Search the Community

I'm trying to create a policy to exclude by threat name, regardless of file location. Let's say that the threat I want to exclude from detection is Win32/uTorrent.C 1) In the ESMC policy for Endpoint security, I understand that one should modify Settings -> Detection Engine -> Basic -> Exclusions, is that correct? 2) Assuming that it is, I presume that I should select "Exclude threat" here. Exactly how do I specify the threat? I would expect that one should enter the exact threat name, ie Win32/uTorrent.C, however if one presses the question mark on this dialog box he/she is directed to https://help.eset.com/ees/7/en-US/idh_exclude.html whereas it is stated as an example that the threat should be specified as (example) @NAME=Win32/Adware.Optmedia@TYPE=ApplicUnwnt Are the @NAME= and @TYPE declarations mandatory and, if not, what is their purpose? For Win32/uTorrent.C how can I know the TYPE beforehand? BTW, there is some inconsistency in the documentation. That is, if one elects to create a policy for File Security for Windows Servers (v6+) instead, then the help file in this dialog box https://help.eset.com/efsw/7.0/en-US/idh_exclude.html does not specify the @TYPE specifier at all. Which of the specifiers above can be used? Win32/uTorrent.C , @NAME=Win32/uTorrent.C@TYPE=Something or @NAME=Win32/uTorrent.C ? 3) Finally, how can I specify that I want this to apply for all disks. Should I leave the path mask empty? Remember that this is a policy to be enforced on systems with an unknown number of drives, so how can I whitelist on global filesystem?

Hi all, I want to exclude a file (over ERA) from the Windows user profile. ESET shows this file as an unwanted application, but my chinese colleague told me, that the file is safe, so I want to tell ESET (in ERA), that the file is safe, and exclude it. The problem is, that the folder name is (for every user) different. I.e. C:\users\username1\AppData\Local\......\filename. C:\users\username2\AppData\Local\......\filename. C:\users\username3\AppData\Local\......\filename. How can do this? Thanks for the help! Best regards Rainer

Hi All, I was wondering if anyone here has been having issues with protocol filtering interfering with browsing, specifically corrupting images and causing page rendering issues? (source text, blank pages, multiple refreshes to correctly render). I have raised the issues to ESET and currently they have me ignoring my browser (chrome) in the list of SSL filtered application. This seems to solve this issues with SSL based pages, but does nothing for non- SSL pages. Originally they had me disable protocol filtering all together but I did not like having a gap in my protection (temporarily was ok) so I re-enabled it. This issue does not generate any events in the logs. I never had these issues until recently (probably the last 2 weeks or so). Regards, Matt

Hi Guys, I am having some issues at the moment with some of my clients with ports and applications being blocked even though their subnets are within the trusted zones. Trusted zones are as follows: 10.0.0.0/255.0.0.0 172.16.0.0/255.255.0.0 192.168.0.0/255.255.0.0 ::1 FE80::/64 Even though these are trusted I still seem to need to put exceptions in the firewalls when I shouldn't need to. Any help will be appreciated.

