Jump to content

All Activity

This stream auto-updates     

  1. Past hour
  2. koolholio
    Ahhh yes the one billion dollar question... the dll files are seemingly injected... appleversions.dll is loaded by the RB executable (YSLoaderW.exe when it was compiled by Apple)... still awaiting on the data.dll res108, because we know the res105 is supposedly a gif89a with a string of 'since when is pink a shade of gray'
  3. itman
    With a silent installation option, I can see why this is the case.
  4. itman
    The question remains is just how the heck did IEInspector get installed on the posters PC's affected by this? I assume no one manually installed it.
  5. MichalJ
    As a note, we will change this behavior in the upcoming service release, where the "pending reboot check" will be removed from the software installation task procedure.
  6. brandobot
    Has anyone else been noticing hanging or unresponsiveness Macs on Mojave running ESET Endpoint Security 6.6.866.1? About once a week, half of my test Mojave machines get the spinning beach ball and the mouse becomes unresponsive. Some recover if you wait a few minutes, others you have to force shut down. After I uninstall ESET, it's been 9 days since I've experienced freezing/hanging.
  7. Sereno Sereno changed their profile photo
  8. hntkn91 hntkn91 changed their profile photo
  9. koolholio
    This is what their download page says, because it is being picked up as a virus, because a virus appears to be using it for HTTP data exfiltration... they also mention on their site about it being picked up as riskware by some "Attention, please!!! ZIP file's password is ieinspector"
  10. itman
    Well, I tried to download IEInspector. The download is zipped. You can't extract it since the only .exe in archive, HttpAnalyzerStd_V7.6.4.exe, is password protected. I assume this is the installer.
  11. koolholio
    Indeed, but how it updates is through 2 inbuilt UPX files, the software was written in delphi 3.0 and HttpAnalyzerStdV7 appears to be licensed... " - Licence is valid - Delphi Client/Server Suite (Enterprise)" says DVCLAL... see here for the addresses it connects to: https://www.hybrid-analysis.com/sample/9126c3851393f86973fc4e7b9a9156e20edc489606b94b8847f90e5b0b3809b2/5bce13b87ca3e120f04acb8f#signature-ee8357e421efee19e1610c7bc6b56378 Heuristic match: "&2OTbY( .cH" Heuristic match: "Font.Name" Pattern match: "hxxp://www.ieinspector.com" Heuristic match: "support@ieinspector.com" Pattern match: "hxxp://synedit.sourceforge.net" Pattern match: "hxxp://www.jrsoftware.org/tb97info.php" Pattern match: "hxxp://www.jrsoftware.org/isinfo.php" Pattern match: "hxxp://www.mirkes.de/en/delphi/vcls/hexedit.php" Pattern match: "hxxp://www.bsalsa.com/product.html" Pattern match: "hxxp://www.getfirebug.com/" Pattern match: "hxxp://fastcode.sourceforge.net/" Pattern match: "hxxp://andy.jgknet.de/dspeedup/index.php" Heuristic match: "NonPrinted.Font.Name" Heuristic match: "LineNumbers.Font.Name" Heuristic match: "HintProps.Font.Name" Heuristic match: "$DefaultStyles.SelectioMark.Font.Name" Heuristic match: "DefaultStyles.SearchMark.Font.Name" Heuristic match: "#DefaultStyles.CurrentLine.Font.Name" Heuristic match: "$DefaultStyles.CollapseMark.Font.Name" Heuristic match: "$SyncEditing.SyncRangeStyle.Font.Name" Heuristic match: "&SyncEditing.ActiveWordsStyle.Font.Name" Heuristic match: "(SyncEditing.InactiveWordsStyle.Font.Name" Heuristic match: "HorzRuler.Font.Name" Pattern match: "www.ieinspector.com/httpanalyzer/download/HttpAnalyzerFullV2.exe" Heuristic match: "TabFont.Name" Heuristic match: "PrintFont.Name" Pattern match: "hxxp://www.bsalsa.com/" Heuristic match: "PrintOptions.Margins.Top" Heuristic match: "iu verziu tohto programu.IS" Heuristic match: "jP.Ga" Pattern match: "hxxp://\0"
  12. koolholio
    Avast would detect anything as a virus in my opinion, even authentic files As for Microsoft, here's an update on one of the dll files: https://www.microsoft.com/en-us/wdsi/submission/94b87cd5-95a9-415b-b923-80f55bd8150d
