Carl S

  1. Re: 3, I don't have the management agent installed on that computer yet. Do I need to install that first? Seems like just to see it in the list I wouldn't have to do that. I saw all my other items like network printers and bridge routers as "Rogue" at first. Seems like it should at least find it even if it isn't in there. But regardless, if I just go to the server itself and install the management software, it should make it start showing up? Ours is supposed to be "Advanced" so, I think it's supposed to include the server(s).
  2. Absolutely. For now, I'm holding off on any more changes until Marcos posts again to the thread. One of my main concerns was that the logs said ESET was cleaning by deleting repeatedly over several days, but clearly it was either not deleting or something was putting it back. For now, though, it's gone 16 hours or so without being re-detected and it is still not in the registry since manually removing it yesterday.
  3. We have EES installed on all the client desktop machines, but also have servers running. Read this: https://support.eset.com/en/kb2299-which-eset-security-solution-should-i-install-on-a-server
     1) One server has Exchange on it, but it is not our primary Exchange (which we have moved to Office 365 in the cloud); it is our old Exchange, on which we have no new mail coming in, but which we occasionally need to connect to because it does have some old emails we need to retrieve on occasion for legacy reasons. It also has a SQL server instance on it. Is the Mail Security for Exchange Server still the option?
     2) The other server has IIS and acts as a file server. I am assuming the ESET File Security for Windows Server is appropriate for it. That is the machine I currently have ESMC installed on.
     3) I do not see the first server in the list of computers in ESMC. So, I tried to manually add it by clicking Add New at the bottom of the computer listing in ESMC, and I get the message: "Some issues occurred during adding computers. FAIL> XXXXX.XX.local (Duplicity on server)"
  4. Hi Marcos, here is the attachment. I removed the value of the authHost line. But other than that, everything else is the same. FWIW, I have no new detections since the 4th. 10485-baker01-ees_logs.zip
  5. I was thinking that myself; even though I'm not all that familiar with the registry, it was clear the PowerShell string was pointing to that other registry item.
  6. Marcos, I re-ran the collector on a whim, and this time, it worked. I now have the zip file ready.
  7. Am I deleting the whole key / value pair or the value and leaving the key?
  8. Hmm. I get a message from the Log Collector that says "An error occurred during collection of files. See the log for more info."
  9. Working on this. I killed off the ESET agent accidentally, while trying to uninstall the competitor's product that wasn't successfully uninstalled before installing the ESET agent. Now up and running again, and will get the logs. (Ok, it's collecting right now) It's been years since I've submitted this type of log, so remind me, do I attach them to the post, or send them in some other way? Seems like they may have some confidential stuff.
  10. The suspicious part seems to be: key: authHost value: rundll32 shell32.dll,ShellExec_RunDLL "cmd" /c start /min powershell iex([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty 'HKCU:\Software\AppDataLow\Software\Microsoft\D4062752-23C4-26DB-4D48-07BAD1FC2B8E').Auxibrkr))
  11. OK, found it by navigating to it. Could not get search to work. In the meantime, I have ESET client issues on that machine, probably due to my own fault.
  12. Duh, didn't catch that, I just cut and pasted. Thanks.
  13. When I search for that key I don't find it in regedit.
  14. This keeps showing up in the registry on one of our client machines, flagged by the Registry scanner (Detection engine 20939 (20200303)): Hash 8ECE3FFE602D59D1E38F9506F5DA1FC280AADAF8 \REGISTRY\USER\S-1-5-21-3146671537-2346468688-2395455220-1182\Software\Microsoft\Windows\CurrentVersion\Run. ESMC says that it was "cleaned by deleting," but then it shows up a few hours later. Is there some way to identify a process that is reinserting this? Or what else should I do next?
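One way to work the question in posts 10 and 14 above (what keeps re-creating the Run value, and what that value points at), as an added example that is not code from the thread or from ESET: a read-only PowerShell audit that flags Run values in every loaded user hive matching the rundll32/ShellExec_RunDLL -> powershell iex(Get-ItemProperty ...) pattern, and, assuming Sysmon is installed with registry value-set logging (Event ID 13) covering the Run key, lists which process wrote to a Run value recently.

```powershell
# Added example, not code from the thread or from ESET. Read-only audit of the
# persistence chain quoted above: a Run value ("authHost") launching rundll32
# shell32.dll,ShellExec_RunDLL -> powershell iex(...) that reads its real payload
# from a second registry value. Run elevated to see every hive under HKEY_USERS.
$runSubKey  = 'Software\Microsoft\Windows\CurrentVersion\Run'
$indicators = @(
    'ShellExec_RunDLL',                 # rundll32 used as a generic launcher
    '\b(iex|Invoke-Expression)\b',      # executing a decoded string
    'Get-ItemProperty',                 # payload staged in another registry value
    'AppDataLow\\Software\\Microsoft'   # staging path from the detection above
)
# Returns one object per Run value (in any loaded user hive) matching an indicator.
function Get-SuspiciousRunValues {
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $key = Get-Item -Path "Registry::$($hive.Name)\$runSubKey" -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            $hits = @($indicators | Where-Object { $data -match $_ })
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    Sid     = $hive.PSChildName   # the S-1-5-21-... user from the alert
                    Name    = $name
                    Data    = $data
                    Matched = ($hits -join ', ')
                }
            }
        }
    }
}

# Answers "what is putting it back": Sysmon Event ID 13 (RegistryEvent, value set)
# records the writing process. Assumes Sysmon is installed with a rule covering
# CurrentVersion\Run; without it there is nothing to query.
function Get-RunValueWriters {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'CurrentVersion\\Run\\' } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Image   = $(if ($_.Message -match 'Image: (.+)') { $Matches[1].Trim() })
                Target  = $(if ($_.Message -match 'TargetObject: (.+)') { $Matches[1].Trim() })
                Details = $(if ($_.Message -match 'Details: (.+)') { $Matches[1].Trim() })
            }
        }
}
Get-SuspiciousRunValues | Format-List
Get-RunValueWriters -Hours 48 | Format-Table -AutoSize
```

The Image column of the second report is the process to investigate; the AppDataLow value that the Run entry reads from should be reviewed and removed together with the Run value, since deleting only the launcher leaves the staged payload in place.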
  15. After fifteen years of using various versions of ESET NOD32 on my home computers and small offices, I have been trying to use it to replace our previous solution at the office. Today, after having a computer that got rolled back before the install of the ESET endpoint client on 2/27 due to becoming unresponsive, I now see that client computer twice in the list with two different names. Not totally sure which is the new one and which is the old instance. I decided what needs to happen is that one of them needs to be removed from the ESMC. Is that right? In the ESMC, when I click on it and choose delete, it tells me there are three steps that must be completed: 1) Reset Endpoint Settings, 2) Stop computer management, 3) Remove computer from database. Since I didn't do 1 and 2 before reverting it, what should I do? If I send the instructions to the phantom one, will it affect the new one with the same IP but a slightly different name? None of these instructions seem to really make sense in light of the situation I find myself in. I realize I might have done this differently, but I wasn't thinking of the impact this might have had on ESET when I was rolling it back.