ESET Endpoint Security 9 & ESET Endpoint Antivirus 9 BETA

[Peter Randziak 1,130]

Hello ESET Endpoint Security / Antivirus users,

 

We are pleased to announce the availability of ESET Endpoint Security / Antivirus 9 BETA for public testing.

 

The new generation of ESET Endpoint products for Windows brings new features and improvements, let us briefly describe the most visible ones.

• Auto-update – This feature improves the upgrade experience for administrators and makes keeping ESET products on latest version easier. It is enabled by default and works  out of the box. Technology was present in Windows Endpoint version already 8.0, EULA approval was replaced with EULA notifications.
• Brute-force attack protection - Evolution of reputation and blacklist-based password-guessing defense technology, providing further protection for RDP and SMB protocols in business networks.
• Official ARM64 support for both EES and EEA for Windows on ARM ( Secure Browser, Machine learning protection and Deep behavioral inspection features are not available for ARM64 platform in this version)

The new features mentioned are not manageable by ESET PROTECT management console as of now.

 

Please check also the list of Known issues for the first public BETA build, we believe the severity of those is very low so they should not affect your user experience much

• Device Control: Printing task stays in printing queue when printer is blocked
• Audit logs contain strings "FeatureId", "OldState", "NewState"
• Web control: Warn action does not work properly for some websites
• Secure Browser: Ask me option available for websites in list
• Secure Browser: Some websites are not loaded correctly in secured browser instance
• Device Control: Some bluetooth devices are not listed in Populate of Device control

 

The ESET Endpoint Security 9 BETA and ESET Endpoint Antivirus 9 BETA builds are available for download at https://forum.eset.com/files/category/4-ees-eea-9-beta/

Both .msi and .exe installers are available and the ARM64 version for Windows on ARM too.

 

We are looking forward to hearing your feedback and experience with the 9th generation of ESET Endpoint products.

For your questions and issue reports, please use this forum directly.

 

As usually the build is in BETA quality so by downloading and using it, you agree with our BETA program agreement, which is available at https://forum.eset.com/files/file/31-eset-beta-program-agreement/

After a week or so of BETA testing, please fill out this short survey for us https://survey.eset.com/index.php?r=survey/index&sid=798153&lang=en so we can evaluate the BETA program and make our offering even better for you. Thank you in advance.

 

Peter Randziak on behalf of teams involved

[Mitchell 13]

When editing the brute-force attack protection rules the thresholds are grayed out, disabling/enabling the rule makes these fields editable. see screen capture below:

[Peter Randziak 1,130]

Hello @Mitchell,

thank you for reporting it, it was confirmed by QA as a bug on our side so it was reported to the dev team to be fixed.

Peter

(I_BFAP-51)

[Robc 2]

Hi, after installing the v9 beta I noticed the following error in the event log of the software

Time;Component;Event;User
2021-10-19 11:38:23;Firewall;An error occurred during installation of the epfwwfp driver.;SYSTEM
 

[Peter Randziak 1,130]

Hello @Robc,

Can you please provide us with the full installation log and ESET Log Collector output to check it?

Thank you, Peter

[Robc 2]

Hi @Peter Randziak

here is the ESET Log Collector log and the installation log

ees_logs.zip MSId45dc.LOG

[Peter Randziak 1,130]

30 minutes ago, Robc said:

Hi @Peter Randziak

here is the ESET Log Collector log and the installation log

ees_logs.zip 5.08 MB · 0 downloads MSId45dc.LOG 2.01 MB · 0 downloads

Thank you Rob, I'm checking it with the dev team (P_EESW-7831).

I will keep you posted.

Peter

[Peter Randziak 1,130]

Hello @Robc,

can you please check the endpoint now, it seems that the driver was installed successfully later.

"inf: Driver Store Path: C:\WINDOWS\System32\DriverStore\FileRepository\epfwwfp.inf_amd64_7f5b5fa2211d9c06\epfwwfp.inf
inf: Published Inf Path: C:\WINDOWS\INF\oem31.inf
<<< Section end 2021/10/19 11:38:23.532
<<< [Exit status: SUCCESS]"

Thank you, Peter

[Robc 2]

Hi @Peter Randziak, 

All modules are working/active in the endpoint, but i'm not seeing this in the log files (Tools --> log files --> events). This second driver installation, just the error I posted.

[cyh 0]

Hello, after installing and updating EES, the icon in the lower right corner of the ESET desktop prompts that the scan is starting, but it did not actually happen

[Peter Randziak 1,130]

Hello @cyh,

I guess it is a Automatic startup file check, scheduled after successful modules update.

The scan should be very quick and is not visible in the Computer scan tab.

Peter

[johnson.yuan 0]

Hello, we are very interested in Brute-force attack protection. as we see too much ransom ware attack delivered by RDP brute force. so we tried the EES V9 on Win 7 and 2008r2, here is the result:

1. On win 7 64 bits, the EES V9 detects SMB brute force but failed to detect RDP brute force, the test is made via hydra 8.1.

2. On 2008 R2,  both the RDP and SMB brute force attacked is unabled to be detected.the test is made via hydra 8.1.

we are very value this function, so please look into this problems, as the hydra is one of the most common used hack tool.

Regards.

Johnson

 

 

 

[Peter Randziak 1,130]

Hello @johnson.yuan,

We will try to check it, can you please provide us with pcaps containing the relevant traffic?

