PodrskaNORT

ESET Insiders
  • Posts: 154
  • Joined
  • Days Won: 1

Everything posted by PodrskaNORT

  1. The error message "Error communicating with kernel" appears hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN2280 -t-
  2. Hi, In regard to ESET's program - you will be protected just as fine as you were using MSIE11. Tomo
  3. Hi Ahmed, Can you please clarify "...make path for every employee computer..."? As stated, I understand that you are trying to create a mirror for every computer on network... Tomo
  4. Hi I think there is, as always, a lot of "IF...THEN" situations and a number of compromises. You can jump to Linux ;-) In these circumstances - your XP is left without security fixes (as SweX stated - it's an essential security measure) + you are hesitating to migrate to Win7 / Win8.1 - could be the perfect time for a switch? Ubuntu is now polished... if the new GUI is too hardware intensive - you can select Lubuntu. Unless you have some super-important unique custom-made hardware / software... in which case you shouldn't connect to the Net with this machine in the first place - thus, patches are not important at all (as they can smash the OS, too). ESET will do its best in an unpatched environment for years... you can install some of ESET's programs even on Windows 2000, circa four years after its EoS! <OFFTOPIC> Can you guys please elaborate why not switch to 8.1? :-) I was a bit of a "hesitating Win8 type", too, but now that I installed 8.1 on two computers - I love it! And one of them is a not-at-all-new laptop with a rather small and slow disk. Of course, it takes some time to adjust to changes. I *do* miss the classic Start button and I try to hit it about 500 times a day :-) But I still don't want to tweak Win8 to enable it - I just want to train myself into the "new interface"! </OFFTOPIC> Tomo
  5. Hi Team, After several days (weeks?) of testing "ESET HIPS against CryptoLocker" I can confirm that I sure would recommend it, at least regarding the part that it does not interfere with legitimate applications. This is the resulting page when "something" (an .EXE) tries to execute itself from %AppData%: (see attached image 01) So, HIPS will ask the customer for action, and also an "automatic" exception rule can be added from within the alert window (as in this example for some Java module): (see attached image 02) The original rule (named "CryptoLocker") looks like this: (see attached image 03) The rule asks me whenever an EXE tries to execute. At the start, I was not sure whether subfolders would be included in the rule, but this proves they are. The only "problem" is that I did not manage to create a generic rule (using the %AppData% variable) – I had to enter the full path. So, from my point of view – I will give this rule a go :-) Tomo
  6. Interesting... it looks to me like the appearance of a fixed IP caused a DHCP server mess :-) I have some questions: Did all other computers show the same IP address (*.180) in the message? Are all other computers on DHCP? Did it stop after you unplugged the "problematic" one from the network? Tomo
  7. Arnie, Do you have Windows XP? If YES - "Automatic updates" are the most probable cause. Check the process SVCHOST - it may be using 99% of CPU Tomo
  8. If I may put my $.02... There is no 100% security - not in real life, not in IT life. I believe the AV industry is by far the most successful security IT branch - had other security branches been as successful in stopping hack attempts, we would have a much safer environment. Yet, if an attacker has physical & Admin access to a machine (Admin access would be enough) - I don't believe there is *any* security (not only AV) program that could stop even "script-kiddie" kinds of attacks, not to mention any serious malware attempts. So, yes - with physical & Admin access anyone can kill the machine in 5 seconds with, let's say, a one-line batch script, no matter if it has 9 AV programs installed or none :-) Tomo
  9. hxxp://www.av-test.org/no_cache/en/tests/test-reports/?tx_avtestreports_pi1[report_no]=134532 Detection of a representative set of malicious apps discovered in the last 4 weeks (AV-TEST reference set): 100% Usability Score: 6/6 Tomo
  10. Another cause *could* be missing/corrupt DDA (Direct Disk Access) modules in Windows due to, well, pretty much any reason... Windows failure, rootkit, ... I am just about to scan the Net for the solution... Tomo
  11. I can confirm the same procedure as @jimwillsher mentioned when upgrading ERAS 5.0.119 to ERAS 5.1.34. Everything was migrated / upgraded perfectly, although it does look like a fresh installation. Tomo
  12. One thing comes to my mind... It could be that the CPU / GPU / MoBo is overheating during this intensive task and then the PC shuts down to protect itself from burning. Try installing something like HWInfo and monitor the temperature. If that is the reason - just clean the dust from the fans in the PC. Tomo
