itman
Most Valued Members
Posts: 12,207 | Days Won: 321

Everything posted by itman

  1. I am "dying of anticipation." Has "block at first sight" LiveGrid cloud scanning been added?
  2. As far as this goes: All I could find is questionable references to it being something RDP-related used in DoS attacks.
  3. File exists on my Win 10 1809 build and just performed an Eset Context scan on it and it came up clean. Eset detection appears to relate to ransomware origins. Definitely a strange location for malware to be located in that I would think that Win directory can only be accessed via some type of Win Update installation. Submit file to Virus Total for a scan and see what is detected.
  4. Try setting the Scan action to "Ignore" in the Eset Edit certificate screen.
  5. Another example of your predisposition for making a "mountain out of a molehill." Marcos's prior posting: I assume he was referring to the AV labs who test for this: https://www.eset.com/int/about/newsroom/press-releases/announcements/eset-validated-in-third-party-performance-tests-takes-gold/
  6. A few solutions per the below linked article: https://www.lifewire.com/43-errors-explained-2619238
  7. It should also be noted that ransomware developers, in an apparent attempt to maximize their monetary returns, are indeed sending e-mails, as noted in this recent article: https://www.bleepingcomputer.com/news/security/ransomware-pretends-to-be-proton-security-team-securing-data-from-hackers/ . It appears the attacker has gained enough information to know the target's e-mail/VPN provider in these cases. These e-mails are just an attempt to extort more money from the victim. Assume that after a response with the payment forwarded, the attacker will demand additional money to provide a decryption key. Or, as has been previously documented, no decryption key. Bottom line - if your files have not been encrypted, any e-mail received in this regard is a scam. If your files have been encrypted, do not forward any money in response to one of these e-mails.
  8. This site doesn't use an EV certificate which I believe is the issue. It will have to be added manually to BP&P to open automatically to BP&P from a normal browser session.
  9. References to Eset's malware detection performance keep popping up in the forum in the form of YouTube video tests. I came across an article on the AV-Comparatives web site that pretty much "nails it" in that these videos should be taken "with a grain of salt." AV-Comparatives was also generous in this article by not referring to what I have seen done in some of them: editing the video to delete segments where the poster purposely modified the malware sample to avoid initial detection by whatever product they were testing. Anyway, the article is "worth a read." https://www.av-comparatives.org/spotlight-on-security-why-do-av-products-score-so-highly-in-professional-tests/#more-26676
  10. You need to purchase an Eset license and install Eset to protect you from being attacked by ransomware and having your files encrypted. Installing Eset after your files are encrypted is of little use in this regard since it can't in itself, decrypt your files.
  11. Are you saying that with anz.com set to secure browser mode, the site will not open in BPP mode? Now that is strange. What I would try is deleting anz.com from Protected websites. Now see if it will open automatically in BPP mode from any browser. It did so for me in IE11 as shown previously. Also pay attention to the options shown in the BPP browser screen. The default setting is to remember your selection to always open the site in BPP mode. I just tested this using the default value of remember, and Eset did subsequently open anz.com in BPP mode from IE11. Also make sure you don't have multiple entries for anz.com listed under Protected websites with conflicting browser modes set. BTW - it appears what caused all this is Eset does not have anz.com added to its built-in whitelist of banking web sites. What I am surprised about is that Eset even prompted for the BPP mode option on first access to the web site. In the past it would just open a bank site in normal browser mode in this situation.
  12. There is another remote possibility why this is occurring since you stated the following: Open the Eset GUI. Select -> Setup -> Internet Protection. Click on the gear symbol for Web Access Protection. Refer to the below screen shot for navigation and verify that anz.com in any form is not listed in the website column with normal browser selected.
  13. Have you tried opening up Eset BP&P manually using its desktop icon and entering https://www.anz.com ?
  14. I am located in the U.S. - Midwest and having no problems with updates on EIS v12.0.31.0. Last update was at 11:26 AM to sig. ver. 18951.
  15. https://documents.trendmicro.com/assets/rpt/rpt-unraveling-the-tangle-of-old-and-new-threats.pdf Noted in the 2018 malware incident report is 80% of detected malware arrives via e-mail. As such, that is where one's security protection concerns need to be directed. Also patch, patch, and patch some more.
  16. Like @Marcos demonstrated, I am posting a screen shot below taken from IE11 using BP&P. Did you reboot your PC after installing Eset IS? -EDIT- Also if you have Win 10 installed and "Fast startup" enabled, manually restart your PC.
  17. Here's an article on the three primary types: IP, ARP, and DNS: https://www.veracode.com/security/spoofing-attack . Eset's IDS packet inspection feature will detect a number of these attacks; primarily IP(DoS) and ARP. Some additional spoofing attacks are noted here: https://en.wikipedia.org/wiki/Spoofing_attack; e.g. e-mail spoofing.
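As an added illustration of the ARP spoofing case mentioned in the post above (example code written for this page, not itman's code and not ESET's IDS implementation), here is a small Python detector that learns IP-to-MAC bindings from ARP frames and alerts when an IP is re-claimed by a different MAC or a gratuitous reply is seen. The frames, MAC/IP addresses and the pre-seeded gateway binding are all constructed for the example; a real deployment would read frames from a raw socket or pcap instead of the inline list.

```python
"""ARP-spoofing detector over raw Ethernet frames (added example, constructed traffic)."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def build_arp(op, sha, spa, tha, tpa, dst_mac="ff:ff:ff:ff:ff:ff"):
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet.
    Only used here to fabricate sample traffic."""
    eth = mac_bytes(dst_mac) + mac_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, opcode
    arp += mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None if the
    frame is not an IPv4-over-Ethernet ARP packet."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    fmt_mac = lambda b: ":".join("%02x" % x for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return op, fmt_mac(sha), fmt_ip(spa), fmt_mac(tha), fmt_ip(tpa)


class ArpWatcher:
    """Learns IP->MAC bindings from ARP traffic and records an alert when a
    binding changes (classic poisoning) or a gratuitous reply is seen."""

    def __init__(self, trusted=None):
        # trusted: static bindings seeded by the admin (e.g. the default gateway)
        self.bindings = dict(trusted or {})
        self.alerts = []

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        op, sha, spa, tha, tpa = parsed
        found = []
        known = self.bindings.get(spa)
        if known is None:
            self.bindings[spa] = sha  # first sighting: learn it, but keep the original on conflict
        elif known != sha:
            found.append("ARP conflict: %s was %s, now claimed by %s" % (spa, known, sha))
        if op == ARP_REPLY and spa == tpa:
            found.append("Gratuitous ARP reply for %s from %s" % (spa, sha))
        self.alerts.extend(found)
        return found


# Constructed sample: one legitimate request/reply pair, then an attacker
# claiming the gateway's IP with a unicast reply and a gratuitous broadcast.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:00:00:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "aa:bb:cc:00:00:20"
ATTACKER_MAC = "de:ad:be:ef:00:01"

SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GATEWAY_IP),
    build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP, dst_mac=VICTIM_MAC),
    build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP, dst_mac=VICTIM_MAC),
    build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, "ff:ff:ff:ff:ff:ff", GATEWAY_IP),
]


def run_sample():
    """Feed the constructed frames through the watcher and return its alerts."""
    watcher = ArpWatcher(trusted={GATEWAY_IP: GATEWAY_MAC})
    for frame in SAMPLE_FRAMES:
        watcher.observe(frame)
    return watcher.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The watcher deliberately keeps the first-seen (or admin-seeded) binding when a conflict appears, so a poisoning attempt cannot silently overwrite the gateway entry; on a real network you would also want to age out bindings for DHCP churn.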
  18. Here's another web site that can ID ransomware: https://id-ransomware.malwarehunterteam.com/
  19. I just went through some extensive ransomware file extension lists and have yet to find a reference to .bak.
  20. Go here to identify the ransomware strain: https://www.nomoreransom.org/en/index.html . The site will also direct you to a decrypter if one is available. If nothing available or decryption is unsuccessful and you have a paid Eset license, you can open a support ticket with Eset U.K. for assistance. -EDIT- If the ransomware is GlobeImposter 2.0, unfortunately there is no decrypter available for the latest versions: https://www.bleepingcomputer.com/forums/t/644166/globeimposter-ransomware-support-crypt-pscrypt-ext-back-fileshtml/?p=4670689 . Also you can request assistance from bleepingcomputer.com in that forum subsection on ransomware.
  21. I have no clue as to what that shown popup is about. It doesn't look legit to me since it's referring to a file but the data shown indicates a web site. Since it appears you reside in the UK, I would go here: https://www.eset.com/uk/#content-existing-customer to renew your license. Before you do that, verify that your license is indeed close to its expiration date.
  22. Unfortunately, I would estimate that there are thousands of web sites that fall into this category: temporarily hacked. Many have site intrusion mechanisms in place that can alert to site modification activities. Corrective action is usually taken promptly; a few hours at most. Assume many site support personnel are not available 24/7. So weekend corrections might take a bit longer.
  23. I really don't understand the concern here: Are you stating that the phone numbers that are posted on the site are bogus off-shore high connection cost ones or something along this line? The only scan engine on URLVoid that detects something malicious for the IP address, 104.28.29.27, associated with elliott.org is scumware.org. Its detection dates back to 2016 when it was an http web site: 2016-10-21 19:24:26 | http://elliott.org/blog/the-issue-has-been-resolved/ | FDEF2FD0C203BC524DFB575D6EBA28E9 | 104.28.29.27 | US | JS/TrojanDownloader.FakejQuery.D trojan
  24. As far as the SMB log entries shown, that is controlled by the Eset Network Protection -> IDS -> Advanced options -> Packet Inspection -> Deny SMB sessions without extended security setting. Per Eset online help: The setting controlling ICMP Hidden Channel detection is also located under Packet Inspection settings and is named "Covert data in ICMP protocol detection." The thing that is odd is the majority of the source IP addresses are coming from 10.8.x.x addresses. That IP address range is associated with NAC RADB TESTING; ref.: http://www.irr.net/docs/faq.html and appears to be associated with the testing of peer-to-peer Internet routing connections. If you are using a VPN, I would ask them why these connections are showing up on your router. Additional ref. here: https://www.apnic.net/about-apnic/whois_search/about/what-is-in-whois/irr/
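To make the "Covert data in ICMP protocol detection" idea from the post above concrete, here is an added Python example (written for this page; it is not ESET's implementation, whose actual heuristics are not documented here). It verifies the ICMP checksum and then flags echo payloads that do not match the stock Windows or Linux iputils ping patterns, are oversized, or have high byte entropy, which is how an ICMP tunnel carrying encrypted or bulk data typically stands out. The sample packets, the 64-byte size limit and the 6.0 bits/byte entropy threshold are constructed assumptions for the example.

```python
"""ICMP covert-channel payload check (added example, constructed packets)."""
import math
import random
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
# Payload Windows ping.exe sends by default (32 bytes).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum over ICMP header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(payload, ident=0x1234, seq=1, icmp_type=ICMP_ECHO_REQUEST):
    """Construct an ICMP echo message; used only to fabricate sample traffic."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def shannon_entropy(data):
    """Bits per byte; compressed, encrypted or random data approaches 8.0."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_iputils(payload):
    """Linux iputils ping: 8-byte timestamp, then filler 0x10, 0x11, 0x12, ..."""
    if len(payload) < 16:
        return False
    filler = payload[8:]
    return filler == bytes((0x10 + i) & 0xFF for i in range(len(filler)))


def inspect_icmp(packet):
    """Return a list of findings for one ICMP message (header + payload).
    An empty list means the message looks like ordinary ping traffic."""
    if len(packet) < 8:
        return ["truncated ICMP header"]
    icmp_type, _code, csum, _ident, _seq = struct.unpack("!BBHHH", packet[:8])
    findings = []
    if icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:]) != csum:
        findings.append("bad checksum")
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return findings
    payload = packet[8:]
    if payload == WINDOWS_PING_PAYLOAD or looks_like_iputils(payload):
        return findings  # stock ping payloads: nothing to report
    if len(payload) > 64:
        findings.append("oversized echo payload (%d bytes)" % len(payload))
    entropy = shannon_entropy(payload)
    if entropy > 6.0:
        findings.append("high-entropy echo payload (%.1f bits/byte)" % entropy)
    elif payload.strip(b"\x00"):
        findings.append("non-standard echo payload")
    return findings


# Constructed samples: two benign pings, a shell command tunnelled in an echo,
# a pseudo-random 512-byte exfiltration chunk, and a corrupted Windows ping.
_rng = random.Random(7)  # fixed seed keeps the sample deterministic
SAMPLE_PACKETS = {
    "windows": build_echo(WINDOWS_PING_PAYLOAD),
    "iputils": build_echo(struct.pack("!II", 1700000000, 123456) + bytes(range(0x10, 0x40))),
    "command": build_echo(b"cat /etc/shadow\n"),
    "exfil": build_echo(bytes(_rng.randrange(256) for _ in range(512))),
}
SAMPLE_PACKETS["tampered"] = SAMPLE_PACKETS["windows"][:-1] + b"!"


def run_sample():
    """Inspect every sample packet and return {name: findings}."""
    return {name: inspect_icmp(pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, findings in run_sample().items():
        print("%-9s %s" % (name, findings or "ok"))
```

The checksum check matters because some tunnelling tools recompute it correctly while crude ones do not, so it is a cheap first filter; the payload-pattern and entropy checks are what catch a well-formed tunnel. Any such heuristic will need tuning for legitimate tools that send custom ping patterns (e.g. `ping -p`).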