Peter

(I_BFAP-52)

[johnson.yuan 0]

Hi Peter,

thanks for your reply, attached is the wireshark log, is captured on win 10 64bit.

Regards

Johnson

rdptest.rar

[Robc 2]

I was checking the event log for some changes and saw the following audit failure (windows 10 21h1 security eventlog)

Code integrity determined that the image hash of a file is not valid.  The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name:    \Device\HarddiskVolume4\Program Files\ESET\ESET Security\eamsi.dll

This is with the v9.0 beta installed.

Chkdsk came back clean

Edited October 29, 2021 by Robc

[Peter Randziak 1,130]

Hello @johnson.yuan,

3 hours ago, johnson.yuan said:

thanks for your reply, attached is the wireshark log, is captured on win 10 64bit.

the original report was for Win 7 and 2008R2 by Hydra 8.1, can you please provide with the captures for the original report as well?

 

Anyway the research team had a look and found out following:

RDP - hydra 8.1 does not speak TLS or NLA for that matter. For this attack to work the server must be configured with NLA off. Turning NLA on makes the problem to go away.

SMB - probably SMB1 has been disabled on that server. Now, Hydra 8.1 speaks SMB1 only, but it fails to notice the reply from the server or the lack of it, effectively no brute forcing taking place. If we turn SMB1 on, detection seems to work as expected.

 

Peter

[Peter Randziak 1,130]

Hello @Robc,

3 hours ago, Robc said:

I was checking the event log for some changes and saw the following audit failure (windows 10 21h1 security eventlog)

Code integrity determined that the image hash of a file is not valid.  The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name:    \Device\HarddiskVolume4\Program Files\ESET\ESET Security\eamsi.dll

This is with the v9.0 beta installed.

Chkdsk came back clean

thank you for your report, this is an ongoing topic see https://forum.eset.com/topic/25035-program-fileseseteset-nod32-antiviruseamsidll/ for example.

It is something we need to address with MS...

Peter

(P_ESSW-13471)

 

[cyh 0]

Hello, I installed the simplified Chinese version of the test. In the advanced settings, the detection engine--malware scan--after the removable disk is opened, there is no content

[Mitchell 13]

5 hours ago, cyh said:

Hello, I installed the simplified Chinese version of the test. In the advanced settings, the detection engine--malware scan--after the removable disk is opened, there is no content

seems to be the same for the english version:

[johnson.yuan 0]

On 10/29/2021 at 7:24 PM, Peter Randziak said:

Hello @johnson.yuan,

the original report was for Win 7 and 2008R2 by Hydra 8.1, can you please provide with the captures for the original report as well?

 

Anyway the research team had a look and found out following:

RDP - hydra 8.1 does not speak TLS or NLA for that matter. For this attack to work the server must be configured with NLA off. Turning NLA on makes the problem to go away.

SMB - probably SMB1 has been disabled on that server. Now, Hydra 8.1 speaks SMB1 only, but it fails to notice the reply from the server or the lack of it, effectively no brute forcing taking place. If we turn SMB1 on, detection seems to work as expected.

 

Peter

Hi Peter

thanks for your reply, I forget to mention, when test on this win 10, I'm using Hydra V9.0, and it succfully find out my password, and EES V9 detectd nothing.  I have checked the Retmote Desktop settings of the  win 10. the NLA is off.

 

Regards

Johnson

 

[Peter Randziak 1,130]

Hello @johnson.yuan,

We tested the above systems with hydra 8.1 (2014)

RDP - hydra 8.1 does not speak TLS or NLA for that matter. For this attack to work the server must be configured with NLA off. Turning NLA on makes the problem to go away.

 

The provided pcap was not from a platform in question, but there we seem to detect the individual failed logins correctly.

 

We tested the behavior with Hydra 9.0 - it uses TLS with NLA, so turning off NLA on the server has no effect this time. Checked the initial Windows version 10 build 10240 and it shipped with NLA on by default and by Win10 20H2 the NLA setting has been moved to advanced options.

So why turn it off (unless you want to connect from win XP or some old Linux or old 3rd party client)?
We do detect the individual failed logins correctly. We also tested the above mentioned with two win10 versions with the product. Everything seems to work fine. The only exception found was when EES was not activated - then it would give the detection a pass.
So are you using the correct and activated version of the product?

Peter

[Peter Randziak 1,130]

Hello @cyh and @Mitchell,

thank you for your report and issue confirmation, I opened a ticket (P_EESW-7912) to have it checked.

Peter

[Peter Randziak 1,130]

We’ve prepared an auto-update for BETA testers with new EULA version, so you can see in action the notification about changed version, even there is no real change in text.

You can experiment with several states of the Auto-updates setting to see how we inform about availability of new version.

Peter on behalf of the teams involved.

[Trooper 65]

On 11/4/2021 at 4:55 AM, Peter Randziak said:

We’ve prepared an auto-update for BETA testers with new EULA version, so you can see in action the notification about changed version, even there is no real change in text.

You can experiment with several states of the Auto-updates setting to see how we inform about availability of new version.

Peter on behalf of the teams involved.

Hi Peter,

Had this been rolled out yet?  If so, I have not noticed anything on my end.

[ivc52 0]

Is prompted not to access the eset push server when it sleeps, The No More Reminder button is invalid.