str8arrow 0 Posted November 5, 2014 Share Posted November 5, 2014 ESET Smart Security blocks ALL file downloads of particular files when it detects a threat (falsely). When ESET detects a downloaded file (legitimate) as a threat, it blocks the download and there is NO WAY to turn the protection off and allow the file to download. I have tried NUMEROUS different things from the ESET knowledgebase including: 1. Turn protection off temporarily by right clicking on the tray icon and disabling real-time protection AND firewall protection until next reboot. (IT DOES NOT TURN OFF - it still blocks the download) 2. Open ESET control panel and change Web protection AND ALL OTHER protection modes to THREATSENSE --->NO CLEANING (which should prompt the user to decide whether to accept/reject the file). (IT DOES NOT - it still blocks the download automatically) 3. Turn OFF detection of potentially unwanted or suspicious applications (uncheck the boxes in the control panel). (IT STILL DETECTS THE FILE AND BLOCKS THE DOWNLOAD) 4. Open ESET control panel -->open Web Protection-->Policies/Exclusions--->check Firefox (browser in which I am downloading the file), so as to exclude Firefox from protection/scanning (IT DOES NOT - it still detects the file as a threat and blocks it from downloading.) and so on... The ONLY way I can retrieve the file is to go to Tools-->quarantine and restore it. THIS IS NOT ACCEPTABLE. HOW DO I TURN OFF PROTECTION TO ALLOW FILES TO DOWNLOAD WHEN THEY ARE FALSELY TAGGED AS MALWARE???!!! In this case, I was downloading FIleMenuTools by LopeSoft - freeware that uses an InstallMonetizer. I'm aware of this and simply uncheck the unwanted applications during install. I do NOT want to have ESET blocking all such files. I am aggravated enough to stop buying ESET though I've been a loyal ESET customer for more than 8 years now. I'm ready to change to Kaspersky JUST BECAUSE OF THIS. Please notify me of a solution - if there is one. Thanks. str8arrow Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted November 5, 2014 Administrators Share Posted November 5, 2014 You mentioned that you were downloading freeware that uses InstallMonetizer and you wrote that it was tagged as malware. However, InstallMonetizer is not classified by ESET as malware but as a potentially unwanted application (PUA) which is an optional detection. When a PUA is detected and the user thinks that benefits of using such application outweigh possible risks, he or she can exclude it from detected directly from the yellow alert window by unfolding Advanced options and ticking the "Exclude from detection" box. Also when a PUA website is blocked, the user is presented with a button "Proceed to website". Link to comment Share on other sites More sharing options...
rugk 397 Posted November 5, 2014 Share Posted November 5, 2014 (edited) More about s you can read here: What is a potentially unwanted application? There you will also see some screenshots of the messages @Marcos explained. Keep in mind that you can freely enable or disable the detection of PUA at all. If you disable the detection ESET will not block any PUA at any time. Also the ESET products have (especially when downloading) multiple protection layers. That could be a reason why some of the things you tried may not worked. If you want disable the detection of PUAs (again) respectively check your settings. Then download the file again. If this still doesn't work please reply in this topic and send the exact link to the file you tried to download. Also a screenshot or the text of the message you're seeing would be very helpful. Edited November 5, 2014 by rugk Link to comment Share on other sites More sharing options...
SweX 871 Posted November 5, 2014 Share Posted November 5, 2014 (edited) As noted on the Majorgeeks download page for this particular software (Wich is why it is detected as a PUA.)..... hxxp://www.majorgeeks.com/files/details/filemenu_tools.html Limitations:This program is advertising supported and may offer to install third party programs that are not required for the program to run. These may include a toolbar, changing your homepage, default search engine or other third party programs. Please watch the installation carefully to opt out. The Potentially Unsafe, Potentially Unwanted, and Suspicious Applications detection categories are user optional so every user can enable or disable them. 3. Turn OFF detection of potentially unwanted or suspicious applications (uncheck the boxes in the control panel). (IT STILL DETECTS THE FILE AND BLOCKS THE DOWNLOAD) That's weird....Are you sure it's not detected as Adware then? Please tell us what it is detected like? (detection name by ESET) I just cleaned a notebook belonging to a friend that basically is like any other user that simply does not "opt-out" and it had 31 PUAs installed. The computer was fast.......when I was done with it. Edited November 5, 2014 by SweX Link to comment Share on other sites More sharing options...
rugk 397 Posted November 5, 2014 Share Posted November 5, 2014 (edited) Unfortunately it also contains PUA when downloading from the official site. (however it's a nice piece of software) This is detected by ESET as PUA. However we don't know exactly from what source he downloaded it so maybe in his case it is detected as something else. Edited November 5, 2014 by rugk Link to comment Share on other sites More sharing options...
