Everything posted by Marcos
-
My Website is Blocked by ESET!
Marcos replied to Rajesh Patel's topic in Malware Finding and Cleaning
First of all, this forum does not serve as a means for reporting false positives or false negatives. To report the alleged false positive to the ESET Security Research Lab, follow the instructions in the FAQ section at the right-hand side of this forum. Also don't forget to include the URL which is blocked. Last but not least, we kindly ask you not to hijack someone else's topic next time but create a new one instead. Having said that, we'll draw this topic to a close.
-
If you also use ESET Remote Administrator to manage Endpoints, you should be able to create the appropriate threat reports on a regular basis.
-
The Locky executable was supposed to be detected. On my test machine, I had one-week-old modules and disabled even real-time protection, but the latest Locky was still detected and blocked upon execution. I can check ELC logs anyway, at least to review the configuration and make sure that ESET is not misconfigured somehow.
-
The latest variant of Locky was detected even with an outdated detection engine. When I executed it on a computer where ESET had not been updated for 1 week, it was detected in memory and blocked:

Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here
8/22/2017 8:45:42 AM;unknown;file;Operating memory » C:\Documents and Settings\Administrator\Desktop\a.exe;a variant of Win32/Filecoder.Locky.L trojan;cleaned by deleting;

It could be that an attacker remoted in via RDP, disabled ESET and then ran the ransomware. If you would like to investigate it, collect logs with ELC (choose Threat detection from the menu in ELC), upload the generated zip archive to a safe location and PM me a download link.
-
Already replied here: https://forum.eset.com/topic/12879-posted-2-times-since-no-one-saw-my-first-one. The detection is correct. Having said that, we'll draw this topic to a close.
-
If the former computer doesn't boot up, simply install and activate ESET on the new one. Otherwise the proper procedure would be to uninstall ESET from the former computer before activating it on the new one.
-
It seems to be a new TrickBot blocked in LiveGrid about 9 hours ago, and the detection was added in update 15954 released about 3 hours ago. If malware is already running in memory and we detect it, the process is either terminated or suspended. That said, even if you see a malicious process among running processes, it may be in a suspended state and do nothing. The computer should be restarted to finish cleaning.
-
Web- and Phishing Protection disabled on Server 2016
Marcos replied to TomTomTom's topic in ESET Products for Windows Servers
Speaking about VirtIO drivers, this is what we have recently found out: It seems that there is a problem when Receive Segment Coalescing (RSC) is enabled on the VirtIO Ethernet adapter. Our WFP drivers do not support RSC, which is perfectly fine, and Windows should disable RSC on that network adapter. However, for some unknown reason, when Windows tries to disable RSC on VirtIO, the BFE service hangs (we believe that it could be a bug in MS or VirtIO). While we are considering adding RSC support to our drivers, a workaround would be to use a different NIC driver or to disable RSC in the network adapter properties, both for IPv4 and IPv6. It can be disabled via the registry as well; search for VirtioAdapter in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\<adapterID> and set RscIPv4 and RscIPv6 to 0, then reboot and install ESET.
-
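The RSC workaround from the post above, written out as an added PowerShell example (not ESET's code and not part of the original post). It assumes Windows Server 2016 with the NetAdapter module, an elevated prompt, and that VirtIO NICs can be recognized by "VirtIO" in their interface description; it only reports unless $Apply is set to $true.

```powershell
# Added example: report RSC state on VirtIO adapters and optionally disable it
# for IPv4 and IPv6, as the workaround above describes. Assumes an elevated
# PowerShell session on Windows Server 2016. Reporting only unless $Apply = $true.
$Apply = $false

# Assumption: VirtIO NICs carry "VirtIO" in their driver/interface description.
$virtio = Get-NetAdapter | Where-Object { $_.InterfaceDescription -match 'VirtIO' }
if (-not $virtio) {
    Write-Host 'No VirtIO adapter found; nothing to do.'
    return
}

foreach ($nic in $virtio) {
    # Current RSC state as Windows sees it.
    $rsc = Get-NetAdapterRsc -Name $nic.Name
    Write-Host ("{0}: RSC IPv4={1} IPv6={2}" -f $nic.Name, $rsc.IPv4Enabled, $rsc.IPv6Enabled)

    # Registry view of the same setting: the RSC keywords stored under the adapter's
    # subkey of HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}.
    Get-NetAdapterAdvancedProperty -Name $nic.Name -RegistryKeyword '*RscIPv4', '*RscIPv6' -ErrorAction SilentlyContinue |
        Format-Table DisplayName, RegistryKeyword, RegistryValue -AutoSize

    if ($Apply -and ($rsc.IPv4Enabled -or $rsc.IPv6Enabled)) {
        # Disable RSC for both address families on this adapter only.
        Disable-NetAdapterRsc -Name $nic.Name -IPv4 -IPv6 -Confirm:$false
        Write-Host "RSC disabled on $($nic.Name). Reboot before installing ESET."
    }
}
```

Run it once with $Apply left at $false to confirm which adapters it would touch; the registry values shown should read 0 after the change and a reboot.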
That's all. You can harden the system against infection by using additional HIPS rules, e.g. if you don't need to use wscript.exe, cscript.exe, mshta.exe, javaw.exe and powershell.exe, you can create block or at least ask rules so that you have control over script execution.
-
Specifying Quarantine Levels
Marcos replied to moonbeam's topic in ESET PROTECT On-prem (Remote Management)
Files are always quarantined when they are cleaned or cleaned by deletion.
-
The log is OK and no error is logged. We'll need to see what's going on when Windows starts. Therefore please temporarily enable advanced firewall logging in the advanced setup -> Tools -> Diagnostics, change the dump type to full and restart the computer. If the firewall and web and email protection malfunction, disable firewall logging and create a dump by clicking Create in the Diagnostics section of the advanced setup. Finally collect logs with ELC, upload the zip file to a safe location (e.g. OneDrive, Dropbox, etc.) and PM me a download link.
-
Posted 2 times since no one saw my first one
Marcos replied to Ozmi's topic in Malware Finding and Cleaning
The detection is correct. This forum does not serve as a means for reporting detections to ESET. See the appropriate link in the FAQ section at the right-hand side of this forum. Since it's not a false positive, you don't need to report it as the detection would remain. Having said that, we'll draw this topic to a close.
-
Is the MAC address of the machines always the same? Are they all physical machines and not VDI without persistent storage?
-
Home licenses are not managed via a web interface yet. We only have ESET License Administrator portal for managing business licenses for v6+ products. In the future, we plan to have a similar portal for home users too. However, that does not mean that we have no control over overuse. Distributors can contact you if overuse is detected and take the appropriate measures if the license has leaked to the public.
-
Detected and blocked by LiveGrid. It's Filecoder.Locky. We'll need to investigate what happened during replication, as it should have been blocked by LiveGrid hours ago. Strange that almost no other big AV vendors detect it yet.
-
It's important to realize that even with the best ad blocker, users won't be 100% safe. For instance, popular websites may get compromised at times and may serve malware, either as an iframe, script or external script, or the attacker will replace an otherwise perfectly legit app like a remote admin tool, torrent client, etc. with a trojanized one which also contains malware besides the legitimate application.
-
It's a one-month-old file; almost no big vendor detects it. Resembles DealPly PUA. Drops a batch file that deletes the exe. The file was passed for further analysis to find out if it's worth detection.
-
Never saw a blank notification window. Do you have the latest v10.1.219 installed?
-
No, this is not possible. Normally the content of quarantine should not exceed dozens of MB. How many files do you have in quarantine? Are they mainly very large files? What threat was found in them?