
itman

Most Valued Members
  • Posts

    8,827
  • Joined

  • Last visited

  • Days Won

    213

Kudos

  1. Upvote
    itman received kudos from cutting_edgetech in No option to disabled License Auto-Renew !   
    First, verify your credit card data has been deleted from both your Eset eStore account and your myEset.com account.
    When I likewise did my Eset license renewal via EIS GUI option, it set up a myEset.com account w/o my permission and set it to auto renewal! Also stored in that myEset account is the credit card number used for the purchase. Given all the security issues with myEset.com accounts being hacked, I also deleted the myEset.com account.
    I for one have had it with Eset's overly aggressive license renewal/management crap. It's just "one more nail added to the Eset coffin" in regards to terminating the future use of this product.
  2. Upvote
    itman received kudos from NewbyUser in Borked HIPS   
    Let's talk about Eset's Network Inspection processing since there is zip technical details on it.
    To begin, it is not new and has existed on every EIS version I used dating to 2014. Past versions were relatively benign and non-troublesome. Once I configured Eset's network connection to accommodate my router, the settings remained stable. All this changed when Eset decided to get "cute" and expand Network Inspection to examine router settings for the purpose of detecting suspected hacking activities. Great idea for off-the-shelf routers and the like that perform standard network initializing activities. A very bad idea for ISP provided routers with customized firmware settings.
    The only positive thing in recent Eset versions is that now Network Inspection can be disabled via GUI setting which was not possible in the past.
    For those who like technical details, let's get into those. Using a networking connection monitor such as TCPView, open it immediately after system startup time. Look for an ekrn.exe connection monitoring UDP port 138. Eset is examining network connections via proxy using this port. This is also where the problems start. My router is using NetBIOS which also uses that port to initialize its router connectivity to my device. It then goes downhill network-wise from here.
  3. Upvote
    itman received kudos from SlashRose in Borked HIPS   
    Well, it didn't take AT&T long to detect my Cloudflare IPv6 DNS server usage and start interfering with that. So I am now back to using their auto assigned DNS servers and Eset's networking resultant borking of those connections.
    But I have finally confirmed the Eset culprit. It is the Network Inspection feature. Disabling that not only solved the auto IPv6 configuration by my router problems but most importantly, the totally spastic Eset firewall behavior upon resume from sleep mode.
    I also question the use of Network Inspection processing when the Public profile is deployed. Its applicable Eset firewall rules only allow Trusted network device communication. When using the Public profile, no local network devices are trusted.
  4. Upvote
    itman received kudos from NewbyUser in No option to disabled License Auto-Renew !   
  5. Upvote
    itman received kudos from 0x55 in Borked HIPS   
    Well, there was one last thing I had to perform to get the router, Win 10, and Eset networking to play together nicely.
    I have long suspected that Win 10 Smart multiple-homed DNS name resolution was the source of most of my network issues. This was further amplified by Eset networking initialization. But since this feature was using my ISP DNS servers combined with the way the router establishes Win 10 network connectivity, I could never definitively nail it down.
    You can read about what Win 10 Smart multiple-homed DNS name resolution does here: https://www.ghacks.net/2017/08/14/turn-off-smart-multi-homed-name-resolution-in-windows/ . The gist of what it does is:
    What I have been observing after my Win 10 networking "from hell" reconfiguration activities described previously is at Win 10 fast startup and/or startup from sleep mode predominantly is multiple connections to IPv4 address 1.1.1.1 to port domain. Err what? Port domain turns out to be port 53 and of course, 1.1.1.1 is Cloudflare's IPv4 DNS address. First, I have never ever seen these domain connections before. Next is I shouldn't be using Cloudflare's IPv4 DNS server on an IPv6 network. Bottom line is here is a graphic example of my Win 10 network connection being borked by Smart multiple-homed DNS name resolution processing. As far as what this did to Eset's network connectivity processing, it can best be described as a double-whammy bork from the deepest depths of networking hell.
    Anyway, I have disabled Win 10 Smart multiple-homed DNS name resolution and finally, all is well networking-wise.
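    The post above disables Smart Multi-Homed Name Resolution but does not show how. The following PowerShell is an added example, not code from the post, from Microsoft or from ESET: it reads and sets the "Turn off smart multi-homed name resolution" Group Policy registry value (HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient, DWORD DisableSmartNameResolution = 1, which is the value the Ghacks article linked above also describes) and lists the DNS servers configured per interface and address family, so that an IPv4 resolver such as 1.1.1.1 showing up on an IPv6-only network can be traced to the adapter that has it configured. Function names are my own; run it from an elevated PowerShell session.

```powershell
# Added example (not from the forum post, Microsoft or ESET). Requires an
# elevated session for the policy write; the DnsClient module ships with Win 8+/Win 10.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$PolicyName = 'DisableSmartNameResolution'   # DWORD, 1 = feature turned off by policy

function Get-SmartNameResolutionState {
    # Returns a short description of the current policy state.
    $v = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    if ($null -eq $v) { return 'Not configured (feature enabled by default)' }
    if ($v -eq 1)     { return 'Disabled by policy' }
    return "Enabled (policy value $v)"
}

function Disable-SmartNameResolution {
    # Creates the policy key if needed and sets DisableSmartNameResolution = 1.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -PropertyType DWord -Value 1 -Force | Out-Null
    # The DNS Client service picks the policy up at service start; a reboot is the
    # reliable way to apply it, since Dnscache cannot normally be stopped on Win 10.
    Write-Host "Policy written. Reboot for the DNS Client service to apply it."
}

function Show-DnsServersPerInterface {
    # One row per (interface, address family) that has at least one server set.
    Get-DnsClientServerAddress |
        Where-Object { $_.ServerAddresses } |
        Select-Object InterfaceAlias, AddressFamily,
                      @{ n = 'Servers'; e = { $_.ServerAddresses -join ', ' } } |
        Format-Table -AutoSize
}

# --- usage -------------------------------------------------------------------
"Smart multi-homed name resolution: $(Get-SmartNameResolutionState)"
Show-DnsServersPerInterface
# Disable-SmartNameResolution   # uncomment to apply, then reboot
```

    With the policy in place, the resolver sends each query only to the servers of the interface it is routed over instead of to every configured server in parallel; the per-interface table makes it visible which adapter still carries an IPv4 resolver if those port 53 connections to 1.1.1.1 keep appearing.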
  6. Upvote
    itman received kudos from peteyt in Borked HIPS   
  7. Upvote
    itman received kudos from Rose in Eset Update Hang on ver. 14.2.24   
    Next time this updating issue occurs, use a network connections monitor to ensure ekrn.exe has a solid connection to port 8883. You can use Eset's Network Connections tool or TCPView. I prefer TCPView since it will show if there are sync issues with the connection to port 8883 that ekrn.exe is trying to establish. Eset uses port 8883 with fallback to port 443 for Push Notifications. If there are issues with getting that connection, it will cause this borked Eset updating behavior some are experiencing.
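    Both this post and the earlier "Borked HIPS" post describe checks done by eye in TCPView: whether ekrn.exe is bound to UDP port 138, and whether it holds an established TCP connection to remote port 8883 (MQTT over TLS) or the port 443 fallback. The script below is an added example, not code from the posts or from ESET, that performs the same two checks with the built-in NetTCPIP cmdlets. It assumes the ESET service process is named ekrn (as in the posts) and that it is run elevated so service-owned sockets are visible; the function names are my own.

```powershell
# Added example (not from the forum posts or ESET): enumerate the sockets owned
# by ekrn.exe and evaluate the two checks described in the posts.

function Get-EkrnEndpoints {
    param([string]$ProcessName = 'ekrn')   # assumed ESET kernel service process name

    $procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    if (-not $procs) {
        Write-Warning "$ProcessName.exe is not running"
        return @()
    }
    $ekrnPids = $procs.Id
    $result = New-Object System.Collections.Generic.List[object]

    # TCP connections owned by ekrn.exe (this is what TCPView shows as TCP rows).
    foreach ($c in (Get-NetTCPConnection -ErrorAction SilentlyContinue)) {
        if ($ekrnPids -contains $c.OwningProcess) {
            $result.Add([pscustomobject]@{
                Proto = 'TCP'; LocalAddress = $c.LocalAddress; LocalPort = $c.LocalPort
                RemoteAddress = $c.RemoteAddress; RemotePort = $c.RemotePort
                State = [string]$c.State; OwningProcess = $c.OwningProcess
            })
        }
    }
    # UDP endpoints owned by ekrn.exe; UDP has no state or fixed peer.
    foreach ($u in (Get-NetUDPEndpoint -ErrorAction SilentlyContinue)) {
        if ($ekrnPids -contains $u.OwningProcess) {
            $result.Add([pscustomobject]@{
                Proto = 'UDP'; LocalAddress = $u.LocalAddress; LocalPort = $u.LocalPort
                RemoteAddress = $null; RemotePort = $null
                State = 'Bound'; OwningProcess = $u.OwningProcess
            })
        }
    }
    return $result.ToArray()
}

$endpoints = Get-EkrnEndpoints
$endpoints | Format-Table -AutoSize

# Check 1 (Borked HIPS post): is ekrn.exe bound to UDP 138 (NetBIOS datagram service)?
$netbios = @($endpoints | Where-Object { $_.Proto -eq 'UDP' -and $_.LocalPort -eq 138 })
if ($netbios.Count -gt 0) {
    Write-Host "ekrn.exe holds UDP 138: $($netbios.LocalAddress -join ', ')"
} else {
    Write-Host "ekrn.exe is not bound to UDP 138"
}

# Check 2 (Update Hang post): established TCP connection to 8883, or the 443 fallback?
$push = @($endpoints | Where-Object { $_.Proto -eq 'TCP' -and $_.RemotePort -in 8883, 443 })
$established = @($push | Where-Object { $_.State -eq 'Established' })
if ($established.Count -gt 0) {
    $established | ForEach-Object {
        Write-Host "Push Notifications: $($_.RemoteAddress):$($_.RemotePort) $($_.State)"
    }
} elseif ($push.Count -gt 0) {
    # SynSent / TimeWait rows here are the "sync issues" the post refers to seeing in TCPView.
    $push | ForEach-Object {
        Write-Host "Not established: $($_.RemoteAddress):$($_.RemotePort) state $($_.State)"
    }
} else {
    Write-Host "No ekrn.exe connection to port 8883 or 443 found"
}
```

    Run it right after startup or resume from sleep, as the posts suggest, and again a few minutes later; a row stuck in SynSent, or no 8883/443 row at all, is the condition the post ties to the stalled update.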
  8. Upvote
    itman received kudos from NewbyUser in Eset Update Hang on ver. 14.2.24   
  9. Upvote
    itman gave kudos to NewbyUser in Eset Update Hang on ver. 14.2.24   
    Kind of ridiculous putting all the work on the end user. 
  10. Upvote
    itman received kudos from SlashRose in Borked HIPS   
    By default, Eset network Profile selection is "use Windows settings." As I previously posted, Win 10 firewall default network Profile setting is Public. Therefore if using default settings on both, Eset's Network profile would always be set to Public.
    -EDIT- Some additional detail here.
    Win 10 firewall defaults to the Public profile for a reason. It auto disables Network Discovery. The way you're supposed to securely do file sharing on a Win 10 device is to right mouse click on the file to be shared on the network and select the "Give Access" option.
    This also brings up why Eset has the "Home or Office networking" profile option in the first place since it in effect, overrides Win 10 built-in network security. The most damning aspect of the Home or Office networking Eset profile is it enables NetBIOS access by default.
  11. Upvote
    itman received kudos from SlashRose in Borked HIPS   
    What I am observing is there is a bigger issue. Appears Eset is not properly initializing coming out of Win 10 fast startup mode. I am having issues with Eset Network Protection; namely Network Inspection not working properly.
  12. Upvote
    itman received kudos from SlashRose in Borked HIPS   
    It's a new day. I have discovered a new networking feature, And of course, Eset networking support borked it!
    The new and important find is if you are using an IPv6 only network which is the case for my ISP, AT&T U-verse, and using third party IPv6 DNS servers, you should be using DNS servers that fully support DNS64. Again, DNS64 is used to convert IPv4 addresses to IPv6 addresses in a 4-6-4 tunnel on the ISP network. The new find is Cloudflare has such dedicated servers. You can read about this here: https://developers.cloudflare.com/1.1.1.1/ipv6-networks . Great! Set my network connection to those IPv6 addresses and modified Eset's connected network setting likewise.
    Now for the Eset bork of this capability. The first thing I noticed was it appeared Eset was having trouble establishing a connection on port 8888 likewise on port 443 which is what Push Notifications falls back to. Sure enough, after a half hour Eset displayed the dreaded could not establish a connection to its Push Notifications server. So what is the friggin problem?
    Eset Push Notifications uses the MQTT protocol designed to create machine-to-machine; i.e. tunnel, connections to IoT devices. It appears this protocol is not compatible with DNS64 which makes sense if you think about it. So once again Eset implements something without thoroughly testing its compatibility with established networking features. @Marcos Eset needs to be sending Push Notification traffic via IPv6 to resolve this issue. Assume Eset will have to provide a GUI setting option to receive Push Notifications via IPv6 or IPv4 connection. Or better, if Eset sees an IPv6 connection is established, prefer that over IPv4 for Push Notifications communication.
  13. Upvote
    itman received kudos from NewbyUser in How do i turn off auto renewal?!   
    Tip - if you delete your credit card info in your US eStore account, there is no way for Eset to perform an auto-renewal.
  14. Upvote
    itman received kudos from PuterCare in High severity HIPS event detected - how to work out cause?   
    To begin, dismhost.exe running from the user temp folder is OK.
    I monitor dism.exe execution via Eset HIPS and the only thing that starts it on my Win 10 20H2 installation is cleanmgr.exe running from a Microsoft set up scheduled task.
    The above said, PowerShell usage is "baked into" Windows and is used internally for many OS functions. As such, it is entirely possible Windows internally is initiating the above activity you posted. As I posted previously, I monitor all Powershell.exe startup via Eset HIPS. I also monitor my Windows Powershell event logs and I have multiple daily event log entries showing PowerShell running to perform required system maintenance activities. Also, I have never once received an alert from my Eset HIPS Powershell start up rule in regards to this activity. So however Windows is running Powershell in the background, the Eset HIPS doesn't detect this activity.
    Bottom line is I have seen enough to state that the recommended Eset HIPS rule to monitor child process startup from Powershell wasn't thoroughly tested and should not be used.
  15. Upvote
    itman received kudos from PuterCare in High severity HIPS event detected - how to work out cause?   
    I erred in my original posting in this thread.
    I didn't implement Eset's recommended anti-ransomware HIPS rules per se. Rather, I made them more secure which suits me personally. One of the revisions for example is I monitor all Windows script executables' startup via a HIPS ask rule. This includes PowerShell.exe startup. As such, there was no need to use the recommended rule of monitoring all child process startup from PowerShell.exe.
    To use PowerShell legitimately, it must be allowed to start conhost.exe since it is the graphical interface element for PowerShell.
  16. Upvote
    itman received kudos from PuterCare in High severity HIPS event detected - how to work out cause?   
    First, what is conhost.exe:
    https://softwarekeep.com/what-is-conhost-exe
    I have had this Eset Powershell HIPS rule in place for ages and never received "a peep" from it.
    One example of conhost.exe starting from PowerShell.exe is when it is deployed by PowerShell Empire used maliciously:
    https://www.trustedsec.com/blog/who-left-the-backdoor-open-using-startupinfo-for-the-win/
  17. Upvote
    itman received kudos from PuterCare in CVE-2021-40444 are ESET user protected?   
    Based on this .docx sample: https://www.joesandbox.com/analysis/476188/1/html , Eset and most other AVs are detecting the dropper file now.
  18. Upvote
    itman gave kudos to Marcos in ESET Protect: POTENTIALLY UNSAFE APPLICATIONS finds EFI/CompuTrace.A   
    On the computer from which you provided ELC logs all on-demand scan logs have zero number of detections so it looks like the detection exclusion for "EFI/CompuTrace.A" works there.
    When running an on-demand scan, you have an option to ignore exclusions. Make sure it's disabled:

  19. Upvote
    itman received kudos from NewbyUser in MyEset account taken over   
    Costs me $5 a month, that's why.
  20. Upvote
    itman received kudos from NewbyUser in MyEset account taken over   
    The type of 2FA I want is the same as my bank provides and it does not require a smart phone to use.
    When I log onto my bank web site, it requires me to select which phone number I have registered with them to receive a text message from them that contains a 6 digit security code. I can also receive a voice call containing the code instead. They then send me the code to my "vintage" non-smart phone. I then enter the code on the web page and the logon to the full bank web site proceeds. 
    Note the 2FA elements deployed. The first is valid user id and password. The second is a one-time use served up security code.
  21. Upvote
    itman received kudos from Page42 in ESET continuous "product update"   
    Appears there are multiple causes involved here. The ones mentioned are:
    1. Windows update cache issues.
    2. Eset update cache issues.
    3. You name it ...........
    Eset needs to provide built-in diagnostic capability for problems like this and other issues. Think along the line of Windows 10 "Fix-It" wizards. I for one am tired of the constant requests for Eset logs to diagnose product issues.
  22. Upvote
    itman received kudos from peteyt in ESET continuous "product update"   
  23. Upvote
    itman received kudos from Page42 in ESET continuous "product update"   
    As I posted in another thread on this issue after I deleted the Win 10 update cache, I have had no further issues with Eset detection updates. I had one delay of 5 mins. at boot time and that's it.
  24. Upvote
    itman received kudos from Peter Randziak in ESET continuous "product update"   
  25. Upvote
    itman received kudos from Peter Randziak in ESET continuous "product update"   
    When I open Eset GUI and check update status, it is stuck at 1/3 update status. I am on a 1GB Ethernet connection using a 1GB DSL fiber network connection to my ISP. As such, my Eset detection update downloads are almost instantaneous. 