About schuetzdentalCB

  1. Aloha, any idea why ESET Endpoint Security IDS Rules or Network Attack Protection Rules are not working when using an internal hostname? For example: Connection to Admin Shares is blocked when using the IP address...but if I'm using the hostname for this IP it's just allowing it. This can't be right?? It's just not reacting when I'm using a hostname..
  2. @pronto The only thing I can tell you is that the file: 06.03.2021 03:37 92.032 owaauth.dll hasn't been changed (in my environment) since the initial Exchange installation, but yours did. Maybe you check that file and also run this scan, which is quite good: https://www.nextron-systems.com/2021/03/06/scan-for-hafnium-exploitation-evidence-with-thor-lite/
  3. Ahh, never mind...figured it out. When Dynamic Threat Defense is uploading a file, it's counting the "infected" statistic up...maybe a bug?
  4. Hey, ESET Filesecurity shows me 15 infected files.... but there is nothing inside the ESET Log (Detections)....how is that possible? ESMC is also showing me no infected files. Or does a network generic attack also count as an "infected object"?
  5. Thanks, sadly nothing fits my setup in those new patches
  6. Aloha, is ESET Filesecurity able to detect the CVE-2021-26855 Hafnium exploit? We have a physical Exchange 2013 CU10 which we can't patch to CU23 to install the security patches from MS. So atm we are working with geo-IP blocking and Filesecurity to prevent a hack^^ Also, putting it behind VPN is not an option, so not an ideal environment atm... Maybe ESET can detect that kind of attack? I think it will at least find dropped trojans... - for now nothing has happened to the server, no dropped files or logs which would show an attack..
  7. Too early for me...just deactivated the network adapter and it still directly isolates the test client. So it looks like it's working how it should, no waiting for the Protect server needed
  8. Hi, is it correct that a Client Task which should start a Network Isolation with a Trigger that reacts on Event-Log Criteria is processed directly on the client without waiting for feedback from the ESET Protect Server? - It looks like that to me. (Would be great if I'm right, because then I can directly isolate a client which has found malware on it, so in case it still starts ransomware and ESET detects it after a few moments, it can't spread over the network...even if our network system shouldn't be vulnerable to this network spread stuff.. but I like to build some extra protections..you never know.) There are still Excel files out there which are starting an OLE Object and after a few seconds you have some jpg file in AppData and Temp with Trojan Detections. And that would just isolate that one infected system and wouldn't crypt a whole company ^^ Testing: After I download an infected file and unzip it, ESET detects it and just 1 second after, it isolates my test machine (I can see that in the ESET Endpoint Security application). So the event log trigger is processed on the client itself without waiting for ESET Protect info? Or do I have a mistake in thinking?
  9. What I'm doing atm is: HIPS Rules which are denying any execution from explorer.exe and then an additional rule which allows explorer.exe to start mspaint.exe, winword.exe, and so on (not 100% bulletproof, but a good way to restrict the normal user). You can use this for any kind of applications and executions, e.g. restrict starting executables out of a WinRAR archive. Maybe this helps you.
  10. Include BadUSB Prevention like G Data's USB Keyboard Guard. That would be cool. It scans all connected devices and after that, every other/new connected USB device will need to be allowed manually, by user interaction or by the ESET Protect backend.
  11. When restarting a Client by sending a restart task, the client is killed without giving the client the chance to save any files. Would be great to extend the restart feature with some kind of "choose time after which the restart will be executed and show a message box". Atm I just create a "run command" task with shutdown /r /t *time* /c "pc will be restarted in x minutes" running under C:\ but maybe it would be a useful feature for other customers.
  12. Funny thing is, if you remotely install an older Endpoint Security/Antivirus version, it's working (for me). I have the same issue, but with the newest Endpoint Security version.
  13. Maybe something interesting regarding the secure browser feature: Trojans with an implemented keylogger function like the QuasarRAT can still record input from ESET's secured browser window. - Or maybe I misunderstand this function and it's only protecting against hardware keyloggers?