itman

Posts posted by itman

  1. 13 hours ago, mmatthe8667 said:

    Would we know why it's trying to contact those sites, since the exe is from the poweriso site?

    One benign reason is the software is trying to update itself. It should have an option to change/disable auto updating. Disable auto update and if the outbound connections cease, you have resolved the issue.

    If the outbound connections persist, it could be indicative of malicious or other undesirable activity.  

  2. 1 hour ago, Tatiana said:

    The Lenovo machines with which I am testing have the module turned on, and some are detected by ESET and others are not.

    Appears it boils down to what is Eset detecting when it pertains to LoJax: https://www.eset.com/us/about/newsroom/corporate-blog/what-you-need-to-know-about-lojax-the-new-stealthy-malware-from-fancy-bear/.

    In the Lenovo forum link I previously posted, Absolute, the software vendor, discusses how Computrace functions. Without its monitoring service:

    Quote

    The Computrace service is purchased as a separate option and the monitoring Server will enable its agent security module through an interface provided by the BIOS. The Computrace tracking agent can only be used in the US, UK, Canada, and Australia. Computrace(R) and Absolute(R) are registered trademarks of Absolute Software Corporation.  

    it appears the code implemented in the UEFI firmware does nothing. Assumed is the code in the firmware will only connect to Absolute's monitoring servers.

    Note that the legit version of Computrace's firmware code is named LoJack. The malicious version is named LoJax. Here's an Eset technical write up on LoJax: https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf. Bottom line - just because there are settings in a device's UEFI indicating Computrace is installed does not mean that you are infected with the LoJax malware.

  3. 31 minutes ago, mmatthe8667 said:

    www.tivatuddpnoheni.com goes to 95.211.184.67

    Appears the IPs are associated with a domain server - per Robtex:

    Quote

    The IP number is in Netherlands. It is hosted by LEASEWEB.

    That server appears to have one or more malicious domains associated with the domains it is hosting:

    Quote

    We investigated 100 host names that point to 95.211.184.67 . Example: cdneu.dadafarada.com, img.conicono.com, img.yepabonocemm.com and cdneu.appchucklegift.com. We estimate that it is used as ip number by 161 host names.

    Quote

    THREATMINER

    Threat information such as virus etc

    URI

    Last Seen URL
    2016-05-20 02:06:45 http://cdneu.dolphinmemory.com/products/PDF-Reader-v2.cis
    2016-05-07 06:04:22 http://cdneu.tokoholapisa.com/ofr/Solululadul/asgnd.cis
    2016-02-07 10:47:46 http://img.mydivcdn.com/img/CH_logo_new.png
    2016-01-22 07:47:47 http://img.sourceforgecdn.com/img/Rerarapepe/Rerarapepe_b.png

  4. 15 minutes ago, mmatthe8667 said:

    hxxp://www.tivatuddpnoheni.com/ofr/Solululadul/osutils.cis;Blocked by internal IP blacklist;E:\PowerISO\PowerISO7-x64.exe;THE-BREWERY

    hxxp://www.tivatuddpnoheni.com;Blocked by internal IP blacklist;E:\PowerISO\PowerISO7-x64.exe;THE-BREWERY

    hxxp://www.tivatuddpnoheni.com/ofr/Solululadul/icc_v5_8.cis;Blocked by internal IP blacklist;E:\PowerISO\PowerISO7-x64.exe;THE-BREWERY

    You also need to post the IP addresses associated with these alerts. It's possible a redirect is going on.

  5. 16 minutes ago, TomFace said:

    No log entry for my scheduled scan. The only log entry is from a manually requested scan via...

    OK. I just modified my scheduled scan to run today at 11:25 AM. Will report back after scan runs if it created a log entry with details provided.

    A short time ago, I received a modules update. What I now observe when modifying an existing scan run time is it doesn't start running the scan immediately when saving my changes. So it appears Eset fixed that issue.

  6. 15 minutes ago, TomFace said:

    Here's the latest: I deleted the existing scheduled task and built a new one. Still got the same result: no log entry under scans.

    I am trying "to get a grip" on what you are describing. Are you stating that you are not receiving any detail log information in ver. 12.1.31 as my below screen shot shows for my EIS installation?

    [Screenshot: Eset_Scan_Log.png]

  7. 13 hours ago, marintaxpro said:

    Every machine purchased in past 10 years has had issue & I've spent fortune on live, remote and program attempts to fix.

    What your narrative describes is akin to something out of a malware sci-fi horror movie. Are you stating that every device you have connected to your network in the last 10 years has been affected by what you posted?

  8. 15 hours ago, Marcos said:

    A task was run when it was due:

    Again, not on my Eset installation. Perhaps Eset not in sync with U.S. DST?

    [Screenshot: Eset_Scan.png]

    -EDIT- Just occurred to me the problem might only manifest with scans that existed prior to the 12.1.31 upgrade. You created a new scan to test. I will edit the Log maintenance scan and see if that eliminates the problem.

  9. 6 hours ago, Rohit said:

    but for this particular task that I am creating, I don't want to scan all files. Only executables to be scanned.

    Not possible as far as I am aware. Lowest scan level in the GUI select field is folder/directory level. However, see the below screen shot. There is an area where you can enter a specific path. You can "play" with that to determine if any wildcard capability exists; e.g. C:\SomeDirectory\*.exe.

    6 hours ago, Rohit said:

    Also, for the scheduler scan, I want to specify the folders which I want to scan. I did not find an option to do this.

    [Screenshot: Eset_Sched_Scan.png]

  10. I received a log entry for my scheduled weekly scan that ran a few hours after I upgraded to 12.1.31.

    I suspect the scan didn't run as scheduled. Hence no log entry. Did you see the scan running by visual confirmation of Eset desktop toolbar icon spinning?

    There have been issues with the scheduler in 12.1.31. You might try deleting your existing scan and recreating it. Then see if it runs as scheduled and a log entry is created.

  11. 1 hour ago, Hijin25 said:

    Excuse the insistence. It's that I'm a little paranoid about the security of my PC, and when something strange happens I get restless.

    You will have to be patient and let @Marcos get back to you with whatever issue Eset is detecting with the web site. If you immediately have to download AdwCleaner for some reason, you can do so via the bleepingcomputer.com link I posted previously.
