
Aryeh Goretsky
ESET Moderators
Posts: 877
Days Won: 66

Kudos
  1. Upvote
    Aryeh Goretsky gave kudos to JamesR in Every time I open Outlook client, EEA prompts JSExploit. CVE-2021-26855   
    It's likely that the external URL for OAB has a WebShell one-liner in its URL.  To check for and to remediate this, please do the following.
    JS/Exploit.CVE-2021-26855.Webshell.H is an IOC detection which simply means your Exchange server was exploited in the past by this CVE.  Ensure your Exchange server is fully patched, and then perform the following to remove the remnants of the attack.
    Check the following on the Exchange Server:
    1.      Use a web browser to access: https://127.0.0.1/ecp
    a.       Login with an admin that has enough rights (might require exchange admin)
    2.      Click on "Servers" on the left
    3.      Click on "Virtual Directories" tab thing in top middle area
    4.      double click on "OAB Default Website" (OAB = Offline Address Book)
    5.      Check what is in the 2 URL fields
    a.       Internal URL
    b.      External URL
    6.      Copy and paste any suspicious URL fields into Notepad (with word wrap enabled) and then save a screenshot and discard the Notepad
    a.       Saving the raw text will cause a detection by ESET.
    7.      Save your changes and then move on to either rebooting the exchange server or restarting IIS.
    a.       Without restarting IIS, then the IIS server will continue to host the AutoDiscovery settings which cause detections on endpoints with outlook.
    Here is what this looks like on my non-compromised test environment:

    Restarting IIS (or just reboot the server)
    1.      Open "Internet Information Services (IIS) Manager" (Windows + R > inetmgr.exe)
    2.      Click on your server name in the list (my test environment showed: SVRSANDEXCH (DEMO\Administrator))
    3.      On the far right under Actions, click "Restart" (or you can right click on the server name and choose "Stop" then "Start")
    This made Outlook on my test workstation go offline for about 30 seconds (likely longer in a production environment) and I no longer got any of the cached OAB URLs which caused detections. After this, all endpoints may get one, or more, final detection as they clean up any remaining copies of AutoD/AutoDiscovery XML files, but the total count of detections of webshells per day should decrease until you no longer have any of these detections.
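The check and remediation JamesR walks through in the ECP above, scripted in the Exchange Management Shell so it can be run against every OAB virtual directory at once. This is an added example, not code from the original post: the suspicious-pattern list is a heuristic for markup or script embedded in what should be a plain URL, and the legitimate external URL and the report path are placeholders to replace with your own values. As the post warns, the raw one-liner is itself detected, so the script records only a short, defanged excerpt.

```powershell
# Added example (not from the original post): audit Exchange OAB virtual directory URLs
# for the "webshell in the ExternalUrl" remnant described above, then reset and restart IIS.
# Run in the Exchange Management Shell on a patched Exchange server.
# Assumptions: your real OAB URL and where to record findings.
$LegitExternalUrl = 'https://mail.example.com/OAB'   # assumption: your real external OAB URL
$Report           = 'C:\Temp\oab-audit.txt'          # assumption: where to record findings

# A clean OAB URL is just scheme://host/OAB. Markup or script in the field is a remnant.
# The pattern is a heuristic, not an exhaustive IOC list.
$SuspiciousPattern = '<script|runat=|eval\(|Request\[|Page_Load'

$Dirs = Get-OabVirtualDirectory -ADPropertiesOnly |
    Select-Object Server, Name, InternalUrl, ExternalUrl

$Findings = foreach ($d in $Dirs) {
    foreach ($field in 'InternalUrl', 'ExternalUrl') {
        $value = [string]$d.$field
        if ($value -match $SuspiciousPattern) {
            [pscustomobject]@{
                Server    = [string]$d.Server
                Directory = $d.Name
                Field     = $field
                # Short, defanged excerpt only: saving the raw text trips AV (see post above).
                Excerpt   = ($value.Substring(0, [Math]::Min(80, $value.Length))) -replace '<', '[' -replace '>', ']'
            }
        }
    }
}

if (-not $Findings) {
    Write-Host 'No webshell remnants found in OAB virtual directory URLs.'
    return
}

$Findings | Format-Table -AutoSize
$Findings | Out-File -FilePath $Report

# Remediate: put a clean value back in each tampered field. Identity is "Server\Name",
# e.g. "SVRSANDEXCH\OAB (Default Web Site)".
foreach ($f in $Findings) {
    $id = '{0}\{1}' -f $f.Server, $f.Directory
    if ($f.Field -eq 'ExternalUrl') {
        Set-OabVirtualDirectory -Identity $id -ExternalUrl $LegitExternalUrl
    } else {
        Set-OabVirtualDirectory -Identity $id -InternalUrl ('https://{0}/OAB' -f $f.Server)
    }
}

# Restart IIS so the cached AutoDiscover/OAB settings stop being served to Outlook clients.
iisreset /noforce
```

Run it once before patching only in read-only form (comment out the remediation loop) if you want to preserve the tampered value for your incident record; the excerpt in the report is deliberately truncated and bracket-escaped so the report file itself is not flagged.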
  2. Upvote
    Aryeh Goretsky gave kudos to itman in PowerShell/PSW.CoinStealer.B   
    Here's a list of Win LOL binaries that Microsoft itself recommends be blocked from execution: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules .
  3. Upvote
    Aryeh Goretsky gave kudos to Marcos in Why is there no dark mode in ESET for desktop?   
    The GUI of an antivirus program is not as important as the detection and protection capabilities under the hood. Normally one should not notice antivirus running unless a threat is detected or an action must be selected by the user. Nevertheless, it's possible that dark mode will be supported in future versions of ESET desktop products.
  4. Upvote
    Aryeh Goretsky gave kudos to rjanz in Moving Encrypted drives to new hardware   
    Thanks for the detailed reply Kieran, this helps complete my understanding of the feature set.
  5. Upvote
    Aryeh Goretsky gave kudos to Kstainton in Moving Encrypted drives to new hardware   
    Hi @rjanz,
    I am going to have to target specific sections of your posts to answer as best as I can for you here.

    Question: “While testing the ESET Full Disk Encryption product we found that we can successfully move the drives to a new desktop (different TPM, CPU, mobo etc) and we’re able to successfully boot into Windows. This completely defeats the purpose of encrypting the drives with a TPM. In our configuration we don’t have the login password set as the computers live in facility”
    Answer: Using the TPM with EFDE, the encryption key is protected using the TPM. This means when the user enters their password, this is used along with the TPM and other information to provide access to the Disk Encryption Key. In this situation if a disk is moved to another machine the system will not be able to boot because the original TPM is required to access the Key. Using the authentication bypass, either the “Pause Authentication” task or the “Disable FDE Authentication” policy, creates a special temporary “user” that is capable of booting the system without a password or TPM. The presence of this “user” causes the system to boot automatically. However, this does as you mentioned mean that the TPM is not used when in this mode. So it is possible to boot when the disk is put in a different computer.
    We do understand your observation and we are planning an update to EFDE to use the TPM when the authentication is disabled. At this stage I do not have any information as to when this might be available.

    Question: “I read in this forum post that the ESET Encryption Boot files are stored in EFI System Partition (ESP). Why?” “Please correct me if I’m wrong. What exactly are the ESET Encryption Boot files? Does this include the encryption keys? Are those keys really stored in the TPM? I’m trying to understand why we can boot into the OS on new hardware”
    Answer: The EFDE boot files reside on the ESP as this is where the UEFI BIOS looks for the primary boot application to begin the boot process. This is quite standard, the same as the Microsoft boot files are on the ESP. The UEFI BIOS loads the EFDE bootloader, which provides the user interface for the user to enter their credentials and to perform the process necessary to decrypt the operating system as it loads. The Disk Encryption Key is not stored on the ESP. The Key is obtained cryptographically using the user's credentials, the TPM if used and other information from the system. EFDE uses metadata that is stored in the main system partition.

    Question: “One more, I just discovered the EFI is not encrypted so you can boot into another OS and read these files. Why!?”
    Answer: As mentioned in the previous answer, the UEFI BIOS loads the boot file from the ESP, so it cannot be encrypted, otherwise the UEFI would not be able to load and run the primary boot file. The ESP is a small FAT32 partition and should not contain any sensitive data. The main Operating System partition is always encrypted along with other data partitions depending on which policies were set from the ESET Protect console.

    Thank you,
    Kieran
  6. Upvote
    Aryeh Goretsky gave kudos to JamesR in EEI - The disk usage or memory limit reached - 30% Space free on Drive   
    Could you clarify if you are using MS SQL or MySQL?
     
    Also, is your SQL DB using a second drive?  It could be the SQL server is using a temp folder on the primary drive where the OS is installed.  The nightly purges will create a lot of temporary files, so it's important to ensure that your SQL server is using a Temp directory on a drive with enough space.
  7. Upvote
    Aryeh Goretsky gave kudos to Marcos in Help. Stop "Threat Found" from a safe site.   
    You will have to exclude HTML/ScrInject.B detection globally in every file or website at your own risk.
  8. Upvote
    Aryeh Goretsky gave kudos to Brady in Deactivation Eset-Livegrid messages, etc.   
    Brilliant. Thanks a lot!
    User Interface --> Elements of User Interface --> Statuses --> Application Statuses
  9. Upvote
    Aryeh Goretsky received kudos from mallard65 in Blocked from OANN.com for political purposes!   
    Hello,

    Guest accounts are meant to be used to answer quick questions about the software that do not require detailed information and analysis.

    In order to investigate your issue, please do the following:
    • Create an account on the forum and then report the issue in the appropriate forum.
    • Give relevant information in your post about ESET's software, such as which of ESET's programs you are using and its version.
    • Give relevant information in your post about the device you are running ESET's software on, such as the operating system it is running and its version.  If you are using a smartphone or a tablet with a WWAN connection, include the brand and model of the device and the carrier you are using.
    • Include a screenshot of the error or warning displayed by ESET's software on the device, plus relevant log file entries from ESET's software showing what was logged when visiting the site.
    An examination of the oann[.]com site on VirusTotal (at https://www.virustotal.com/gui/url/6824f68ad245d999b2463e483d8c4893dd57af4553a598eca05e4038fe84c76d?nocache=1) reveals that none of the 90+ security vendors are currently reporting any detections on the site, so it is not particularly clear what sort of issue you are experiencing.

    Regards,

    Aryeh Goretsky
     
  10. Upvote
    Aryeh Goretsky gave kudos to Peter Randziak in New Outlook plugin BETA   
    We are pleased to announce availability of the completely reworked Outlook plugin for ESET Endpoint Security and ESET Endpoint Antivirus for the Windows platform.
    The new plugin was designed to:
    • Resolve synchronization issues
    • Resolve conflicts with other Outlook plugins
    • Significantly improve the performance
    The plugin utilizes a standalone database for scan result recording to reduce mail-body modifications to an absolute minimum, which should fix most of the synchronization problems and conflicts reported by Outlook. On top of this, we have optimized the scanning, where the email is inspected without unnecessary fragmentation, as it is now sent to be processed in one piece, including all session handling actions. We have also deprecated all three dynamic libraries in favour of a single one, which was almost completely rewritten and has better logging capability. Furthermore we have converged all anti-spam lists, added detection for 3rd-party plugins, introduced scanning optimizations so that Outlook remains responsive for the user, and many more improvements.
    The build is highly stable in our testing environment so we recommend to deploy it to selected workstations, from which the issues were reported in the past to see how it behaves in real environment and usage.
    Since this is not a regular BETA, we would only suggest to plan the deployment for users, who can either give constructive feedback based on either technical or day-to-day observation, or make sure, that assistance to these users can be provided by informed administrator(s). No additional technical skills are needed and we only want to point this out, that the willingness to give feedback, even if everything works hassle-free, to cooperate if potential problems will show up, is our primary intention.
     
    In case you need additional license for this BETA, let us know.
     
    The installation binaries (both .msi and .exe for x64, ARM64 and x32 Windows editions) are available at https://forum.eset.com/files/category/8-outlook-plugin-beta/ 
    Note: The BETA build is based on feature release 9.1, but it does not contain new features which will be available in it, except the new Outlook plugin.
    If any issues arise, we will need the user to enable diagnostic logging of this component whenever needed (see screen below), run Outlook (or other email client), wait for the issue to demonstrate, quit Outlook and disable diagnostic logging to avoid extensive log-recording for a longer time. The resulting log will be stored under C:\ProgramData\ESET\ESET Security\Diagnostics\MailPlugins.etl
    We may assure you, that our support and technology teams will do their best to assist you with any possible issue with it.
    You may share your experience with it, questions and report issues as replies to this topic.
     
    As usual, our ESET BETA program agreement applies and by downloading the BETA you express your agreement with it: https://forum.eset.com/files/file/58-eset-beta-program-agreement/
     
     
    We are looking forward to your feedback.
    Peter on behalf of the teams responsible
  11. Upvote
    Aryeh Goretsky gave kudos to LesRMed in Can't install ESET Antivirus v9, can't uninstall v8   
    Try uninstalling it in safe mode with the ESET uninstaller. Instructions are here: https://support.eset.com/en/kb2289-uninstall-eset-manually-using-the-eset-uninstaller-tool.
  12. Upvote
    Aryeh Goretsky received kudos from Necro PC in eset internet security freezes while analyzing flash drive   
    Hello,

    Perhaps the USB flash drive has begun to fail?

    You may wish to copy all of the contents off the USB flash drive to your computer's internal drive, then run the USB flash drive manufacturer's diagnostics against it to check it for errors.

    Regards,

    Aryeh Goretsky
     
  13. Upvote
    Aryeh Goretsky received kudos from elgrancharly in Rules of the ESET Security Forum   
    Welcome to the ESET Security Forum!
     
    ESET is pleased to provide you with this resource in order to make it easy for you to ask questions and receive answers about ESET's products and services.  Understand that the ESET Security Forum is a private community for existing customers of ESET, prospective customers who are interested in ESET's software, ESET employees and business partners.  Because of this focus, it is not like a general public forum, where conversations take place on a variety of non-ESET and non-security related topics.
     
    With that in mind, we have the following rules in place:
     
    • When registering for an account on the forum, please fill out the information accurately and correctly.
    • Do not enter the Username and Password for your licensed ESET software, but instead choose a username (in Latin) unique to this forum.  You should also choose a suitably complex password unique to this forum as well.
    • Do not create multiple accounts.  If a person is found creating multiple accounts, ESET reserves the right to take whatever actions it deems necessary, including banning, blocking, deleting and/or merging them.  The exception to this rule is ESET staff, who may create multiple accounts for testing purposes.
    • No impersonating other forum users, ESET employees or other people.
    • Use appropriate language in the forum.  No vulgar, obscene or rude language will be tolerated.
    • No vulgar, obscene or otherwise offensive images or video will be tolerated.
    • ESET staff have the right to move, edit or modify messages that you post.  This may be done for clarity, to move a message to a more appropriate forum where it will receive more attention, or for other reasons outlined in these rules.
    • All decisions by ESET staff are final, and not open to discussion.
    • This list may be updated at any time.  Please periodically visit this page to review any updates.
    • Do not post direct links to any executable files, malicious/suspicious software or web sites in public messages, even if you think the software or site is clean and incorrectly detected by ESET.  Break up the URL by inserting spaces into it, or replacing the protocol handler with an obfuscated one, like .
    • Do not attach malicious or suspicious files to messages, even if you think they are clean.  Write a public message, and then use the "report this message" option to send a private message to ESET staff with a link.
    • Do not post any personally identifiable information (PII) about yourself, such as an email or mailing address or phone number, in a public message.
    • Do not post the username and password or license key for your ESET software in a public message.
    • Do not post links to software cracking tools, license key generators, pirated copies of software or other illicit software in the forum.  If you wish to report a site, write a public message, and then use the "report this message" option to send a private message to ESET staff with a link.
    • Do not post private correspondence (private messages, email, etc.) publicly within the forum.
    • Do not post "A vs. B" or "Which product is best?" type messages in the forum.
    • Do not post overtly commercial messages in the forum (this includes in your signature).
    • Do not pre-announce releases.  Due to differences in scheduling, it may sometimes take several hours after a release has appeared on ESET's web site for the release announcement to appear here in the forum.
    • Do not abuse the forum's rich text controls.  Messages and signatures with inappropriate font selection, including size, color and, for signatures, length, may be edited by forum staff to conform to standards of decency.
    • Do not ask other users for logs, especially if they may contain sensitive or other personally identifiable information.
    • Posts made on behalf of a 3rd party company may only be made from accounts registered with an email address from the company's domain (verifiable by ESET staff).
    • Do not use the "Report post" function for other purposes than reporting inappropriate content requiring moderators' attention.
    • Do not report possibly incorrect detections or blocks (false positives) in the forum unless they may affect a lot of users.  If you think that your application or website is detected or blocked incorrectly, please report it to ESET as per the instructions at https://support.eset.com/kb141.  Please keep in mind that this forum is not a channel for disputing detections or URL blocks.
    • Be civil, do not post sarcastic, offensive or mocking comments towards any person or entity.
    • Do not post messages that are off-topic, keep the discussion to the point and do not lead it astray or in a loop.  To discuss a different, unrelated issue or question, always create a new topic.
    • Do not excessively tag users in your posts.
    If you have any questions or comments, please contact one of ESET's moderators.
     
    Last Revised: 5 March 2019.
  14. Upvote
    Aryeh Goretsky received kudos from Mr_Frog in How can I get rid of Foodme virus?   
    Hello,

    It sounds like you are getting unwanted notifications (popups) from your web browser.  This is not a virus or malware, but rather annoying websites abusing the popup notification feature in your web browser.  Here's how to disable them in various web browsers:

    Google Chrome (Version 96+)
    Enter chrome://settings/content/notifications in the address bar to open the Notifications settings page in Google Chrome. Remove all non-google.com domains from the Allow section. Toggle the Don't allow sites to send notifications option to on.

    Instructions for Version 88 and older: Select Settings → Advanced → Site Settings → Notifications from the main menu, and change Ask before sending (recommended) to Blocked.

    Mozilla Firefox
    Select Tools → Settings → Privacy & Security from the main menu, scroll down to Permissions → Notifications, select Settings, click on Remove all websites and then check (select) Block new requests asking to allow notifications and click on the Save Changes button.

    Microsoft Internet Explorer
    does not support notifications

    Microsoft Edge (legacy version)
    Open the Windows Settings app (not Edge's) and go to System → Notifications & Actions, scroll down to Notifications, and set Get notifications from apps and other senders to Off.

    Microsoft Edge (Chrome-based, Version 91+)
    Go to edge://settings/content/notifications in the address bar and disable Ask before sending (recommended). If there are any entries in the Allow section, click on the ⋯ menu and select Remove for each one.

    Web browsers may move these options around over time as new versions come out.  So, if these do not work, let us know with which web browser and its version, and we can try to find out more for you.

    Regards,

    Aryeh Goretsky
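The same outcome as the per-browser steps above, enforced centrally for a fleet of Windows machines, as an added example that is not part of the original post. It writes the documented Chrome and Edge DefaultNotificationsSetting policy (2 = block) plus an optional allow-list, and a Firefox policies.json with Permissions.Notifications.BlockNewRequests. The allow-list contents and the Firefox install directory are assumptions; run it as Administrator.

```powershell
# Added example (not from the original post): block web-push notifications by browser policy
# instead of clicking through each browser's settings UI. Run as Administrator.
# Assumptions: the allow-list below and the Firefox install directory.
$AllowedSites = @('https://mail.example.com')   # assumption: sites still allowed to notify (may be empty)

# Chrome and Edge read machine policy from HKLM\Software\Policies.
# DefaultNotificationsSetting: 1 = allow, 2 = block, 3 = ask.
$ChromiumPolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
)
foreach ($key in $ChromiumPolicyKeys) {
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'DefaultNotificationsSetting' -Type DWord -Value 2

    # List policies live in a subkey as REG_SZ values named "1", "2", ...; replace any old list.
    $allowKey = Join-Path $key 'NotificationsAllowedForUrls'
    Remove-Item -Path $allowKey -Recurse -ErrorAction SilentlyContinue
    if ($AllowedSites.Count -gt 0) {
        New-Item -Path $allowKey -Force | Out-Null
        $i = 1
        foreach ($site in $AllowedSites) {
            Set-ItemProperty -Path $allowKey -Name ([string]$i) -Type String -Value $site
            $i++
        }
    }
}

# Firefox reads <install dir>\distribution\policies.json.
# BlockNewRequests stops new permission prompts; Locked keeps users from changing it.
$FirefoxDir = 'C:\Program Files\Mozilla Firefox'   # assumption: default 64-bit install path
if (Test-Path $FirefoxDir) {
    $policyDir = Join-Path $FirefoxDir 'distribution'
    New-Item -ItemType Directory -Path $policyDir -Force | Out-Null
    $policy = @{
        policies = @{
            Permissions = @{
                Notifications = @{
                    Allow            = $AllowedSites
                    BlockNewRequests = $true
                    Locked           = $true
                }
            }
        }
    }
    $policy | ConvertTo-Json -Depth 6 |
        Set-Content -Path (Join-Path $policyDir 'policies.json') -Encoding UTF8
}

# Verify: each Chromium key should now report 2. Firefox shows the applied policy at about:policies,
# and Chrome/Edge at chrome://policy and edge://policy after a restart.
foreach ($key in $ChromiumPolicyKeys) {
    '{0}: DefaultNotificationsSetting = {1}' -f $key, (Get-ItemProperty -Path $key).DefaultNotificationsSetting
}
```

Policy-enforced settings show as locked in the browser UI, so a user who was tricked into clicking "Allow" on a notification-spam site cannot re-enable it; sites already in the allow section are still overridden because the policy takes precedence over per-site user grants.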
     
  15. Upvote
    Aryeh Goretsky gave kudos to Snocow in 50% reduction in Internet download speeds with ESET Internet Security 15.0.23.0   
    Hi Aryeh
    I am using a Asus XG-C100C
    Driver is Marvell - 3.0.20.0
    Windows 10 Pro - Ver 21H2 
    OS Build - 19044.1503
     
    Regards
  16. Upvote
    Aryeh Goretsky received kudos from RJanata in ESET PROTECT on-prem customer interviews   
    Hello,

    ESET is currently looking to speak with existing customers of its ESET PROTECT Cloud, ESET PROTECT on-prem, and ESET Enterprise Inspector solutions in order to conduct some qualitative research interviews.  These interviews will allow ESET to better define the future of these flagship products.

    Your use should fall into one of the following usage categories for any of the above-mentioned products:
    • 10-25 seats
    • 25-100 seats
    • 100-500 seats
    • 500-999 seats
    • 1,000-4,999 seats
    • 5,000+ seats
    Geographic location: anywhere
    For more information, including time commitment and compensation, please fill out this form:  https://surveys.hotjar.com/a7ed6b76-6848-45aa-bdd2-73bf7343872e.
    ESET is currently looking to speak only to direct customers using one (or more) of the above products.  If you are a managed service provider (MSP) or managed security service provider (MSSP), please stay tuned for a separate announcement.

    If you have any questions, I will try to answer them, but it would probably be best to fill out the survey form and hear back from one of my colleagues in product development.

    Regards,

    Aryeh Goretsky
  17. Upvote
    Aryeh Goretsky gave kudos to Marcos in Hafnium related? False positive?   
    The detection has already been re-enabled today and should now detect only actually malicious files.
  18. Upvote
    Aryeh Goretsky gave kudos to Marcos in Eset Internet Security slows down windows 10 computer when I copy large amounts of material to my NAS   
    You could create a process exclusion for the process that copies the files. If you won't need it excluded, remove the exclusion when finished with copying. What files do you copy? Is it mainly executables, archives, media files or some other type?
  19. Upvote
    Aryeh Goretsky gave kudos to Marcos in Eset LiveGuard   
    There are currently no such plans since LiveGuard is a feature generating extra costs, hence it's included only in the premium product ESET Smart Security Premium.
  20. Upvote
    Aryeh Goretsky gave kudos to Marcos in Log4J Vulnerability   
    More information here:
    https://support.eset.com/en/alert8188
  21. Upvote
    Aryeh Goretsky gave kudos to itman in hxxp://wpad.domain.name/wpad.dat   
    Appears Eset is detecting an infected BGP server performing WPAD "man-in-the-middle" interception activities.
    It so happens that the IP address shown references a server in Prague. This might explain why your Internet traffic is being blocked since I assume being located in the Czech Republic, regional Internet network traffic is being routed through this server.
    You can try to set your browser network settings to use "no proxy" which is a recommended mitigation for this type of WPAD attack. You also need to inform your ISP of this activity so that they can investigate on their end what is the status of this server.
  22. Upvote
    Aryeh Goretsky gave kudos to bfog in Wipe Windows 10 with Run Command Task   
    That actually does work... thank you very much!
  23. Upvote
    Aryeh Goretsky gave kudos to Marcos in False positive   
    The detection is correct, it was released 2 days ago.
    For more information about malware misusing this particular certificate, please read https://www.fortinet.com/blog/threat-research/deep-analysis-of-driver-based-mitm-malware-itranslator
    Not all files signed with this certificate are necessarily malicious. However, since the certificate is no longer trusted no file signed with the certificate can be trusted either.
    We'll make files from the said archive undetected.
  24. Upvote
    Aryeh Goretsky gave kudos to itman in Compatibility issues with windows 11   
    Refer to the below Process Explorer screen shot. You will observe that Eset's eamsi.dll is injected into every process where Windows amsi.dll is injected into.

  25. Upvote
    Aryeh Goretsky gave kudos to Kucing Hitam in Firewall and Hips Rules Editor   
    The problem is now solved. After I switched to the pre-release update, it is back to normal. Thank you everyone.