
itman

Most Valued Members
  • Posts: 12,207
  • Days Won: 321
Everything posted by itman

  1. I was also going to recommend the Eset Network wizard to create the rule. I suspect something is wrong with his existing firewall rules. If I recollect, Eset firewall Interactive mode adds a "global" block? rule for outbound connections at the bottom of the existing rules set. I have had issues with that rule in prior Interactive mode use. I believe I had to change that rule to "ask" to receive alerts. Also, I had to always ensure the rule was at the end of the existing rule set. -EDIT- I also noticed Adobe Reader on Win 10 1809 for example is now dynamically creating Win firewall rules each time a .pdf is accessed. Only God knows why they are doing such nonsense. This app is also Adobe based and might also be doing such nonsense.
  2. Perhaps they have disabled TLS 1.0 in IE11? Maybe something to do with their Group Policy settings? I use IE11 as my primary browser and have never experienced any profound performance issues with Eset installed.
  3. Title of his post indicates he's using it in Interactive mode. So that's my assumption at present.
  4. The firewall is obsolete and hasn't been supported since mid-2013. You're better advised to stick with the Win 7 firewall. If you want something to monitor outbound connections, check out the third party Win 7 firewall extensions such as Windows Firewall Control: https://www.binisoft.org/wfc.php or the like. Better yet, update to Win 10 with a better built-in firewall since Win 7 end-of-life is next year. Or even more advisable, just upgrade to Eset Internet Security which also provides IDS protection.
  5. I just checked my Win 10 1809 Warning Event log entries and no such entries exist. Also those log entries are user profile related. Are you logged on under default limited admin account or a standard user account? What is your OS version?
  6. Are you getting Eset alerts for other apps that request outbound access for which no existing firewall rule exists?
  7. Normally, you would not have to add exclusions for a basic third party firewall in NOD32. You only need to add exclusions when another security product that performs realtime scanning is employed. Which BTW is not recommended. Are you referring to Comodo perhaps?
  8. Appears MSIL/Bladabindi starts up at boot time via registry run key or one of startup directories.
  9. I reset the security report. Will check my e-mail tomorrow and see if this corrected the issue.
  10. So is everything now straightened out password wise?
  11. Ah, yes. I didn't expand the screen shot enough; Adobe Flash Player.exe? I believe the legit version is Flash Player.exe. Does not an AMS based log entry show the executable path information?
  12. After opening my e-mail client, Thunderbird, I decided to check recently scanned e-mail counts in the security report. It only showed a count of 10 which appear to be the e-mails I physically opened and read versus the dozens of unread e-mails that were actually downloaded. I hope that this is just a bug in the security report and not that Eset is no longer scanning all e-mails upon download as was the case in prior versions?
  13. Since the infection is related to Flashplayer, make sure your OS is fully patched in regards to Win 10 if you are running that version. If you are using Win 7, make sure the stand alone ver. of Flashplayer has had all its outstanding updates applied.
  14. As @Marcos previously requested, you need to access Eset's Detection log and find the recent entry associated with this malware detection. You then need to post what is shown there in English. To accomplish this, right click on the log entry and select "Copy." Open your browser and enter this URL: https://translate.google.com/ . Make sure English is selected in the "Translation" section. Paste what you previously copied into the "Detect Language" section. After the translation section is complete, copy what is shown there in English to your forum posting.
  15. In my 1809 upgrade failures, it wasn't Eset that was the culprit but having 1803 Virtualization enabled. Disabling that feature in the BIOS allowed the 1809 upgrade to proceed w/o issue. There have been numerous issues related to the 1809 upgrade. I have had Eset installed in every Win 10 Feature upgrade to date w/o issue.
  16. Open the Eset GUI. Using Advanced Setup, click on "Web and Email." Click on "Email client protection." Refer to the below screen shot. Uncheck "Enable email protection by client plug-ins." Save your changes. This should eliminate the Eset add-on for Outlook. Note doing this will reduce Eset's e-mail protection and e-mail will only be scanned upon arrival.
  17. Again, most of us don't know Hebrew. So you will need to post; i.e. type in your reply, what the alert states in English.
  18. You need to post in English what is shown in the Eset alert. This forum is for English language speakers.
  19. Per the Process Explorer screen shot you posted. Click on the Explore tab next to the PowerShell AutoStart Location. Does it point to the WMI consumer event? If not, delete it from wherever it is located at. If that doesn't stop the activity, then do the following. For the time being and assuming you don't use Powershell for anything, just create a HIPS user rule to block startup of C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe. -EDIT- Also create an Eset firewall rule to block any outbound communication from C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.
  20. Run Autoruns.exe as Admin. Right click on the SCM Win Event. Select - "Delete." This should remove the entry. BTW - you sure this is not a legit WMI consumer event? Appears to me it has something to do with possibly harvesting Event Log data. Using PowerShell to do this in Enterprise environments is quite common.
  21. Eset staff, @JamesR , wrote the code. He only infrequently visits the forum. You should PM him about your issue for a faster response.
  22. This is usually indicative of a coin miner. You can also try SysInternals Autoruns: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns. Download and unzip the folder; no installation required. Click on the WMI tab and see if anything is shown.
  23. Unfortunately, no decrypter currently exists for the 5.2 version as far as I am aware of.