SweX 871 Posted November 5, 2014 Share Posted November 5, 2014 (edited) Unfortunately it's also contains PUA when downloading from the official site. (however it's a nice piece of software) This is detected by ESET as PUA. However we don't know exactly from what source he downloaded it so maybe in his case it is detected as something else. No exactly, the download source does absolutely play a role in many cases. Edited November 5, 2014 by SweX Link to comment Share on other sites More sharing options...
Former ESET Employees marty_c 30 Posted November 5, 2014 Former ESET Employees Share Posted November 5, 2014 The blocked downloads immediately made me think of Poweliks. Maybe give part II in the following KB article a try to make sure that Poweliks is not the cause of your issue? How do I remove a Poweliks infection? Link to comment Share on other sites More sharing options...
Former ESET Employees marty_c 30 Posted November 5, 2014 Former ESET Employees Share Posted November 5, 2014 The blocked downloads immediately made me think of Poweliks. Maybe give part II in the following KB article a try to make sure that Poweliks is not the cause of your issue? How do I remove a Poweliks infection? Ah, perhaps not as I discuss it more with folks over here. Are you running the latest version of ESET Smart Security? Upgrading to the latest version and proceeding as Marcos prescribed above should allow you to download the file. Link to comment Share on other sites More sharing options...
str8arrow 0 Posted March 2, 2015 Author Share Posted March 2, 2015 Sorry for the protracted delay. I have been ill. I downloaded FileMenuTools by LopeSoft from the ORIGINAL SITE and from Softpedia, and as I recall, numerous other sources. I am NOW HAVING THE SAME PROBLEM AND I CANNOT RESTORE THE DOWNLOAD FROM QUARANTINE as the download was blocked partway through. In this case, I was downloading an epub file which was NOT a threat from a good friend at uploaded.net. I am frustrated and am prepared to uninstall ESET forever. In this case, the file did not even show up in ESET quarantine - it was detected and download was blocked after approx 90% of the download was completed. Please advise. re FileMenuTools - it detected it as a PUA. I have no other software with real-time protection, so ESET is the only thing that is blocking my downloads. NOW, I cannot even restore the file from quarantine. After 8 years of using ESET, I am about to leave, a very dissatisfied customer. -thanks, str8arrow Link to comment Share on other sites More sharing options...
rugk 397 Posted March 2, 2015 Share Posted March 2, 2015 (edited) How do I configure my Windows ESET product to detect or ignore unwanted, unsafe and suspicious applications? Try it out and begin to smile again. After you apply the settings you should be able to successfully download the file. Edited March 2, 2015 by rugk Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted March 2, 2015 Administrators Share Posted March 2, 2015 The installation package of the mentioned software contains OCSetupHlp.dll which belongs to OpenCandy potentially unsafe application. Detection of potentially unsafe applications is disabled by default. ESET merely does its job when it reports such applications once you have opted for detection. If you don't want to have PUAs detected, disable detection of potentially unsafe applications. Link to comment Share on other sites More sharing options...
yongsua 16 Posted March 3, 2015 Share Posted March 3, 2015 (edited) I have tried to download it myself from LopeSoft website and I have no problem with downloading it and even executing it. ESET doesn't block me at all because I have disabled PUA detection and maybe because you didn't disable PUA scanning and that's why you were blocked from downloading it. I have discovered one thing about this program is once you execute it, the OCSetupHlp.dll will be executed at the very beginning of the installation without user's knowledge. Fortunately, Comodo did give me alert and I chose to block and terminate the connection. (shown in pic). However, it seems that I need to get my temp folder cleaned. Edited March 3, 2015 by yongsua Link to comment Share on other sites More sharing options...
rugk 397 Posted March 3, 2015 Share Posted March 3, 2015 (edited) @yongsua Yes that's the same which Marcos also said. And as you see ESS blocks it too. @str4arrow @Marcos Attention: It is detected as a potentially unsafe application. Usually we say PUA only for a potentially unwanted application. This are two different categories (and settings in ESS). More information about OpenCandy and some tips how to block it, while still installung the (wanted) software you can get here: https://forum.eset.com/topic/3701-block-pua-inside-installers-from-nero-burning-rom-orbit-downloader-imgburn-dvdvideosoft-install-them-without-opencandy/ Edited March 3, 2015 by rugk Link to comment Share on other sites More sharing options...
