Daren 0 Posted March 25, 2019 Share Posted March 25, 2019 Today it happened that I was afraid the most. Despite the privacy settings, your products are now connected to the servers ts.eset.com. This servers is used for "To submit suspicious files and anonymous statistical information to ESET's Threat Lab". In simple words, from today your company "steals" files from users computers despite the fact that they have disabled it in the settings. How could you do that? We trust your products to protect ours computers and you turn ESET Security into legal malware. YOU HAVE NO RIGHT to take anything from my computer without my consent. Especially considering that I disable such actions in the settings. I'll wait a week. If you do not remove this outrage from your products, I will no longer use them. You can be sure that I'm not the only one. People are not as blind and stupid as you think. And you are not so smart and cunning. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted March 25, 2019 Administrators Share Posted March 25, 2019 As long as the LiveGrid feedback system and submission of statistical information is disabled, the product should not connect to ts.eset.com. Please gather logs with ESET Log Collector and supply me with the generated archive for perusal. Link to comment Share on other sites More sharing options...
itman 1,659 Posted March 25, 2019 Share Posted March 25, 2019 2 hours ago, Daren said: I'll wait a week. If you do not remove this outrage from your products, I will no longer use them. You can be sure that I'm not the only one. People are not as blind and stupid as you think. And you are not so smart and cunning. If you're concerned about this, you can control what Eset collects as shown in the below screen shot: Link to comment Share on other sites More sharing options...
Isaak87 0 Posted March 25, 2019 Share Posted March 25, 2019 Can confirm. After signature update 19083 latest version EIS every 10 minutes try connect to ts.eset.com. With IP 91.228.166.XXX and 91.228.167.XXX. LiveGrid feedback system and submission of statistical information is disabled. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted March 25, 2019 Administrators Share Posted March 25, 2019 There are also update servers in the above mentioned ranges (pico.eset.com). Haven't seen any communication with ts.eset.com yet while trying to reproduce the issue with the LiveGrid feedback system disabled. Link to comment Share on other sites More sharing options...
itman 1,659 Posted March 25, 2019 Share Posted March 25, 2019 (edited) One possibility here is the OP is stuck in the dreaded "LiveGrid never ending submission loop." I posted a long thread about this a couple of years ago. Can't find it for reference; probably archived. Shortly after I installed ver. 12.1.31, I did some penetration testing against it. I hit it with a dozen or so test malware in rapid succession. This was enough to start the never ending multiple port opening submissions to LiveGrid servers in rapid succession. It appears like behavior is what triggers the problem. Let this go on for a while to see if it would stop on its own. It didn't. So I employed the resolution that worked previously; boot into safe mode and delete every FNDx.NFI file present in C:\ProgramData\ESET\ESET Security\Charon directory. Note: I am not recommending this; only stating what worked for me. Was going to create a forum posting about it, but decided it wasn't worth the effort since the issue was never resolved two years ago. -EDIT- Forgot this. I also disabled the Customer Experience option which as I recollect, was also a factor in the behavior two years ago. Edited March 25, 2019 by itman Link to comment Share on other sites More sharing options...
Most Valued Members peteyt 393 Posted March 26, 2019 Most Valued Members Share Posted March 26, 2019 15 hours ago, itman said: One possibility here is the OP is stuck in the dreaded "LiveGrid never ending submission loop." I posted a long thread about this a couple of years ago. Can't find it for reference; probably archived. Shortly after I installed ver. 12.1.31, I did some penetration testing against it. I hit it with a dozen or so test malware in rapid succession. This was enough to start the never ending multiple port opening submissions to LiveGrid servers in rapid succession. It appears like behavior is what triggers the problem. Let this go on for a while to see if it would stop on its own. It didn't. So I employed the resolution that worked previously; boot into safe mode and delete every FNDx.NFI file present in C:\ProgramData\ESET\ESET Security\Charon directory. Note: I am not recommending this; only stating what worked for me. Was going to create a forum posting about it, but decided it wasn't worth the effort since the issue was never resolved two years ago. -EDIT- Forgot this. I also disabled the Customer Experience option which as I recollect, was also a factor in the behavior two years ago. I remember coming across the post. Is it this one? Link to comment Share on other sites More sharing options...
itman 1,659 Posted March 26, 2019 Share Posted March 26, 2019 1 hour ago, peteyt said: I remember coming across the post. Is it this one? Yeah, that's the thread. To begin with, LiveGrid uploads detections and suspicious processes via the FNDx.NFI mechanism. Once these have been analyzed, LiveGrid then instructs the origin local Eset installation to delete those files. For the majority of the time, this works without issue. It appears to me Eset has an "attack mode" sensor which is triggered when it encounters a multitude of malware attacks within a short duration. This triggers LiveGrid to be put in a constant connect mode to the Eset servers. Hence, the observable upload transmission loop. All this is fine except that the upload loop never ceases based on my prior observation. In other words, it will continue even after the next day's cold boot. It appears there is a lost status condition occurring between the local Eset installation and Eset servers. Finally, the Customer Experience option is somehow a factor in the above. Note that it was enabled by default in the 12.1.31 upgrade. When I disable that, the transmission looping activity never reappears. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted March 27, 2019 Administrators Share Posted March 27, 2019 First, we would like to thank the user Daren for spotting and reporting this unusual communication to LiveGrid, as well as for reporting it to this forum. We can confirm that anonymized domain statistics (statistics about domain and their IP addresses performed by the client) were indeed sent to us despite the fact that this functionality had been switched off. This was due to a flaw in an update on 2019.3.25 at 10:25 CET. The user report triggered an immediate investigation by ESET, and on the afternoon of March 26th at 15:03 CET, LiveGrid servers were adjusted to no longer receive the statistics. Two hours later, with the release of update 1549.3 of the Antivirus and Anti-Spyware scanner module, the issue was fixed. We would like to apologize for the behavior of the scanner and respect the wishes and options our users make in the settings of our products. Although the statistics sent were anonymized at all times, we immediately removed any and all data that may have been collected in error. The users’ privacy was not affected. SCR and ebill 2 Link to comment Share on other sites More sharing options...
Recommended Posts