itman 1,809 Posted December 18, 2016

Ref.: hxxp://www.amtso.org/feature-settings-check-potentially-unwanted-applications/

Win 10 1607 x64, IE11 w/advanced EPM enabled. As noted in the below screen shot, Eset SS ver. 10 PUA protection failed to block the PUA download. It did alert, but it appears cleaning failed, at which time the PUA was available for downloading. Perhaps an issue w/ThreatSense realtime scanner running in AppContainer?
TomFace 540 Posted December 18, 2016

You Do get a window prior to the screen you posted asking if you want to Disconnect or Ignore. I believe that is what is supposed to happen. (Win 7...ESS 10.0.369.0....IE 11 w/EPM enabled)

Edited December 18, 2016 by TomFace
itman 1,809 Posted December 18, 2016 (Author)

No, I did not receive the Disconnect screen; that is why I posted the issue. I did create a new local admin profile and am running under that profile, although that should not affect Eset operation.

Also just noticed the cloudcar.exe test file can also be downloaded, although I did receive an Eset alert that the connection was terminated.

Note that in both these cases, SmartScreen detects the test malicious download, but I believe Eset should be blocking the download from happening per AMTSO guidelines.

Also note that advanced EPM w/Enable 64 bit processes on X64 Win 8/10 forces IE11 to run in an AppContainer instance. Regular EPM setting for the Security Zone settings does not.

-EDIT- Just verified that Eset plug-in .dll is inserted into AppContainer instance of IE11. But, that .dll might only be used for the anti-keylogger driver?

Also one other very disturbing occurrence. When I allowed the AMTSO test PUA to download via SmartScreen, I attempted to run the file. Win 10 SmartScreen detected the PUA, Eset did not. It could be that SmartScreen intercepted the file before Eset had a chance to examine it. However, this needs to be checked out further. Noteworthy is that Eset's realtime scanner did not detect the PUA when it was written to disk, i.e. file creation. This leads to the assumption that it will not detect it upon file execution. This might be by design since the test file is only to be detected and blocked during download attempt per AMTSO guidelines.

Edited December 18, 2016 by itman
itman 1,809 Posted December 19, 2016 (Author)

I just tried the AMTSO PUA test in Edge and received the same alert. Since Edge runs by default in AppContainer, this confirms to me there is an AppContainer issue with Eset.
Marcos 5,468 (Administrators) Posted December 19, 2016

Just to make sure, do you have standard cleaning (i.e. not the strict) set in the Web access protection ThreatSense setup?
itman 1,809 Posted December 19, 2016 (Author)

Setting to normal cleaning did the trick. Proper Disconnect alert was displayed. There was no "Standard" cleaning option.

Also as far as the cloudcar.exe download goes, download was allowed regardless of Eset alert stating connection was terminated. SmartScreen detected and blocked it. No change in that behavior with changing setting to normal cleaning.

Edited December 19, 2016 by itman