All Activity

OK. I looked at the Eset EFS documentation and its network protection contains all Endpoint features minus the Eset firewall. Relying on the Win firewall is a real bummer. I assume EFS must interface with the Win firewall in some way? The blocked inbound traffic from Win firewall is what shows in Eset Network Troubleshooting detail? And selecting "Unblock" there will create a Win firewall inbound rule for connection? I only see one block rule for UDP and IP. Should there not be three rules for each; one for each profile; domain, public, and private?

It contains Network attack protection which is a kind of fifirewall.

This is File Security , Server Security , it doesn't offer a Firewall at all

Refer to what I posted above: https://forum.eset.com/topic/29183-ids-use-over-70-of-cpu-too-many-attacks-detected/?do=findComment&comment=136864 . Again, by default Eset will only refer to Windows inbound firewall rules if the network activity being handled by existing Eset firewall rules has not been processed by one of these Eset rules. In this situation, the Eset firewall will pass control to the Windows firewall processing to determine if an existing allow inbound rule exists for the network activity. If such a rule exists, the Eset firewall will allow the inbound network traffic; otherwise the Eset firewall will block the inbound traffic. Bottom line - Only Windows inbound firewall rules are referenced but at no time does the Windows firewall itself block or allow any network activity. In the situation where the Windows firewall contains inbound block rules, the question is if the Eset firewall will process those rules or ignore them? My best guess is it ignores those rules since it is only looking for an allow rule for the network activity. The end result however is that the inbound network traffic is blocked; but always by the Eset firewall. Finally and important, note the following. Win firewall rules are stored in clear text in the Win registry. This makes them not only easy to read but also to be modified by malware. As such, the Eset option to use Win inbound allow firewall rules does pose a potential risk.

Obviously, something ran on the device that created the WS directory in C:\Users\xxxx\AppData\Roaming\ and dropped ws.exe there. This something also created the .lnk entry in C:\Users\xxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ for persistence to run ws.exe at system startup time. Forensic analysis would have to be performed to trace back system events that took place just prior to the above creation activities to determine the source of these activities. -EDIT- Also a review of the original stackoverflow posting: Notice what I underlined. There is other malware on this device that is causing the initial attack malware to be recreated at system startup time. I suspect this other malware is related to the remote connection you discovered which recreates the initial attack malware. This other malware could also be a rootkit, or other malicious driver, or a Windows service. -EDIT- Reviewing this: https://analyze.intezer.com/analyses/6a7b919d-7f40-4019-9e6b-7f6bc7c5be89 , I believe the source of the malware is WMI based; a consumer event or command script. This is why it keeps reappearing after manual deletion of WS directory in C:\Users\xxxx\AppData\Roaming\ and the .lnk file in C:\Users\xxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ . You might want to use SysInternals Autoruns and see if anything shows after selecting the WMI tab. I will also again note that if .lnk file creation was being monitored in the Win auto run startup locations, this would also assist in determining the source of the file creation activity.

Attacks shouldn't reach ESET as they were stopped by the Firewall in first place , how could they reach if the Firewall blocked them in first place? Something is weird or I just don't understand it. If ESET is still showing things in Network Troubleshooting area and Blocked IP Addresses List area , then the Windows Firewall is not blocking properly. When Windows Firewall is blocking properly , then ESET shouldn't see anything because it's already stopped before it can even see them by the Firewall.

Here is another analysis https://www.hybrid-analysis.com/sample/e0f8a75737f932454aa9a325d35a7abc837fd05c23b5a5d1360d6ba1a6fb6479/60fbc6767746783ee4496bf6

Ok got it working by simply pointing the batch to windows 7's internal wscript.exe instead, here are the results: https://analyze.intezer.com/analyses/6a7b919d-7f40-4019-9e6b-7f6bc7c5be89 It connects to a command and control center at hxxp://api.backend-chat.com/connect likely to grab a prepared payload of sorts, likely mimikatz or meterpeter, to further exploit the machine, perhaps based on the machines characteristics. It may query the machine possibly for anti-virtualization. The target url has no malicious data associated with it suggesting this could be a very targeted and or fresh attack, the C&C is probably quite new. Here are a few things it does: Command and Scripting Interpreter :: Unix Shell Hide Artifacts :: NTFS File Attributes Query Registry System Information Discovery here are the results, click TTPs, IOC's, and Behavior: (References to certutil or"Ingress Tool Transfer" are just my addition in order to create a script that worked on these machines) https://analyze.intezer.com/analyses/6a7b919d-7f40-4019-9e6b-7f6bc7c5be89

Yes this particular drop was designed only to run on windows 10...