SweX 871 Posted March 3, 2015 Share Posted March 3, 2015 (edited) In this case, I was downloading an epub file which was NOT a threat from a good friend at uploaded.net. I am frustrated and am prepared to uninstall ESET forever. In this case, the file did not even show up in ESET quarantine - it was detected and download was blocked after approx 90% of the download was completed. What did the notifications say at the moment the download was terminated, what was it detected like ? No, it can't show up in the quarantine as the download of the file was terminated before the download was finished. Is ESET the only vendor detecting the file ? Have you or your friend uploaded the file to Virustotal.com to see if any other engine detects something ? But if you know it is clean then just send in the file to ESET and say that you believe it is a FP, if it really is clean then they will take care of it, if it is not, then the Lab may respond and explain why it is detected and that the detection will stay in place. How do I submit a virus, website or potential false positive sample to the ESET lab? hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN141&actp=search&viewlocale=en_US&searchid=1425374957237 Edited March 3, 2015 by SweX Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted March 3, 2015 Administrators Share Posted March 3, 2015 OCSetupHlp.dll: https://www.virustotal.com/en/file/93217ffd41fc870b6c4dda72cd4688f46abe0e0681b96da7ebcde4ef8eead333/analysis/ Link to comment Share on other sites More sharing options...
rugk 397 Posted March 3, 2015 Share Posted March 3, 2015 (edited) @SweX It's not "clean" and it's no FP. It's just a PUA... So all explanation why it is detected are already in this thread. What did the notifications say at the moment the download was terminated, what was it detected like ? You can simply reproduce it. Download FileMenuTools from the creator site (Lopesoft). Then you will see this message: But note that... there is a "No action" button. the detection can simply be deactivated. (I feel like I already linked hundred times in this topic to this article...) and there are other nice ways to get around OpenCandy. Edited March 3, 2015 by rugk Link to comment Share on other sites More sharing options...
SweX 871 Posted March 3, 2015 Share Posted March 3, 2015 (edited) @SweX It's not "clean" and it's no FP. It's just a PUA... So all explanation why it is detected are already in this thread. Yeah but I was talking about the file he tried to download from uploaded.net "I was downloading an epub file which was NOT a threat from a good friend at uploaded.net." Is there a PUA in that one as well ? I have no idea what file that is. Edited March 3, 2015 by SweX Link to comment Share on other sites More sharing options...
rugk 397 Posted March 3, 2015 Share Posted March 3, 2015 (edited) Is there a PUA in that one as well ? I have no idea what file that is. Well... this may also be a PUA. As uploaded.net is free to use they can make it similar like file-upload.net, which I used for some files recently... They added a download manager for these files which ESET blocked. This was the reason why I changed my links and use another file hoster now for the "alternative download links" I used somewhere. So, @str8arrow, does this happen with every file from uploaded.net? And can you provide us with an example link to a download please? (Or at least a screenshot of the message you get from ESS...) Edited March 3, 2015 by rugk Link to comment Share on other sites More sharing options...
ESET Insiders TJP 143 Posted March 3, 2015 ESET Insiders Share Posted March 3, 2015 (edited) OCSetupHlp.dll: https://www.virustotal.com/en/file/93217ffd41fc870b6c4dda72cd4688f46abe0e0681b96da7ebcde4ef8eead333/analysis/ Look at all those test winning AV's picking up this unwanted PUA file..(sorry, I couldn't help myself). FWIW, I've experienced the same issue as the OP with other files; simple solution as explained is to uncheck ESS from scanning for PUA's. Edited March 3, 2015 by TJP Link to comment Share on other sites More sharing options...
