stackz

ESET Insiders
Everything posted by stackz

  1. The loader and xworm payload are contained in the batch file. The payload is an encoded resource of the loader. If it's not executed as administrator, or is run in a virtual environment or thinks it's being debugged/analyzed, the loader will exit. If there were no other detections outside of the batch files, then I doubt infection took place. If your 'C' drive wasn't added as an exclusion in Defender, then the loader likely exited without infecting.
  2. The final payload is xworm 5.2 - https://www.virustotal.com/gui/file/e5c423b29909bed8ab996d2f73db11e1e72d84a6ace0ba73feb1411764259d50?nocache=1 If Windows Defender is used, then the "C" drive is added as an exclusion. Like all RATs there's potentially passwords stolen and information from the clipboard. There should be a scheduled task (OneNote 71730) and shell:startup entry. This is the loader for the above file: https://www.virustotal.com/gui/file/7d5742c543a7f6412985e3ac832204931be7e1e20ca600e7434b534bbbc1e3a9
  3. Re 77E5E64742EF85E2DD5F05C7571A98D0C6583346 - Time;Scanner;Object type;Object;Detection;Action;User;Information;Hash;First seen here 3/07/2023 9:58:53 AM;Real-time file system protection;file;D:\Downloads\77E5E64742EF85E2DD5F05C7571A98D0C6583346.bat;PowerShell/Kryptik.FU trojan;cleaned by deleting;;Event occurred on a new file created by the application: C:\Program Files\7-Zip\7zFM.exe (6F47DBFD6FF36DF7BA581A4CEF024DA527DC3046).;77E5E64742EF85E2DD5F05C7571A98D0C6583346;3/07/2023 9:58:45 AM
  4. I can reproduce this. When you go to the VT page you are actually landing on the behavior page and ESET is picking up on some of the displayed Powershell script parts. See example pics below. So essentially there's no live malware to get infected from. At VT: In cache:
  5. By removing the zeros, you've turned all those executables into binary junk that doesn't even run. That some AVs detect these things shows that those AVs are not very good (to put it nicely).
  6. That entry is a leftover from a removed app that was located in one of the Program Files folders. Download Autoruns: https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns Extract Autoruns64.exe and right click, run as administrator. Accept the EULA. When it finishes scanning, select the Logon tab; the entry will be highlighted in yellow. Right click on the entry and delete it.
  7. I assume it's a false positive as none of the app files are detected. https://github.com/winsiderss/si-builds/releases/download/3.0.6226/systeminformer-3.0.6226-setup.exe Real-time file system protection; file;D:\Downloads\systeminformer-setup.exe; Suspicious Object; cleaned by deleting; Event occurred on a new file created by the application: C:\Windows\explorer.exe (B2F6AB62DD429F078FBA2B7B42E88B51BD98EA3A).;B7C44AFD35ABFFC7292560E5CB4EB2219EE21EF3;
  8. It's where you were instructed in this post: https://answers.microsoft.com/message/d469b249-d6f3-4cda-a151-64d0b504aa12?threadId=313c4bbd-2faf-4689-a7be-ed56289563c9 Right click the tray icon and select Advanced setup. Web and email > Email client protection > Toggle off 'Integrate into Microsoft Outlook' or
  9. Setup.exe rebuilt - https://www.virustotal.com/gui/file/a188e096c0f19e43d979132e16ec6f4499cac50d777e1de65d7a4ad777c897de/detection
  10. It's definitely not ESET. The ID 1108 entries persist with ESET removed.
  11. I just rebooted my system to look after reading this thread. I have a run of 1108 logged as audit success from early in boot, right after lsass starting and the auditing subsystem initialization. Here's the OP's screenshot translated
  12. OK, I'm not particularly concerned, just it used to always populate automatically with all the apps that connected via SSL.
  13. The SSL/TLS filtered applications list is not populating. SSL scanning seems to be working. Have tried clean reinstalling twice with the same result. Is anyone else seeing the same?
  14. It's just Chrome preloading links from the search results. I get the same thing happen when Google searching the same address with MS Edge.
  15. blendjets.su is serving up malware in the form of a fake Blender download. I emailed samples@eset.com over the weekend without response so far.
  16. Rebuild the performance counters: https://docs.microsoft.com/en-us/troubleshoot/windows-server/performance/manually-rebuild-performance-counters Create a new data collector set by running performance monitor. The process is similar to the following guide, just select all the GPU related performance counters. https://help.tableau.com/current/server/en-us/perf_collect_perfmon.htm I don't believe this problem has anything to do with ESET, as the problem is affecting a far wider audience. Doing the above procedure worked for me.
  17. It just seems rather ridiculous that if I have, for example, C:\1\2\3\protected_file.txt and I make a rule to prevent modification of any file in 3, I also need to make a similar rule for 1 and 2 in case either 1 or 2 gets renamed.
  18. Just tested and confirmed. This is a real show stopper.
  19. I've received no Detection Engine module update since 24387. Things I've tried: - Cleared update cache many times - Switched from pre-release to regular update - Switched back to pre-release. Attached a pcap trace of an update attempt. trace.zip