rugk

Most Valued Members
  • Posts: 1,716
  • Days Won: 54

Everything posted by rugk

  1. So the German ESET department tweeted about this. Basically they confirm that the SSL vulnerability is fixed now. Analysed version: 3.2.4. Fixed version: 3.2.60 (published in March 2016).
  2. So what was actually deactivated? The mobile or the PC parental control? In case it is the latter you should have posted this in the appropriate section (ESS I think); because this is the mobile section. But probably a moderator can move it around.
  3. Yes, ESET does. At least the Deep scan mode always also scans the SD card.
  4. Windows phone is a closed platform. This means you cannot install apps from third-parties and all apps in the Windows store are scanned by Microsoft. So you should be quite secure. iOS uses the same approach and there are only few known malware samples for iOS. This is also one reason for ESET not to develop a security product for these platforms - it would not make much sense.
  5. The Fraunhofer Institute for Secure Information Technology (SIT) published a research paper where they explain many different vulnerabilities they found in mobile security/antivirus software. They found vulnerabilities in products from Kaspersky, ESET, Avira, McAfee and Clean Master Security. Most vulnerabilities are already fixed in the latest version of the products. So of course we focus on ESET here... So they found two vulnerabilities: failed SSL/TLS verification and a broken encryption. Looking at the details in the PDF is interesting. They overwrote Android's default SSL verification, which means anyone can easily intercept SSL-secured traffic: This is a widespread issue among Android app developers, but I thought at least ESET would get it right... And then we have the license username/passwords. Basically this is more or less an old issue and we had (and AFAIK still have) it in desktop products of ESET too. To summarize the linked topic: The username/password were sent in plain text, only Base64-encoded (Base64 is easily reversible and provides no security). So in EMS they changed this a bit: At first they seem to use SSL/TLS now. But as said before, it was implemented incorrectly and therefore did not provide any protection. But they implemented an "encryption" for the username/passwords. So what does the Fraunhofer Institute SIT say about this encryption? So about the last sentence one fact has to be added: ESET's license passwords and usernames are generated automatically and users cannot use a longer password even if they would like to do so. But generally this "encryption" is useless anyway, because So IMHO the SSL/TLS flaw is much more serious than the second encryption flaw as username/passwords of ESET licenses can "only" be used to hijack this license and e.g. register additional devices using the license of the victim.
However the TLS issue is really a basic flaw and I strongly suppose it also affects the username/passwords of ESET Anti-Theft e.g. when you connected your Android device with it. Also when anti-theft is triggered users' photos, location and more things are uploaded - using an SSL/TLS connection. If that's not secured it can easily be intercepted. So there are still some open questions: Are these vulnerabilities already fixed in EMS? If so what is the latest (VSD or product) version affected by these issues? When the SSL/TLS verification is properly done, I highly suggest another thing: You should really implement key pinning to protect the SSL/TLS connection. Is this "encryption"-approach of ESET license username/passwords also done in other ESET products? If so is it already fixed/replaced by a proper SSL/TLS connection there? BTW: It is also interesting to read through the whole PDF and look at the flaws of other security products. There are SSL/TLS flaws, XSS scripting and remote code execution vulnerabilities.
  6. If you already have installed ESS you don't need to do anything. This vulnerability only affects the installer. However as for your question about how to uninstall an ESET product completely you can use the manual uninstaller. But again: As I said this is not necessary here. BTW: If you want to be secure when installing an ESET program a much more important recommendation would be to look at the UAC prompt (= the message which pops up to ask you for administrative rights) and verify that the downloaded file is signed by ESET. You can see this at the "Verified publisher" name: In contrast to this faked (and potentially malicious) installer: If you see such a faked thing when trying to install a software by ESET, stop the process (click on "No") and report this issue e.g. in the ESET forum with a description of what file you've downloaded and if you can attach the file.
  7. Well, ESET said all installers are already fixed and I also don't know whether the offline installers were affected at all. But in a more general way (which also applies for other installers) this answer is a bit longer: If there are really no files theoretically yes. However there may be hidden files or something like this, so the only way to be certain is creating an empty new folder, moving the file inside of it and running it from there.
  8. Nice. I also did not know of your vulnerability report guide.
  9. Yes, it may be not that easy to exploit, but it is certainly possible. And according to his "Proof of concept" you do not need a specially crafted DLL in this case. It is a generic DLL. Tricking the user into downloading a DLL is another thing, but it is certainly possible too. Just imagine how many files may reside in some users' download folder. Here is more information about this. But do not take this too easy. Oracle, which had these issues in their installers too, seems to have taken it quite seriously: And the thing to note is that it can be fixed. So I would at least expect a fix with the next installer release. And I also would have expected that ESET at least replies to the researcher in some way... So what is ESET going to do about this?
  10. Why is that? Previously you just had to confirm your mail. Or is the mail verification still broken?
  11. A security researcher recently discovered vulnerabilities in many software installers including Java, WinRAR, Python, Panda Security, TrueCrypt/VeraCrypt, Emsisoft, Trend Micro, Avast, McAfee and more. ESET is also a part of the list. Basically the vulnerability is an issue with DLL files, which are automatically loaded by the installer (which is usually executed from the downloads folder). If wrongly implemented these files are loaded from the current folder, which is the download folder. As most installers request admin rights this is a privilege escalation, because some untrusted DLL files are loaded and executed with admin rights. If an attacker can convince a user to download some badly crafted DLL files and later an installer with such a vulnerability is executed by the user, the DLL is loaded and malicious code may be executed. A way to prevent such attacks is to copy all installers into an empty directory before executing or to make sure there are no rogue DLL files in the Download folder. So why I am posting this is not only because of the general suggestion, which is a good thing to know, but also because of the Timeline included in the error report for ESET: So according to this ESET has not yet replied or released a fix in the installer. Can someone of the mods comment on this and possibly say whether the installers are still vulnerable and when this will be fixed?
  12. This is certainly related to the SSL scanning of ESET. Usually revoked certificates should be denied. You may also check this setting and choose "Block communication that uses the certificate" for invalid or corrupt certificates. AFAIK revoked certificates should also be part of this.
  13. I assume you mean virusradar. There Iran is displayed in grey, which means that there is "no data" as the tooltip shows. And it is easy to find out why: ESET does not and is not allowed to sell their software to Iran. So as there are no (official) users ESET cannot receive any data. I don't want to ask how you got your ESET version, but at least you did not get it from an official ESET reseller unless you bought it from a foreign country.
  14. This only happens when going to forum.eset.com and no other HTTPS site? And it only happens with SSL scanning enabled? In the ESET SSL scanning dialog can you please click on the certificate and post a screenshot here? Please also click in the Firefox message on "Add Exception..." and click on "Show..." (or similar) to display the certificate. Please make a screenshot of this too. In both cases you can also find an "export" button somewhere (e.g. in the details tab), so you can save the cert and attach it here too (or link to it as I think the file extension is not allowed).
  15. Yes you can't get updates any more. The program itself will still work, but obviously without updates you do not have sufficient malware protection, because also the scan modules (and not only VSD updates) are affected.
  16. I would just test it in a VM, so you'll see whether it works. Also looking in this forum part may help. There are also a few support articles for Ubuntu e.g.: hxxp://support.eset.com/search/?search=ubuntu
  17. Technically it does of course not matter, because you set up the whole OS, but I think I know what you're asking: Whether this is a license issue. And AFAIK it is not. Even a dual-boot version would be okay - the only thing you must not do is running too many (= more than included in your license) versions of ESS simultaneously. That said it obviously does not hurt to uninstall the Windows versions before. It does only accept the old license details (username/password), because the Linux version is quite old. Also note that there is no ESS for Linux, but only NOD32.
  18. Alternatively you can also restart the GUI of ESET (egui.exe) with admin rights, but usually this should only be done for debugging purposes. In any case you should close the egui.exe again after you did everything you wanted to do and restart it in a normal way. Here you can see video instructions: https://vimeo.com/120283413
  19. BTW I have to praise you for reconfiguring HTTPS at forum.eset.com. Now it got scored much better than the last time: https://www.ssllabs.com/ssltest/analyze.html?d=forum.eset.com You finally get A-. (Previously it was C if I remember correctly and this was a really out-of-date config) But you can still improve your config... As far as I see the cipher suite (especially the order) might be optimized and if you also apply the HSTS header you can also get an A+ from SSLLabs.
  20. Actually you can access it through a desktop shortcut created when installing v9 or - in case you deleted it or it was not created - you can add it back by adding this shortcut: "%programfiles%\ESET\ESET Smart Security\ecmd.exe" /startprotectedbrowser Depending on your installation path you may have to adjust this value.
  21. But you do it like that. I've seen it on some sites which do so. Additionally why do you ask if you don't use it? What would have been your answer if he had said "Yes"? That everything is alright? IMO this was implied by this question.
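
The mitigation described in the installer posts above (check the download folder for stray DLL files, including hidden ones, or copy the installer into an empty folder before running it), as an added example that is not part of the original posts or of any ESET code. The function names, the `.dll`-only extension set and the sample file names are assumptions made for this illustration.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Assumption for this example: only .dll files are treated as loadable;
# extend the set if your environment needs more.
LOADABLE_EXTENSIONS = {".dll"}


def find_loadable_neighbours(installer: Path) -> list[str]:
    """Return the names of loadable files sitting beside the installer.

    os.scandir also lists entries with the hidden attribute set, so files
    that the file manager does not show are still reported.
    """
    hits = []
    with os.scandir(installer.parent) as entries:
        for entry in entries:
            if not entry.is_file():
                continue
            if Path(entry.name).suffix.lower() in LOADABLE_EXTENSIONS:
                hits.append(entry.name)
    return sorted(hits)


def stage_installer(installer: Path) -> Path:
    """Copy the installer into a newly created, empty directory.

    Returns the path of the copy, which is the file to execute.
    """
    staging_dir = Path(tempfile.mkdtemp(prefix="installer-staging-"))
    staged = staging_dir / installer.name
    shutil.copy2(installer, staged)
    # Confirm the installer is the only entry before anyone executes it.
    if os.listdir(staging_dir) != [installer.name]:
        raise RuntimeError(f"unexpected files in {staging_dir}")
    return staged


if __name__ == "__main__":
    # Constructed demo: a stand-in downloads folder with one stray DLL.
    downloads = Path(tempfile.mkdtemp(prefix="downloads-demo-"))
    (downloads / "setup_demo.exe").write_bytes(b"constructed placeholder")
    (downloads / "VERSION.DLL").write_bytes(b"constructed placeholder")
    installer = downloads / "setup_demo.exe"
    print("DLLs beside installer:", find_loadable_neighbours(installer))
    print("Run from:", stage_installer(installer))
```

A non-empty result from `find_loadable_neighbours` is a reason to inspect those files before running anything from that folder; staging the installer sidesteps the question for that one run.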