Everything posted by itman

  1. Have you properly configured your router? Standard procedure for game use is that a port has to be opened on the WAN side of the router to allow access to your server. This is commonly referred to as a "pinhole." Many routers have preset settings for commonly used games that can be deployed. Check with the game manufacturer. Many have guidelines on how to configure the router for its game use. Note also that opening any port on the router border edge is considered a security vulnerability.
  2. Refer to the screen shot you posted. A Start Mode of Minimal will only allow notifications to be displayed. Appears the Manual setting is what you desire: https://download.eset.com/com/eset/apps/business/ees/windows/latest/eset_ees_7_userguide_enu.pdf
  3. A few other details on what the specific issue is in regards to Eset issues with UPnP. To begin, I use the Public profile. There are no issues with UPnP when I cold boot or restart the PC. No Network Wizard detections about blocked UPnP traffic. Since the Public profile is in use, Eset appears to silently block any incoming UPnP or something on this order. The issues with UPnP manifest when return from Win 10 sleep mode occurs. The Eset firewall goes spastic at this point, which is the best way to describe it. I get constant incoming UPnP blocks from the other Ethernet devices on my network. I don't know if the issue is Win 10 or Eset. In any case, the firewall should have the capability to follow users' block rules w/o constant Network Wizard recording of this blocked activity.
  4. Sorry but I don't buy this. The user should always have absolute control. Is there any way to disable Network Wizard?
  5. To begin, I like that the Network Wizard alerts of blocked activity. What I do not like is when I create a specific firewall rule to block that activity and the Network Wizard keeps alerting me of the same blocked activity. My opinion is if a user rule exists to block something that rule should override any Network Wizard detection of the same activity. For example if I create a rule to block inbound port 1900 UPnP activity after Network Wizard initial detection, I should not have the Network Wizard recording that this blocked rule has been triggered. It is my understanding that the Network Wizard only triggers when no existing firewall rule exists? -EDIT- Maybe this is the problem. I changed a previous Network Wizard allow created rule from block status. Is it possible the Network Wizard knows what rules it has created and will always monitor those regardless of block/allow status?
  6. I have had constant issues with Eset blocking UPnP traffic from other Ethernet connected devices on my network when using the Public profile on the device where Eset is installed. Only solution I have found is to disable the Win SSDP service.
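The workaround in the post above (disabling the Windows SSDP service) as an added PowerShell example; this is not code from the original posts or from ESET. It assumes an elevated prompt on Windows 10 and the built-in service names SSDPSRV (SSDP Discovery) and upnphost (UPnP Device Host, which depends on SSDPSRV), then verifies that nothing is left bound to UDP 1900, the port the posts identify as the source of the blocked traffic.

```powershell
# Added example, not from the original posts or from ESET.
# Disable SSDP/UPnP discovery on a Windows 10 host and confirm that no process
# is still listening on UDP 1900. Run from an elevated PowerShell prompt.
#   SSDPSRV  = SSDP Discovery
#   upnphost = UPnP Device Host (depends on SSDPSRV, so it is stopped first)

function Disable-SsdpDiscovery {
    [CmdletBinding()]
    param()

    foreach ($name in 'upnphost', 'SSDPSRV') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            Write-Warning "Service $name not found on this host"
            continue
        }
        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name $name -Force
        }
        # Disabled (not Manual): otherwise network discovery can start it again.
        Set-Service -Name $name -StartupType Disabled
        Write-Verbose "$name stopped and disabled"
    }
}

function Get-SsdpListeners {
    # Report every endpoint still bound to the SSDP port, with its owning process.
    Get-NetUDPEndpoint -LocalPort 1900 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                ProcessId    = $_.OwningProcess
                ProcessName  = if ($proc) { $proc.ProcessName } else { '?' }
            }
        }
}

Disable-SsdpDiscovery -Verbose
$left = @(Get-SsdpListeners)
if ($left.Count -eq 0) {
    'No process is listening on UDP 1900; SSDP discovery is off.'
} else {
    'Still listening on UDP 1900 (third-party UPnP software?):'
    $left | Format-Table -AutoSize
}
```

Disabling SSDPSRV also stops Windows from discovering UPnP media devices and printers on the LAN, which is the trade-off the post accepts. The listener check is there because third-party software (media servers, some game launchers) binds UDP 1900 on its own and is unaffected by the service change.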
  7. Way back in 2017 it was shown to be unsafe: https://www.pcworld.com/article/3173791/stop-using-sha1-it-s-now-completely-unsafe.html It was officially deprecated as an Internet encryption standard last May: https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html
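A practical follow-up to the SHA-1 deprecation mentioned above, as an added example that is not part of the original post: inventory the certificates in the local Windows stores whose signature algorithm is SHA-1, so they can be replaced before TLS clients that have dropped SHA-1 reject them. The store paths are an assumption; the OIDs are the standard ones for SHA-1 signatures with RSA, ECDSA and DSA keys.

```powershell
# Added example, not from the original posts or from ESET.
# List certificates in the local Windows stores that are signed with SHA-1.
# Read-only. LocalMachine stores list fully only from an elevated prompt.

# Signature-algorithm OIDs meaning "SHA-1 with <key type>". Matched by OID so the
# check does not depend on the localized FriendlyName.
$Sha1SignatureOids = @(
    '1.2.840.113549.1.1.5',   # sha1WithRSAEncryption
    '1.2.840.10045.4.1',      # ecdsa-with-SHA1
    '1.2.840.10040.4.3'       # dsa-with-sha1
)

function Get-Sha1SignedCertificates {
    param(
        # Assumed set of stores worth checking; adjust for your host.
        [string[]]$StorePath = @(
            'Cert:\LocalMachine\My',
            'Cert:\LocalMachine\CA',
            'Cert:\LocalMachine\Root',
            'Cert:\CurrentUser\My'
        )
    )
    foreach ($path in $StorePath) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $Sha1SignatureOids -contains $_.SignatureAlgorithm.Value } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    NotAfter   = $_.NotAfter
                    Algorithm  = $_.SignatureAlgorithm.FriendlyName
                    Thumbprint = $_.Thumbprint
                    # A self-signed root's own signature is never verified by a
                    # client (the root is trusted by fiat), so SHA-1 there is
                    # noise; SHA-1 on a leaf or intermediate is the real finding.
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                }
            }
    }
}

Get-Sha1SignedCertificates |
    Sort-Object SelfSigned, NotAfter |
    Format-Table Store, Subject, Algorithm, NotAfter, SelfSigned -AutoSize
```

Rows with SelfSigned = False are the ones to act on: a SHA-1 leaf or intermediate certificate is exactly what deprecating clients will refuse. Self-signed SHA-1 roots can stay until their vendor replaces them, since their signature is never checked during chain building.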
  8. If you exclude the entire directory, any malware and the like resident there will also be excluded from detection. One should always choose the least permissive solution when it comes to security exclusions. Therefore, the performance exclusion for utorrent.exe is the best solution.
  9. Actually these use a Windows "living off the land" trusted executable to perform hidden privilege escalation. This ransomware variant to date has been delivered via e-mail archived attachment. So macro use is a definite possibility. As far as I am concerned, anyone that has not by now permanently disabled Office macros deserves to get nailed by malware.
  10. One possibility is that Eset's default scans are not running as they should be. As shown by the below Scheduler screen shot, these scans should only run for a very short duration:
  11. Ekrn.exe is constantly running. Also high ekrn.exe CPU usage does not mean absolutely that this usage is scan related.
  12. Note that to drop an .exe to C:\ in Win 10, you need full admin privileges. So either a UAC bypass was deployed or user is tricked into manually elevating.
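The point in the post above can be checked directly. The following is an added example, not code from the original post or from ESET: it reads the ACL on C:\ and then attempts to create a file and a folder there. On a default Windows 10 install, Authenticated Users hold "create folders / append data" but not "create files / write data" on the root itself, so a non-elevated process can make a folder in C:\ but not drop a file such as an .exe. The temporary file and folder names are arbitrary and are removed again.

```powershell
# Added example, not from the original posts or from ESET.
# Show why a standard user cannot drop an .exe directly into C:\ on Windows 10.
# Run from a NON-elevated prompt to see the denial; from an elevated prompt both
# creations succeed.

function Get-RootCreateRights {
    param([string]$Path = 'C:\')
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        # FileSystemRights is an Int32 bit mask. Generic rights (GENERIC_ALL
        # 0x10000000, GENERIC_WRITE 0x40000000) appear as large raw values and
        # imply file creation, so they are tested separately.
        $raw     = [int]$ace.FileSystemRights
        $generic = ($raw -band 0x50000000) -ne 0
        $createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
        $createDirs  = [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories
        [pscustomobject]@{
            Identity          = $ace.IdentityReference.Value
            Type              = $ace.AccessControlType
            # InheritOnly ACEs apply to children of C:\, not to C:\ itself.
            AppliesToRoot     = ($ace.PropagationFlags -band
                                 [System.Security.AccessControl.PropagationFlags]::InheritOnly) -eq 0
            CreateFiles       = $generic -or (($raw -band $createFiles) -ne 0)
            CreateDirectories = $generic -or (($raw -band $createDirs) -ne 0)
        }
    }
}

function Test-RootDrop {
    param([string]$Path = 'C:\')
    $stamp = [guid]::NewGuid().ToString('N')
    $targets = @(
        @{ Name = 'File';      Target = (Join-Path $Path "drop-test-$stamp.exe"); Type = 'File' }
        @{ Name = 'Directory'; Target = (Join-Path $Path "drop-test-$stamp");     Type = 'Directory' }
    )
    $result = [ordered]@{}
    foreach ($t in $targets) {
        try {
            New-Item -Path $t.Target -ItemType $t.Type -ErrorAction Stop | Out-Null
            $result[$t.Name] = 'created'
            Remove-Item -Path $t.Target -Force -ErrorAction SilentlyContinue
        } catch [System.UnauthorizedAccessException] {
            $result[$t.Name] = 'access denied'
        } catch {
            $result[$t.Name] = "error: $($_.Exception.Message)"
        }
    }
    [pscustomobject]$result
}

'ACEs that apply to the root directory itself:'
Get-RootCreateRights | Where-Object AppliesToRoot | Format-Table -AutoSize
'Attempting to create a file and a folder in C:\ as the current user:'
Test-RootDrop
```

The practical consequence for the post's scenario: malware running as a standard user can stage itself in a new folder under C:\ (or in the user profile), but writing an .exe into the root itself needs the elevation the post describes, whether obtained through a UAC bypass or a consent prompt the user clicked through.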
  13. Looks like someone is trying to impersonate equi.exe. Detailed analysis here: https://www.hybrid-analysis.com/sample/5d178be58d8588c9b7460343f6c8a6fa8d0fd554df6450ab0beec905052371a0?environmentId=100 Interesting that Eset doesn't detect it.
  14. If Eset is running a scan of any type, you will see the Eset desktop icon animated. If you hover your mouse pointer over the icon, it will show a popup of what scan is running. If the Eset desktop icon is not animated, the ekrn.exe activity you are observing is not related to scan activity.
  15. The malware code comment can be interpreted two ways. The first is as commented upon in this thread. That is the malware author has issues with bypassing Eset's protections. The second interpretation is the opposite. The malware author has no issues bypassing Eset. Without clarification from the malware author, it is impossible to determine what he meant by the code comment.
  16. The only thing I can think of is Smart Optimization has been disabled under real-time scanning options. Refer to the below screen shot and verify that it is check marked; i.e. enabled. This setting causes Eset to bypass process startup and file scanning of processes/files previously scanned and deemed safe.
  17. To begin, you originally posted: We assume you are referring to a manually created scheduled scan. There is no option there to control cleaning other than the option not to clean, per the above posted screen shot. A manual scan initiated via the Eset GUI "Computer Scan" option likewise has no options. What I believe you are referring to is the "Malware scans" settings accessed via the Advanced Settings option. Those configuration options only apply to the scans specifically referenced in that section as far as the cleaning option is concerned. Again, as posted in the above screen shot, you must specifically select the No cleaning option for scheduled or on-demand scanning.
  18. No. The ThreatSense settings apply to real-time scan behavior. Do as @Marcos posted previously and you will have no cleaning issues with your manually created scheduled scan.
  19. Verify that Eset firewall mode is set to default Automatic setting. Also check Eset Network log for any entries. These might shed some light on what is going on.
  20. I will also add that there is a locked screen RDP bypass vulnerability affecting Win 10 1803+ versions plus Server 2019 that has never been patched as far as I am aware of. You can read what this vulnerability is and recommended mitigations for it here: https://www.kb.cert.org/vuls/id/576688/
  21. This recent article related to this specific STOP ransomware variant might be informative: https://malwaretips.com/blogs/remove-mbed/ Of note:
  22. You might also want to read this thread on how STOP ransomware is distributed: https://forum.eset.com/topic/20926-for-individual-users-this-is-one-ransomware-you-should-pay-attention-to/?tab=comments#comment-101795
  23. Never saw that error before. If it appears again, click on "More information" and post a screen shot of what is displayed. Appears to me you may have pressed the OK button multiple times without realizing it or something on that order.