
All Activity


  1. Past hour
  2. Ahhh yes the one billion dollar question... the dll files are seemingly injected... appleversions.dll is loaded by the RB executable (YSLoaderW.exe when it was compiled by Apple)... still awaiting on the data.dll res108, because we know the res105 is supposedly a gif89a with a string of 'since when is pink a shade of gray'
  3. With a silent installation option, I can see why this is the case.
  4. The question remains just how the heck IEInspector got installed on the posters' PCs affected by this. I assume no one manually installed it.
  5. As a note, we will change this behavior in the upcoming service release, where the "pending reboot check" will be removed from the software installation task procedure.
  6. Has anyone else been noticing hanging or unresponsive Macs on Mojave running ESET Endpoint Security 6.6.866.1? About once a week, half of my test Mojave machines get the spinning beach ball and the mouse becomes unresponsive. Some recover if you wait a few minutes, others you have to force shut down. After I uninstalled ESET, it's been 9 days since I've experienced freezing/hanging.
  7. This is what their download page says, because it is being picked up as a virus, because a virus appears to be using it for HTTP data exfiltration... they also mention on their site that it is picked up as riskware by some: "Attention, please!!! ZIP file's password is ieinspector"
  8. Well, I tried to download IEInspector. The download is zipped. You can't extract it since the only .exe in archive, HttpAnalyzerStd_V7.6.4.exe, is password protected. I assume this is the installer.
  9. Indeed, but how it updates is through 2 inbuilt UPX files; the software was written in Delphi 3.0 and HttpAnalyzerStdV7 appears to be licensed... " - Licence is valid - Delphi Client/Server Suite (Enterprise)" says DVCLAL... see here for the addresses it connects to: https://www.hybrid-analysis.com/sample/9126c3851393f86973fc4e7b9a9156e20edc489606b94b8847f90e5b0b3809b2/5bce13b87ca3e120f04acb8f#signature-ee8357e421efee19e1610c7bc6b56378

     Heuristic match: "&2OTbY( .cH"
     Heuristic match: "Font.Name"
     Pattern match: "hxxp://www.ieinspector.com"
     Heuristic match: "support@ieinspector.com"
     Pattern match: "hxxp://synedit.sourceforge.net"
     Pattern match: "hxxp://www.jrsoftware.org/tb97info.php"
     Pattern match: "hxxp://www.jrsoftware.org/isinfo.php"
     Pattern match: "hxxp://www.mirkes.de/en/delphi/vcls/hexedit.php"
     Pattern match: "hxxp://www.bsalsa.com/product.html"
     Pattern match: "hxxp://www.getfirebug.com/"
     Pattern match: "hxxp://fastcode.sourceforge.net/"
     Pattern match: "hxxp://andy.jgknet.de/dspeedup/index.php"
     Heuristic match: "NonPrinted.Font.Name"
     Heuristic match: "LineNumbers.Font.Name"
     Heuristic match: "HintProps.Font.Name"
     Heuristic match: "$DefaultStyles.SelectioMark.Font.Name"
     Heuristic match: "DefaultStyles.SearchMark.Font.Name"
     Heuristic match: "#DefaultStyles.CurrentLine.Font.Name"
     Heuristic match: "$DefaultStyles.CollapseMark.Font.Name"
     Heuristic match: "$SyncEditing.SyncRangeStyle.Font.Name"
     Heuristic match: "&SyncEditing.ActiveWordsStyle.Font.Name"
     Heuristic match: "(SyncEditing.InactiveWordsStyle.Font.Name"
     Heuristic match: "HorzRuler.Font.Name"
     Pattern match: "www.ieinspector.com/httpanalyzer/download/HttpAnalyzerFullV2.exe"
     Heuristic match: "TabFont.Name"
     Heuristic match: "PrintFont.Name"
     Pattern match: "hxxp://www.bsalsa.com/"
     Heuristic match: "PrintOptions.Margins.Top"
     Heuristic match: "iu verziu tohto programu.IS"
     Heuristic match: "jP.Ga"
     Pattern match: "hxxp://\0"
  10. Avast would detect anything as a virus in my opinion, even authentic files. As for Microsoft, here's an update on one of the dll files: https://www.microsoft.com/en-us/wdsi/submission/94b87cd5-95a9-415b-b923-80f55bd8150d
  11. Today
  12. Appears Avast was detecting it last month. The Microsoft site is in Chinese. Below is a link to the English translation: Suspicious file botupdate.exe in Windows\SysWOW64\Microsoft\Protect https://translate.google.com/translate?hl=en&sl=zh-TW&u=https://answers.microsoft.com/zh-hant/windows/forum/windows_10-security/windowssyswow64microsoftprotect%E4%B8%AD%E6%9C%89/cb9d2357-3689-447c-9877-d0d933935f59&prev=search Also appears Microsoft wasn't interested in it in the least. Too bad for folks infected by this. Also, as far as I am aware, IEInspector is legit software: https://www.ieinspector.com/httpanalyzer/index.html Also it does not integrate with Chrome, so that aspect is still a mystery. Suspect this bugger is a hacked ver. of IEInspector since the legit version is paid software. BTW - IEInspector does have a silent install option: https://www.ieinspector.com/httpanalyzer/manual/index.html
  13. Hello. One of my kids is allowed 1h30 per day. But every day it displays zero time left on his screen while in reality, when I log into parent mode, all the time (1h30) is still available. I can fix the problem every day by manually adding 1h30 to his existing 1h30, which is a pain. When I uninstall/reinstall it works again for 1 or 2, sometimes 3 days, but then the same happens again. I contacted customer care already twice over the past month, but never got a response, not even an acknowledgment. Has anyone any idea 1/ how to fix this? 2/ Is there a way to contact customer care and obtain a response? 3/ Is it possible to get a refund? Thanks
  14. CRACKED IT! (I think) Woo hoo! Further note to admin: The data.dll contains resources that are pure ASCII that, when translated to hex, you can disassemble the ASM! But res105 has a gif89a header, which you get from translating ASCII to string.
  15. I was able to get this working with Universal USB Installer. It would be best if ESET removed Rufus from the documentation since it does not work.
  16. Please write with the program Rufus, this is not a problem.
  17. Perhaps they were targeting enterprise domain controllers in my case, but they failed to program the SID properly in Visual Studio? It's likely the work of a script kiddie that didn't quite know what they were doing with shellcode and UPX packing. Can we check that DEP is turned on in the BIOS? And the OS? Also, another thing to remember is it's in the SysWOW64 directory, so it's a 32-bit program and it was built for OS version 6 (Vista). I'm sure when they decompile these files it'll all become clear by some of the ASM that it appears to do... here is a site explaining a couple of things: https://www.exploit-db.com/exploits/41827/ Now, just to find out how to do that in Borland Delphi 3.0 (released in 1997) and Visual Studio 2015 but making it compatible with 2010! The updater mechanism for botupdate.exe (ieinspector) pushes at memory address 0C77242Bh using UPX1 packing. Here's an analysis of botupdate.exe: https://www.hybrid-analysis.com/sample/9126c3851393f86973fc4e7b9a9156e20edc489606b94b8847f90e5b0b3809b2 Seemingly it targets VBOX virtualization... and connects to these addresses: https://www.hybrid-analysis.com/sample/9126c3851393f86973fc4e7b9a9156e20edc489606b94b8847f90e5b0b3809b2/5bce13b87ca3e120f04acb8f#signature-ee8357e421efee19e1610c7bc6b56378
  18. Aim2018