The short version: 1. It seems that managed Mac clients are only partially honoring exclusions. a. Eicar test files placed in excluded directories are being ignored, as expected. b. Files in excluded directories are still being scanned on access, which is not as expected. 2. Unmanaged Mac clients appear to be honoring exclusions correctly. The long version: My MacBook Pro is affectionately referred to by my colleagues as the "Wind Tunnel" because its fans are constantly going at high speed. And its fans are constantly going at high speed because my managed ESET client is constantly scanning files in directories that have supposedly been explicitly excluded from scanning. A good example is Backblaze's working directory. Since Backblaze is constantly updating its indexes, logs, etc, there's always a lot of churn going on, so I've explicitly excluded Backblaze's working directory… /Library/Backblaze.bzpkg/*.* …via policy (as specified in numerous Knowledgebase articles). And I can tell the exclusion is working (at least in part) because when I place a copy of the Eicar test file in the /Library/Backblaze.bzpkg/ folder (or one of its sub-folders), the ESET client ignores it. But the moment a Backblaze backup kicks off, my managed ESET client starts scanning every file that is accessed in Backblaze's supposedly-excluded working directory, pegging the CPU, and causing the fans on my MacBook Pro to start screaming. Here's a screenshot that shows both the exclusion in the client, as well as the client completely ignoring that exclusion: The same is true of Time Machine backups, as well. Even though I've gone to great lengths to exclude every possible permutation of Time Machine path and volume name, ESET starts churning through every accessed file in those supposedly excluded directories/volumes the moment a Time Machine backup starts. I've only seen this behavior with managed clients. If I install a standalone version of the exact same client with the exact same exclusions, the exclusions work as expected. Even with Backblaze and Time Machine backups happening simultaneously, files in those excluded directories never show up in the scanned objects stream and my fans hum along quietly. But the moment I connect the ESET client to a Remote Administrator server, the scanned objects stream becomes a raging torrent of files in directories that it should be ignoring, and my fans kick into overdrive. I've tried adding/removing policies, creating new policies from scratch, and applying those policies at different levels in the group hierarchy. I've tried uninstalling and reinstalling the client multiple times, as well as going from managed to unmanaged and back again. I've also tried different syntax permutations for the exclusions (including two wildcard symbols (*.*), one wildcard symbol (*), and no wildcard symbol at the end of the path), but the problem remains. Any ideas? I'm out of them…

Hello. I read topic about StartCom and Wo-Sign Root CA https://www.scribd.com/document/325417135/Wo-Sign-and-Start-Com After this i checked site with startcom certificate. Eset SSL inspection rewrite original certificate. After disabling inspection on target url eset sill rewriting original certificate. A there any ways to block root CA in Eset Smart security? How to exclude some host from ssl inspection and certificate rewriting

This has come up before but I am bringing it up again because it is an important topic. Is there a way to exclude detected hashes in endpoint products either directly in the endpoint or via remote administrator? We have some code and programs being popped as malware that does not live in one specific directory. ERA detects all of the hits as the same hash. We would like to exclude the hash as a false positive.

I am excluding and restoring from quarantine via ERA and the local ESET client (6.4.2014.0) tftpd32.exe but as soon as it is restored and excluded either via ERA or the local client, ESET pops it again and sends it back to quarantine. This is also happening on ESET File Security for Windows Servers.

I am increasingly getting privacy errors when using public networks which mean that quite a lot of sites are blocked, even when I click to "continue". Is this down to Smart Security and if so, what can I do to avoid it? Or any other things I need to look at?

I'm using ESS 9.0.381 on win 8.1 64bit with firefox browser. I'm having trouble accessing secure sites (https) that gives a firefox error page "Secure Connection Failed" when using vpn/proxy applications. At first I thought this was caused by firefox's vpn addon, so i tried using another vpn addon from firefox's official addon site (e.g. hoxx, zenmate) and another that is non-addon (e.g. betternet, zenmate windows version) but still unsuccessful. However, fortunately non-secure (http) sites can be accessed whether using the vpn application or not. After days of web searching, I came upon this eset forum post that addresses about firefox addon update problem which does not occur to me. However, thanks to the post, i got the hint that my problem is due to ESET's certificate handling when ssl protocol filtering is enabled. I solve this issue by turning the ssl protocol filtering mode to interactive and then to wait for eset to pop out prompts when i enable/run the vpn application to manually ignore and remember action for the certificates used by the proxy application. For non-tech savvy or advanced user such as I, the solution is somewhat a hassle and troublesome thing to do. Therefore, there's another easier solution which is to entirely disable the ssl protocol filtering under "web and email" or https checking under "web access protection" which is also not a favourable method to those who care a lot about extra security which I also am because by doing so will "remove a layer of security and could expose your system to security risks", which was mentioned in here. I noticed that when you disable ssl protocol filtering, the https checking slide bar is grayed out (not toggleable). Therefore, what happens when I enable ssl protocol filtering but disable https checking? What difference does it make compared to disabling ssl protocol filtering? May I remind once more that this only occur when i'm using a vpn application/program to access sites that happen to be secure and trusted such as google, yahoo mail, youtube etc. Is this a problem/matter that has not yet been addressed by ESET? If so, please fix this issue in the upcoming versions of the software. Thank you.

