Jump to content


Most Valued Members
  • Content Count

  • Joined

  • Last visited

  • Days Won


Posts posted by itman

  1. 14 minutes ago, Marcos said:

    As for home users, I'm not sure there would be enough of them who would be willing to pay an extra fee for EDTD.

    I would!

    Also the best way to provide this for the consumer market would be to offer an Eset Internet Security "Professional" version where the fee would be added to license amount. Throw in further enhancements such as global wildcard support in the HIPS to support "living off the land" attacks. Or better, build those rules in the HIPS using NoVirusThanks OSArmor rules as guide and now you have a truly "awesome" Eset product.

  2. 1 hour ago, flutterby said:

    From the earliest I can recall learning about MBAM, they have always prided themselves on being sufficiently different from other AV products that they can run alongside with no issue and to date

    This was true until version 3.0 was released.

    In prior MBAM versions, creating exceptions for MBAM in AV product and likewise creating exceptions in MBAM for AV product prevented most conflicts. Additionally with the introduction of Win 10, Microsoft "clamped down" on the use of multiple real-time solutions and only supports one active real-time solution in the Windows Security Center environment.

  3. 1 hour ago, flutterby said:

    Sounds pretty useless at this point. But in all fairness, MBAM has worked great for me for a very long time, and it's ESET that I'm struggling with and thinking that perhaps I shouldn't have purchased...

    MBAM real-time protection is substandard to that provided by Eset as shown consistently in one of the few AV lab tests it participates in: https://www.av-test.org/en/antivirus/home-windows/windows-10/april-2020/malwarebytes-premium-4.1.0-201613/ .

    MBAM does have some strong attributes such as detection of entrenched and hidden malware which are detected via off-line scan method.  

  4. 33 minutes ago, Marcos said:

    It takes some time to process the file and to delivery the result in case a detection is created for it or if the file is blocked in the LiveGrid blacklist.

    OK. "We're back on the same page again"

    Also the difference between LiveGrid and EDTD which can block execution till Eset cloud server verdict is rendered, We just need like capability made available in the client versions of Eset.

  5. 7 hours ago, Marcos said:

    The alert reads "Suspicious" detection which means the file was blocked by LiveGrid

    This is news to me. Are you stating LiveGrid actually now blocks something? Or is the blocking occurring after LiveGrid analysis has rendered a verdict?

    Also are not "Suspicious" detection's supposed to throw an Eset alert requiring user action? Or does that only apply to AML "Suspicious" detection's?

  6. 36 minutes ago, Antoine42 said:

    Is it possible that this is caused by the Xbox App installing a virtual disk driver (when using Xbox Game Pass)? I could see a new drive labeled : "msft xvdd".

    You could temporarily uninstall Game Pass and see if the Eset issue disappears. If it does, you have identified the source of the problem.

  7. 2 hours ago, Peter Randziak said:

    Hello @itman,

    the .exe itself is not malicious, it loads the .dll, which is being detected...


    Depends how you look at it. Since the .dll is embedded in the .exe, it is in reality part of the .exe.

    Also the AV detection's on this one are a bit strange. Eset was one of the few who detected the .dll. On the other hand, Kaspersky and Checkpoint, plus now others, originally detected the .exe. Note that Eset does not detect the .exe version on VirusTotal.

    Detection of .dll after .exe startup is post-execution detection. As Eset points out in its write ups on post-execution detection, it is a less desirable detection method since system modifications may have occurred prior to detection. However in this case, it is N/A since the .dll is actually not being run by the .exe.

    Finally as I understand this bypass, it is using a .Net based .dll that only runs on .Net 2.0 or 3.5. In other words, the .dll is running actually via .Net. Therefore all the .exe version is doing is the equivalent to e.g. rundll32.exe PowerShdll.dll.

    So the question remains why can't Eset detect by signature the .dll code embedded in .exe as it can for the standalone .dll? I do not beleive the code in the .exe is hidden in any way by packing, encryption, or obfuscation.

  8. 2 hours ago, Antoine42 said:

    Computer starts again and works just fine after a cold boot or a hard reset (no hang).

