Georgi Stoychev

Members
  • Posts

    28

About Georgi Stoychev

  • Rank
    Newbie

Profile Information

  • Location
    Bulgaria

  1. Hello, We have several employees who travel often and from time to time, they connect to client networks. Recently, one of them connected to such a network and in our ESET Protect On-Prem console, we received multiple alerts from the Firewall module that Security vulnerability exploitation attempt was detected on the endpoint. There is a high chance that this really was such an attempt, but our employee was not aware of this, and he said that he hasn't seen such a notification. Is there something we can do to show these notifications on the endpoints as well, since we couldn't find such an option in our console?
  2. We have already submitted the file on Friday, but we still haven't received a response.
  3. We observe that this file is being blocked as well - https://github.com/chocolatey-archive/chocolatey/blob/master/src/helpers/functions/Get-ChocolateyWebFile.ps1
  4. The signature of the file, which is being detected in our environment has signature 500E26623522A4EF037924832366675616E4D39F.
  5. Here is some additional info on this case:
       • We've copied the code in a .txt file + running a manual scan - the file is "clean"
       • When the file is renamed to .ps1 + running a manual scan - the file is "bad"
       • When half of the code is in the .ps1 file (tried with both halves) + running manual scan - the file is "clean"
     I am attaching the problematic file in .txt format. get-chocolateywebfile 1.txt
  6. Hello, We are using Chocolatey in our corporate environment, and started to receive thousands of alerts about this file being malicious - "file:///C:/ProgramData/chocolatey/helpers/functions/Get-ChocolateyWebFile.ps1". For the moment, we have added an exclusion in our ESET Management Console, since we received about 1000+ alarms. Can you tell us how we can investigate further what could be the cause of it? It seems pretty serious.
  7. Hi Marcos, The old certificate was about to expire next month. We just restarted the server and we can see that the clients are connecting again.
  8. Hello, A couple of days ago, we changed our ESET Protect On-Prem server certificate, as it was about to expire, and the old certificate was revoked. Today we see that several computers, which were offline when we replaced the certificate, are not connecting to the server. We saw in the logs in "C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs" an error message "Error: Remote server peer certificate is not trusted by this agent. Details: NodVerifyCertificateChain failed: NodVerifyTrustResult: 42, NVT_NotTrusted, X509ChainStatus: 0x4, X509CSF_Revoked, certificate" We have a backup of the old server certificate, but would like to use the new one. Is there some step that we may have missed when we changed the old certificate? We haven't restarted the server after the change. Could that be the issue?
  9. Okay, thank you. This is the first occurrence of such an issue since we have been using ESET Protect (about 3 years), and we are not sure how we could reproduce it.
  10. Hi Marcos and thanks for the reply! Is there anything we should do on our side?
  11. Hello, One of our colleagues received an alert that the update information is not consistent and that he should restart his computer. After the restart, the following notification appeared: After a few minutes, we checked the ESET Protect console and there wasn't anything disturbing about that particular computer and the status was OK. What could be the cause of this issue and should we be worried about it?
  12. Hi Marcos, Thank you for the suggestion. This occurs with all of our machines. There are users logged in, each time such notification is received. This is the current configuration of the notification:
  13. Hello, I am not sure if this question has been asked already or not, but we would like to know if there is a way to populate the "User" and "Detection name" fields in the notifications that we receive via email? See the attached screenshot.
  14. Hi Marcos, Thanks for the quick response. It appears that there is also a free version of the aforementioned VPN - https://www.opera.com/features/free-vpn. We will raise a support ticket for that matter.