ESET Customer Advisory 2019-0008
Severity: High

Summary

In a short timespan both ESET’s SHA1 and SHA256 code signing certificates are expiring. In order to continue receiving updates, users of older ESET products need to upgrade to a version that supports seamless certificate switch.

Details

Because both ESET’s SHA1 and SHA256 code signing certificates are expiring in a short timespan, ESET has obtained replacement certificates to sign binaries of its Windows products. However, some versions of ESET products released before October 2017 were not ready for a certificate switch. Therefore, users of those products will need to perform an upgrade to a later product version that supports such certificate replacement. For specific list of affected product versions, see below.

The latter of the expiration dates of these two certificates is on July 20, 2019 and after that date, users of the affected products would not be able to update modules of their ESET products, such as the detection engine. ESET understands that many customers need to plan their upgrades ahead of time and it would not be possible for all to upgrade before the mentioned date. Therefore, in order to provide users with more time to perform the upgrade, ESET has prepared an updated version of the Loader module. This version of the module is signed by both old and new certificates and thus its presence will allow the installed ESET product to continue receiving updates signed by the new certificate after July 20, 2019, even before the product upgrade. The module will be distributed to all ESET users before July 20, 2019. However, we still urge users of the affected products to perform an upgrade soon, because this is not a permanent solution and the Loader module will lose support for the older certificates eventually. Even though we plan to keep the module in this state for a long enough time to allow for a smooth planned upgrade, any unforeseen need to update the module after July 20, 2019 will cause it to lose the support immediately and thus it is not recommended to postpone the upgrade.

Affected products will soon notify users of the necessary upgrade by means of a warning in the product protection status. This status will also be reported to ESET Remote Administrator / ESET Security Management Center, so that administrators of affected endpoints can notice the warning and schedule the upgrade procedure.

Note: Even though an upgrade to the latest available version is always recommended, in order to resolve this issue, it is enough to upgrade to the latest build of the product version the user has currently installed, such as to version 6.6.2089.2 for users of any affected 6.6.x.x build.

Affected ESET consumer products will be upgraded automatically by means of a product component upgrade.

Affected products

Business:

• ESET Endpoint Security, ESET Endpoint Antivirus
  • 6.6.0.0 – 6.6.2063.x

Home:

• ESET NOD32 Antivirus, Internet Security, Smart Security, Smart Security Premium
  • 10.0.0.x – 10.0.398.x
  • 10.1.0.x – 10.1.234.x
  • 11.0.0.x – 11.0.143.x

Resources

Home:

• I have ESET NOD32 Antivirus
• I have ESET Internet Security or ESET Smart Security
• I have ESET Smart Security Premium

Business:

• I remotely manage my ESET endpoint products via ESET Remote Administrator or ESET Security Management Center
   
• I have ESET Endpoint Security version 6.6 or below
• I have ESET Endpoint Antivirus version 6.6 or below
   
• I have ESET Endpoint Security version 7.x
• I have ESET Endpoint Antivirus version 7.x

Feedback & Support

If you have feedback or questions about this issue, please contact us using the ESET Security Forum, or via local ESET Support.