ESS V9 activity, FREAKY Doublette!!! (100% same behaviour as on 20151107), 10.11.2015)"
     56B, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, ctrl-c (!!!) (prep file copy) in alternativem Explorer, ~21 Min nach PCAP re-ON, FREAKY Doublette, this is getting ridiculous, , 11.11.2015 ~03.00)"
     56F, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, directory properties, ~4 Min nach PCAP re-ON, (bestehende) Doublette(n) so leicht provozierbar [ie A SAFE BET FOR PRODUCING A DUPLICATE], 14.11.2015 ~02.59)"
     570, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, Opera 'file save as', ~23 Min nach PC-Start, NO ESS V9 activity, FREAKY Doublette!!!, 14.11.2015)"
     571, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, directory properties, ~63 Min nach PCAP re-ON, (bestehende) Doublette(n) so leicht provozierbar [ie A SAFE BET FOR PRODUCING A DUPLICATE], 15.11.2015 ~03.36)"
     573, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, sticky Explorer : right click : fav dir, (after 'failing' 1x 'fav dir' plus 4x dir props) , @7th min after PCAP re-ON, FREAKY Doublette!!!, 16.11.2015 03.13)"
     575, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, 1st Opera 'file save as' (~33 Min nach FW-Popup und chgd new FW rule), ~36 Min nach PC-Start, FREAKY Doublette!!!, 18.11.2015)"
     578, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, 3rd Opera 'file save as' (~60 Min nach PC-Start, NO ESS V9 activity), FREAKY Doublette!!!, 19.11.2015)"
     579, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, 1st Opera 'file save as', ~3 Min nach PCAP re-ON, FREAKY Doublette!!!, 20.11.2015 ~03.35)"
     57C, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, dir props, 8 Min nach PCAP re-ON, 4 Min nach ESS settings save, FREAKY Doublette!!!, 21.11.2015 03.00)"
     57D, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, sticky Explorer : right click : fav dir, 1 min after previous FREAKY Doublette!!!, 21.11.2015 03.01)"
     57F,
"Regel: zulassen dllhost.exe (registry EnableLinkedConnections, dir props, <=1 min after previous FREAKY Doublette!!!, [i CAN DO THIS ALL NIGHT LONG, ESET!!! ELIMINATE THIS CRYSTAL CLEAR BUG!], 21.11.2015 03.1x)" 586, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, dir props, ~27 Min nach PCAP OFF, FREAKY Doublette!!!, 26.11.2015 04.09)" 589, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, sticky Explorer : right click : fav dir, ~6 min after PCAP re-ON + ESS settings export, FREAKY Doublette!!!, 27.11.2015)" 58F, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, sticky Explorer : right click : fav dir, ~9 min after PCAP re-ON + new HIPS rule TXT chgd + ESS settings export, FREAKY Doublette!!!, 01.12.2015 ~3.56)" 593, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, (immer noch gleiche file props), direkt danach,FREAKY Doublette!!!, 04.12.2015 ~04.1x)" 596, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, file props, ~14 min after PCAP OFF, (erst danach storing chgd fw rule TXT), FREAKY Doublette!!!, 05.12.2015 03.14)" 597, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, 1st Opera 'file save as', ~25 Min nach PC-Start mit direkt FW-Popup + FW rule TXT chg, FREAKY Doublette!!!, 05.12.2015)" 599, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, 1st Opera 'file save as', ~18 Min nach PC-Start, 100% NO ESS V9 ACTIVITY BEFORE, FREAKY Doublette!!!, 06.12.2015)" 5A5, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, 'file save as', ~2.5 HOURS after last PCAP re-ON (and NO PC activity at all), FREAKY Doublette!!!, , 11.12.2015 ~02.37)" 5A6, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, file props, <<1 min after PCAP OFF, FREAKY Doublette!!!, , 11.12.2015 03.36)" 5A9, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, NOT 1st (~6th) 'file save as' - minutes after 1x FW rule TXT / 1x HIPS rule TXT chgd, FREAKY Doublette!!!, , 
12.12.2015 ~00.37)" 5AC, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, '100th file save as', but HOURS after last PCAP re-ON (and last 'file save as'), FREAKY Doublette!!!, , 14.12.2015 03.17)" 5AE, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, 1st (Opera) 'file save as', ~16 Min nach PC-Start mit direkt FW-Popup + FW rule TXT chg, ONCE AGAIN FREAKY Doublette!!!, 15.12.2015)" 5B8, "Regel: zulassen dllhost.exe (registry EnableLinkedConnections, exporting chgd ESS settings, <= 1 min after last PCAP re-ON, FREAKY Doublette!!!, , 17.12.2015 ~04.26)" 5C9, "User rule: allow dllhost.exe (registry EnableLinkedConnections, '100th file save as', ~4-5 min after last PCAP OFF, FREAKY Doublette!!!, , 27.12.2015)" 5D0, "User rule: allow dllhost.exe (registry EnableLinkedConnections, sticky Explorer : right click : fav dir, FREAKY Doublette!!!, , 28.12.2015)" 5D1, "User rule: allow dllhost.exe (registry EnableLinkedConnections, file props, <=2 min (!!!) after prv FREAKY Doublette yet ANOTHER (and the SAME) FREAKY Doublette AGAIN!!!, , 28.12.2015)" 5D3, "User rule: allow dllhost.exe (registry EnableLinkedConnections, 'file save as' (export ESS settings), <=1 min (!!!) after last PCAP re-ON, FREAKY Doublette!!!, , 28.12.2015 03.50)" 5E1, "User rule: allow dllhost.exe (registry EnableLinkedConnections, 1ST 'file save as' HOURS after last PCAP re-ON (AND some fw popups), (as EXPECTED, THIS IS A CLEAR REPRODUCIBLE BUG PATTERN!!!) FREAKY Doublette!!!, , 06.01.2015 03.xx)" 5F3, "User rule: allow dllhost.exe (registry EnableLinkedConnections, file props, HOURS after last PCAP re-ON, FREAKY Doublette!!!, , 14.01.2016 ~03.51)" 5FF, "User rule: allow dllhost.exe (registry EnableLinkedConnections, file props, ~10 min after last PCAP OFF, FREAKY Doublette!!!, , 18.01.2016 04.19)" (this was the last EnableLinkedConnections HIPS duplicate of 'SysWOW64 dllhost.exe' until now) HTH
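The Meld comparison in the post above (two rule ITEMs that are byte-for-byte identical except for the hex ID and the free-text description) can be done for a whole export at once. The script below is an added example for this thread, not code from ESET or from the poster. It assumes, without the page confirming it, that the exported settings are well-formed XML under a single root element and that every HIPS rule is an `<ITEM NAME="hexid">` built from `<NODE>` flags plus nested `<ITEM>` target lists, exactly in the layout quoted above. The sample rules are constructed here and abbreviated; run it against a real export with `python hips_dupes.py settings.xml`.

```python
"""Find duplicated HIPS rules in an exported ESET settings XML.

Added example for this thread, not code from ESET or from the poster.
Assumptions not confirmed by the page: the export is well-formed XML with a
single root element, and every rule is an <ITEM NAME="hexid"> made of <NODE>
flags plus nested <ITEM> lists, as quoted in the posts above.
"""
import sys
import xml.etree.ElementTree as ET
from collections import defaultdict

# The free-text description is the one field found to differ between two
# copies of the same rule, so it is ignored when fingerprinting a rule.
IGNORED_TOP_NODES = {"name"}


def is_rule(item):
    """A rule ITEM is one whose direct children carry the 'enabled' flag."""
    return any(c.tag == "NODE" and c.get("NAME") == "enabled" for c in item)


def canonical(item, top=True):
    """Hashable, order-independent fingerprint of one rule ITEM.

    Numeric child names inside target lists ("1", "2", ...) are only list
    positions, so they are dropped: two rules listing the same targets in a
    different order still compare equal.
    """
    parts = []
    for child in item:
        name = child.get("NAME")
        if child.tag == "NODE":
            if top and name in IGNORED_TOP_NODES:
                continue
            if not top and name.isdigit():
                name = None
            parts.append(("NODE", name, child.get("TYPE"), child.get("VALUE")))
        elif child.tag == "ITEM":
            parts.append(("ITEM", name, child.get("DELETE"), canonical(child, top=False)))
    return tuple(sorted(parts, key=repr))


def rule_names(xml_text):
    """Map rule ID -> rule description, for reporting."""
    names = {}
    for item in ET.fromstring(xml_text).iter("ITEM"):
        if is_rule(item):
            node = item.find("NODE[@NAME='name']")
            names[item.get("NAME")] = node.get("VALUE") if node is not None else ""
    return names


def find_duplicates(xml_text):
    """Return groups of rule IDs whose rules are identical except ID and name."""
    groups = defaultdict(list)
    for item in ET.fromstring(xml_text).iter("ITEM"):
        if is_rule(item):
            groups[canonical(item)].append(item.get("NAME"))
    return sorted(ids for ids in groups.values() if len(ids) > 1)


# Constructed sample (abbreviated from the rule layout quoted in the posts).
_RULE = """<ITEM NAME="{rid}">
  <NODE NAME="enabled" TYPE="number" VALUE="1" />
  <NODE NAME="name" TYPE="string" VALUE="{name}" />
  <NODE NAME="action" TYPE="number" VALUE="1" />
  <NODE NAME="allAppSources" TYPE="number" VALUE="0" />
  <ITEM NAME="appSources" DELETE="1">
    <NODE NAME="1" TYPE="string" VALUE="C:\\Windows\\SysWOW64\\dllhost.exe" />
  </ITEM>
  <ITEM NAME="regOperations">
    <NODE NAME="Registry_Modify" TYPE="number" VALUE="{modify}" />
  </ITEM>
  <ITEM NAME="regTargets" DELETE="1">
{targets}
  </ITEM>
</ITEM>"""
_ELC = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections"
_RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def _targets(*keys):
    return "\n".join('    <NODE NAME="%d" TYPE="string" VALUE="%s" />' % (i + 1, k)
                     for i, k in enumerate(keys))


SAMPLE_XML = "<ESET>\n" + "\n".join([
    _RULE.format(rid="4FB", name="Regel: zulassen dllhost.exe (registry EnableLinkedConnections, Doublette?!!)",
                 modify="1", targets=_targets(_ELC)),
    _RULE.format(rid="4FC", name="same target, but Registry_Modify off (a different rule)",
                 modify="0", targets=_targets(_ELC)),
    _RULE.format(rid="503", name="Regel: zulassen dllhost.exe (registry EnableLinkedConnections, Explorer:Computer, Doublette!!!)",
                 modify="1", targets=_targets(_ELC)),
    _RULE.format(rid="600", name="two targets", modify="1", targets=_targets(_ELC, _RUN)),
    _RULE.format(rid="601", name="same two targets, other order", modify="1", targets=_targets(_RUN, _ELC)),
]) + "\n</ESET>\n"


def main(argv):
    # A real export is read as bytes so the XML encoding declaration is honoured.
    xml_text = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE_XML
    names = rule_names(xml_text)
    for group in find_duplicates(xml_text):
        print("duplicate rule IDs: " + ", ".join(group))
        for rid in group:
            print("    %s  %s" % (rid, names[rid]))


if __name__ == "__main__":
    main(sys.argv)
```

On the constructed sample this reports 4FB/503 (the pair compared with Meld above) and 600/601 (same targets, different order) as duplicates, and leaves 4FC alone because its Registry_Modify flag differs. Ignoring the description is deliberate: it is the field the poster keeps editing to timestamp each duplicate, so comparing on it would hide exactly the rules one wants to find.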
7. Plagued by this bug since installing (German) ESS V9.first over (English) ESS V8.last, from the first second, and afterwards even after having installed (English) ESS V9.0.349.0 over (German) ESS V9.first, I think I have found a snappy procedure to reproduce this bug in no time (you can look for some more info about this bug here, https://forum.eset.com/topic/6867-new-build-available-349/page-4#entry38878): (read carefully, and you can trigger this bug in no time. Yes, once again you have to read far more than I thought, but following it you will trigger HIPS duplicates...)

1. no, the HIPS duplicates bug doesn't exist in ESS V8
2. it has nothing to do with Win10, because I'm using Win7 Pro 64-bit
3. German version over English version? Should have nothing to do with this, I think

how to reproduce this bug (preliminary important information):

- the key to trigger it should be this HIPS rule (I haven't checked any other HIPS rules for the same analogous pattern, but...):

<ITEM NAME="16C">
  <NODE NAME="enabled" TYPE="number" VALUE="1" />
  <NODE NAME="name" TYPE="string" VALUE="User rule: allow svchost.exe (modify state of app, Stapel, u.a. consent.exe!!! 28.12.2015: führt dies etwa auf Spur der FREAKY Doublette?!?))" />
  <NODE NAME="priority" TYPE="number" VALUE="80" />
  <NODE NAME="action" TYPE="number" VALUE="1" />
  <NODE NAME="log" TYPE="number" VALUE="1" />
  <NODE NAME="notify" TYPE="number" VALUE="0" />
  <NODE NAME="allAppSources" TYPE="number" VALUE="0" />
  <ITEM NAME="appSources" DELETE="1">
    <NODE NAME="1" TYPE="string" VALUE="C:\Windows\System32\svchost.exe" />
  </ITEM>
  <NODE NAME="hasFileTargets" TYPE="number" VALUE="0" />
  <NODE NAME="hasRegTargets" TYPE="number" VALUE="0" />
  <NODE NAME="hasPeTargets" TYPE="number" VALUE="1" />
  <ITEM NAME="fileOperations">
    <NODE NAME="File_AllOperations" TYPE="number" VALUE="0" />
    <NODE NAME="File_Delete" TYPE="number" VALUE="0" />
    <NODE NAME="File_Modify" TYPE="number" VALUE="0" />
    <NODE NAME="File_DirectDiskAccess" TYPE="number" VALUE="0" />
    <NODE NAME="Image_GlobalHook" TYPE="number" VALUE="0" />
    <NODE NAME="Image_LoadDriver" TYPE="number" VALUE="0" />
  </ITEM>
  <ITEM NAME="regOperations">
    <NODE NAME="Registry_AllOperations" TYPE="number" VALUE="0" />
    <NODE NAME="Registry_ModifyStartup" TYPE="number" VALUE="0" />
    <NODE NAME="Registry_Delete" TYPE="number" VALUE="0" />
    <NODE NAME="Registry_Rename" TYPE="number" VALUE="0" />
    <NODE NAME="Registry_Modify" TYPE="number" VALUE="0" />
  </ITEM>
  <ITEM NAME="peOperations">
    <NODE NAME="Process_AllOperations" TYPE="number" VALUE="0" />
    <NODE NAME="Application_Debug" TYPE="number" VALUE="0" />
    <NODE NAME="Application_Hook" TYPE="number" VALUE="0" />
    <NODE NAME="Application_Stop" TYPE="number" VALUE="0" />
    <NODE NAME="Application_Create" TYPE="number" VALUE="0" />
    <NODE NAME="Application_Modify" TYPE="number" VALUE="1" />
  </ITEM>
  <NODE NAME="allFileTargets" TYPE="number" VALUE="0" />
  <ITEM NAME="fileTargets" DELETE="1" />
  <NODE NAME="allRegTargets" TYPE="number" VALUE="0" />
  <ITEM NAME="regTargets" DELETE="1" />
  <NODE NAME="allPeTargets" TYPE="number" VALUE="0" />
  <ITEM NAME="peTargets" DELETE="1">
    <NODE NAME="1" TYPE="string" VALUE="C:\Windows\System32\audiodg.exe" />
    <NODE NAME="2" TYPE="string" VALUE="C:\Windows\System32\consent.exe" />
    <NODE NAME="3" TYPE="string" VALUE="C:\Windows\System32\mobsync.exe" />
    <NODE NAME="4" TYPE="string" VALUE="C:\\\wmpnscfg.exe" />
    <NODE NAME="5" TYPE="string" VALUE="C:\Windows\SysWOW64\control.exe" />
    <NODE NAME="6" TYPE="string" VALUE="C:\Windows\SysWOW64\rundll32.exe" />
    <NODE NAME="7" TYPE="string" VALUE="C:\Windows\System32\taskhost.exe" />
    <NODE NAME="8" TYPE="string" VALUE="C:\\\opera.exe" />
    <NODE NAME="9" TYPE="string" VALUE="C:\\\pluginwrapper\opera_plugin_wrapper.exe" />
    <NODE NAME="A" TYPE="string" VALUE="C:\\\pluginwrapper\opera_plugin_wrapper_32.exe" />
  </ITEM>
</ITEM>

("User rule: allow svchost.exe (modify state of app, Stapel, u.a. consent.exe!!! 28.12.2015: führt dies etwa auf Spur der FREAKY Doublette?!?" - in English: "a whole bunch of targets, for example consent.exe!!! Is this the reason for these nasty HIPS duplicate popups?!!") - I have some / "a lot" of HIPS rules with multiple targets, but I have deleted the corresponding rules with single targets, for sure.)

- thus the bug-triggering key is: in this one HIPS rule (modify state of app, allowed) with multiple targets you can see at least five targets that are for sure leading to sporadic, but consistent, HIPS duplicate popups in my ESS V9 configuration!!! (Ok, at least six, 'audiodg.exe' has triggered a HIPS duplicates popup too, I think - but I will not verify this at 5 o'clock in the morning, not now...)
- to accelerate the triggering of a HIPS duplicate significantly you should / must work with fiddling PCAP ON / OFF, ie. "setup : advanced setup : tools : diagnostics : enable personal firewall logging [check box]"! (Don't forget the PCAP OFF, and the deletion of the PCAP file ('C:\ProgramData\ESET\xxxxxxx\Diagnostics\EpfwLog.pcapng'), after your tests!)
- to speed up the triggering of a HIPS duplicate even more you should include changing existing firewall and / or HIPS rules (one is enough) between your trigger attempts (ie. "directory properties", "file save as" (from any program that has it), "sticky explorer : favorite directory (any)" (more detailed below)).

Phew! Now it's high time for the HIPS duplicates bug reproduction procedure:

1. enable HIPS interactive mode
2. search for a HIPS rule in the style of the one you can see above, and add multiple targets, choose wisely, 'consent.exe' (UAC) is a good one and several other heavily used programs, and delete the corresponding single-targeted HIPS rules.
3. another HIPS rule with 'SysWOW64 dllhost.exe' (search for it), modify registry, EnableLinkedConnections, triggered on every "file save as", "directory (and file) properties", "sticky explorer : right click : favorite directory : back to root directory" is a good candidate
4. do the same thing with consent.exe, look at this HIPS rule of mine: "User rule: allow consent.exe (modify state of app, svchost.exe, trigger it: 1. PCAP re-ON, 2. chg firewall rule / OK / OK / OK - BANG: this FREAKY duplicate!!!, 29.10.2015 ~01.46)" (@ESET developer team: this nasty bug seems a little bit more convoluted than just the HIPS rules with multiple targets "thingy", ie. here I seem to have a 1st good HIPS rule, single target. And after that, starting with ESS V9, a whole lotta duplicate HIPS rules!... Interesting tidbit (look at the HIPS rule in XML format above): I can't remember that 'opera.exe' ever triggered a HIPS duplicate popup, but I'm more than sure that the Opera Plugin Wrappers trigger quite a lot!!!)
5. thus, create a HIPS "modify state of app" rule, with 'svchost.exe' as target and 'consent.exe' as application source, and then do the above stated steps, ie. 1. PCAP re-ON, 2. chg firewall rule / OK / OK / OK - BANG.
6. work with PCAP ON / OFF, ie. "setup : advanced setup : tools : diagnostics : enable personal firewall logging [check box]", ie. enable it, save files like hell, in between disabling PCAP and waiting some minutes (2 - 5), then save files, PCAP re-ON, save files, PCAP OFF, wait, PCAP re-ON, save files. The HIPS duplicate popup bug should trigger sooner or later. Combine this with making multiple "directory properties" and the "sticky explorer" stuff, and (eventually - HIPS duplicate popups are more sporadic here) starting / stopping heavily used normal programs
7. fiddling with PCAP ON / OFF / re-ON, in combination with the two precious 'consent.exe' HIPS rules (with changing HIPS and / or firewall rule descriptions, another good bug-triggering accelerator) you should be able to trigger the HIPS duplicates bug in (nearly) no time!

HTH
8. "not aware of any bugs in HIPS": I'm able to report 2 bugs in HIPS, which have nothing to do with Win10, because I'm using Win7 Pro 64-bit. I call the first bug "The Dreaded HIPS Duplicates Bug, even with ESS V9.0.349.0" and the 2nd one "HIPS Definitively Stops Logging And Working". Bug #1 started immediately after installing the 1st ESS V9 version (German) over ESS V8 (English) - but this has nothing to do with German version over English version. Later I installed ESS V9.0.349.0 English over the previous V9 (German) version. "in HIPS and I've been using rules personally for ages without issues": the same with me - until ESS V9 came out and I installed it... @SlashRose: keep on writing German, as a native German speaker I understand your German far better than your English (no insult intended here). Thanks. @Marcos: SlashRose means that the German ESET support has confirmed that the HIPS duplicates bug really exists and he doesn't understand why English support (this forum) is (still) denying it. I will describe bugs #1 and #2 in separate threads in far more detail than now (it's 5 o'clock in the morning...), but here is a sample screenshot of bug #1 in advance (1525 HIPS rules (thanks for counting, if it's correct, a new feature of ESS V9), and around 200 highly annoying, time-consuming duplicates ("Doublette" in German)! And counting...). Regarding the screenshot:
- "I REALLY, REALLY, REALLY, REALLY, REALLY, REALLY, REALLY, REALLY HATE ESS V9!!!": please add " - but only until the highly capable ESET developers have eradicated a bunch of very nasty / nasty bugs, and highly annoying regressions".
- lines marked yellow: 'consent.exe' (UAC) and 'dllhost.exe' ("file save as", other functions) are very common HIPS duplicates, mostly daily.
- enabling / disabling PCAP, new firewall popups (and being forced to change them immediately - hint, hint: one of the highly annoying regressions, ie. firewall rule without check box "log it"...) and new HIPS popups (especially changing the description afterwards, ie. being forced to change it afterwards - hint, hint: the 2nd highly annoying regression, I think) increase the probability of duplicate HIPS popups significantly.
9. @Bakugane: don't throw ESS out the window too fast. There will be a solution for your issue, I'm sure. What Windows version are you using? And what version of ESS? I had a similar issue to Bakugane's with ESS V6.x and if I'm remembering it correctly, it was like this: a firewall popup appears and if you pressed the DENY button "too fast" and / or there were even more firewall popups and then you pressed the DENY button too fast, then with a quite high probability you got a blank firewall popup appearing and beneath it was the correct one! Thus moving the blank popup aside, the correct one appeared, I answered it dutifully and that was it. So, look at my ancient screenshot carefully and you'll know what I mean. HTH
  10. You can prevent it from happening, read how to do it here, https://forum.eset.com/topic/2124-firewall-interactive-mode-not-working-properly/page-2#entry13169. (Ie. almost always, read here, https://forum.eset.com/topic/2124-firewall-interactive-mode-not-working-properly/page-2#entry13531, ie. "1. (20140428) ...". But this is, I'm sure, a problem very distinct from the hiding firewall popups bug you're experiencing. Read my just mentioned 2nd posting and this thread, https://forum.eset.com/topic/2278-getting-fed-up-with-firewall/, to dive deeper into this problem...) If you're "in this bug", restarting is your only (and by far the easiest) option. You can request a corrected version, I think (others have it, and I too), look at this: With this version the hiding firewall popups bug should be fixed.
11. [@Marcos: PM received, ESS V7.0.317.5 downloaded and installed, thanks. Do you know whether in this version the following, https://forum.eset.com/topic/2278-getting-fed-up-with-firewall/#entry13035, has been fixed too?: ] The good [ESS V7.0.317.5]: Problem #2 (see previous posting, Flash video) can't be reproduced with this version - 2 firewall popups stored as rules (same remote address, ports 80 and 1935) and the video starts playing. But...: being a professional programmer, I doubt very much whether having exclusively fixed the hidden firewall popups limbo now (well done) has fixed problem #2 at the same time. There is a big difference between "pressing DENY leading to suppression of the other firewall popups and hiding them until PC restart / shutdown" and "repeating the same two firewall popups forever, even if storing each of them, even if storing the rule(s) with changing them to allow all remote ports, addresses, on TCP and UDP multiple times, including that not all of them were actually stored (!) at all, and all of a sudden one of the newly created rules kicks in!". (Carefully look at screenshot #3 in my previous posting, this is not Photoshop, this is what really happened!) Of course, the ESET developer team might have seen and fixed other things in this patched version too! Everybody can totally ignore the following "lengthy", "time-consuming", but valuable bug reproduction description, if Marcos or anyone from ESET can acknowledge that "[Marcos, 16 April 2014] The current version of ESS has a bug which causes that no prompt window pops..." is eliminated. But if not yet fixed, then I'm more than sure that you, ESET, will find the root cause (in the source code) for these seemingly erratic and "random" problems (see here, https://forum.eset.com/topic/2278-getting-fed-up-with-firewall/) by using my reproduction procedure!
@xxJackxx (plus the highly capable ESET developer team: really, the key to reproduce this problem (or any other "variant" of it) is "launcher mode" (parent-child relation) and the first run of a previously updated program): Carefully reading through the thread "Getting fed up with firewall", I come to the conclusion that problem #2 is highly reproducible, (@xxJackxx) if you still want to test it. (ESET should go through it anyway.) But it's of the highest importance to follow this guideline precisely:

0. you must use ESS V7.x before ESS V7.0.317.5 (ie. the original one). You need Win7 64-bit, Win8 64-bit should be ok too.
1. (HIPS: automatic, firewall: automatic) install Opera V12.16, 64-bit, if you have the installer. Otherwise get the nearest available to V12.16 from here, hxxp://arc.opera.com/pub/opera/win/1211/int/Opera_1211_int_Setup_x64.exe
2. create one custom firewall rule for Opera (TCP, OUT, remote ports 80 + 443, all remote addresses, enable logging). There may be no other firewall rules for Opera.
3. create one custom firewall rule for the Opera Plugin Wrapper, see screenshot (TCP, OUT, DENY, remote port 443, all remote addresses)
4. launch Opera V12.16 / V12.11, call any website, works, close Opera. Safety check: task manager, is Opera closed? (If not, restart your PC / your VM instance of Win7 / Win8.)
5. Adobe Flash Player must be installed.
6. (HIPS: interactive (always enable "remember this", then just press the ALLOW button), firewall: interactive) launch Opera V12.16 / V12.11, force the update to V12.17 with "Opera (click on the Opera icon in the upper left corner) : help : check for updates", store each firewall popup (it's the Opera Update Installer) that appears as a custom rule, enabling logging. The Opera Update Installer launches the updated Opera, a "thank you" web page appears. Close it. Safety check: task manager, is Opera closed? Presumably yes, but is the Opera Update Installer closed?! Probably not. Only then (or if 'opera.exe' appeared in task manager) do you have to restart your PC / your VM instance of Win7 / Win8.
7. launch Opera V12.17 for the first time after having updated it, press <F12> and enable cookies, JavaScript and plug-ins
8. click the following URL, hxxp://www.srf.ch/konsum/themen/multimedia/wettstreit-mit-schnellem-internet-teure-abos-oft-unnoetig, click the video
9. now you should be in the firewall popup death loop hell, hopefully: store the 1st one as a custom rule as often as you like, it will always reappear, even if you change it to include all remote ports / addresses / OUT + IN / TCP + UDP (see previous posting for getting to the 2nd popup and how to get out of this mess)
10. or it could be that you are in any other weird variant of the problem. (Besides the death loop that I experienced it could be that Opera doesn't show the web page / gets unresponsive / hangs or the like.)
11. or after having stored two custom firewall rules the video begins to play.
12. as soon as the video begins to play you can stop it.
12. @Marcos, @xxJackxx: good to hear that. Unfortunately, I think, I have yet more bad news: there are one or two other bugs lurking in the firewall in interactive mode, ie. not that related to the hidden firewall popups hell bug. (This has nothing to do with Opera, but with ESS V7.) Probably both happening only in "launcher mode", ie. one program calls (/shells) another one (parent-child relation). Thus I can now partially acknowledge the problem(s) described here, https://forum.eset.com/topic/2278-getting-fed-up-with-firewall/#entry13051:

1. (20140428) during Opera's Auto-Update to V12.17, 64-bit, there were 4 firewall popups, which I stored as rules. All these rules came from the Opera Update Installer, which launched the new 'opera.exe' after successfully installing the new version, which I saw through some HIPS popups. Everything seemed ok, until I wanted to shut down my PC and saw in task manager that the Opera Update Installer was still active... Knowing exactly what this means (hidden firewall popups), I triggered the hidden notification popups with 'cmd.exe'. And, wow: this was the first time the hidden firewall popups appeared, at the same time as a whole bunch of piled-up (PCAP) notification popups! (See screenshot.) After having dutifully stored two more firewall popups, the nearly closed Opera Update Installer closed fully. ---> Conclusion: it seems there are cases where not all firewall popups appear, even if you are storing all of them as firewall rules - presumably only happening in "launcher mode".

2. (20140429) I wanted to play an embedded Adobe Flash video (using Opera) - and landed in the firewall popup death loop hell! Flash Player uses the Opera Plugin-Wrapper, and that's another "launcher mode" case (ie. parent-child process, see screenshot). The first firewall popup appears, storing it as a custom rule. I'm pretty sure it was port 80, single IP. 2nd firewall popup appears, exactly the same! Same procedure. 3rd popup, the same again! Now storing as port 80, all IPs. 4th popup, the same again! Now doing all ports, all IPs. Next popup, the same again! Back and forth fiddling around, the only circumvention was to not create a custom rule, but enable "temporarily remember", then the ALLOW button. This led to yet another IP on port 80. Back and forth fiddling around, looking whether these rules are really stored (during a firewall popup, works - good): yes, but not all! See screenshot, the first you can see isn't the first for sure! And in between some are missing too, I think. Doing the circumvention. Yet another IP, port 1935. I don't know how, but after about half an hour the video finally began to play... But it was certainly because of the above mentioned circumvention procedure, ie. "temporarily remember" plus ALLOW button. ---> Conclusion: the firewall popup death loop hell is a reality and in this case, for the first time, ESS V7 has not stored all firewall rules and was ignoring all of these new ones for a very long time. (The last one is a "TCP, all remote ports / addresses" too, but - screenshot! - there are identical ones before!!! (Looking carefully at this screenshot the question that pops up is: how was it possible to leave the firewall popup death loop hell?... Answer: at some time one of these new rules must have kicked in, presumably #5, unfortunately one of those that had logging disabled. The video began playing at around 16:21:42. See screenshot.)

Could someone try problem #2 and acknowledge it? You need Opera V12.17, 64-bit, plus Adobe Flash Player, switch the firewall to interactive mode, one custom firewall rule for Opera (TCP, OUT, remote ports 80 + 443, all remote addresses, enable logging) and this URL (in Opera press <F12> and enable cookies, JavaScript and plug-ins): hxxp://www.srf.ch/konsum/themen/multimedia/wettstreit-mit-schnellem-internet-teure-abos-oft-unnoetig. Click the video and you should be in the firewall popup death loop hell.
13. Don't despair, I'm a long-time ESS user too and had some hard starting weeks with ESS V7, until I figured out what's going on: Opera being the only program that generated the well-known firewall popup; every day, when shutting down my PC, a strange firewall popup in the upper left corner of the screen, 'svchost.exe' ("why is MS$$$ phoning home now even on shutdown?!!"); seemingly "delayed" notification popups appearing out of nowhere (especially the AV-update notification popups, hours after the update); other programs where firewall rules had to be created manually; even using the learning mode (control these rules, with me they always gave full access on all ports and addresses, not what I expected); suddenly Opera with no firewall popup at all (new remote port, let's say 8080) ("but this worked before!!!"); then firewall popups appearing as they should; then Teamviewer with a new remote address (firewall popup appearing, but intermixed with a 'svchost.exe' one, where presumably I pressed just the DENY button - therefore hidden firewall popup hell, Teamviewer "locked" and once again PC restart time)... ... and how to prevent it from happening easily: you must create a custom firewall rule for every firewall popup that appears, there you can decide whether you want to deny or allow it, whether you want to add more remote ports / addresses and the like, whether to enable logging or not. Never press just the DENY button (and the ALLOW button - just to be on the safe side). (I have been doing exactly this for a long time and never had the hidden firewall popups limbo again!) After having nailed all this down to be an easily reproducible bug (see my previous postings), I'm more than sure that ESET can hunt it down now. (But bear with them, finding a bug (root cause, in the source code) can be time-consuming.)
14. Enabling PCAP logging isn't necessary, I mentioned it only because of the amount of popups this generates, easing the triggering by means of 'cmd.exe'. Yes, indeed one (firewall popup) DENY button press seems to be all that's needed to land in the hidden firewall popup limbo, that's all I have done in 3 re-tries: 1st re-try (I had waited too long, thus Firefox was "phoning home" automatically, 4x DENY - and bugged), 2nd re-try (with the mentioned URL, scrye, one DENY - and bugged), 3rd re-try (2x DENY, 1st = scrye web page, 2nd = Firefox "phoning home", and bugged; then trying to force the hidden firewall popups to visibility with Process Hacker, see here (thanks, Nizrax000!), https://forum.eset.com/topic/2278-getting-fed-up-with-firewall/#entry13142, (unfortunately not that successful) - and bugged. Curiously 4 non-exiting Firefox instances is all I can produce, with Opera Next it's just one. Ie. the 5th / 2nd fail to show the URL, but are closing fully. It would be interesting to see what happens if a "malware found" notification popup should appear and one is "in the bug". (Presumably 'cmd.exe' triggering will show it.) Yes, it would be very nice if an experienced forum member could give it a try, it's nothing dangerous and can be done fast (5 - 10 minutes): you can leave out the PCAP logging and enabling HIPS. After unsuccessful fiddling with flags (visible, enable, always on top, bring to front) in Process Hacker I had to restart my PC, the appearing firewall popup remained centered and 2nd crash of ESS V7 (both thanks to Process Hacker fiddling, I think). Thus I aborted the restart and could make a screenshot (3rd re-try, today), but the firewall popup was unresponsive, which is clear, 'egui.exe' had crashed, after pressing ok, Win7 chimed in and suggested a restart of 'egui.exe', which I did, but ESS V7 did not show up in the systray, task manager showed that nearly all programs and services were closed already, and no 'egui.exe' at all:
  15. @ESET: though reading the following may seem lengthy and time consuming, doing it, as specialists, you will be in no time in the hidden firewall popup bug limbo! Now I have retried two times, both with full success, forcing ESS V7 into the hiding firewall notification popups bug (see my previous posting for full details) and here are the instructions to accomplish this, i.e. it's all boiling down to "one browser, one DENY - and bug time":
      0. tested setting is: Firefox plus Opera Next. (But it will work with any two programs accessing the internet.)
      1. switch HIPS to interactive mode, switch firewall to interactive mode, disable all firewall rules for Firefox and Opera Next (/2nd browser)
      2. (recommended) enable PCAP logging (though this seems to "mitigate" the hiding notification popups, after some time all popups will be hidden and piling up). This way you will have at least some hiding popups in a short time (PCAP notifications happen about every 10 seconds), go to Setup : network : advanced personal firewall setup : personal firewall : IDS and advanced options : troubleshooting : enable advanced PCAP logging
      3. regarding HIPS: simply press ALLOW button if HIPS popups should appear
      4. (important, you will know why if you have to restart your PC) center the firewall popup on your screen before pressing DENY button, move PCAP notification popup to upper right corner of your screen, i.e. wait for first PCAP popup to do this
      5. (keep ESS V7 GUI closed, but ESS V7 is running of course) fire up Firefox, enter hxxp://www.scrye.com/wordpress/nirik/2014/04/16/java-remote-console-on-drac7-and-fedora/
      6. there will be one firewall popup, simply press DENY button (do not create a custom rule, do not enable "temporarily remember")
      7. after this you're "in this bug". You could wait for the web page not appearing, but it's better to close Firefox after some 10 seconds.
      8. fire up task manager, you should see a first 'firefox.exe' instance...
      9. fire up Firefox, which certainly has a new process ID, re-enter the same URL as above. Nothing happens. Close Firefox.
      10. fire up task manager, probably you see two instances of Firefox
      11. fire up another browser, that has no firewall rules, enter hxxp://planet.postgresql.org/, hopefully there will be no firewall popups. Nothing happens, web page will not appear. Wait some 10 seconds, close browser.
      12. fire up task manager, probably you will see this browser instance still being there
      13. if you have seen no notification popups for two minutes: trigger (!!!) all piled up "delayed" notification popups (except the outstanding firewall popups) by firing up 'cmd.exe' (DOS box) and enter "ping your_gateway_ip", for example something like "ping 192.168.1.1". Immediately after pressing <CR> the hidden notification popups are appearing... eventually you have to fiddle around a little bit with this setting, i.e. (strange enough) not always will the closed browser instance still be visible in task manager, not always will the (PCAP) notification popups be hiding. But after some time there will be not a single notification popup appearing any longer. And, most important, this single DENY was enough to send ESS V7 into the hiding notification popups limbo!
      14. don't forget to disable PCAP logging, re-enable disabled firewall rules, close ESS V7
      15. restart your PC looking at your screen with high attention, focusing your eyes on the upper left more than on the upper right: you will see in the upper right corner very shortly something happening and in the upper left corner one firewall popup (of your 2nd browser, with hxxp://planet.postgresql.org/ as remote address)...
      - @ESET: (probably not that helpful) doing the above gave me the first ESET V7 crash (during restarting my PC) since installing it back in October 2013, the ErrMsg is (German) "egui.exe: Die Anweisung in 0xf2c91609 verweist auf Speicher 0xff..ff. Der Vorgang read konnte nicht im Speicher durchgeführt werden. Klicken Sie auf OK, um das Programm zu beenden."
      - three screenshots: two proving the piling up of not fully closing browser instances that can't be killed (task manager, Process Hacker). These are not visible instances and seem to be near full exit, according to Process Hacker. 3rd screenshot showing the successful triggering of all piled up notification popups except the firewall popups. HTH
  16. With ProcessHacker do you mean hxxp://processhacker.sourceforge.net/? I have tried this, but found nothing in Process Hacker to bring the hidden notification popups to the front. Could you please elaborate on this, i.e. give more details about how you are able to force the hidden firewall notification popups to appear? This could be valuable input not only for me, but eventually for ESET too. (If interested you could try out my (upcoming) (shorter) description of how to force ESS V7 into the hiding firewall notification popups bug in no time, see here, https://forum.eset.com/topic/2124-firewall-interactive-mode-not-working-properly/. This involves no launchers at all: one browser, one URL, one DENY - and you're "in the bug".) Thanks
  17. I'm forced to chime in... (Win7 Pro, 64 Bit; ESS V7.0.302.26)
      - installed ESS V7.0.302.26 several months ago and plagued with the dreaded interactive firewall bug from day one!
      - here are the symptoms I observed when hit by this bug:
      1) delayed notification popups: there are no more notification popups (of any kind - AV-update, PCAP, firewall, HIPS, and (probably) malware alert popups, registry modification popups too) appearing until you restart your PC.
      2) you can't imagine my astonishment (day 1, installation day) as Opera V12.16 was the only program that generated a firewall popup... Firewall rules for other programs (day 1 and following) had to be created manually or with the (dangerous) learning mode. Even another firewall rule for Opera V12.16 (with another remote port) a few days later had to be manually created (with similar rule): symptom in this case, no error message, no popup, I have forgotten whether Opera V12.16 was hanging at this point or not. I think, not.
      3) (Firefox) You can start as many Firefox instances in this moment as you like, not a single one will ever appear, but they are piling up in task manager (and they can't be killed). (Condition: no firewall rule(s) for Firefox are yet created.)
      - fast forward a few months and I found a way to circumvent it, i.e. this bug is highly reproducible (and easy too)...
      - steps to reproduce this bug:
      1. HIPS: interactive, Firewall: interactive (if already using interactive mode and having rules, disable some of them, i.e. Firefox, Opera, Chrome); other modules: of no relevance with this bug. (HIPS: respond with ALLOW / YES, no need to create rules.)
      2. (optional, but this gives a notification popup about every 10 seconds - therefore recommended) enable PCAP logging, look at the PCAP notification popups showing up for some time, drag the first one popping up to the right upper corner of your screen. Good, notification popups work.
      3. now fire up a browser of your choice and see the firewall popups popping up. Drag the first firewall popup to the center of your screen. Now you must create and store a firewall rule for every firewall popup (circumventing the bug), otherwise you are hit by this bug. For example you could create and store a custom firewall rule for 'www.yahoo.com' (TCP, OUT, enable logging, single remote port / address), a second for the next firewall popup, PCAP notification popups should appear. Then, 3rd firewall popup, press DENY, i.e. not creating firewall rule, no "remember temporarily". Now all notification popups are piling up and will never appear, until you restart your PC. Then you will see shortly one firewall popup in the upper left corner. That's all, Windows is restarting...
      4. If you are "having this bug" (i.e. bug is active) fire up Firefox (disable firewall rules for Firefox before doing this, if necessary), it will never appear. Fire up a 2nd, 3rd, 4th instance. Nothing happens, but they are piling up in task manager, try to kill them (in task manager): no chance.
      5. If you are "having this bug" (i.e. bug is active) fire up a browser where previously you have created a firewall rule (TCP, OUT, logging enabled, remote ports 80 + 443, remote address: (all)). Now browse to a website which uses another port, for example 8080 (you could try 77.59.222.164:8080, a proxy server, gives http error, but that's enough for testing). There will be no firewall popup (for sure) and no error message whatsoever (i.e. nothing is happening, but browser works ok, not hanging, except this tab - I think, from my memories).
      6. If you are "having this bug" (i.e. bug is active) you are able to trigger (!!!) all piled up "delayed" notification popups (except the outstanding firewall popups): fire up 'cmd.exe' (DOS box) and enter "ping your_gateway_ip", for example something like "ping 192.168.1.1". Immediately after pressing <CR> the hidden notification popups are appearing... ("Twist": this works best, if only one notification popup is hidden. Look at the ping waiting some time until being effectively executed, i.e. until the appearing popup is disappearing again. I.e. 'ping' is hanging, could even timeout. You can prevent this, if you close the notification popup manually, whereby 'ping' does its work immediately.) (There are a few other triggers, but 'cmd.exe' with 'ping' is by far the easiest and always working.)
      7. Do the 'cmd.exe' plus 'ping' thing when bug is not active: HIPS popups are appearing (for 'cmd.exe', for 'svchost.exe'; and as already said: do not create HIPS rule, ALLOW is enough). Do the same when bug is active: no more HIPS popups (but 'ping' is working and piled up hidden notification popups are appearing).
      8. Yet another "twist" (happened a few days ago): If you are "having this bug" (i.e. bug is active) you can't trigger the "delayed" / hidden notification popups (as described above), if HIPS is in automatic mode. Switch to HIPS interactive mode and do the 'ping' "thing": works.
      - bear with me, hopefully everything written is accurate and to the point, directly from my memories...
      - now ESET should be really able to hunt down this persistent firewall popup bug, definitely introduced with ESS V7. (Not existing in (V3), V4, V5 and V6 - for sure.)
      kind regards