Marcos

Administrators
  • Content Count: 15,421
  • Joined
  • Last visited
  • Days Won: 665

Marcos last won the day on July 18

Marcos had the most liked content!

Profile Information
  • Gender: Not Telling
  • Location: Slovakia

Recent Profile Visitors

18,889 profile views
  1. This value is set by the operating system, and third-party vendors have no reason to change OS settings that are controlled by the OS itself. By default, the value FeatureBits doesn't exist. We do not inject eamsi.dll whatsoever. If a particular process utilizes AMSI, the OS is responsible for loading the said DLL into it. No. The said certificate is intended to sign ELAM drivers only. Microsoft doesn't sign third-party DLLs.
  2. Most likely this is what happened:
     - an attacker logged in with administrator privileges (stole an admin password, guessed it or brute-forced it) via RDP
     - ESET was not password protected, so they paused or removed the AV
     - the attacker ran ransomware to encrypt files
     - the attacker re-enabled AV protection
     First of all, make sure that RDP is properly secured and a lockout policy is set to prevent brute-force attacks. For improved security, use 2FA. If you don't need RDP, disable it. To improve AV self-defense, set a password to prevent unauthorized users from disabling or uninstalling the AV. Also, we recommend enabling detection of potentially unsafe applications so that hackers cannot use legitimate tools to circumvent protection. I'd suggest the following steps:
     - collect logs with ESET Log Collector
     - put a handful of encrypted files (ideally Office documents) along with the ransomware note (payment instructions) into an archive
     - submit both archives to samples[at]eset.com and wait for further instructions.
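The RDP checks in the post above (is RDP on, is a lockout policy set, who has been hammering the host) can be audited on the affected machine before any of it is touched. The script below is an added example and is not part of Marcos's post or of any ESET tool; it uses only built-in Windows registry keys, `net accounts` and Security-log event IDs 4624/4625. The lookback window, the lockout thresholds under `-Remediate`, and the decision to treat LogonType 3 failures as RDP-related (NLA authenticates over CredSSP before a type-10 session exists) are this example's own assumptions.

```powershell
# Added example, not from the original post or any ESET product: audit the
# RDP hardening points listed above on the local Windows host.
# Assumptions (mine, not the post's): elevated PowerShell 5.1+ on a host whose
# Security log has logon auditing enabled; thresholds below are illustrative.

[CmdletBinding()]
param(
    [int]$LookbackHours = 24,   # how far back to look for RDP logon events
    [switch]$Remediate          # apply a lockout policy and require NLA
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

# 1. Is RDP enabled at all?  fDenyTSConnections = 1 means Remote Desktop is off.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)

# 2. Is Network Level Authentication required?  UserAuthentication = 1 means yes.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

# 3. Local account lockout policy (the setting the post says must exist).
$lockoutLines = net accounts 2>$null | Select-String 'Lockout'

# 4. Logon events: 4625 (failed) and 4624 (success).  One query, then pull
#    LogonType / IpAddress / TargetUserName out of each event's XML.
$since  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Id        = $_.Id
            Time      = $_.TimeCreated
            LogonType = $data['LogonType']
            User      = $data['TargetUserName']
            Ip        = $data['IpAddress']
        }
    }

# Caveat: with NLA enabled, a wrong RDP password is logged as LogonType 3
# (network logon via CredSSP) rather than 10, so count both when hunting for
# brute force.  A successful interactive RDP session is LogonType 10.
$failedRdp = $events | Where-Object { $_.Id -eq 4625 -and $_.LogonType -in '3', '10' } |
    Group-Object Ip | Sort-Object Count -Descending
$successRdp = $events | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq '10' }

# 5. Report
"RDP enabled            : $rdpEnabled"
"NLA required           : $($nla -eq 1)"
"Lockout policy         :"
$lockoutLines | ForEach-Object { "    $($_.Line.Trim())" }
"Failed RDP/NLA logons  : (last $LookbackHours h, by source IP)"
$failedRdp | Select-Object -First 10 | ForEach-Object { "    {0,-20} {1,5} attempts" -f $_.Name, $_.Count }
"Successful RDP logons  :"
$successRdp | ForEach-Object { "    {0:u}  {1}  from {2}" -f $_.Time, $_.User, $_.Ip }

# 6. Optional remediation: lock out after 5 bad passwords for 30 minutes, and
#    require NLA so credentials are checked before a session is created.
if ($Remediate) {
    net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
    # If RDP is not needed at all, disable it instead (the post's first advice):
    # Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
}
```

Run it read-only first; a successful 4624/LogonType 10 from an unfamiliar address right before the encryption timestamps is the evidence of the scenario the post describes, and the source IPs in the 4625 grouping are what a lockout policy (or disabling RDP) would have stopped. The 2FA and AV-password steps from the post are product-specific and are not covered by this script.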
  3. https://www.vice.com/en_us/article/9kxp83/researchers-easily-trick-cylances-ai-based-antivirus-into-thinking-malware-is-goodware
     AV companies must not rely on machine learning alone. We use a combination of different approaches, including AI and ML, as also mentioned at https://www.eset.com/int/about/technology/. Related documents and articles:
     https://www.eset.com/blog/enterprise/is-the-ai-hype-muddling-the-meaning-of-machine-learning/
     https://cdn1.esetstatic.com/ESET/BLOG/Whitepapers/2018/ESET_AI_hype.pdf
     https://www.welivesecurity.com/wp-content/uploads/2019/02/ESET_MACHINE_LEARNING_ERA.pdf
  4. Do you have the repository set to AUTOSELECT so that installers are downloaded from the closest CDN server? Do you use a firewall or proxy that might possibly disrupt the communication or corrupt downloaded files?
  5. Now try re-enabling HIPS (don't forget to rename Drivers_bak back to Drivers) but disable:
     - Advanced Memory Scanner
     - Self-defense
     Let us know if the problem returns or if it works without issues. If the issue doesn't occur, try enabling self-defense and test it for a while. Then re-enable AMS and make another test.
  6. I have the same but cannot reproduce it. As long as the secure browser opens, it's secure. The green frame and logo are just an indication that you're browsing securely. I'd suggest opening a support ticket with your local customer care for further troubleshooting of the issue.
  7. The "Please read this before you post" notice reads: Do not report blocked websites. After cleaning a website from malware and taking measures to prevent further re-infection, request a re-check as per the instructions in the FAQ. This forum does not serve as a channel for requesting website re-checks or disputing blocks or detections. Having said that, we'll draw this topic to a close.
  8. In the list of installed applications you can see whether a particular application can be uninstalled remotely:
  9. Is the software you attempted to uninstall installed in the Program Files folder, and does it appear in the list of installed programs in the Control Center?
  10. We are very sorry for the delayed announcement. It is our goal to post announcements on time with the release of new product versions so that you have all information about the releases at your disposal on time. We can assure you that we're working on improvements in this field to prevent this from happening in the future.
  11. Just to make sure, do you have reporting of non-ESET applications enabled via an agent's policy?
  12. This cannot be true because when SSL filtering, or protocol filtering as a whole, is disabled, SSL (https) communication bypasses ESET completely, so there's no chance we would intervene in it in any way. You can test the behavior with a self-signed, untrusted certificate here: https://self-signed.badssl.com/ You should be asked by the browser whether you want to continue to the website.
  13. There's nothing to fix on our part. SystemRequirementsLab is a PUA, and therefore the URL is blocked as a PUA. PUA detection is optional. The question is why Catalyst accesses the PUA URL, but that's not a question for us but for the maker of Catalyst. If you are OK with giving information about your IP address and country to the PUA vendor, you can add the blocked address to the list of allowed addresses so that it's not blocked.
  14. Membership in dynamic groups is evaluated by the agent on clients. Therefore, the agent must first connect to the ESMC server to receive information about dynamic groups. It then evaluates membership in the DG and sends this information to the ESMC server the next time it connects to the server.
  15. This is what happened:
      1. You use another free AV with its real-time protection active, and you ran a scan with ESET Online Scanner to see if ESET finds a threat missed by your AV that could still be on your machine.
      2. Upon running ESET Online Scanner, you opted for detection of potentially unsafe applications, which covers legitimate tools that could be misused in the wrong hands and some toolbars too. This detection is disabled in ESET's products by default.
      3. The free version of your AV is known to be distributed with a toolbar that ESET detected during the scan.
      4. The toolbar was detected in your AV's folder, so it could be that the AV protected it from being removed by EOS.