Perhaps it has something to do with the vms all being windows 7 machines, this ws.exe was created in 2019... from intezer analysis, . https://analyze.intezer.com/analyses/2b18e032-87bc-4ec2-9f5f-c6561b505220

As you can see, uploading the same payload file to YOMI sandbox for analysis it actually executed the code as it should have, https://yomi.yoroi.company/report/60fb8faf1cea016952883436/60fb903f5fc08ba98419ef33/behavior It does not report any internet connectivity however.

Hybrid Analysis is not accurately running the script I created, which is attached. I don't understand. It should also list underneath some variation of the following: START %TEMP%\ws.exe /E:jscript /b %TEMP%\ws EpmTG6iCDsBeVLWu8agXIy7=9PcM2ftkdFSj4KbhxQ1qrzAn+YoN/3UJR5wv0ZHOl This command seems to work on its own when I run it in windows. I see ws.exe loaded with the commandline above. CrowdStrike is ignoring this. I ran this script in sandboxie and it stated that it attempted to connect to the internet; hybrid analysis does not want to execute the final command which initiates the payload. I had a DOS immediately after uploading it to H.A, my internet went down shortly. VT analyzes the plain old original ws script, and is smart enough to automatically execute it with wscript.exe, however there seems to be a key or a signature in the .lnk shortcut that is required for the js to execute properly. I tried varying commands recommended on stackexchange but I did not see any output log or data. So I created my own batch script with the payload and ws.exe embedded within it, drops them to the temp folder and then executes the original string in the .lnk C:\Users\Ty\AppData\Roaming\WS\ws.exe /E:jscript /b C:\Users\Ty\AppData\Roaming\WS\ws EpmTG6iCDsBeVLWu8agXIy7=9PcM2ftkdFSj4KbhxQ1qrzAn+YoN/3UJR5wv0ZHOl My script uses: START %TEMP%\ws.exe /E:jscript /b %TEMP%\ws EpmTG6iCDsBeVLWu8agXIy7=9PcM2ftkdFSj4KbhxQ1qrzAn+YoN/3UJR5wv0ZHOl What works on my computer does not execute on Hybrid Analysis: Any idea how I can get Hybrid Analysis to actually execute this malware for analysis? payload.zip

As far as I am concerned, Eset should have been flagging creation of .lnk files in Win auto run startup locations eons ago; at least in the consumer product versions. Corps. might be manually creating such references, but I know of no commercial software that does so. See the problem here is Eset for the most part is a "one solution fits all" product. The only recent concession Eset made originally for the consumer versions was its ransomware protection. And recent postings have questioned its effectiveness against 0-day ransomware.

For us non IT types, how bad is Eset protection if you feel the need to have to do this?

Gotta love the Good Deeds Service touch lol.

Yeah not the advice I'd expect it genuine

The free version of ZoneAlarm definitely has been using the Kaspersky engine for a while: https://www.pcmag.com/reviews/check-point-zonealarm-free-antivirus-plus . The paid consumer and enterprise versions use more Kaspersky components: http://svendsen.me/worried-checkpoints-use-kaspersky-products-heres-disable-remove/

Below is the English translation of the above: Err ........, what the ..........

When making a new certificate cause the previous was essentially obsolete we pushed the new one out with many agents coming onboard. However some weren't onboard when we switched and cause of the current times when many might not be online for quite awhile it's not really working to wait forever. So in order to solve this i am trying to find a way to detect them, and currently the closest thing i have come to is checking the: "C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs\status.html" if it contains "NodVerifyTrustResult: 42" and if it does just reinstall the agent. Sadly this doesn't seem to work that well as it can be a delay of the status compared to when the agent is installed (when the script verifies it's working) and i just can't seem to make it work out. So out of current ideas i am hoping to get some answers here on how to approach this as there might be a much more clean way to tackle this issue that i am unaware of. Thanks!

Hello, ESET Mail Security for Linux is based on the v4 engine which is quite old, and has been in Limited Support for quite a while (continues to receive module updates, only fixes for critical bugs and vulnerabilities, support for existing customers, etc.). It has not been offered for download for quite some time now. There are no plans for a successor product at the current time, but that could change given market opportunity. It is best that you contact your local ESET office or distributor to discuss further, as this forum is primarily for user-to-user peer support. Regards, Aryeh Goretsky

URL shortener services distributing Android malware – Week in security with Tony Anscombe The post Week in security with Tony Anscombe appeared first on WeLiveSecurity View the full article

No problem We have separate subforums dedicated to particular products rather than subforums for IT professionals and novices. While all products are alike, there are differences also in internal behavior and therefore it's a good practice to post in the appropriate product subforum.

Sorry I did not realize I was in the wrong forum. I am new to the ESET forums and started by searching for the problem I was having. I found this thread and contributed. I do see now that this forum is for IT professionals who support business users.

Really? Is that a recent thing? Years ago I used zonealarm which is part of checkpoint but I always thought they had their own engine

Well thanks for your help I didn't go deep enough in the documentation I guess, sorry for bothering you !