root Posted October 3, 2024
Today it was not possible to update Win 11. I had to switch off the option "real time protection" (see attached screen) with the force option -> update Windows -> switch it on again. Otherwise, real-time protection during the update recognised some Win files as "trojans" and deleted them... Thus the update was rolled back. I wasted much time performing it 4 times before finally switching off this ESET option.
itman Posted October 3, 2024
The first thing to verify is if it was a legitimate Win Update. Something might have hijacked your network connection to serve up a malicious update. Example:
Quote:
Big Head is a ransomware that disguises itself as a Windows update to infect devices and encrypt their files.
How it works: Big Head is spread through malvertising campaigns, which are online ads that trick users into clicking on malicious links or downloading infected files. The fake update alert may appear as a pop-up window or notification. It mimics the appearance of a legitimate Windows Update dialog box, including Windows branding, logos, and progress bars. The alert may also use scare tactics to create a sense of urgency.
What it does: Once the user downloads and executes the ransomware, it encrypts their files, making them inaccessible until a ransom is paid. The ransomware can also steal sensitive information or facilitate further attacks.
There haven't been similar recent forum postings to this effect.
Edited October 3, 2024 by itman
root Posted October 3, 2024
@itman thanks, but it is the Canary channel, the next pre-release version of Win 11, taking place 1-2 times a month.
itman Posted October 3, 2024
54 minutes ago, root said:
Quote: but it is the Canary channel, the next pre-release version of Win 11,
ESET policy in regards to Windows feature updates: https://support-eol.eset.com/en/policy_business/os_support_policy_win.html
Edited October 3, 2024 by itman
Marcos (Administrator) Posted October 4, 2024
Please provide the appropriate record(s) from the Detections log. It can happen with unpopular unsigned files.
root Posted October 9, 2024
Time;Scanner;Object Type;Object;Detection;Action;User;Information;Shortcut;First Occurrence
09-10-2024 21:05:08;Real-time file system protection;file;C:\Windows\WinSxS\arm64.x86_microsoft-windows-d..-warp-jitexecutable_31bf3856ad364e35_10.0.27718.1000_none_14852e99caf5a0db\Windows.WARP.JITService.exe;ESET LiveGuard trojan horse;cured by removal;NT MANAGEMENT\SYSTEM;The event occurred while the application tried to access the file: C:\Windows\System32\svchost.exe (D7403DA2286D48FF5ABC863300C01B1612E23D97).;6CDA2B6EC0B44F7298A9C01608AE164216A77B75;28-09-2024 09:23:02
root Posted October 9, 2024
NEW NOTIFICATION
Detection type: Trojan
Detection name: ESET LiveGuard
Computer name: ASCS-VM-01
Logged in user: NT MANAGEMENT\SYSTEM
Time of occurrence: 9/10/2024, 21:05:08 CEST
Scanner: Real-time file system protection
Action taken: Cured by deletion
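A triage helper for an exported detection record like the one above, added here as an example; it is not ESET's tooling and was not posted by anyone in this thread. It assumes the semicolon-delimited export with the header shown, that the "Shortcut" column holds the object's SHA-1 (it is 40 hex digits, so the column name reads like a translation of "hash"), and that the Information field names the accessing process with its SHA-1 in parentheses; the sample CSV it writes is constructed from the record above. For each record it answers the two questions that matter when a Windows file gets cleaned: is the flagged object (if it still exists) a signed Microsoft binary, which bears on Marcos's remark about unsigned files, and does the process that touched it (here svchost.exe) still hash to what ESET recorded.

```powershell
# Added example (not ESET's code, not from this thread). Assumptions: export is
# semicolon-delimited with the header shown in the post; "Shortcut" = object SHA-1;
# Information names the accessing process followed by its SHA-1 in parentheses.

function Get-DetectionTriage {
    param(
        [Parameter(Mandatory)] [string]$Path,      # exported ESET detections log
        [string]$Delimiter = ';'
    )

    $records = Get-Content -LiteralPath $Path | ConvertFrom-Csv -Delimiter $Delimiter

    foreach ($r in $records) {
        # Deleting anything under these directories is the case to escalate / report.
        $inSystemDir = $r.Object -match '^[A-Za-z]:\\Windows\\(WinSxS|System32|SysWOW64)\\'
        $removed     = $r.Action -match 'removal|delet'

        # Accessing process and its hash, e.g.
        # "... tried to access the file: C:\Windows\System32\svchost.exe (D740...97)."
        $accessor = $null; $accessorHash = $null
        if ($r.Information -match 'access the file:\s*(?<p>.+?)\s*\((?<h>[0-9A-Fa-f]{40})\)') {
            $accessor     = $Matches.p
            $accessorHash = $Matches.h.ToUpperInvariant()
        }

        # 1. Flagged object: after "cured by removal" it is usually gone, so only the
        #    logged hash remains. If it is still there, check signature and hash.
        $objectOnDisk = Test-Path -LiteralPath $r.Object -PathType Leaf
        $objectSig = $null; $objectHashMatches = $null
        if ($objectOnDisk) {
            $sig = Get-AuthenticodeSignature -FilePath $r.Object
            # SignatureType is "Catalog" for Windows components signed via a .cat file
            # rather than an embedded signature; Status "Valid" is what a Windows file should show.
            $objectSig = '{0} ({1}) {2}' -f $sig.Status, $sig.SignatureType, $sig.SignerCertificate.Subject
            $objectHashMatches = (Get-FileHash -LiteralPath $r.Object -Algorithm SHA1).Hash -eq $r.Shortcut.ToUpperInvariant()
        }

        # 2. Accessing process: does the binary on disk now still match the hash ESET
        #    recorded? A mismatch means it was updated since, or replaced; look at it.
        $accessorHashMatches = $null
        if ($accessor -and (Test-Path -LiteralPath $accessor -PathType Leaf)) {
            $accessorHashMatches = (Get-FileHash -LiteralPath $accessor -Algorithm SHA1).Hash -eq $accessorHash
        }

        [pscustomobject]@{
            Time                = $r.Time
            Detection           = $r.Detection
            Object              = $r.Object
            Action              = $r.Action
            SystemDirRemoval    = [bool]($inSystemDir -and $removed)
            ObjectOnDisk        = $objectOnDisk
            ObjectSignature     = $objectSig
            ObjectHashMatches   = $objectHashMatches
            Accessor            = $accessor
            AccessorHashMatches = $accessorHashMatches
        }
    }
}

# Constructed sample export, built from the record in the post, so this runs offline.
$sample = Join-Path $env:TEMP 'eset-detections-sample.csv'
@'
Time;Scanner;Object Type;Object;Detection;Action;User;Information;Shortcut;First Occurrence
09-10-2024 21:05:08;Real-time file system protection;file;C:\Windows\WinSxS\arm64.x86_microsoft-windows-d..-warp-jitexecutable_31bf3856ad364e35_10.0.27718.1000_none_14852e99caf5a0db\Windows.WARP.JITService.exe;ESET LiveGuard trojan horse;cured by removal;NT MANAGEMENT\SYSTEM;The event occurred while the application tried to access the file: C:\Windows\System32\svchost.exe (D7403DA2286D48FF5ABC863300C01B1612E23D97).;6CDA2B6EC0B44F7298A9C01608AE164216A77B75;28-09-2024 09:23:02
'@ | Set-Content -LiteralPath $sample -Encoding UTF8

Get-DetectionTriage -Path $sample | Format-List
```

On the machine in question the flagged file will report ObjectOnDisk = False, because the action was removal; what you can still hand to ESET is the detection name plus the logged SHA-1, and SystemDirRemoval = True is the signal that this is a Windows component and worth a false-positive report rather than a tuning change. The accessor check is only meaningful until the next cumulative update replaces svchost.exe, so run it soon after the detection, and on an Insider build remember that the WinSxS component may be staged and catalog-signed by a newer catalog than the one the current build trusts.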
Marcos (Administrator) Posted October 9, 2024
I assume that you have lowered the detection threshold to "suspicious", as the file didn't receive a high score in ESET LiveGuard.
root Posted October 9, 2024
There is a virtual machine with regular Win, and a 2nd (Dev) one with the Canary channel, and some other PCs also with regular Win. All policies and settings (ERA) are the same for ALL computers, including VMs. On computers with regular Win, there is no problem with Win updates. The problem is only on the VM with Canary. Nothing (including the mentioned threshold) was changed. Moreover, for the last 2 years there was no problem with the VM with Canary; there has been a problem for the last couple of weeks, maybe 2 weeks, I do not know exactly, because I do not update Canary Win every day, or even every week. Now the only solution is to switch off the firewall (with the force option), update on Canary, and switch on the firewall. So I would suggest reviewing the last modification by ESET.
Marcos (Administrator) Posted October 10, 2024
The firewall has nothing to do with LiveGuard detection. The file was detected by real-time protection. Regular Windows files are not expected to ever be detected, not only because of LiveGrid reputation checks but also because each update is tested against Windows files before it's released. If disabling the ESET firewall actually makes Windows updates install, then it's a different issue than what you have reported in this thread. However, I don't think that AV vendors have ever declared compatibility with Canary versions of the OS. AVs may not necessarily work 100% with Insider preview versions of Windows, as it may take some time to accommodate changes made by MS.