Community

Bretislav Duda wrote:

It may be faster and easier to revoke the certificate and create new ones

And why should we do that? According to the message that you quoted, it is Eset that claims that the certificate was compromised (i.e. used by someone else to sign files that contain malware). Quite naturally we asked for evidence, i.e. a trojan/malware file signed with our certificate.

But there is no answer still.

Bretislav Duda wrote:

Hello,
any news?

There is a chance for a solution and further use?

v7.0.0.3 identical problem

Hello,

Eset finally provided the file. It was a legit one-click installer file of the previous version which was blocked because someone extensively used (dropped, planted) that file onto victims computers. Antivirus engines block that file by hash (which is expected). Unfortunately, for some reason Eset decided to block it by signature which is incorrect. We have already explained that to Eset .

Besides, the file was not even signed with our current signature, but with a previous one. Still, what Eset is doing is blocking our current signature. That is weird. There will always be someone who builds an RU installer and uses it for malicious purposes but that doesn't mean a signature is compromised and should be blocked.  

We are currently talking with them to resolve this situation. Blocking signatures and/or entire software manufacturers based on assumptions is no way to go.

Hello Bretislav,

We sent our last message to Eset a week ago, and then a reminder. There is still no answer.

But you can send a message to them yourself using this email samples@eset.sk .

Hello Ondrej,

Thank you for letting us know!

We also recommend that you submit a false positive report to ESET as described here and ask them to remove the detects - we believe that they might listen to the requests if they would come from their own customers.

Please let us know if you have more questions or need our assistance.

Hello Bretislav,

It's not about hash. Eset blocks any file that comes out of our MSI configurator despite the files are signed. As you understand, each file with different settings will have a unique hash. Yet, Eset blocks them all just because someone somewhere used one of those file to 'social engineer' into someone's computer.

When we asked them what was the logic behind this they asked that we (!) should "convince malware actors to not use our software". :) Yes, this is what they say today in an email reply.

Even more so - the file that they claimed was "malicious' was actually a legit customized Host file (signed with our signature) only used for malicious purpose. I.e. someone was distributing this file within a malware package. And Eset decided that if our legit file is used by a malware actor then the file was malicious. And by extension they decided that all other configured installers should also be malicuous.

We can only feel sorry for Eset customers.