  13. Today
  14. itman
    Appears Avast was detecting it last month. Microsoft site is in Chinese. Below is a link to the English translation: Suspicious file botupdate.exe in Windows\SysWOW64\Microsoft\Protect https://translate.google.com/translate?hl=en&sl=zh-TW&u=https://answers.microsoft.com/zh-hant/windows/forum/windows_10-security/windowssyswow64microsoftprotect%E4%B8%AD%E6%9C%89/cb9d2357-3689-447c-9877-d0d933935f59&prev=search Also appears Microsoft wasn't interested in it in the least. To bad for folks infected by this. Also as far as I am aware of IEInspector is legit software: https://www.ieinspector.com/httpanalyzer/index.html Also it does not integrate with Chrome so that aspect is still a mystery. Suspect this bugger is a hacked ver. of IEInspector since the legit version is paid software. BTW - IEInspector does have a silent install option: https://www.ieinspector.com/httpanalyzer/manual/index.html
  15. hamdi hamdi changed their profile photo
  16. sebastian londonsky sebastian londonsky changed their profile photo
  17. DanielN DanielN joined the community
  18. Ericccccccccccc
    Hello One of my kids is allowed to 1h30 per day. But every day it displays zero time left on his screen while in reality when I log into parent mode all the time (1h30) is still available. I can fix the problem every day by adding manually 1h30 to his existing 1h30, which is a pain. When I desinstall/reinstall it works again for 1 or 2 sometimes 3 days but then the same happens again. I contacted customer care already twice over the past month, but never got a response, not even an acknowledment. Has anyone any idea 1/ how to fix this ? 2/ Is there a way to contact customer care and obtain a response ? 3/ Is it possible to get a refund ? Thanks
  19. Mark_H Mark_H joined the community
  20. koolholio
    CRACKED IT! (i think) woo hoo! Further note to admin: The data.dll contains resources that are pure ascii, that, when translated to hex you can disassemble the ASM! but res105 has a gif98a header, which is got from translating ascii to string
  21. mertgda mertgda joined the community
  22. vs2018sv
    I was able to get this working with Universal USB Installer, It would be best if ESET removed Rufus from the documentation since it does not work.
  23. hawaii hawaii changed their profile photo
  24. alexander14
    Please write with programm Rufus, this is not problem.
  25. Dimitris Aggelopoulos Dimitris Aggelopoulos changed their profile photo
  26. Kyrillos Kyrillos changed their profile photo
  27. koolholio
    perhaps they were targeting enterprise domain controllers in my case, but they failed to program the SID properly in visual studio? it's likely the work of a script kiddie, that didn't quite know what they were doing with shellcode and UPX packing Can we check that DEP is turned on in the BIOS? and the OS? also another thing to remember is it's in the syswow64 directory so it's a 32 bit program and it was built for OS version 6 (VIsta) I'm sure when they decompile these files it'll all become clear by some of the ASM that it appears to do... here is a site explaining a couple of things: https://www.exploit-db.com/exploits/41827/ now, just to find out how to do that in Borland delphi 3.0 (released in 1997) and visual studio 2015 but making it compatible with 2010! The updater mechanism for botupdate.exe (ieinspector) pushes at memory address 0C77242Bh using UPX1 packing here's an analysis of botupdate.exe https://www.hybrid-analysis.com/sample/9126c3851393f86973fc4e7b9a9156e20edc489606b94b8847f90e5b0b3809b2 Seemingly it targets VBOX virtualization... and connects to these addresses: https://www.hybrid-analysis.com/sample/9126c3851393f86973fc4e7b9a9156e20edc489606b94b8847f90e5b0b3809b2/5bce13b87ca3e120f04acb8f#signature-ee8357e421efee19e1610c7bc6b56378
  28. Aim2018

