
Marcos

Administrators
Everything posted by Marcos

  1. ESET should display an alert some time after the reboot which is the sign that you can stop logging and save the Procmon boot log. Provide fresh ELC logs then as well so that I can check the PID of the right svchost process.
  2. Looks like logging to the Procmon boot log was stopped before the malware was detected, correct? You should stop logging after the detection, otherwise the malicious file won't be logged.
  3. Please check C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs\status.html and trace.log on the client for possible errors.
  4. You can upload it to a file sharing service, e.g. wetransfer.com and drop me a message with a download link.
  5. The Procmon log is not from a boot. Please refer to the section https://support.eset.com/kb6308/#boot logs Also upload logs collected with ESET Log Collector please.
  6. According to https://support.eset.com/kb37/, ESET Cyber Security Pro 6.8 and ESET Cyber Security 6.8 are compatible with Catalina. Do you have the latest version of ECS installed?
  7. You have a rootkit in your system that hides away from the OS and other applications, including AVs. Please provide: - Logs collected with ESET Log Collector - a Procmon boot log (https://support.eset.com/kb6308/)
  8. 1. Try running a full disk scan with ESET Online Scanner to rule out possible malware infection. 2. Collect logs with ESET Log Collector and upload the generated archive here. I'd also suggest opening a support ticket with your local customer care so that the issue is tracked and dealt with properly.
  9. And most importantly - back up, back up, back up. By doing so you will protect your data even against sudden hardware failures.
  10. In the first place, you should secure RDP. Ideally allow it only in your LAN and for connections from outside use VPN or RDP with 2FA. Also I'd recommend enabling the account lockout policy. As for ESET, you can harden settings by enabling detection of potentially unsafe applications and protecting settings with a password. You can also enforce default real-time protection settings by a policy so that the settings cannot be changed locally on clients by users.
  11. Phobos is typically run by attackers after brute-forcing RDP, logging in as a user with administrator rights and disabling or killing antivirus. In order to investigate what happened and to provide you with a list of things to harden the system against such attacks, please email samples[at]eset.com the following: - a handful of encrypted files (ideally Office documents) - the ransomware note with payment instructions - logs collected with ESET Log Collector.
  12. It's normal, the service runs in the Network Services account by default:
  13. All detections come from EdgeTransport.exe, i.e., it's malware detected in spammed email that was cleaned / removed by ESET.
  14. To start off, please collect logs with ESET Log Collector and upload the generated archive here. I'll need to check files with the hashes that were detected as ML/Augur.
  15. Do you have the importance level of OS updates set to recommended, important or critical updates? If set to "optional", try selecting the more important ones:
  16. I'd suggest raising a support ticket with your local customer care since the issue seems to be completely different than the one discussed in this topic. Most likely a complete memory dump from the point when the issue is manifesting will be needed. Instructions for generating a complete memory dump are available at https://support.eset.com/kb380/. You can also drop me a message with a link to the dump when ready so that we at ESET HQ can analyze it as soon as possible.
  17. Massive encryption activities themselves are not enough for recognition of ransomware since encryption per se is not a bad thing and is often used for legit reasons. An example could be moving files to a password encrypted archive. Although it's not very common, the action itself is not malicious if carried out with the knowledge of the user. Anyways, we'll check what conditions were not fulfilled in order for RS to trigger detection.
  18. What version of the Configuration Engine module do you have?
  19. Unfortunately, the detection created by an automated system was removed during a purge of simple automated detections in 2018 after 2 years of no detection of the malware from 2016. We've created a smart generic detection for it and the file is already blocked.
  20. Correct. If you are unable to contact the seller, it sounds weird. When purchasing a license, purchase from an authorized distributor or reseller so that you don't buy a leaked license that will be canceled.
  21. The public license ID doesn't exist. You'll need to contact the seller from whom you purchased the license and provide them a proof of purchase, e.g. a receipt if you purchased a retail version in a store.
  22. Does temporarily pausing web access protection make a difference? If not, what about temporarily disabling protocol filtering for a test?
  23. You must have purchased your license somewhere in the past. Where was it? Do you have any confirmation email sent after purchase? If not, you should contact the seller from whom you purchased your license.
  24. First of all, please install ESET Internet Security, activate a trial license and run a full disk scan. ESET Online Scanner performs only an on-demand scan of disks and cannot actively protect your system and prevent it from being infected by malware.
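The RDP hardening advice in item 10 (allow RDP only from the LAN, enable an account lockout policy) and the Phobos intrusion pattern in item 11 (RDP brute force, then logon as an administrator) can be turned into a concrete audit-and-harden script. The following is an added example, not code from Marcos, the forum or ESET; it assumes a domain-less Windows host run as Administrator, and the lockout thresholds (5 attempts, 30 minutes) are assumed values chosen for illustration, not ESET's recommendation.

```powershell
# Added example (not from the original post): audit and harden RDP exposure on a
# Windows host. Run in an elevated PowerShell. Thresholds below are assumptions.
$ErrorActionPreference = 'Stop'
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# 1. Current state: is RDP enabled, and is Network Level Authentication required?
$rdpDenied = (Get-ItemProperty $ts).fDenyTSConnections
$nla       = (Get-ItemProperty "$ts\WinStations\RDP-Tcp").UserAuthentication
Write-Host "RDP enabled: $($rdpDenied -eq 0); NLA required: $($nla -eq 1)"

# 2. Require NLA so credentials are checked before a session is created.
Set-ItemProperty "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1

# 3. Restrict the built-in inbound Remote Desktop rules to the local subnet.
#    Anything from outside should arrive over VPN instead (item 10).
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress 'LocalSubnet' -Enabled True

# 4. Account lockout policy: 5 failed logons lock the account for 30 minutes;
#    the failure counter resets after 30 minutes (assumed values).
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 5. Verify: what listens on 3389 and what the RDP rules now allow.
Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# 6. Is brute forcing already under way? Count failed logons (event 4625) in
#    the last 24 hours by source IP. RDP failures show as logon type 10, or as
#    type 3 when NLA rejects the credentials before the session starts.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625;
                                 StartTime = (Get-Date).AddDays(-1) } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        $xml.Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data.LogonType -in @('3', '10')) { $data.IpAddress }
    } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10
```

Step 6 is the check a practitioner wants before assuming the host is clean: a long tail of 4625 events from a single external address means the brute force described in item 11 has been running, and the accounts involved should be assumed compromised until the logon history is reviewed.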