How to exclude Win32/NSSM.D for false positive ExpressVPN updates


Guest Grampa Frank

We spent way too much time trying to figure out how to exclude the false positives on the ExpressVPN updates and maybe it's time to ask the people of this forum for some help. We have not been able to update ExpressVPN for quite some time now, which kind of worries me.

In the following post a forum member Marcos posts the solution in the form of a picture, but we cannot find this setting (Endpoint security in the advanced setup), which is where we are supposed to exclude @NAME=Win32/NSSM.D.  Could someone please help and explain this solution with a bit more words so that old geezers like us can understand what to do and most of all, where to find this Endpoint security form?

Thank you very much in advance and have a great weekend.


 

Guest Grampa Frank

Thank you for your reply, Marcos. Unfortunately we have already tried that, did not work. No matter the settings, and we tried a lot of them, the file will be deleted immediately upon download, see picture below.

What I would like to know is, where is the setting that you posted about that leads to the form that you posted a picture of, the Endpoint security form to exclude @NAME=Win32/NSSM.D? I asked about this in my first post and I would like to try that.

7khXxFJ.png

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
05/02/2022 3:38:09 AM;HTTP filter;file;https://www.expressvpn.works/clients/windows/expressvpn_windows_10.17.0.28_release.exe;ESET LiveGuard;deleted;DESKTOP-XXXXXX\frank;Event occurred during an attempt to access the web by the application: C:\Program Files\Mozilla Firefox\firefox.exe (80ED756A35A9A476EB64B7F5C9028F1266FB1D52).;8FEE1A80F0E786B2802693BC6AC1B1FBA4D3DDD6;04/02/2022 6:40:11 PM

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
27/01/2022 8:10:10 PM;HTTP filter;file;https://www.expressvpn.works/clients/windows/expressvpn_windows_10.16.0.8_release.exe;ESET LiveGuard;deleted;DESKTOP-XXXXXX\frank;Event occurred during an attempt to access the web by the application: C:\Program Files\Mozilla Firefox\firefox.exe (7FC11558C992CC8110E0391F1BBE7171C82E2DC6).;513FD49F7CEC3628BFFA2DA6EAC9D8AF4CFBA63D;26/01/2022 9:00:13 PM

Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here
05/01/2022 7:39:15 PM;ESET LiveGuard;file;F:\BBup2022\Install stuff\expressvpn_windows_10.15.0.8_release.exe;ESET LiveGuard;deleted;;;434457D1FE6E707556C6309509F8EB93A1E21ADD;05/01/2022 7:35:43 PM

 

  • Administrators

The above record from the Detections log helped to understand what's going on. It's a LiveGuard detection so an exclusion by the detection name won't work. You must exclude the hashes that were logged. There are 3 hashes in your logs because you downloaded 3 different versions of the sw.

This topic is now closed to further replies.
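
The administrator's point above, as an added example (not part of the thread and not ESET's code): a Python sketch that reads a Detections log export in the semicolon-delimited layout posted above and separates ESET LiveGuard records, which need the logged hash excluded, from records that carry a detection name. The sample rows, placeholder hashes and function names are constructed for illustration, and the 40-hex-character check assumes the Hash column has the length seen in the posted log.

```python
import csv
import io
import re

HEADER = ["Time", "Scanner", "Object type", "Object", "Detection",
          "Action", "User", "Information", "Hash", "First seen here"]
SHA1 = re.compile(r"[0-9A-F]{40}")
H1, H2 = "A1" * 20, "B2" * 20  # constructed placeholders, not real file hashes

def _rec(obj, detection, sha1):
    """Build one constructed log line in the export layout."""
    return ";".join(["05/02/2022 3:38:09 AM", "HTTP filter", "file", obj, detection,
                     "deleted", "PC\\user", "", sha1, "04/02/2022 6:40:11 PM"])

# Constructed sample: header repeated per record, as in the posted export.
SAMPLE = "\n".join([
    ";".join(HEADER), _rec("https://example.test/vpn_1.0.exe", "ESET LiveGuard", H1), "",
    ";".join(HEADER), _rec("https://example.test/vpn_1.1.exe", "ESET LiveGuard", H2), "",
    ";".join(HEADER), _rec("C:\\dl\\vpn_1.0.exe", "ESET LiveGuard", H1.lower()), "",
    ";".join(HEADER), _rec("C:\\tools\\svc.exe", "Win32/NSSM.D", ""),
])

def parse_detections(text):
    """Yield one dict per record, skipping blank lines and repeated headers."""
    reader = csv.reader(io.StringIO(text), delimiter=";", quoting=csv.QUOTE_NONE)
    for row in reader:
        if not any(cell.strip() for cell in row) or row == HEADER:
            continue
        if len(row) != len(HEADER):
            raise ValueError(f"unexpected column count: {row!r}")
        yield dict(zip(HEADER, row))

def plan_exclusions(text):
    """Return ({hash: first object seen}, {detection names})."""
    hashes, names = {}, set()
    for rec in parse_detections(text):
        if rec["Detection"] == "ESET LiveGuard":
            sha1 = rec["Hash"].strip().upper()
            if not SHA1.fullmatch(sha1):
                raise ValueError(f"no usable hash for {rec['Object']!r}")
            hashes.setdefault(sha1, rec["Object"])  # one entry per file version
        else:
            names.add(rec["Detection"])  # name-based detection
    return hashes, names

if __name__ == "__main__":
    by_hash, by_name = plan_exclusions(SAMPLE)
    for sha1, obj in by_hash.items():
        print(f"exclude by hash: {sha1}  ({obj})")
    for name in sorted(by_name):
        print(f"exclude by name: {name}")
```

Each new installer version produces a new hash, so the hash list has to be regenerated from the log after every update that is detected this way.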