
Marcos

Administrators

Posts posted by Marcos


  1. Amsi.dll is a system dll whose purpose is to load AMSI providers. There is no relation between it and Windows Defender.

    What we do is we register an AMSI provider and that's it. The operating system itself decides when and what processes the provider will be loaded into. Despite the eamsi.dll being signed with a MS signature, it cannot be loaded into all processes; svchost.exe seems to be one of the exceptions and the OS protects it from any 3rd party dll being loaded into it regardless of signatures.

    Please do not compare Windows Defender with 3rd party AVs. Since it's a product of Microsoft, they can do virtually anything. But once they block any 3rd party dlls, other AV vendors cannot do anything about it. I will test some other AVs with AMSI providers as time allows.
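An added defender-side check, not code from the forum post or from ESET: it lists the AMSI providers registered on a machine and verifies the Authenticode signature of each provider DLL. It assumes the standard registration layout, where HKLM\SOFTWARE\Microsoft\AMSI\Providers holds one subkey per provider CLSID and that CLSID's InprocServer32 default value names the DLL.

```powershell
# Added example (not from the forum post): enumerate registered AMSI providers and
# check each provider DLL's Authenticode signature. Run from an elevated PowerShell.
# Assumed layout: HKLM\SOFTWARE\Microsoft\AMSI\Providers\{CLSID}  ->
#                 HKLM\SOFTWARE\Classes\CLSID\{CLSID}\InprocServer32 (default) = DLL path
$providersKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'

if (-not (Test-Path $providersKey)) {
    Write-Output 'No AMSI providers are registered on this machine.'
    return
}

Get-ChildItem -Path $providersKey | ForEach-Object {
    $clsid    = $_.PSChildName                                # e.g. {GUID}
    $clsidKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"

    # Friendly name of the COM class and the DLL that implements it
    $name = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
    $dll  = (Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'

    # Only signed DLLs should be registered as providers; flag anything else
    $sig = $null
    if ($dll -and (Test-Path $dll)) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
    }

    [PSCustomObject]@{
        CLSID     = $clsid
        Name      = $name
        Dll       = $dll
        Signature = if ($sig) { $sig.Status } else { 'file not found' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
} | Format-Table -AutoSize
```

A provider whose Signature column is anything other than Valid, or whose DLL path points outside Program Files or System32, is worth investigating.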


  2. Module updates are very small, typically below 1 MB/day per client. My understanding is that clients in your LAN are supposed to update from ESET's servers through a proxy that caches update files (i.e. not from a local mirror), while clients outside the LAN are supposed to update directly from ESET's update servers. If that's correct, then the proxy server is configured neither under Tools -> Proxy server nor in the primary "My profile" update profile.


  3. Looks like a fatal problem with the installation. No drivers nor ekrn are running. Please remove ESET in safe mode as per https://support.eset.com/en/kb2289-uninstall-eset-manually-using-the-eset-uninstaller-tool. Then install Endpoint manually and generate install logs as per https://support.eset.com/en/kb406-how-do-i-generate-an-installation-error-log-for-windows-eset-products. If the installation fails, please provide the install logs.


  4. Unfortunately I have no clue where the problem lies. Edge has only the uBlock Origin extension installed, which is fine. There are quite a few applications installed; it's hard to say if any of them could modify HTTP communication. The logs didn't reveal anything suspicious. I can only suggest trying to replace the DNS servers 202.88.152.8 and 202.88.152.10 with Google's DNS 8.8.8.8 and 8.8.4.4.

    Is the malware detected even in safe mode with networking?


  5. Could you please change the dump to "complete" in the adv. setup -> tools -> diagnostics and click "Create" when the memory consumption by ekrn reaches approx. 1 GB?

    After generating the dump, collect logs with ELC, upload the generated archive to a safe location and drop me a pm with a download link.


  6. Do you get the detection as soon as you open in.forum.ivao.aero or site.aace.org in Firefox? Does it make a difference if you open it in Chrome or Edge? If you have more computers in the network connected via the same router, are you able to reproduce it on every machine? Please check the DNS settings of your router to make sure it's not configured to use a malicious DNS server.


  7. Please enable advanced operating system logging in the adv. setup -> Tools -> Diagnostics. Also change the memory dump type to Complete. Change the update type from regular to pre-release in the adv. update setup and wait a bit until the issue starts manifesting. Leave logging enabled for a few minutes, then disable advanced OS logging. While the issue is still manifesting, create a dump of ekrn via the adv. setup -> tools -> diagnostics -> Create (dump).

    Finally collect logs with ESET Log Collector, upload the generated archive to a safe location and drop me a personal message with a download link.