Hello, I'm just wondering if someone can help me get the correct settings and exclusions in place so that SAS 9.4 can function correctly for our end users. We have about a dozen users who use it. We're using version 6.3.2016.0 of the ESET Endpoint Antivirus client on Windows 7 Enterprise x64 with a current set of Windows Updates applied. Here's a link to what SAS recommends and here are the exclusions I've got entered in.... ​ hxxp://support.sas.com/kb/44/390.html Exclusions in place... *.scr *.sd7 *.sc7 *.sas7b??? *.lck *.sd2 *.sc2 *.SPDS *.sas* *.utl %userprofile%\AppData\Local\Temp\SAS Temporary Files\* %userprofile%\AppData\Roaming\SAS\* %programfiles%\SASHome\* C:\SAS_64\* C:\SASV9\* In addition to all of this, I've got Enable detection of potentially unwanted applications OFF Enable detection of potentially unsafe applications OFF Enable detection of suspicious applications OFF Enable Anti-Stealth technology OFF & Under the "Real-time file system protection" area under ANTIVIRUS I have Advanced heuristics/DNA/Smart signatures OFF as well as High sensitivity heuristics OFF. I'm just trying to find a happy medium at this point. I don't really know what to try anymore. Attached is a capture of the errors our end users get.

Related to this thread: https://forum.eset.com/topic/7611-eset-endpoint-security-web-control-category-lookups/?hl=web+control For security purposes, we are restricting (or have begun restricting) outbound DNS queries that exit our infrastructure to only go to OpenDNS' global DNS server fleet. The thread I referenced above stated that queries for Web Control hit off of ESET's DNS servers for name resolution. Can somebody provide the IPs or CIDR blocks for this functionality?

I have recently installed Eset Smart Security and now a program (Cycling '74 Max/MSP) intermittently fails to load reference documentation. I have added the folders containing the the program and associated documents to the exclusions. Is this a common problem? It seems like if I open Eset and then switch a setting (e.g. change from automatic to interactive mode, or vice versa), sometimes the program can then access the help files. Seems like a bug to me. Anyone?

Eset FileSecurity V6.2.1.2007.1 detects a suspicious file. When asked for action on this file, i select to ignore this file and select no action. But the file is shown as potentially unsafe again and the checkbox to ignore the file is unchecked again. How to exclude a potential unsafe file when it is a false alarm?

My company recently bought ScreenConnect to remotely assist our clients. Problem is, ESET products see it as a threat. Because we are an ESET Reseller, we, and many of our clients are running ESET products ... which makes this this a bigger problem. And because there are several forms of ScreenConnect (Java host, EXE host, EXE client), there is more than one thing to create an exception for. Can you please either give me some instructions around fixing this, or work with ScreenConnect to allow their programs/services to run?

I have live grid enabled with submit statistics and files disabled. Does this lower detection via reputation significantly or at all? If I enable submission of files, is there any way to exclude my development project executables from being submitted. I would prefer that they not be submitted. Every time I compile a project with some modifications, would there the possibility of many variants of the same file being submitted?

Hello, I would like to know which windows processes and their ports are secure. Today I opened the Zone & Rule Editor and there were way too many entries, some programs that are no longer installed, duplicates, etc. So I cleaned up the list and set up Zones and Rules for my browsers, mail client and various programs. My firewall is in interactive mode, thus ESS reports any new/unknown communication. So far the only process I have been asked for while browsing is SVCHOST Since this is a very generic service that includes many processes and protocols I don't exactly know to deal with it. Many users in other forums wrote that this process should be given full permission on anything. I am not sure about that, so this is how I set it up: Application: C:\Windows\System32\svchost.exe (Host Process for Windows Services) Allow: Out TCP&UDP Local Ports: 80 (HTTP), 443 (HTTPs) Now my questions: 1. how should I set up the rule for svchost.exe 2. what other processes are safe to allow and how should they be set up (direction, ports, etc.) Thank you in advance kind regards Pete

