
murko

Members
  • Posts

    18
Everything posted by murko

  1. Thanks for the clarification. About ver. 16.2 - I am a bit confused, as our ESET Endpoint Security shows latest ver. 10.1.2050.0.
  2. In such a case, would the firewall/IDS rules still be effective?
  3. Ha, maybe in the future. It would be really handy to have such a tool.
  4. Most probably. Btw, is there some kind of scan option in Eset Endpoint which could find all files containing such malware, based on some kind of fingerprint? (layman speaking)
  5. Already checked, nothing there. Also scanned all drives for such files/folders, nothing except what was mentioned before.
  6. Nice summary. As a preventive measure, it's good to block that conhost.exe, but it doesn't solve the root of the issue - where does it come from/what exactly causes it/how to detect it beforehand, imho.
  7. After removing the task schedule entries + WindowsMalwareProtection folder, it seems it's finally resolved, at least for now - almost 45min without issue.
  8. C:\Program Files\WindowsMalwareProtection : WindowsMalwareProtection.rar
  9. This is for systemreset: For MicrosoftMalwareProtection there is nothing, the only remotely similar one is: WindowsMalwareProtection
  10. Well, the joy was only temporary. After around 13min, the issue is back. Also see the attached screen; apart from explorer.exe, cmd.exe is also being listed.
  11. Hi, what would you need from the Autoruns?
  12. Hi, seems it fixed the issue, so far no connection attempts to that IP.
  13. Hi, I don't have that regedit entry anymore (I ran MalwareBytes in the meanwhile, there were some entries which were deleted, can't remember now). In attachment is the req file. systemreset.rar EDIT: MalwareBytes log: mb-results.txt EDIT2: It does not make any difference, the issue still persists.
  14. ees_logs-02102023-threatdetection.zip
  15. Hi, I have exactly the same issue. Attached screen + logs (per instruction in the eset log collector). ees_logs-02102023.zip
  16. Hi, thanks for the reply. As for the kernel dump, I'll send it when I do the next installation/testing of EFS - also, which one do you need? Complete or small dump? Btw, do you have some ETA for when that mentioned issue would be resolved? Thanks.
  17. UPDATE: I spent more hours tinkering with ESF and WS2016 network/firewall/policies settings, without any success. So, I uninstalled ESF and everything is working silky smooth as before. This experience with ESF is very sad tbh, as the only reason to buy ESF for our server was that we were highly satisfied with Eset Smart Security / Internet Security.
  18. Hello, we recently installed, for the very first time, the latest EFS on our WS2016 server (simple domain server with AD services, DNS, RRaS VPN ... ) and it resulted in a completely blocked network on the server side:
      - local clients can't connect to shared drives nor authenticate on logon to the domain
      - on the server, any attempt to test the internet connection, or to ping even local client machines, fails
      - strangely enough, EFS is happily reporting that it successfully blocked a possible RDP attack from outside (dozens of public IP addresses)
      - the network utility in EFS reports blocking live IP addresses trying to connect via svchost.exe in RDP/Host role
      - none of the blocked IP addresses in ESF are from our local IP addresses
      - completely disabling ESF won't change anything
      - completely disabling ESF and also Windows Firewall won't change anything
      - with or without an exception in IDS for our local IP range ( starting IP/255.255.255.0 ) nothing changes
      - every test was made with a complete server reboot
     At this point, I'm really clueless as to what is causing such behaviour. I am completely sure that the problem is caused by EFS, since before EFS, the server was happily working for years without any hiccup. The only thing I am probably left with is to uninstall EFS, but that is not a solution for a paying customer, right? (/sarcasm off). So, at least any meaningful help would be nice to have. Thanks.