    firewall policy and remote access

    Hi, thanks for the reply. I am planning to use the HIPS rules (and also the firewall rules mentioned in the discussion) from the link below to protect from ransomware: https://techcenter.eset.nl/kb/articles/configure-hips-rules-for-eset-business-products-to-protect-against-ransomware For software deployment I am using PDQ, ManageEngine and SCCM, which basically use custom VB and PowerShell scripts. I want to exclude those deployments from the HIPS and the firewall rules. Please advise. Thanks
  19. After a fresh installation a restart should not be required. Try using the msi parameter SKIP_PENDING_REBOOT_CHECK=1.
  20. Also of note is this use of the SID "S-1-96-82." Here's a reference to well-known system SIDs: https://docs.microsoft.com/en-us/windows/desktop/secauthz/well-known-sids When I refer to legit SID-based directories listed under C:\Windows\System32\Microsoft\Protect\, they all begin with S-1-5. Also, the only thing that exists in those directories are registry key references. -EDIT- Kaspersky recently published an article in regards to a RID vulnerability that exists on all Win versions here: https://threatpost.com/trivial-post-intrusion-attack-exploits-windows-rid/138448/ with specific attack details here: http://csl.com.co/rid-hijacking/ . This attack would allow for system changes to be made such as what is currently being evidenced in this thread.
  21. itman

    firewall policy and remote access

    To begin with, Eset's firewall evaluates rules in top-to-bottom order. Unless the user rules you added were placed at the top of the existing rule set, it can be assumed that existing Eset default firewall rules are overriding your custom rules. Appears you are trying to use RPC for your remote connection activity? Eset already has default rules for that. However, the default rules only allow inbound RPC activity for IP addresses listed in the "Trusted" zone. You should review the existing Eset default rules in regards to "Trusted" zone activity. If those meet your security policy criteria, the simple solution is to add the local network IP address shown in your screenshot to the "Trusted" zone.
  22. Hi, I have a problem. After an upgrade or fresh install of the ESET agent I have an error in the task executions tab: But if I copy the EEA installer and then run it locally, I can install the antivirus without any restart. Is it a bug? I have an issue, because I set up an installation task for EEA 7.x when a computer joins a dynamic group. The dynamic group is based on a dynamic template and detects the agent version. If the agent is 7.x and the host does not have agent 6.x, then I want to install EEA 7.x. But I have this error. And if I understand correctly, if the task fails, then I need to run the installation task again manually in ESMC.
  23. Thanks, I'm working and only back at home tomorrow, If Marcos does not answer, I will contact the support team tomorrow.
  24. To be honest no I don't know but @Marcos should reply as soon as he is available or when he sees this topic You can also send a support request to your local support team , you can do that from the ESET GUI
  25. Hello @Rami Do you know how long is the delay to get an answer from @Marcos ?
  26. Aim2018

    firewall policy and remote access

    Hi, "Try deny first then allow second." I tried the above but it did not help. Thanks
  27. Marcos

    Web site url blocked

    Since the website has been cleaned and we didn't find any malware there, we have unblocked it. The procedure for reporting blocked websites is described in the KB https://support.eset.com/kb141/.