Everything posted by schuetzdentalCB

  1. Aloha, any idea why ESET Endpoint Security IDS Rules or Network Attack Protection Rules are not working when using an internal hostname? For example: connection to admin shares is blocked when using the IP address... but if I'm using the hostname for this IP it's just allowing it. This can't be right?? It's just not reacting when I'm using a hostname..
  2. @pronto the only thing I can tell you is that the file (06.03.2021 03:37 92.032 owaauth.dll) hasn't been changed (in my environment) since the initial Exchange installation, but yours did. Maybe check that file and also run this scan, which is quite good: https://www.nextron-systems.com/2021/03/06/scan-for-hafnium-exploitation-evidence-with-thor-lite/
  3. Ahh, never mind... figured it out. When Dynamic Threat Defense is uploading a file, it counts the "infected" statistic up... maybe a bug?
  4. Hey, ESET File Security shows me 15 infected files.... but there is nothing inside the ESET Log (Detections).... how is that possible? ESMC is also showing me no infected files. Or does a generic network attack also count as "infected object"?
  5. Thanks, sadly nothing fits my setup in those new patches.
  6. Aloha, is ESET File Security able to detect the CVE-2021-26855 Hafnium exploit? We have an Exchange 2013 CU10 physical which we can't patch to CU23 to install the security patches from MS. So atm we are working with geo-IP blocking and File Security to prevent a hack^^ Also putting it behind VPN is not an option, so not an ideal environment atm... Maybe ESET can detect that kind of attack? I think it will at least find dropped trojans... - For now nothing has happened to the server, no dropped files or logs which would show an attack..
  7. Too early for me... just deactivated the network adapter and it still directly isolates the test client. So it looks like it's working how it should, no waiting for the Protect server needed.
  8. Hi, is it correct that a Client Task which should start a Network Isolation with a Trigger that reacts on Event-Log Criteria is processed directly on the client without waiting for feedback from the ESET Protect Server? - It looks like that for me. (Would be great if I'm right because then I can directly isolate a client which has found malware on it (so in case it still starts ransomware and ESET detects it after a few moments, it can't spread over the network... even if our network system shouldn't be vulnerable to this network spread stuff.. but I like to build some extra protections.. you never know). There are still Excel files out there which are starting an OLE Object and after a few seconds you have some jpg file in AppData and Temp with Trojan Detections. And that would just isolate that one infected system and wouldn't crypt a whole company ^^ Testing: After I download an infected file and unzip it, ESET detects it and just 1 second after, it isolates my test machine (I can see that in the ESET Endpoint Security application). So the event log trigger is processed on the client itself without waiting for ESET Protect info? Or do I have a mistake in thinking?
  9. What I'm doing atm is: HIPS rules which deny any execution from explorer.exe, and then an additional rule which allows explorer.exe to start mspaint.exe, winword.exe, and so on. (Not 100% bulletproof, but a good way to restrict the normal user.) - You can use this for any kind of applications and executions, e.g. restrict starting executables out of a WinRAR archive. - Maybe this helps you.
  10. Include BadUSB prevention like G Data's USB Keyboard Guard. That would be cool. It scans all connected devices and after that, every other/new connected USB device will need to be allowed manually, by user interaction or by the ESET Protect backend.
  11. When restarting a client by sending a restart task, the client is killed without giving the user the chance to save any files. It would be great to extend the restart feature with some kind of "choose the time after which the restart will be executed and show a message box". Atm I just create a "run command" task with shutdown /r /t *time* /c "pc will be restarted in x minutes" running under C:\ but maybe it would be a useful feature for other customers.
  12. Funny thing is, if you remotely install an older Endpoint Security/Antivirus version it's working (for me). - I have the same issue, but with the newest Endpoint Security version.
  13. Maybe something interesting regarding the secure browser feature: trojans with an implemented keylogger function like QuasarRAT can still record input from ESET's secured browser window. - Or maybe I misunderstand this function and it's only protecting against hardware keyloggers?
  14. Hey, just found this new feature in my ESET Security Management Center when editing client policies for ESET Endpoint Security: looks like this feature is not recognized by the clients? Endpoint Security itself doesn't have that menu feature when checking directly on the client. Also there's nothing happening when adding a protected website? Is it some beta stuff?
  15. Hi, why is it that ESET is able to block access to an SMB share and the C$ admin share, but it's not working when using the hostname \\hostname\...? It's not even logging the event when using the hostname instead of the local IP. Also when using a custom IDS rule which says "block admin share access" it's not working. I know I could block it on the remote PC/server side, but I'm just curious about this.
  16. Hey, is anyone having an idea how to use ESET HIPS to prevent Google Chrome from saving .html files to the local hard disk? Most download links, like from WeTransfer, are not using a direct link to the downloadable file like wetransfer.com\dl\sample.html, which could be blocked by Web Control easily. Is HIPS able to work with wildcard paths like *.*.html like the Web Control module? In my tests it wasn't responding to this, so I think no.. Sometimes there are incoming mails with legit WeTransfer or Dropbox download links which then just download a .html file with some stupid phishing content to steal Office 365 login data or whatever. And as the code isn't malicious, it's not detected by the spam filter or ESET (most of those mails are too new to be detected that fast). I don't trust employees who are clicking on everything which looks free or interesting ^^ - On the other hand I can't block every file sharing service... maybe there's a way to use HIPS to stop Chrome from saving a specific file type to the hard drive? Thanks for any ideas
  17. Do you have SSL/TLS filtering enabled? And on the same policy page, is the "add root cert to browser" function enabled? I think ESET needs to work with its own browser cert to decrypt browsed HTTPS pages.
  18. No idea? - Already tried to reinstall the whole ESLC appliance, but still 122 pending updates with the same error after a few seconds.
  19. Hi, already googled it but can't find any real answer to my problem. As there is no SSH available in ESET Shared Local Cache I can't do anything. Attached please find a screenshot with the error. Already checked: the firewall is not blocking update servers/repos, internet access is working fine on the machine, mounted the VMware Tools .iso over vSphere to the machine because of the error message but that did not change anything. The update task from ESMC is also not working. Best regards, maybe anyone knows how to fix this or I re-install the VM. Christian
  20. Today ESET marked the same file, which looks like something from a Microsoft update, as a trojan on 3 PCs. - Maybe someone can tell me something about this? Looks like a false positive to me. Threat name: XML/Runner.M Hash: B885CB1F1F93D57B56F07EF5789AECA4CA170336 file:///C:/Windows/servicing/LCU/Package_for_RollupFix~31bf3856ad364e35~amd64~~18362.535.1.6/amd64_microsoft-onecore d..ectxdatabaseupdater_31bf3856ad364e35_10.0.18362.387_none_8b2d87237c70998c.manifest THX
  21. Hi, just a short question. If ESET Endpoint with activated EDTD is configured like above, is it really blocking .exe, .bat, and so on until it's analyzed by EDTD? In my test with an unknown file I was still able to execute it after download over the Chrome browser (EDTD was still checking the file online at this moment). - What is ESET doing to prevent a user from running an unknown file? Changing NTFS permissions or something like this?