  13. It could also be a problem of rights in the Registry under HKLM\Software and/or HKCU\Software. You may want to refresh them and add full rights to Administrators (I think there will be one key that will not allow you to do that). Tomo
  14. Xaress, (+) Start SysInternals Autoruns (+) search for Conduit in its results (+) note the locations (+) disable all instances (it could autostart from several places) (+) delete all folders noted above (+) (if any folder says it cannot be deleted because the file is in use - kill EXPLORER.EXE and delete the folders from the DOS prompt; restart EXPLORER afterwards) Also check for software that brought in the Conduit (toolbars, games, ...). Recently popular ones are: Absolutist_Games Magentic toolbar MyAshampoo Toolbar (not to be mixed up with legitimate Ashampoo software!) Flipora search engine Incredimail (?) Tomo
  15. Here is FileAlyzer 2.x info about that file on my disk. Maybe you can compare: filename: RegSvcs.exe filepath: C:\windows\Microsoft.NET\Framework\v2.0.50727\ filesize: 32768 timestamp[file]: 2010-11-21 03:23:56 timestampraw[file]: 3D751AFC age[file]: 1080 attribs: A+D-H-L-R-S- attribs: A+ attribs: D-H-L-R-S- filetype: PE crc32: C92CDC1B md5: D79F070423FDD3F01CE8C2BA3FBBC8ED sha1: 2F8ED26EB714B4EFBE5D7A3167E33ADE82C51FD8 crc32[file]: C92CDC1B md5[file]: D79F070423FDD3F01CE8C2BA3FBBC8ED sha1[file]: 2F8ED26EB714B4EFBE5D7A3167E33ADE82C51FD8
  16. Flexi Did you try manual uninstall and reinstall? hxxp://kb.eset.com/esetkb/index?page=content&id=soln2289 (disable MalwareBytes if there is any active process during the whole process!) Tomo
  17. Flexi, Can you send a SysInternals Autoruns log? Or you can take a look at it yourself to see what is starting with Windows and spot the unwanted modules... In addition - save & clean the Application and System event logs, restart the computer and check or send those logs. Tomo
  18. Hi, Limiting web access to a list of addresses will always result in a limited response. You should first use some HTTP "sniffer" or logger to see what pages/servers the Yahoo mail app accesses and then allow them all if you want to see the normal Yahoo interface. Otherwise - there will always be *one* address that is mistakenly not allowed and the most desired icon will be exactly on that address :-) Tomo
  19. @MrWrighty Without access to logs I can not claim this, but - I *think* that an e-mail contained just a link, the customer clicked on the link which opened a web page with a Java exploit that allows download and execution of an .exe file; that exe encrypted files (could be any of dozens of perfectly legal utilities); it could also download an additional .exe which overwrote the original documents (again, this could be one of hundreds of perfectly legal tools for securely deleting files). So *I believe* there was no malware in the game at all - just a plain old application-exploit attack, which IMHO usually has a nastier payload than malware. Should other types of security software be as effective as antivirus, it would be a much prettier world :-) Maybe you could check browser history and/or logs, mail logs, etc. for further details. Upgrade Java, all browsers and applications! Tomo
  20. @nod32user Can you try to deliberately quarantine one file (eicar, for example) and then empty the quarantine? Maybe that will reset the counter... I can not reproduce the problem so I could not test this theory, but this little trick works with the Recycle Bin in Windows, maybe it would work here, too :-) Tomo
  21. @nod32user 1) Try with this: hxxp://download.eset.com/manuals/eset_eav_7_userguide_enu.pdf -> 4.5.4 Access setup "Require full administrator rights..." Tomo
  22. @igrikk Please check if the following is what you want: - add for example *net* in blocked addresses - add *internet* in allowed www.net.com should be blocked www.internet.com should be allowed I did not test with *ads* and *downloads* but it should work, too... Tomo
  23. @dst-ap There should be ESET File Security on servers. What version of Endpoint Antivirus do you have installed on the servers? Tomo
  24. I believe these files are needed: (1) check whether the @esets link is in /etc/init.d (points to /opt/eset/esets/etc/init.d/esets) (2) /root/Startup/esets_gui OR (3) I found it also in /root/my-applications/bin/esets_gui on my Puppy (esets_gui is copied from /opt/eset/esets/bin/esets_gui; a link would probably do the thing, too) I'm not 100% sure now which of (2) and (3) is *the* one. Try it :-) Tomo
  25. Hi Alarik You will have to put it in the "autostart" folder(s). I don't have links at hand for what exactly these folders are, but check Google... Tomo