Posts posted by cvvorous

  1. 9 hours ago, Marcos said:

    Please provide a dump of egui_proxy.exe and ekrn.exe when the icon is constantly spinning. If you hover the mouse cursor over the icon, does it say that update or scan is in progress? Does the icon keep spinning for hours?

    OK, next time it does it, I'll also grab a dump of ekrn.exe. This link has an archive with two dumps of eguiproxy from two sessions with the icon spinning, if that's helpful on its own: https://drive.proton.me/urls/9R2X65Q1EG#sYgQHNEBmGd2

    And yeah, I tried hovering the cursor over the icon and it doesn't show any active operations, just says the product name and version. It will spin until I reboot the system.

  2. Hi,

    I saw several other threads about this issue occurring with v 16, but figured I'd make my own. Same issue as the others, on every cold boot, after the product starts and performs its start-up scan and stuff, the icon spins forever. I reinstalled 17.1.9.0, tried enabling pre-release updates, etc. Spinning usually stops at reboot (but not always). I took the liberty of generating two dumps of the proxy gui from different windows sessions and zipped them up if you're still interested in those.

    If anybody happened to figure out what causes this and can give me an idea what setting to change, please let me know!

    Thx

  3. the blog both articles refer to is really light on details beyond inferring that bad actors are using html5 redirects on mobile devices with specific criteria; my guess is that eset would protect the user from the domain a browser is redirected to. imo, the html5 "malware" referenced doesn't seem like "malware" so much as using html5 features to do sketchy stuff.

  4. 23 hours ago, mar122999 said:

    Also, why the limited support on extensions for password managers in Banking Protection? Ones I've had problems with are:

    Sticky Password
    Dashlane

    not sure whether dashlane is a typically supported pw manager (gave up on it a while ago) but it seemed like eset needs to release updated banking protection modules to keep up with supported pw mgrs; this is part of why i've given up on banking protection altogether.

  5. my client fires the same 6 requests over and over, with different values based on date/time. afaict, this telemetry hasn't changed since 2013 or so (if you search for chsquery you'll find weirdos posting stuff about ESET participating in NSA/CIA SIGINT ops, lol)

     

    POST https://ts.eset.com:443/query/chsquery.php HTTP/1.1
    Host: ts.eset.com:443
    Content-Type: multipart/form-data; boundary=------------------------3kMBisMe5ab5274
    Content-Length: 3021
    Connection: Keep-Alive
    
    --------------------------3kMBisMe5ab5274
    Content-Disposition: form-data; name="chc_pversion"
    Content-Transfer-Encoding: 8bit
    
    6
    --------------------------3kMBisMe5ab5274
    Content-Disposition: form-data; name="chc_sversion"
    Content-Transfer-Encoding: 8bit
    
    88
    --------------------------3kMBisMe5ab5274
    Content-Disposition: form-data; name="chc_gmdatetime"
    Content-Transfer-Encoding: 8bit
    
    2018-03-23 16:11:56
    --------------------------3kMBisMe5ab5274
    Content-Disposition: form-data; name="chc_datetime"
    Content-Transfer-Encoding: 8bit
    
    2018-03-23 10:11:56
    --------------------------3kMBisMe5ab5274
    Content-Disposition: form-data; name="datatype"
    Content-Transfer-Encoding: 8bit
    
    �f
    --------------------------3kMBisMe5ab5274
    Content-Disposition: form-data; name="key"
    Content-Transfer-Encoding: 8bit
    
    <redact>
    --------------------------3kMBisMe5ab5274
    Content-Disposition: form-data; name="priority"
    Content-Transfer-Encoding: 8bit
    
    �
    --------------------------3kMBisMe5ab5274
    Content-Disposition: form-data; name="hitcount"
    Content-Transfer-Encoding: 8bit
    
    �
    --------------------------3kMBisMe5ab5274
    Content-Disposition: form-data; name="firsthitdate"
    Content-Transfer-Encoding: 8bit
    
    �gT�[U�L^^ ZV[BS�G_
    --------------------------3kMBisMe5ab5274
    Content-Disposition: form-data; name="lasthitdate"
    Content-Transfer-Encoding: 8bit
    
    �gT�[U�L^^ ZV[BS�G_
    --------------------------3kMBisMe5ab5274
    Content-Disposition: form-data; name="firsthitdatedelta"
    Content-Transfer-Encoding: 8bit
    
    �fQ�O
    --------------------------3kMBisMe5ab5274
    Content-Disposition: form-data; name="attributes"
    Content-Transfer-Encoding: 8bit
    
    <redacted encoded data>
    --------------------------3kMBisMe5ab5274
    Content-Disposition: form-data; name="sessionid"
    Content-Transfer-Encoding: 8bit
    
    �gS�C]�U^
    --------------------------3kMBisMe5ab5274
    Content-Disposition: form-data; name="file"; filename="file"
    Content-Type: application/octet-stream
    
    <redact encoded data>
    --------------------------3kMBisMe5ab5274
    Content-Disposition: form-data; name="chc_valid"
    Content-Transfer-Encoding: 8bit
    
    1
    --------------------------3kMBisMe5ab5274--
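A way to triage a capture like the one above is to split the multipart body and report which fields are readable and which are opaque bytes. This is an added example, not part of the original post and not ESET code; the field names come from the capture, while the boundary string and the opaque byte values are constructed for illustration.

```python
import re

# Constructed boundary and opaque byte values; field names are from the capture above.
BOUNDARY = "------------------------ExampleBoundary0001"

def build_part(name: str, value: bytes) -> bytes:
    """Lay out one form field the way the captured request does."""
    return (b"--" + BOUNDARY.encode() + b"\r\n"
            b'Content-Disposition: form-data; name="' + name.encode() + b'"\r\n'
            b"Content-Transfer-Encoding: 8bit\r\n\r\n" + value + b"\r\n")

SAMPLE = b"".join([
    build_part("chc_pversion", b"6"),
    build_part("chc_gmdatetime", b"2018-03-23 16:11:56"),
    build_part("datatype", b"\x9af"),            # constructed opaque bytes
    build_part("sessionid", b"\x81gS\x02C]"),    # constructed opaque bytes
    build_part("chc_valid", b"1"),
]) + b"--" + BOUNDARY.encode() + b"--\r\n"

def is_text(value: bytes) -> bool:
    """True when the value is printable ASCII, i.e. readable in the capture."""
    try:
        return value.decode("ascii").isprintable()
    except UnicodeDecodeError:
        return False

def classify(body: bytes, boundary: str):
    """Return (field name, value length, 'text' | 'opaque') for each part."""
    delim = b"--" + boundary.encode("ascii")
    fields = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter reached
            break
        head, _, value = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if value.endswith(b"\r\n"):          # CRLF before the next delimiter
            value = value[:-2]
        m = re.search(rb'\bname="([^"]*)"', head)
        name = m.group(1).decode("ascii") if m else "<unnamed>"
        fields.append((name, len(value), "text" if is_text(value) else "opaque"))
    return fields

if __name__ == "__main__":
    for name, size, kind in classify(SAMPLE, BOUNDARY):
        print(f"{name:16} {size:4} bytes  {kind}")
```

Run it against the raw request bytes saved from the proxy, not against text copied from a viewer, since copying replaces the opaque bytes with replacement characters.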

     

  6. 16 hours ago, demonlight said:

    I just started getting notifications from ESET Internet Security about a week ago regarding untrusted certificates in Google Chrome. It's happening on many of the pages I frequent, Slickdeals and Facebook to name a few. Has something changed in a latest update?

    do you happen to do any host file or DNS-level ad/tracker-blocking?

  7. It looks like the current stable version of 1password's extension for Firefox (4.7.0.90) isn't functioning with BPP again. I've tried with both stable and pre-release updates enabled in EIS.

    I'd really like to use BPP, but this stuff occurring on a regular basis forces me to leave it off. I understand the concern about vetting and curating a list of approved extensions, but this is disappointing.

    Thanks

     

    Detection Engine: 16987P (20180301)
    Rapid Response module: 11690 (20180301)
    Update module: 1013 (20171116)
    Antivirus and antispyware scanner module: 1535 (20180202)
    Advanced heuristics module: 1184.1 (20171212)
    Archive support module: 1272 (20180122)
    Cleaner module: 1154 (20180222)
    Anti-Stealth support module: 1126 (20180219)
    Firewall module: 1373.1 (20180103)
    ESET SysInspector module: 1270 (20170808)
    Translation support module: 1666 (20180220)
    HIPS support module: 1312 (20180215)
    Internet protection module: 1328 (20180226)
    Web content filter module: 1058 (20170406)
    Advanced antispam module: 6972P (20180301)
    Database module: 1096 (20180202)
    Configuration module (33): 1525.11 (20171227)
    LiveGrid communication module: 1043 (20180205)
    Specialized cleaner module: 1012 (20160405)
    Banking & payment protection module: 1125 (20180228)
    Rootkit detection and cleaning module: 1019 (20170825)
    Network protection module: 1617P (20180228)
    Router vulnerability scanner module: 1045 (20180131)
    Script scanner module: 1033 (20180228)
    Connected Home Network module: 1019.1 (20180220)
    Cryptographic protocol support module: 1025 (20171106)

  8. FWIW, it wasn't an "unknown" threat - it's a PUA that's existed for a long time (July) and was stupidly bundled by the developer of that payware aircraft installer to try and catch a software pirate. That particular build of the PUA was first submitted to VT back in November, and the tool itself (Chrome password dump) has been around longer.
