Peter Randziak (ESET Moderators), posted October 15, 2021

Hello ESET Endpoint Security / Antivirus users,

We are pleased to announce the availability of ESET Endpoint Security / Antivirus 9 BETA for public testing. The new generation of ESET Endpoint products for Windows brings new features and improvements; let us briefly describe the most visible ones.

- Auto-update: this feature improves the upgrade experience for administrators and makes keeping ESET products on the latest version easier. It is enabled by default and works out of the box. The technology was already present in Windows Endpoint version 8.0; EULA approval was replaced with EULA notifications.
- Brute-force attack protection: evolution of the reputation- and blacklist-based password-guessing defense technology, providing further protection for the RDP and SMB protocols in business networks.
- Official ARM64 support for both EES and EEA for Windows on ARM (the Secure Browser, Machine learning protection and Deep behavioral inspection features are not available for the ARM64 platform in this version).

The new features mentioned are not manageable by the ESET PROTECT management console as of now.
Please also check the list of known issues for the first public BETA build; we believe the severity of those is very low, so they should not affect your user experience much:

- Device Control: printing task stays in the printing queue when the printer is blocked
- Audit logs contain the strings "FeatureId", "OldState", "NewState"
- Web control: Warn action does not work properly for some websites
- Secure Browser: "Ask me" option available for websites in the list
- Secure Browser: some websites are not loaded correctly in the secured browser instance
- Device Control: some Bluetooth devices are not listed in Populate of Device Control

The ESET Endpoint Security 9 BETA and ESET Endpoint Antivirus 9 BETA builds are available for download at https://forum.eset.com/files/category/4-ees-eea-9-beta/ Both .msi and .exe installers are available, and the ARM64 version for Windows on ARM too.

We are looking forward to hearing your feedback and experience with the 9th generation of ESET Endpoint products. For your questions and issue reports, please use this forum directly.

As usual, the build is of BETA quality, so by downloading and using it you agree with our BETA program agreement, which is available at https://forum.eset.com/files/file/31-eset-beta-program-agreement/

After a week or so of BETA testing, please fill out this short survey for us https://survey.eset.com/index.php?r=survey/index&sid=798153&lang=en so we can evaluate the BETA program and make our offering even better for you.

Thank you in advance.

Peter Randziak on behalf of the teams involved
Mitchell, posted October 18, 2021

When editing the brute-force attack protection rules, the thresholds are grayed out; disabling/enabling the rule makes these fields editable. See the screen capture below:
Peter Randziak (ESET Moderators), posted October 19, 2021

Hello @Mitchell, thank you for reporting it. It was confirmed by QA as a bug on our side, so it was reported to the dev team to be fixed.

Peter (I_BFAP-51)
Robc, posted October 19, 2021

Hi, after installing the v9 beta I noticed the following error in the event log of the software:

Time;Component;Event;User
2021-10-19 11:38:23;Firewall;An error occurred during installation of the epfwwfp driver.;SYSTEM
Peter Randziak (ESET Moderators), posted October 20, 2021

Hello @Robc, can you please provide us with the full installation log and the ESET Log Collector output so we can check it?

Thank you,
Peter
Robc, posted October 20, 2021

Hi @Peter Randziak, here are the ESET Log Collector output and the installation log: ees_logs.zip, MSId45dc.LOG
Peter Randziak (ESET Moderators), posted October 20, 2021

Thank you Rob, I'm checking it with the dev team (P_EESW-7831). I will keep you posted.

Peter
Peter Randziak (ESET Moderators), posted October 20, 2021

Hello @Robc, can you please check the endpoint now? It seems that the driver was installed successfully later:

"inf: Driver Store Path: C:\WINDOWS\System32\DriverStore\FileRepository\epfwwfp.inf_amd64_7f5b5fa2211d9c06\epfwwfp.inf
inf: Published Inf Path: C:\WINDOWS\INF\oem31.inf
<<< Section end 2021/10/19 11:38:23.532
<<< [Exit status: SUCCESS]"

Thank you,
Peter
Robc, posted October 20, 2021

Hi @Peter Randziak, all modules are working/active on the endpoint, but I'm not seeing this second driver installation in the log files (Tools --> Log files --> Events), just the error I posted.
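A check a reader can run on their own endpoint to reconcile the product's "error during installation" event with the setupapi "Exit status: SUCCESS" line quoted above. This is an added example, not code from the thread or from ESET; the only product-specific input it assumes is the driver name epfwwfp taken from the log excerpts, and it relies on the standard setupapi.dev.log section markers (">>>  [...]" / "<<<  [Exit status: ...]"). Run it from an elevated PowerShell.

```powershell
# Added example: confirm whether the WFP callout driver named in the thread
# (epfwwfp) is staged in the driver store and loaded, and pull every install
# attempt for it from setupapi.dev.log together with its exit status.

$driverName = 'epfwwfp'   # taken from the log excerpts in the thread

# 1. Staged copy in the driver store? Get-WindowsDriver -Online lists the
#    third-party (oemNN.inf) packages with their original INF name.
$staged = Get-WindowsDriver -Online |
    Where-Object { $_.OriginalFileName -like "*$driverName*" } |
    Select-Object Driver, OriginalFileName, Version, Date

# 2. Kernel driver registered and running? Win32_SystemDriver is the WMI view
#    of the Services\<name> keys whose type is a kernel driver.
$loaded = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.Name -like "*$driverName*" -or $_.PathName -like "*$driverName*" } |
    Select-Object Name, State, StartMode, PathName

# 3. Every install attempt is recorded in setupapi.dev.log as a section that
#    opens with ">>>  [ ... ]" and closes with "<<<  [Exit status: ...]".
$setupLog = Join-Path $env:SystemRoot 'INF\setupapi.dev.log'
$attempts = @()
if (Test-Path $setupLog) {
    $lines = Get-Content $setupLog
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match "^>>>\s+\[.*$driverName") {
            # Walk forward to the matching exit-status line of this section.
            $j = $i
            while ($j -lt $lines.Count -and $lines[$j] -notmatch '^<<<\s+\[Exit status:') { $j++ }
            $attempts += [pscustomobject]@{
                Section = $lines[$i].Trim()
                Result  = if ($j -lt $lines.Count) { $lines[$j].Trim() } else { '(no exit status found)' }
            }
        }
    }
}

"== Staged driver packages =="
$staged | Format-Table -AutoSize
"== Registered kernel driver =="
$loaded | Format-Table -AutoSize
"== setupapi.dev.log install attempts =="
$attempts | Format-Table -AutoSize
```

A healthy endpoint shows at least one staged package whose OriginalFileName ends in epfwwfp.inf, a kernel driver in State Running, and an install section ending in "[Exit status: SUCCESS]". A FAILURE section followed by a later SUCCESS section for the same INF is exactly the "installed successfully later" situation described in the reply above, and the product's own Events log only reflects the first of the two attempts.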
cyh, posted October 21, 2021

Hello, after installing and updating EES, the ESET icon in the lower right corner of the desktop prompts that a scan is starting, but it did not actually happen.
Peter Randziak (ESET Moderators), posted October 22, 2021

Hello @cyh, I guess it is an Automatic startup file check, scheduled after a successful modules update. The scan should be very quick and is not visible in the Computer scan tab.

Peter
johnson.yuan, posted October 28, 2021

Hello, we are very interested in Brute-force attack protection, as we see too many ransomware attacks delivered by RDP brute force, so we tried EES V9 on Win 7 and 2008 R2. Here is the result:
1. On Win 7 64-bit, EES V9 detects SMB brute force but failed to detect RDP brute force. The test was made via Hydra 8.1.
2. On 2008 R2, neither the RDP nor the SMB brute force attack was detected. The test was made via Hydra 8.1.
We value this function very much, so please look into these problems, as Hydra is one of the most commonly used hacking tools.

Regards,
Johnson
Peter Randziak (ESET Moderators), posted October 28, 2021

Hello @johnson.yuan, we will try to check it. Can you please provide us with pcaps containing the relevant traffic?

Peter (I_BFAP-52)
johnson.yuan, posted October 29, 2021

Hi Peter, thanks for your reply. Attached is the Wireshark log; it was captured on Win 10 64-bit. rdptest.rar

Regards,
Johnson
Robc, posted October 29, 2021 (edited October 29, 2021 by Robc)

I was checking the event log for some changes and saw the following audit failure (Windows 10 21H1 Security event log):

Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolume4\Program Files\ESET\ESET Security\eamsi.dll

This is with the v9.0 beta installed. Chkdsk came back clean.
Peter Randziak (ESET Moderators), posted October 29, 2021

Hello @johnson.yuan, the original report was for Win 7 and 2008 R2 with Hydra 8.1; can you please provide the captures for the original report as well?

Anyway, the research team had a look and found out the following:

RDP - Hydra 8.1 does not speak TLS or NLA, for that matter. For this attack to work, the server must be configured with NLA off. Turning NLA on makes the problem go away.

SMB - probably SMB1 has been disabled on that server. Now, Hydra 8.1 speaks SMB1 only, but it fails to notice the reply from the server, or the lack of it, so effectively no brute forcing is taking place. If we turn SMB1 on, detection seems to work as expected.

Peter
Peter Randziak (ESET Moderators), posted October 29, 2021

Hello @Robc, thank you for your report. This is an ongoing topic, see https://forum.eset.com/topic/25035-program-fileseseteset-nod32-antiviruseamsidll/ for example. It is something we need to address with MS...

Peter (P_ESSW-13471)
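Two checks a reader seeing the same audit failure can run before concluding the file is corrupt: whether the Authenticode signature of eamsi.dll still verifies against the bytes on disk, and whether the file was rewritten after the Code Integrity event (which is what a module update between the event and the check looks like). This is an added example, not code from the thread or from ESET. It assumes the path quoted in the report above, that Security event ID 5038 is the audit-failure event carrying the "image hash of a file is not valid" message, and that the "Audit System Integrity" policy is enabled on the host, otherwise no such events exist. Run it from an elevated PowerShell, since reading the Security log needs administrator rights.

```powershell
# Added example: verify the DLL Code Integrity complained about and list the
# matching Security-log audit failures.

$target = Join-Path ${env:ProgramFiles} 'ESET\ESET Security\eamsi.dll'   # path from the report

# 1. Authenticode: does the signature still verify against the bytes on disk?
#    A file altered after signing shows Status 'HashMismatch'; 'NotSigned' on a
#    vendor DLL would be just as suspicious.
$sig = Get-AuthenticodeSignature -FilePath $target
[pscustomobject]@{
    File   = $target
    Status = $sig.Status
    Signer = $sig.SignerCertificate.Subject
    SHA256 = (Get-FileHash -Path $target -Algorithm SHA256).Hash
} | Format-List

# 2. Code Integrity audit failures (assumed event ID 5038) that name this file.
#    The message embeds an NT device path (\Device\HarddiskVolumeN\...), so
#    match on the file name rather than on the drive-letter path.
$leaf = Split-Path $target -Leaf
$ciEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5038 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$leaf*" } |
    ForEach-Object {
        $file = if ($_.Message -match '(?m)^File Name:\s*(.+?)\s*$') { $Matches[1] } else { '' }
        [pscustomobject]@{ Time = $_.TimeCreated; File = $file }
    }

if ($ciEvents) {
    $ciEvents | Sort-Object Time -Descending | Format-Table -AutoSize
} else {
    "No Security event 5038 naming $leaf in the log."
}

# 3. Was the file rewritten after the last failure? If so, the copy on disk is
#    not the one that failed the hash check, and a fresh Get-AuthenticodeSignature
#    result says nothing about the earlier event.
$lastFailure = ($ciEvents | Sort-Object Time -Descending | Select-Object -First 1).Time
$modified = (Get-Item $target).LastWriteTime
[pscustomobject]@{
    LastCodeIntegrityFailure = $lastFailure
    FileLastWriteTime        = $modified
    FileChangedSinceFailure  = [bool]($lastFailure -and $modified -gt $lastFailure)
} | Format-List
```

If Status is Valid and the file has not changed since the event, the failure was not caused by on-disk tampering and belongs in the category the moderator describes (something to be resolved between the vendor and Microsoft); if Status is HashMismatch, keep the file and the event for the vendor's log collector rather than reinstalling over it.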
cyh, posted November 1, 2021

Hello, I installed the Simplified Chinese version for testing. In Advanced settings, under Detection engine -- Malware scans -- Removable media, after it is opened there is no content.
Mitchell, posted November 1, 2021

Seems to be the same for the English version:
johnson.yuan, posted November 1, 2021

Hi Peter, thanks for your reply. I forgot to mention that when testing on this Win 10 I was using Hydra V9.0, and it successfully found my password, and EES V9 detected nothing. I have checked the Remote Desktop settings of the Win 10; NLA is off.

Regards,
Johnson
Peter Randziak (ESET Moderators), posted November 3, 2021

Hello @johnson.yuan,

We tested the above systems with Hydra 8.1 (2014). RDP - Hydra 8.1 does not speak TLS or NLA, for that matter. For this attack to work, the server must be configured with NLA off. Turning NLA on makes the problem go away. The provided pcap was not from the platform in question, but there we seem to detect the individual failed logins correctly.

We tested the behavior with Hydra 9.0 - it uses TLS with NLA, so turning off NLA on the server has no effect this time. We checked the initial Windows 10 version, build 10240, and it shipped with NLA on by default, and by Win10 20H2 the NLA setting has been moved to the advanced options. So why turn it off (unless you want to connect from Win XP, or some old Linux or old 3rd-party client)? We do detect the individual failed logins correctly.

We also tested the above with two Win10 versions with the product. Everything seems to work fine. The only exception found was when EES was not activated - then it would give the detection a pass. So are you using the correct and activated version of the product?

Peter
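Before comparing results with the two replies above, it is worth establishing on the target host what the research team checked: whether NLA is enforced on the RDP listener, whether the SMB1 server protocol is enabled, and whether the tool is producing failed authentication attempts at all, which the Security log records as event 4625 regardless of any endpoint product. This is an added example, not code from the thread or from ESET. It uses the standard Win32_TSGeneralSetting WMI class, the RDP-Tcp and LanmanServer registry keys and Get-SmbServerConfiguration; the one-hour window is an arbitrary choice for the example. Run it elevated on the host being attacked.

```powershell
# Added example: read the server-side settings that decide whether Hydra's
# RDP/SMB attempts reach authentication, then count failed logons (4625) per
# source address and logon type for the last hour.

# --- RDP: Network Level Authentication --------------------------------------
# Win32_TSGeneralSetting.UserAuthenticationRequired = 1 means NLA is enforced.
$ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$nlaOn = [bool]$ts.UserAuthenticationRequired

# The same setting in the registry (UserAuthentication DWORD, 1 = NLA on).
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nlaReg = [bool](Get-ItemProperty $rdpKey).UserAuthentication

# --- SMB: is the SMB1 server protocol enabled? -------------------------------
# Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later; on
# Windows 7 / 2008 R2 read the LanmanServer "SMB1" value instead
# (0 = disabled, value absent = enabled).
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1On = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $srv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1On = if ($null -eq $srv.SMB1) { $true } else { [bool]$srv.SMB1 }
}

# --- Failed logons in the last hour, by source address and logon type --------
# 4625 carries IpAddress, LogonType and TargetUserName in EventData; read them
# from the event XML rather than by Properties[] index.
$since = (Get-Date).AddHours(-1)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Source    = ($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
            LogonType = ($data | Where-Object { $_.Name -eq 'LogonType' }).'#text'
            User      = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
        }
    }

[pscustomobject]@{
    NLA_WMI      = $nlaOn
    NLA_Registry = $nlaReg
    SMB1Enabled  = $smb1On
    Failed4625   = @($failed).Count
} | Format-List

# LogonType 3 = network (SMB, and the CredSSP/NLA stage of RDP);
# LogonType 10 = RemoteInteractive (the RDP logon screen, reachable with NLA off).
$failed | Group-Object Source, LogonType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Read the counts together with the replies above: Hydra 8.1 against a host where NLA_WMI is True should leave Failed4625 at 0, because the TLS/CredSSP handshake never reaches authentication; the same tool against SMB with SMB1Enabled False also produces nothing to count. A steady stream of 4625s from one source with no corresponding product detection is the case worth sending to the vendor with a pcap, because then attempts are demonstrably reaching the authentication stage.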
Peter Randziak (ESET Moderators), posted November 3, 2021

Hello @cyh and @Mitchell, thank you for your report and issue confirmation. I opened a ticket (P_EESW-7912) to have it checked.

Peter
Peter Randziak (ESET Moderators), posted November 4, 2021

We've prepared an auto-update for BETA testers with a new EULA version, so you can see in action the notification about the changed version, even though there is no real change in the text. You can experiment with several states of the Auto-updates setting to see how we inform you about the availability of a new version.

Peter on behalf of the teams involved.
Trooper (ESET Insiders), posted November 8, 2021

Hi Peter, has this been rolled out yet? If so, I have not noticed anything on my end.
ivc52, posted November 8, 2021

When the machine sleeps, it prompts that the ESET push server cannot be accessed; the "No more reminders" button does not work.