    firewall policy and remote access

    Aim2018 replied to Aim2018's topic in ESET Endpoint Products

    Hi, Thanks for the reply I am planning to use the HIPS rules (and also the firewall rules mentioned in the discussion ) from the below link to protect from ransomeware . https://techcenter.eset.nl/kb/articles/configure-hips-rules-for-eset-business-products-to-protect-against-ransomware For software deployment I am using pdq ,manageengine and sccm also which basically uses custom vb and powershell scripts I want to exclude those deployment from the hips and the firewall rules Please advise Thanks
  29. Marcos
    After a fresh installation a restart should not be required. Try using the msi parameter SKIP_PENDING_REBOOT_CHECK=1.
  30.    Aim2018 reacted to a post in a topic: firewall policy and remote access
  31. itman
    Also of note is this use of this SID "S-1-96-82." Here's a reference to well know system SID's: https://docs.microsoft.com/en-us/windows/desktop/secauthz/well-known-sids When I refer to legit SID based directories listed under C:\Windows\System32\Microsoft\Protect\, they all begin with S-1-5. Also, the only thing that exits in those directories are registry key references. -EDIT- Kaspersky recent published an article in regards to a RID vulnerability that exists on all Win versions here: https://threatpost.com/trivial-post-intrusion-attack-exploits-windows-rid/138448/ with specific attack details here: http://csl.com.co/rid-hijacking/ . This attack would allow for system changes to be made such as what is currently being evidenced in this thread.
  32. Pichaipusit Pichaipusit changed their profile photo
  33. DoNotAskMeWhy DoNotAskMeWhy joined the community
  34. WiperSoft WiperSoft joined the community
  35. itman

    firewall policy and remote access

    itman replied to Aim2018's topic in ESET Endpoint Products

    To begin with, Eset's firewall evaluates rule from top to bottom order. Unless the user rules you added were placed at the top of the existing rule set, it can be assumed that existing Eset default firewall rules are overriding your custom rules. Appears you are trying to use RPC for your remote connection activity? Eset already has default rules for that. However, the default rules only allow inbound RPC activity for IP addresses listed in the "Trusted" zone. You should review the existing Eset default rules in regards to "Trusted" zone activity. If those meet your security policy criteria, the simple solution is to add the local network IP address shown in your screen shot to the "Trusted" zone.
  36. philippe philippe changed their profile photo
  37. RedLine
    Hi, I have a problem. After upgrade or fresh install of ESET agent I have an error in task executions tab: But if I copy EEA installer and then run it locally I can install antivirus without any restart. Is it a bug? I have an issue.. Because I am setup an installation task for EEA 7.x when computer is joining to a dynamic group. Dynamic group base on dynamic template and detects an agent version. If an agent is 7.x and host have not an agent 6.x then I want to install EEA 7.x But I have this error. And as I understand correctly if the task is failed, then I need to run installation task again manually in ESMC
  38. Leonardo
    Thanks, I'm working and only back at home tomorrow, If Marcos does not answer, I will contact the support team tomorrow.
  39.    Leonardo reacted to a post in a topic: Problem with ESET anti-theft
  40. encor encor changed their profile photo
  41. شیروان پورجوزی ناو شیروان پورجوزی ناو joined the community
  42. Rami
    To be honest no I don't know but @Marcos should reply as soon as he is available or when he sees this topic You can also send a support request to your local support team , you can do that from the ESET GUI
  43. Leonardo
    Hello @Rami Do you know how long is the delay to get an answer from @Marcos ?
  44.    Leonardo reacted to a post in a topic: Problem with ESET anti-theft
  45.    Leonardo reacted to a post in a topic: Problem with ESET anti-theft
  46. Aim2018

    firewall policy and remote access

    Aim2018 replied to Aim2018's topic in ESET Endpoint Products

    Hi, "Try deny first then allow second. " I tried the above but did not help Thanks
  47. Marcos

    Web site url blocked

    Marcos replied to MF Software's topic in Malware Finding and Cleaning

    Since the website has been cleaned and we didn't find any malware there, we have unblocked it. The procedure for reporting blocked websites is described in the KB https://support.eset.com/kb141/.
  1. Load more activity
×