Marcos
-
Posts
37,941 -
Joined
-
Last visited
-
Days Won
1,504
Posts posted by Marcos
-
-
6 hours ago, Techindia said:
any update
It's your turn now. We received an email from you (a.........m@gmail.com) yesterday at 19:26 CEST and replied at 19:36, ie. 10 minutes after. Got no further emails from your address since.
-
Does disabling QUIC protocol in Chrome help?
-
We've received just one email that was replied about 20 minutes ago.
-
Not sure what you mean by file type since you have to copy the license key (ie. the string in the form BXXX-XXXX-XXXX-XXXX-XXXS) to clipboard and paste it into the activation window as shown above.
-
No, it was disabled. ESET had recognized the ransomware for at least one month when it was run on your machine which would not have been possible with real-time protection enabled.
Please provide the files and logs we requested from you at samples[at]eset.com and communicate with us primarily there please.
-
Didn't find any issues with the license. Did you enter the license key BXXX-XXXX-XXXX-XXXX-XXXS (characters replaced with X) in this window? If the date of expiration doesn't update immediately, try rebooting the machine. The product checks for license updates via DNS queries in a 5 min. interval.
-
A result of analysis was sent to your email address with a request for additional files and logs. Obviously the ransomware has been recognized by ESET for a month at least, maybe even longer with all the protection features taken into account.
The logs revealed that real-time protection must have been disabled at the time when the ransomware was run. Further logs should show if an RDP attack has been performed recently.
Last but not least, there's a good chance that decryption will be possible.
-
As far as I know, it was mainly active users in the forum who were primarily invited to the Insider program to participate on testing. @Peter Randziak should know best.
And yes, advanced machine learning will be supported and configurable in the final v13.
-
Firstly, this forum is not meant to be a channel for disputing detections or blocks.
Secondly, we're not going to play that game. There are numerous legitimate websites that got hacked and had a link to similar websites injected without the knowledge of the owner of the website and hidden by a malicious javascript.
Also a link to it was added as a comment to blogs and articles that were not moderated and protected against spamming, e.g. like this one about mobile phones written in Czech with various English spam in comments:
-
It works with v13 beta:
-
Please provide the public license ID (PLID) of your license so that I can look it up on files. You can post it publicly here, PLID cannot be misused for activation by others and it serves for identification purposes. I was unable to find any license registered to your forum's registration email address so it must be a different one.
-
Files were encrypted by Filecoder.Ouroboros. If you have an ESET license purchased, please collect logs with ESET Log Collector and email the generated archive along with the following stuff to samples[at]eset.com:
- a pair of an encrypted an unencrypted file
- the ransomware note with payment instructions
- the ransomware itself -
Do you want to replace the license key used for activation directly in ESET's File Security or Mail Security gui? Normally no action should be required after renewing a license and your existing license key is should be extended by another year or two.
-
I've entered your registration email address in the form https://www.eset.com/int/support/lost-license/.
Please check your email.
-
We'll need additional logs. Please carry on as follows:
- Disable Self-Defense
- Restart the machine
-
Enable heap tracing for ekrn:
wpr -HeapTracingConfig ekrn.exe enable - Restart the machine
-
Start tracing:
wpr -start Heap -filemode - Wait until the issue is replicated, ekrn memory usage should get above 200MB
-
Stop tracing:
wpr -stop heap_trace.etl
Please provide the generated log heap_trace.etl and disable tracing as follows:
- wpr -HeapTracingConfig ekrn.exe disable
- Enable Self-Defense
- Restart the machine
-
That is not the log C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs\trace.log. Also please check status.html in that folder.
-
What exactly did you do? Do you see the agent connecting to the ESMC server? Did you send a software install task to clients? Any errors in the agent trace.log on clients?
-
Did you attempt to install Agent or you sent a software install task to clients with agent already installed?
As for deploying agent, use a GPO for that in a domain. You can also use the Remote Deployment Tool as per https://help.eset.com/esmc_smb/70/en-US/deployment_tool.html.
-
Please read this before you post
Do not report blocked websites
After cleaning a website from malware and taking measures to prevent further re-infection, request a re-check as per the instructions in the FAQ. This forum does not serve as a channel for requesting website re-check or disputing blocks or detections.In your case, removing references to deloplen.com should sort it. Having said that, we'll draw this topic to a close.
-
You can run a scan via the context menu on a group of machines:
Or you can schedule a regular on-demand scan via a policy assigned to the desired group(s):
-
That's weird because egui_proxy is just a simple gui for basic interactions and operations accessible from the tray icon menu. For other operations it launches the main egui.exe. The only process that can affect other programs is ekrn.exe.
It's possible that a complete memory dump from a manual crash when the issue occurs will be needed for analysis. Please raise a support ticket with your local customer care.
As for protocol filtering, you can find the setting here:
-
EFSW doesn't contain a firewall, hence it can't block RDP communication. Do you have KB2664888 installed?
Does temporarily disabling protocol filtering make a difference?
-
No problem here with v12.2.23:
Is eicar detected when you attempt to download it from https://secure.eicar.org/eicar_com.zip?
-
I've tested it and it worked. Moreover, nobody else has reported issues with sound signals either. You can try creating a Procmon log from scanning a single file and I'll check it out then.
unable stop virus
in Malware Finding and Cleaning
Posted
ECLS Command-line scanner, version 7.0.2097.0, (C) 1992-2018 ESET, spol. s r.o.
Module scanner, version 19940 (20190830), build 42596
Scan started at: Wed Sep 11 12:46:06 2019
name="975f6d0b2b10f2e77fc9e98adf12e4c40946398b", threat="a variant of Win32/Filecoder.NXE trojan", action=""
Don't wonder about the difference in name; the Filecoder has been renamed just recently and it was given a more friendly name.
Still between Aug 30 when a detection was added for that particular variant (not taking into account Ransomware shield and other proactive protection techniques) and Sept 10 when the ransomware was executed there was plenty of time.
Checking the event logs revealed that update was failing with "unauthorized access" error (probably due to invalid license) since Aug 12 until Sept 10 and that appears to have been the main cause of the infection. The problem with license also caused LiveGrid not to work and Ransomware shield didn't work either because of missing data from LiveGrid.
I'm still waiting for logs to find out if there was also an RDP attack at that time.