NewbyUser (ESET Insiders), posted April 28, 2020:

Yea, I saw the certificate issue problems, and searched for Eset certs on this laptop. Only had the current one. I still deleted it and then activated web protection to put back the current one. Didn't have any effect. Additionally, people with clean installs wouldn't have any prior Eset certs, such as my case; I'm new to Eset on this laptop, so I don't see that as being the source of the problem.

itman, posted April 28, 2020:

@SeriousHoax already posted a workaround that worked for him here: https://forum.eset.com/topic/23125-certificate-issues-for-firefox-740-64bit/?do=findComment&comment=111976

Note that he deleted the existing and only Eset certificate from the Windows root CA certificate store, not from FireFox's Authorities certificate store. He then rebooted, and Eset's root certificate auto repopulated in the Windows root CA certificate store. Why this works, I really have no clue.

NewbyUser (ESET Insiders), posted April 29, 2020:

Just tried both ways, through FF settings, then restarted EIS and from the cert msc and restarted the whole laptop, no effect, FF still downloads the 2x zip in ssl.

NewbyUser (ESET Insiders), posted April 29, 2020:

What's the "danger" to this issue/"vulnerability"? Is it still safe using FF until this is fixed?

SeriousHoax, posted April 29, 2020:

11 hours ago, itman said:
> @SeriousHoax already posted a workaround that worked for him here: https://forum.eset.com/topic/23125-certificate-issues-for-firefox-740-64bit/?do=findComment&comment=111976
> Note that he deleted the existing and only Eset certificate from the Windows root CA certificate store, not from FireFox's Authorities certificate store. He then rebooted, and Eset's root certificate auto repopulated in the Windows root CA certificate store. Why this works, I really have no clue.

I just remembered actually it worked for me before the current Internet protection module. I updated to pre-release version which is the current stable version but this method didn't work. Then I reverted to stable build and then the method worked. So, it's definitely the issue of the current module. The one prior to this version didn't have the problem.

itman, posted April 29, 2020 (edited):

Again, on Win 10 x(64) 1909 with FireFox ver. 75 and EIS ver. 13.1.21, the Eicar web site download of the 2x zip is detected:

Are you downloading this file from the above shown web site? Also check your Eset Detection log for a like entry. It is possible an issue might exist with your Eset installation with displaying of the associated desktop Eset alert.

itman, posted April 29, 2020:

For additional testing, I had an e-mail with the eicarcom2.zip attachment sent to me using this web site: https://www.aleph-tec.com/eicar/

I receive e-mail via IMAPS, so the e-mail would have been received encrypted. The minute I opened the e-mail in Thunderbird, the eicar attachment was deleted. Unfortunately, and this is an ongoing problem I have had with Eset scanning of IMAPS e-mail, I received no alert and no log entry for this deletion activity. But nonetheless, the attachment was deleted, which is the important point.

NewbyUser (ESET Insiders), posted April 29, 2020:

7 hours ago, itman said:
> Again, on Win 10 x(64) 1909 with FireFox ver. 75 and EIS ver. 13.1.21, the Eicar web site download of the 2x zip is detected:
> Are you downloading this file from the above shown web site? Also check your Eset Detection log for a like entry. It is possible an issue might exist with your Eset installation with displaying of the associated desktop Eset alert.

Yes, I downloaded from that site. All 4 http versions are detected, and 3 of the https are; the eicar2 zip is not and can be downloaded. Additionally, the tests at wicar all fail when clicking on the ssl tab for each test in FF. When using Edge and Opera all tests at both sites are detected, so I doubt it's an issue with my overall Eset installation. Even after downloading the eicar2 zip ssl version from FF, it gets detected when I access the folder.

NewbyUser (ESET Insiders), posted April 29, 2020:

6 hours ago, itman said:
> For additional testing, I had an e-mail with the eicarcom2.zip attachment sent to me using this web site: https://www.aleph-tec.com/eicar/
> I receive e-mail via IMAPS, so the e-mail would have been received encrypted. The minute I opened the e-mail in Thunderbird, the eicar attachment was deleted. Unfortunately, and this is an ongoing problem I have had with Eset scanning of IMAPS e-mail, I received no alert and no log entry for this deletion activity. But nonetheless, the attachment was deleted, which is the important point.

I never receive emails when using this test. Since I use Gmail I've always assumed Google scanned them and didn't allow the email through.

NewbyUser (ESET Insiders), posted April 29, 2020:

9 hours ago, SeriousHoax said:
> I just remembered actually it worked for me before the current Internet protection module. I updated to pre-release version which is the current stable version but this method didn't work. Then I reverted to stable build and then the method worked. So, it's definitely the issue of the current module. The one prior to this version didn't have the problem.

Thanks, I tried both methods after itman pointed out your workaround. Neither method works here. I'm currently using pre-release updates and seeing this issue. Hopefully they update the module; I don't see a way to roll back individual modules.

NewbyUser (ESET Insiders), posted April 29, 2020:

8 hours ago, itman said:
> Again, on Win 10 x(64) 1909 with FireFox ver. 75 and EIS ver. 13.1.21, the Eicar web site download of the 2x zip is detected:
> Are you downloading this file from the above shown web site? Also check your Eset Detection log for a like entry. It is possible an issue might exist with your Eset installation with displaying of the associated desktop Eset alert.

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
4/29/2020 7:18:29 AM;Real-time file system protection;file;C:\Users\ZZZ\AppData\Local\Temp\dPKU32kV.com.part;Eicar test file;cleaned by deleting;;Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe (124D3C2BA93644AC6C2D7253DE242B46BE836692).;CF8BD9DFDDFF007F75ADF4C2BE48005CEA317C62;4/29/2020 7:18:27 AM

As you see, here it's detected by real time protections, not by http.

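Added example (not part of any post in this thread, and not ESET code): a parser for the semicolon-delimited detection-log export quoted above that reports whether each detection was made on a file on disk or on a scanned URL, and which application wrote the file. The second sample row, including the scanner name `HTTP filter` and its URL, is constructed for contrast and is an assumption.

```python
import csv
import io
import re

# Row 1 is the export quoted in the post above (header line + one record).
# Row 2 is CONSTRUCTED for contrast: the scanner name "HTTP filter" and the
# test.invalid URL are assumptions, not values taken from the thread.
SAMPLE = r"""Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
4/29/2020 7:18:29 AM;Real-time file system protection;file;C:\Users\ZZZ\AppData\Local\Temp\dPKU32kV.com.part;Eicar test file;cleaned by deleting;;Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe (124D3C2BA93644AC6C2D7253DE242B46BE836692).;CF8BD9DFDDFF007F75ADF4C2BE48005CEA317C62;4/29/2020 7:18:27 AM
4/29/2020 7:20:00 AM;HTTP filter;file;http://test.invalid/eicar.com;Eicar test file;connection terminated;;Constructed row;;4/29/2020 7:20:00 AM
"""

# "Information" names the process that wrote the file, followed by a 40-hex hash.
WRITER_RE = re.compile(r"modified by the application: (.+?) \(([0-9A-Fa-f]{40})\)")


def parse_export(text):
    """Return one dict per record; fields are ';'-separated and unquoted."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";", quoting=csv.QUOTE_NONE)
    return [row for row in reader if row.get("Object")]


def detection_layer(row):
    """A URL object means the traffic was scanned in transit; a path means on disk."""
    obj = row["Object"].lower()
    if obj.startswith("https://"):
        return "in transit (HTTPS)"
    if obj.startswith("http://"):
        return "in transit (HTTP)"
    return "on disk"


def writing_application(row):
    """Path of the application that wrote the detected file, if the record names one."""
    match = WRITER_RE.search(row["Information"] or "")
    return match.group(1) if match else None


def summarize(text):
    """(scanner, layer, writing application) for every record in the export."""
    return [(r["Scanner"], detection_layer(r), writing_application(r))
            for r in parse_export(text)]


if __name__ == "__main__":
    for scanner, layer, app in summarize(SAMPLE):
        print(f"{scanner}: {layer}; written by {app or 'n/a'}")
```
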
itman, posted April 29, 2020:

21 minutes ago, NewbyUser said:
> As you see, here it's detected by real time protections, not by http.

All I can say is something is screwed up with the way you have FireFox configured. What your log entry shows is a "stub" of the Eicar download file. Last time I saw one of those was when I was using IE11 some time ago. These stubs don't actually contain any data. Also suspicious is "dPKU32kV.com", as if you were being redirected somewhere else.

Your FireFox profile file might be screwed up. You previously stated you have reinstalled FireFox, but I suspect you didn't delete your existing FireFox profile when doing so. By default, FireFox retains the existing profile file when it is uninstalled.

NewbyUser (ESET Insiders), posted April 29, 2020 (edited):

5 minutes ago, itman said:
> All I can say is something is screwed up with the way you have FireFox configured. What your log entry shows is a "stub" of the Eicar download file. Last time I saw one of those was when I was using IE11 some time ago. These stubs don't actually contain any data. Also suspicious is "dPKU32kV.com", as if you were being redirected somewhere else.
> Your FireFox profile file might be screwed up. You previously stated you have reinstalled FireFox, but I suspect you didn't delete your existing FireFox profile when doing so. By default, FireFox retains the existing profile file when it is uninstalled.

I do have the DNS through https feature enabled on FF, could that be what's causing this redirect? And I didn't reinstall FF; I was referring to the certificates, I removed and reapplied them.

itman, posted April 29, 2020 (edited):

1 hour ago, NewbyUser said:
> Additionally, the tests at wicar all fail when clicking on the ssl tab for each test in FF.

Further proof something is screwed up with your FireFox installation. If I try to execute any of the Wicar tests in FireFox, they are immediately blocked by its built-in Google Safe Browsing blacklist:

itman, posted April 29, 2020:

8 minutes ago, NewbyUser said:
> I do have the DNS through https feature enabled on FF, could that be what's causing this redirect?

I have it enabled using its Cloudflare DNS servers w/o any issues.

NewbyUser (ESET Insiders), posted April 29, 2020:

8 minutes ago, itman said:
> Further proof something is screwed up with your FireFox installation. If I try to execute any of the Wicar tests in FireFox, they are immediately blocked by its built-in Google Safe Browsing blacklist:

I get these too. You have to click details and then visit the site anyway, or turn off FF from checking sites to be able to let EIS see the traffic.

NewbyUser (ESET Insiders), posted April 29, 2020:

51 minutes ago, itman said:
> Further proof something is screwed up with your FireFox installation. If I try to execute any of the Wicar tests in FireFox, they are immediately blocked by its built-in Google Safe Browsing blacklist:

I'll also say, why assume something is wrong with my FF? If you scroll through this thread you see that two Eset employees have said they're aware of the issue and working on a fix. Which, while not stated, would imply that I'm far from the only person experiencing the issue.

itman, posted April 29, 2020:

Eset detection of Eicar download from wicar.org. Note I was on the HTTPS site when tested:

NewbyUser (ESET Insiders), posted April 29, 2020:

15 minutes ago, itman said:
> Eset detection of Eicar download from wicar.org. Note I was on the HTTPS site when tested:

If you look at the Object scanned, it's scanning HTTP, not HTTPS.

itman, posted April 29, 2020:

19 minutes ago, NewbyUser said:
> If you look at the Object scanned, it's scanning HTTP, not HTTPS.

Refer to my posting. I stated I downloaded from the wicar.org HTTPS web site. Appears it redirects to its HTTP web site to do the EICAR download.

BTW - I am done with you.

NewbyUser (ESET Insiders), posted April 30, 2020:

18 minutes ago, itman said:
> Refer to my posting. I stated I downloaded from the wicar.org HTTPS web site. Appears it redirects to its HTTP web site to do the EICAR download.
> BTW - I am done with you.

I read what you said, and pointed out the object being actually scanned was http. Not sure where your animosity comes from, but it works for me. Thanks for the assistance.

Marcos (Administrators), posted April 30, 2020:

There is no reason to argue about the issue here. The cause is known and I too was able to reproduce it. Probably next week we will release a new Internet protection module for those updating from pre-release update channel that will address the issue.

itman, posted April 30, 2020 (edited):

18 hours ago, NewbyUser said:
> If you look at the Object scanned, it's scanning HTTP, not HTTPS.

NewbyUser (ESET Insiders), posted April 30, 2020, replying to itman's post of 6 hours earlier:

Not sure what the point of this post is. I'm glad you're not experiencing the issue. Thanks again for your assistance.

itman, posted May 1, 2020 (edited):

Here's a web site, https://ipinfo.info/html/testvirus.php, that will perform eicar 2x, 3x, and 4x .zip plus .tar, .gz, and .cab HTTPS downloads. Eset using FireFox detected them all.