    Are you stating the PC hanging occurs when when booting via Win 10 Fast Startup option?

    Note with the PC previously powered off by case power button or by manually performing an in program Win restart, Fast Startup is not performed.

  9. 7 hours ago, Marcos said:

    We have tested a new cleaner module and the results are promising. Extensive scanning of WMI and registry will be probably accomplished only with the In-depth scan profile where the scan time doesn't matter.

    If anybody's willing to test it, please let me know.

    Marginal scan speed improvement with beta em005_64.dll.

    As posted previously, with existing 13.2.15 ver. em005_64.dll, the registry and WMI scan was 22 mins. With the beta em005_64.dll, scan time was 16:30 mins.

    Eset needs to implement registry and WMi scanning bypass option for default scan as I recommended and illustrated previously.

  10. 4 hours ago, deepblue2000 said:

    WindowsUpdate.log with the error:

    I really see nothing in the log pointing to failure of Win Updating due to a certificate error. Normally if there is a certificate problem there, it will be shown on the attempted connection to MS update servers as shown here: https://answers.microsoft.com/en-us/windows/forum/windows_10-update/windows-10-update-error-certificate-used-for-ssl/4c9e6867-fea3-422f-ae06-fd25d26ff5b4

    Most of the certificate errors in the above posted log relate to WebServices. And those reference an issue with the intermediate root certificate. Win will defer to Win intermediate root CA store for the certificate or download it as needed. With Eset SSL/TLS protocol filtering enabled, use of intermediate certificate is N/A and Eset's root CA store certificate is used instead.

    Is the network connection using a proxy or a VPN connection?

  11. 34 minutes ago, Marcos said:

    We have tested a new cleaner module and the results are promising. Extensive scanning of WMI and registry will be probably accomplished only with the In-depth scan profile where the scan time doesn't matter.

    If anybody's willing to test it, please let me know.

    PM it to me with instructions on how to replace existing cleaner module. I believe that has to be done in Win Safe mode as I recollect. I will rename existing module in the case I have to revert to it.

    I won't be able to test this morning but will do so early this afternoon.

  12. 10 minutes ago, r1man said:

    Also WMI crashes aren't "a big deal" if they are intermittent in nature. As noted in the Microsoft article referenced in my posting:


    After the issue occurs, you can just ignore the report about the crash in the WMI host program because the process will restart with the next request by itself.


  13. 29 minutes ago, flutterby said:

    I am aware of potential conflicts with protection s/w, but I was assured that MBAM and ESET would work together nicely before I made the purchase. Additionally, I Googled the question and found positive responses for MBAM/ESET on same computer. Have I been advised in error?

    Only if MBAM real-time protection is disabled.

    Even Microsoft advises only one real-time scanner be active at any given time on Win 10. If MalwareBytes is stating otherwise, they are wrong. Also reviewing MBAM Premium features, I see this:


    Protects you from malicious and fraudulent websites

    This would imply some type of network filtering capability that could conflict with Eset's Web Access protections.

  14. 3 hours ago, SlashRose said:

    For me the Windows Update runs error-free, which doesn't mean anything.

    Actually, there hasn't been a Win 10 Cumulative update since ver. 13.2.15 rolled out. That happens tomorrow and then we will know if versions prior to Win 10 2004 are also borked.

    So far, just checking for Win Updates works fine on win 10 1909 and Eset 13.2.15 versions.

  15. 3 hours ago, ingmarvanolffen said:

    what will it do ?

    It will delete the registry entry the malware added:


    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\admin\AppData\Local\Temp\gscmeme\gscmeme.exe.lnk" /f

    An example of what this reg key does is given in this General Bot! malware analysis:


    After decrypting the strings it show the following:
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "
    FlyFF Bot

    The registry key that the bot adds prevent the startup programs from running when restarting the computer. It can be resolved by deleting the key in registry.

    Delete the key named Load in registry located at HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
    Goto %temp%\FlyFF Bot in the file explorer and delete the shortcut and the duplicated virus.

    Do not restart your computer before you've done these fixes. Otherwise a empty messagebox will popup and once you hit ok, the virus will kick in and do a bunch of naught stuff.


  • Create New...