All Activity

  Past hour
  2. I will format my PC, following its recommendation, but I must keep many work files. Do you think there is a risk of translating the infection to the external hard drive where I will store the information?
  Today
  4. I have just now started getting the same thing. It doesn't happen every time I visit reddit, but enough times for me to notice it. Also, it seems to happen more often if I refresh the page via CTRL+F5.
  Yesterday
  6. Interesting Samples

    Actually, the issue is running any installer from a trusted app. Using a HIPS or any anti-exec for that matter, it would have to be switched from policy or interactive mode to normal mode in the case of a HIPS, or the anti-exec disabled, to allow the installation to proceed unimpeded. An infected installer from a trusted app that contains a backdoor will not be detected by any security solution I know of unless a previous signature has been developed for the backdoor. Of course, for the signature to be created, the backdoor has to be discovered. The point to note is all a backdoor does is establish a remote connection. That type of activity would be normal for any app that does auto updating, for example. Additionally, the backdoor remote connection might not be established for days, weeks, or in a few documented cases, years later.
  7. Their stance is that installing the uninfected version will remove the primary backdoor since it was embedded within the software. Their original stance was that they could find no evidence that anything was downloaded through the backdoor. That is, until later a second backdoor was discovered. They explained this one away by stating that the second backdoor only targeted corp. users. All the above of course is "baloney" since the Malr analysis I posted previously in this thread showed all the major browsers had their settings modified. That alone indicates a very high likelihood that additional malware downloads and system modification activities were indeed performed through the initial backdoor. They are not going to admit publicly anything other than what has been said to date, due to legal liability and the like. This is the primary reason that they haven't publicly stated that the only way to fully know your system is clean is to do an image restore prior to Aug. 15 or reinstall your OS. Pretty damn irresponsible in my opinion.
  8. See comment #118 at https://forum.piriform.com/index.php?showtopic=48869&page=6 Maybe it's all about $$$....nothing would surprise me these days.
  9. Interesting Samples

    My knowledge is limited, but would a whitelisting program have caused issues with the CCleaner incident, e.g. because it is whitelisted it could ignore malicious activity?
  10. One thing that has confused me is that Avast/Piriform has not released any tools. Surely a standalone tool to detect all traces and remove them would make a lot of customers feel safer.
  11. HIPS and Anti-Stealth not working

    Sorry. You don't know which ones. Just try to re-install those mentioned in the thread I quoted. This always solved the problem for me (I have the same problem with each program update since version 9).
  12. Probably; earlier I used the English interface of Windows 10, now it's Russian. Sometimes it's normal, sometimes not. I've updated EIS, so we'll see.
  13. Hi. My WAN address changed. I revoked the old certificate and generated a new certificate, but users cannot connect. Please help: how do I generate a new certificate, step by step?
  14. Are you really using the latest v10.1.219? If so, I assume it could be that some of the standard fonts are not installed.
  15. ahaha this is so funny
  16. Last Connect

    We have several computers that show in the Remote Administrator Console as having not connected in a long time. When you check the computers, they show that they have indeed connected and everything is up to date. Additionally, the ELA console shows them as connected today. Any idea how I can reconcile the endpoints with the RA console correctly? Thanks!
  17. This issue is currently being investigated. It seems that there is a problem in the configuration of ESET update servers affecting update files for the latest endpoint products (v6.6): no cache-control related headers are sent by ESET servers. In case this is confirmed, re-configuration of ESET servers should be enough to enable caching for all users of the ep6.6 mirror. Regarding update.ver caching: the file is cached because of missing "no-cache" headers sent from update servers, but this should not affect security product updates -> each time the product checks for updates, it sends a HEAD request with "no-cache" properties so that the file is not served from the HTTP proxy. Update.ver should be served from cache only in case the initial HEAD request shows that the file on ESET servers is the same as the one cached.
  18. New Nude Ransomware

    Ahh, just seen the analysis time of 20hrs ago and never realised there was a newer version of the same sample on the same site lol
  19. New Nude Ransomware

    I haven't streaked in about 45 years...not going back now, can't run as fast.
  20. CCleaner

    Either you're a trifle bit confused (comparing a PUA to a trojan) or attempting a humorous interjection...but the conversation is at : https://forum.eset.com/topic/13175-ccleaner-v5336162-and-ccleaner-cloud-v1073191-had-been-compromised/?page=2
  21. New Nude Ransomware

    https://www.virustotal.com/#/file/c89944f9ec704c2b8da3a1acf726699022e7c68334110f72007d762217a9a4a5/detection The old VirusTotal site, it seems, is not updated!
  22. New Nude Ransomware

    https://www.virustotal.com/en/file/c89944f9ec704c2b8da3a1acf726699022e7c68334110f72007d762217a9a4a5/analysis/1506022612/ Please add a detection, as the last thing people want to see is my body lol. Would post a pic of the lock screen, but it would break the forum rules ....... Aka nRansom
  23. Licence activation problem

    Hi, I opened a ticket at ESET France Support for the deactivation problem. I'll let you know if we find something. For the second point, I think you're right. Our customer uses a master image to prepare the laptops. I'll ask them which tool they use to install their laptops and the hardware specifications. And we will try your suggestion to deactivate from ELA and reactivate again.
  24. I'm assuming update.ver isn't supposed to be cached. Here's a section of yesterday's cached-requests.log from Apache. Note that the only clients that are occasionally receiving a cached update.ver are the ones that have been updated to 6.6.2046.

    10.10.10.105 - - [21/Sep/2017:00:04:48 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9621
    10.10.10.134 - - [21/Sep/2017:00:07:01 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9621
    10.10.10.105 - - [21/Sep/2017:01:04:48 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9621
    10.10.10.134 - - [21/Sep/2017:01:07:00 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9621
    10.10.10.134 - - [21/Sep/2017:03:07:01 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9621
    10.10.10.134 - - [21/Sep/2017:06:07:03 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9600
    10.10.10.134 - - [21/Sep/2017:07:07:05 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9599
    10.10.10.134 - - [21/Sep/2017:09:07:13 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9599
    10.10.10.134 - - [21/Sep/2017:11:07:05 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9656
    10.10.10.105 - - [21/Sep/2017:12:04:53 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9656
    10.10.10.134 - - [21/Sep/2017:12:07:05 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9656
    10.10.10.134 - - [21/Sep/2017:13:07:05 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9656
    10.10.10.104 - - [21/Sep/2017:13:57:09 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9621
    10.10.10.105 - - [21/Sep/2017:14:04:52 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9621
    10.10.10.134 - - [21/Sep/2017:14:07:07 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9621
    10.10.10.86 - - [21/Sep/2017:14:20:27 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9621
    10.10.10.105 - - [21/Sep/2017:15:04:53 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9626
    10.10.10.134 - - [21/Sep/2017:15:07:10 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9626
    10.10.10.134 - - [21/Sep/2017:17:07:08 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9626
    10.10.10.104 - - [21/Sep/2017:17:57:14 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9613
    10.10.10.105 - - [21/Sep/2017:18:04:55 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9613
    10.10.10.134 - - [21/Sep/2017:18:07:07 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9613
    10.10.10.86 - - [21/Sep/2017:18:20:28 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9613
    10.10.10.134 - - [21/Sep/2017:19:07:08 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9658
    10.10.10.105 - - [21/Sep/2017:20:04:55 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9658
    10.10.10.134 - - [21/Sep/2017:20:07:07 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9658
    10.10.10.105 - - [21/Sep/2017:21:04:55 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9658
    10.10.10.134 - - [21/Sep/2017:21:07:07 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9658
    10.10.10.105 - - [21/Sep/2017:22:04:55 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9658
    10.10.10.134 - - [21/Sep/2017:22:07:07 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9658
    10.10.10.134 - - [21/Sep/2017:23:07:08 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9635

    I also get requests for update.ver in revalidated-requests.log a couple of times a day. Also only from the clients that have been updated to 6.6.2046. Here are those entries copied from that log:

    10.10.10.104 - - [20/Sep/2017:14:57:02 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9633
    10.10.10.134 - - [20/Sep/2017:16:06:59 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9633
    10.10.10.105 - - [21/Sep/2017:19:04:55 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9658
    10.10.10.104 - - [21/Sep/2017:21:57:15 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9658
    10.10.10.105 - - [21/Sep/2017:23:04:57 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9635
    10.10.10.134 - - [22/Sep/2017:07:07:08 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9606

    Am I reading the logs incorrectly? If I grep update.ver from htcacheclean.exe -a -p "c:\ProgramData\Apache HTTP Proxy\cache" I get this:

    hxxp://um05.eset.com:80hxxp://um05.eset.com/eset_upd/v5/update.ver?
    hxxp://um02.eset.com:80hxxp://um02.eset.com/eset_upd/v5/update.ver?
    hxxp://38.90.226.40:80hxxp://38.90.226.40/eset_upd/v5/update.ver?
    hxxp://um21.eset.com:80hxxp://um21.eset.com/eset_upd/v5/update.ver?
    hxxp://update.eset.com:80hxxp://update.eset.com/eset_upd/v5/update.ver?
    hxxp://um07.eset.com:80hxxp://um07.eset.com/eset_upd/v5/update.ver?
    hxxp://91.228.166.13:80hxxp://91.228.166.13/eset_upd/v5/update.ver?
    hxxp://91.228.167.21:80hxxp://91.228.167.21/eset_upd/v5/update.ver?
    hxxp://um09.eset.com:80hxxp://um09.eset.com/eset_upd/v5/update.ver?
    hxxp://91.228.167.133:80hxxp://91.228.167.133/eset_upd/v5/update.ver?
    hxxp://38.90.226.39:80hxxp://38.90.226.39/eset_upd/v5/update.ver?
    hxxp://update.eset.com:80hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver?
    hxxp://91.228.166.16:80hxxp://91.228.166.16/eset_upd/v5/update.ver?
    hxxp://38.90.226.37:80hxxp://38.90.226.37/eset_upd/v5/update.ver?

    The clients I've updated to 6.6.2046 do seem to have the latest definition updates (currently 16123) despite occasionally being served cached update.ver files, so I'm not sure what's going on. A little help deciphering this would be great.
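The caching behaviour discussed in posts 17 and 24 above (update.ver stored by the Apache proxy because the origin sends no cache-control headers, and the product's HEAD request with no-cache properties forcing revalidation), as an added Python example that is neither ESET's code nor any poster's: it tallies per-client cached update.ver hits from log lines in the shape quoted above and approximates mod_cache's default storage decision from response and request headers. The log sample is constructed (not the poster's data), and the other file name in it and the header values are assumptions.

```python
import re
from collections import defaultdict

# Access-log entry in the shape quoted in the post (client, timestamp, request, status, size).
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$')

# Constructed sample mirroring cached-requests.log; "other_file.dat" is a made-up name.
SAMPLE_LOG = """\
10.10.10.105 - - [21/Sep/2017:00:04:48 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9621
10.10.10.134 - - [21/Sep/2017:00:07:01 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9621
10.10.10.134 - - [21/Sep/2017:06:07:03 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9600
10.10.10.104 - - [21/Sep/2017:13:57:09 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/update.ver HTTP/1.1" 200 9621
10.10.10.86 - - [21/Sep/2017:14:20:27 -0500] "GET hxxp://update.eset.com/eset_upd/ep6.6/dll/other_file.dat HTTP/1.1" 200 51200
"""

def cached_update_ver_by_client(log_text):
    """Per client: how often update.ver was answered from cache and the distinct sizes served.
    Several sizes for one client within a day show the stored copy was refreshed in between."""
    out = defaultdict(lambda: {"hits": 0, "sizes": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200" or not m.group("url").endswith("/update.ver"):
            continue
        out[m.group("client")]["hits"] += 1
        out[m.group("client")]["sizes"].add(int(m.group("size")))
    return dict(out)

def _directives(value):
    """Cache-Control directive names, lower-cased, with any '=value' part dropped."""
    return {d.strip().split("=")[0].lower() for d in value.split(",") if d.strip()}

def response_storable(resp_headers):
    """Approximation of mod_cache defaults: no-store / no-cache / private block storage;
    otherwise the response needs max-age, Expires, or a Last-Modified for heuristic freshness.
    A bare 200 with none of these (the situation described in post 17) is not stored."""
    h = {k.lower(): v for k, v in resp_headers.items()}
    cc = _directives(h.get("cache-control", ""))
    if cc & {"no-store", "no-cache", "private"}:
        return False
    return bool(cc & {"max-age", "s-maxage"}) or "expires" in h or "last-modified" in h

def may_serve_from_cache(req_headers, resp_headers):
    """A stored copy may be returned without contacting the origin unless the client sent
    Cache-Control: no-cache or Pragma: no-cache, which forces revalidation."""
    r = {k.lower(): v for k, v in req_headers.items()}
    if "no-cache" in _directives(r.get("cache-control", "")) or r.get("pragma", "").lower() == "no-cache":
        return False
    return response_storable(resp_headers)
```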
  25. 6.6 Application Statuses

    Fyi, I now have the latest configuration module but I still can't disable these two statuses from ERA. ESET Support Case 69797 has been opened. No ETA yet...
  26. Interesting Samples

    My point of reference was preventing any non-whitelisted app from running. If a whitelisted app has a vulnerability, it can be exploited. Most exploiting is done against Internet-facing apps such as browsers, .pdf readers, and e-mail clients. Plus, Eset has exploit protection that is not conditioned by any particular HIPS mode setting.
  27. Licence activation problem

    For the problem of the random deactivations, this will need to be further investigated, as we have not noticed anything suspicious on our side. Concerning the different number of computers between ERA / ELA: according to our evidence, multiple computers have the same Seat ID, meaning they share the same fingerprint. Are those machines virtualized / cloned in any way? What is the hardware on which they are installed? You can fix it only by deactivating them (from ELA) and then reactivating them again.
  28. The same observation was made by others in the security forums where past testing of Cylance was performed. That is, they are not only using blacklisting but also signatures in their detection processing. Most by now have correctly deduced that Cylance is "smoke and mirrors" protection. The bottom line is that backdoor detection via behavior analysis from a trusted app is virtually impossible. Establishing a remote connection is normal behavior for most applications, to support auto updating for example.