Some clients with Eset Endpoint AV 6 are managed by ERA 6 an there is a policy with path exclusions for the realtime scanner. The exclusions are set via policy and working as expected. At last we installed new software on one of the clients and wanted to set another path exclusion manually on this single client. But in the endpoint Av Window the option to set path exclusions is greyed out. Is there a way to set path exclusions via policy and set some exclusions on the client manually? Thanks in advance Thomas

Hi, I'm playing League of Legends (LoL) and using Smart Security in interactive mode. I have had Nod32 for decades now. LoL has a really annoying application directory that changes along their updates i.e: C:\Riot\League of Legends\RADS\solutions\lol_game_client_sln\releases\0.0.1.95\deploy In the firewall exceptions I can only set the exception based on the application and not the root directory or a regular expression that would be really convenient here. Am I missing something? Right now I can only add the exception until next patch but it will trigger 3 popups. 2 at startup and 1 at game begining which if I fail to configure quick enough will drop my game or freeze it. Many thanks

Hello, This is a follow up on this thread: https://forum.eset.com/topic/753-eset-file-security-backup-processes/ Our backup is slowed down to a point where people start arriving in the office before the backup is finished. The only solution I have found to work is by setting: Real-time file system protection > Scan On > File Open to disabled I would rather have exclusions in place, but excluding the Symantec programs path: E:\Program Files\Symantec\Backup Exec\ didn't work Has anyone found a solution for this? Many thanks Jean-Philippe P.S.: Our system is running ERA Agent 6.1.444.0 and File Security 6.0.12035.0 on Windows Server SBS 2008 SP2

Hi, We use a windows based softphone called 3CX Phone for Windows at the office. I've recently changed malware protection on a Windows 8.1 laptop to Eset Smart Security V8. Since doing so the 3CX Phone program can no longer communicate with the 3CX phone system. To date I have tried the following: 1. Added the program's folder to the Realtime scanning exclusion list 2. Turned off/disabled every single Eset module in its Setup section. This had no effect, even after a reboot. 3. Uninstalled Eset. After doing so and performing a reboot the 3CX Phone program worked fine. I reinstalled Eset, and now the problem is back. Does anyone know what needs doing to the Eset security suite to resolve this issue? Thanks, Adriaan

Hi, When you define any exlusions in ESET Smart Security, you can add a complete drive, a compete folder, or just one particular file / program. If you for example create an exclusion for C:\Program files\Program.exe will then all files which this program is reading / writing, also be excluded from scanning by ESET, or does the exclusion settings only mean that the file Program.exe will not be scanned on ESET On-Demand scans?

With reference to this screenshot, I want your kind attention, that my ESS8 is constantly flagging Adguard and Hitman pro / hitman pro alert 3 as PUP but Adguard support team has confirmed me to made an exclusion and its a false positive warning. I've contacted Ess support but I got no reply. Any solution? suggestion/feedback ! Thanks and Best Regards, Sadashiva.

Hello, I'm trying to make a restoration of my system after a mistake I made a few days ago, but this isn't working with ESET because it blocks the process. How can I restore my system with ESET? How can I exclude the restoration system (if that's what I have to do?). Thanks a lot.

Solution for Error: There was a failure while compacting the virtual hard disk on the backup location. A device attached to the system is not functioning. Windows Server 2012R2 Backup fails. Solution: You must change real time scan from all extensions to only scan infectable extensions. This should resolve the issue. Note: Excluding the destination backup drive is not effective as a virtual drive is created during Backup. Since NOD32 does not allow exclusions without a specified drive letter, I had to change the following setting in NOD32: Real Time File System Protection, Setup, Extensions. Uncheck "Scan All Files". If Eset would allow blanket exclusions for certian file types, regardless of location, I could have excluded .vhd and .vhdx extensions. Unfortunately, this is not an option in NOD32. Somewhat related Issue that may be of interest: compacting the virtual hard disk(s) may take a long time hxxp://support.microsoft.com/kb/2524602