itman: Thank you for your answers, they are very helpful. But there is one thing I don't understand.
You will add ESET's certificate to the whitelist of allowed certs. Then the security solution will check if it is the same cert. At this point everything is fine. Then you will call the WTHelperCertIsSelfSigned function. It will return "it is self-signed cert". And then what? You can't call WinVerifyTrust because it will return CERT_E_UNTRUSTEDROOT. But how will you check if the certs are OK and nobody changed the file? Then anybody can use a self-signed cert for another file or change eamsi.dll and you will allow it?
This is what I don't understand. And I appreciate your opinion because your answers make sense.
Btw: I am looking for answers for others, because we have our own cert handling, checking, etc. You give me the correct way how we will do it for problematic certs like this (we will see if we can really do it in the correct way).