rugk 397 Posted March 3, 2015 Share Posted March 3, 2015 OCSetupHlp.dll: https://www.virustotal.com/en/file/93217ffd41fc870b6c4dda72cd4688f46abe0e0681b96da7ebcde4ef8eead333/analysis/ Look at all those test winning AV's picking up this unwanted file.. Well... there are also many AVs which doesn't "pick it up". Also "test winning" is very much expansible and doesn't say many things... Additionally you don't know how virustotal tests the files. E.g. it's also interesting that OpenCandy is detected with ESET on virustotal, because the default settings for ESETs products is not to detect potentially unsafe applications. The same way it is of course also possible that a AV vendor listed there which isn't listed as detecting OpenCandy can - in a real usage - detect OpenCandy. That's one reason why VirusTotal shouldn't be used for things like AV comparison, like themselves say. Link to comment Share on other sites More sharing options...
yongsua 16 Posted March 4, 2015 Share Posted March 4, 2015 @SweX It's not "clean" and it's no FP. It's just a PUA... So all explanation why it is detected are already in this thread. Yeah but I was talking about the file he tried to download from uploaded.net"I was downloading an epub file which was NOT a threat from a good friend at uploaded.net." Is there a PUA in that one as well ? I have no idea what file that is. Well, when I tried to download myself, I did read that the Open Candy will be removed once a donation of at least 5€ is made to LopeSoft and LopeSoft will provide a standalone installer of this software without the Open Candy. His friend might have the standalone installer that might come from Lopsesoft or other sources. Link to comment Share on other sites More sharing options...
ESET Insiders TJP 143 Posted March 4, 2015 ESET Insiders Share Posted March 4, 2015 (edited) OCSetupHlp.dll: https://www.virustotal.com/en/file/93217ffd41fc870b6c4dda72cd4688f46abe0e0681b96da7ebcde4ef8eead333/analysis/ Look at all those test winning AV's picking up this unwanted file.. Well... there are also many AVs which doesn't "pick it up". Also "test winning" is very much expansible and doesn't say many things... It was meant in jest (given forums such as Wilders analyse AV test results and often cite Eset's performance as being an issue) - but let's not let a little fun get in the way. Edited March 4, 2015 by TJP Link to comment Share on other sites More sharing options...
SweX 871 Posted March 4, 2015 Share Posted March 4, 2015 @SweX It's not "clean" and it's no FP. It's just a PUA... So all explanation why it is detected are already in this thread. Yeah but I was talking about the file he tried to download from uploaded.net"I was downloading an epub file which was NOT a threat from a good friend at uploaded.net." Is there a PUA in that one as well ? I have no idea what file that is. Well, when I tried to download myself, I did read that the Open Candy will be removed once a donation of at least 5€ is made to LopeSoft and LopeSoft will provide a standalone installer of this software without the Open Candy. His friend might have the standalone installer that might come from Lopsesoft or other sources. Hehe I see, well if it as as rugk say, that uploaded.net use a download manager of some type then it could be that piece that is detected, or it can be the loopsoft PUA itself. Impossible for me to say. The bottom line is that the solution is very simple for people that has problems with "too many" PUA detections, they don't have to be detected unless you set up the product to detect PUPs and PUAs. They are optional detection categories after all. A tip for LoopSoft...skip Open Candy altogether, provide a 15 or 30 day free trial without PUAs, and if the user likes it they can still buy it for €5. And not pay €5 to get rid of Open Candy! Bundling stuff does nothing good for the reputation of a developer or company. And I don't think it is impossible to find the stand-alone installer without Open Candy elsewhere if one really wants to find it. I would have no problem donating to loop soft if I like and want to use their software, but I would never donate to anyone that does business through PUAs. Donations is something nice and good, PUPs & PUAs are the opposite to that. Link to comment Share on other sites More sharing options...
rugk 397 Posted March 4, 2015 Share Posted March 4, 2015 Well... there are also many AVs which doesn't "pick it up". Also "test winning" is very much expansible and doesn't say many things...It was meant in jest (given forums such as Wilders analyse AV test results and often cite Eset's performance as being an issue) - but let's not let a little fun get in the way. Ahh... it was a joke. Sorry for this confusion. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted March 5, 2015 Administrators Share Posted March 5, 2015 As for the performance issues, Zfactor found out that the issue occurs only with ESS and is caused by Epfw LightWeight filter (used on Win Vista+) which is strange. The issue will be investigated further but there's a good chance it will turn out to be a bug in OS which manifests only under certain circumstances as only very few people have reported to be affected by the issue while millions of others have been using it with no problems whatsoever. Link to comment Share on other sites More sharing options...
Recommended Posts