jdashn

Everything posted by jdashn

  1. I wonder if something can be done with HIPS rules to prevent the exploit, similar to the ACL (deny System modify on the spooler/drivers folder) workaround that is being suggested?
  2. I just wonder why a virus would be content with making your mouse movements difficult, when data/creds exfiltration and ransomware would typically be the goal. I'd also imagine notifying you of infection via mouse difficulties would be the last thing the attacker would want? I wonder if there is a simpler solution? Occam's razor and all? Maybe you've got a bad mouse driver that only fails when loading up Windows vs. Linux? Would there be software by the hardware manufacturer that might be adjusting BIOS settings in Windows (I know I've seen tools from HP and Dell in enterprise environments that'll do that, maybe they're shipping them in home versions now too) for you? Have you attempted updating/reinstalling the BIOS? Have you attempted using different hardware? I know you're looking for an AV-based solution, but while you've selected the hammer, I don't think your issue is a nail. Jdashn
  3. I'd personally say that the weaponized portion is the cryptocurrency that allows for 'trace-free' payment. If law enforcement could 'follow the money' there would at least be some risk when that person tried to redeem the gift card or money order, etc. With crypto there is no risk of being caught when you collect your funds, so ransomware can flourish. Money mules aren't caught, they don't snitch up the line, so ransomware gangs and nation-states can increase the size of their bankrolls, allowing them to purchase and find more and more (and more sophisticated) zero-days and other hacks (again using untraceable cryptocurrency). If crypto didn't represent a potentially HUGE investment opportunity for the wealthy (and more people realized its direct correlation to ransomware), it'd already be dismantled and illegal. I wonder what percentage of cryptocurrency was originally purchased as payment for ransom, how that has affected its price, and how many people were made millionaires or more on the backs of that ransom (purchases of crypto result in that crypto's price rising)?
  4. Awesome!! Thanks a ton to both of you for your quick replies!
  5. As of this morning I'm getting a lot of alerts across the organization for: hxxp://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR+5mrncpqz/PiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7/Oo7KECEgRY8NzrWAjZ4J4grl19QqsePQ= For each alert the last bit of the address changes, but this part is the same: hxxp://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR+5mrncpqz/PiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7/Oo7KECEg They all also have a target address of: 104.91.166.211. Just wondering if there is more information on this, what might be causing it, if this is an indicator of a primary infection, etc. Thank you!! Jdashn
  6. Just to be clear, it's still only Ubuntu and Red Hat you support for version 7, right? Are there plans to expand this, or should we look for another solution for AV on Linux (Fedora, SUSE, etc.)? Thanks!!
  7. Maybe you misunderstood my comment? I said that I wished ESET had our backs on this like they did for EternalBlue. Not that the vulnerability is similar; obviously SMB1 is different from this CryptoAPI vulnerability, also different from Apache Struts for that matter. All three have been patched to varying degrees by their respective software vendors, and all three exploit very different things. I was asking if ESET would block and alert on attempts to exploit the CryptoAPI vulnerability (as they do with attempts to exploit EternalBlue, Apache Struts, etc., etc.), mostly so I can tell our decision makers that not only are we patched, and our Check Point firewall will block the attacks, but ESET has our backs as well. If not, and our only layers of defense are our firewall (it will alert on attempts at CryptoAPI spoofing) and the patching of Windows (there is also an event triggered on exploit attempt here), so be it. I was just asking if we had a 3rd layer of protection in ESET on this particular vulnerability. Is this something you know the answer to @itman, or is this a better question for @Marcos? Thanks!
  8. Would have hoped I could tell our decision makers that not only have we patched, but ESET would also have our backs on this (similar to EternalBlue, etc.). Seems this is not the case judging from @Marcos's comment? Just want to be sure, would hate to sell ESET short.
  9. I am guessing there are parts of what is in pre-release that are more complex to test, and could have further-reaching impact than the exclusion of a port from scanning. Which would be why they've not released this 'fix', as it's a part of a larger update package that is still being tested. I wonder, though, if this piece could be released to the general codebase before the testing on the rest of the 'update' is completed. I would guess that you're just going to be doing the exclusion of the ports from scanning on the back end, so pretty simple to test and know is working. Is this maybe one of those cases where Dev and Testing don't know that this part of the update is turning away home-use customers, and causing a lot of consternation among the client base (likely a TON more than what you see here; we all know in support you only ever get 1% of complaints via forums or email, it's easier to buy a new product than complain)? Heck, maybe if Dev and Testing knew they'd be able to make this available for release, but I can't see that with a fully functional forum like this the moderators here aren't regularly working with dev/test and letting them know of the daily buzz on the forums (heck, a few might even have accounts and read?). I'd imagine that releasing a portion of an update is relatively simple, seeing as how everything has been made more modular with ESET, but honestly I don't know how development works here; could be that to uncouple this update from others would mean far more work and delays in other areas. Could be that a large enterprise customer is asking for a feature, and that has been fast-tracked, and other projects have to wait. I guess really what I'm saying is that who knows why it's taking so long; yes, it could be that they're waiting to click that button for no 'good reason' aside from 'that's how we do it', or it's a lot more complex than the minimal information that we get via the forums would lead us to believe.
  10. And just to be sure I'm not missing something, there is no way to install ESET AV or Security on a Windows Server OS? No ESET Web Control possible on a Windows Server OS, right? Sorry again to pester! Thank you, Jdashn
  11. Does ESET have any suggested applications that would provide this service? (Guessing not?) Or plans to add the Web Control feature to the Windows server protection applications sometime soon? (If not, could this be put forward as a feature request?) Thanks!! Jdashn
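The URL in post 5 is the standard OCSP-over-GET form from RFC 6960: the path is the base64 encoding of a DER OCSPRequest. The decoder below is an added example (not ESET's or the poster's code) that parses that exact URL with a minimal DER walker, so you can see what the constant prefix and the varying tail actually are. It assumes nothing beyond RFC 6960's structure; the only sample input is the URL quoted in the post, including its already-incomplete base64 padding, which the function repairs.

```python
import base64
import urllib.parse

# Sample input: the OCSP GET URL quoted in the post above, defanged (hxxp) exactly as posted.
# Its base64 padding is already incomplete ("PQ=" rather than "PQ=="), a common artefact of copying
# URLs out of alert consoles; decode_ocsp_get_url() restores it.
SAMPLE_URL = ("hxxp://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR+5mrncpqz/"
              "PiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7/Oo7KECEgRY8NzrWAjZ4J4grl19QqsePQ=")

# Hash algorithms commonly found in a CertID (RFC 6960 examples use SHA-1; SHA-256 also occurs).
OID_NAMES = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the contents of a constructed DER element into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _decode_oid(value):
    """Decode DER OBJECT IDENTIFIER contents into dotted notation."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def decode_ocsp_get_url(url):
    """Decode an RFC 6960 OCSP-over-GET URL and return the CertID(s) the client is asking about.

    path = base64(DER(OCSPRequest)); OCSPRequest -> TBSRequest -> requestList -> Request -> CertID.
    Optional context-tagged fields (version, requestorName, extensions) are skipped by selecting
    the SEQUENCE (0x30) child at each level.
    """
    path = urllib.parse.urlsplit(url.replace("hxxp://", "http://", 1)).path.lstrip("/")
    b64 = urllib.parse.unquote(path)
    b64 += "=" * (-len(b64) % 4)              # restore padding dropped during copy/paste
    der = base64.b64decode(b64)
    tag, ocsp_request, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("path does not decode to a single DER SEQUENCE")
    tbs_request = next(v for t, v in _children(ocsp_request) if t == 0x30)
    request_list = next(v for t, v in _children(tbs_request) if t == 0x30)
    cert_ids = []
    for _, request in _children(request_list):
        cert_id = next(v for t, v in _children(request) if t == 0x30)
        alg, name_hash, key_hash, serial = _children(cert_id)[:4]
        oid = _decode_oid(_children(alg[1])[0][1])    # AlgorithmIdentifier.algorithm
        cert_ids.append({
            "hash_algorithm": OID_NAMES.get(oid, oid),
            "issuer_name_hash": name_hash[1].hex(),    # hash of the issuing CA's DN
            "issuer_key_hash": key_hash[1].hex(),      # hash of the issuing CA's public key
            "serial_number": serial[1].hex(),          # the certificate whose status is queried
        })
    return cert_ids


if __name__ == "__main__":
    for cid in decode_ocsp_get_url(SAMPLE_URL):
        for field, value in cid.items():
            print(f"{field:18} {value}")
```

Decoding shows a single CertID with a SHA-1 hash algorithm, a 20-byte issuerNameHash, a 20-byte issuerKeyHash and an 18-byte serialNumber. The prefix the poster found identical across alerts (through "...7KECEg") covers the hash algorithm, both issuer hashes and the INTEGER header of the serial, so every alert is a status query to the same responder about a certificate from the same issuing CA; only the serial number, i.e. which certificate is being checked, changes. The issuerKeyHash can be compared against the authorityKeyIdentifier of a leaf certificate issued by that CA to confirm the match. When triaging such alerts, the useful follow-up is to identify which process on the endpoint is issuing the requests (a browser or TLS client performing revocation checking is the ordinary source) rather than treating the URL content itself as hostile.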
  12. Sorry to be a pain, but I want to be sure I understand before applying this to (for example) a domain controller. If I implement the logging as you've got in the example above: if I browse to a website that ESET in the past has found malware on, and blocks for me, this would be allowed; if I browse to a website that has active malware on it, ESET should find and block this (given that it's something that it knows about and regularly blocks anyway, i.e. not new). So I'm guessing that if I want to have a secure domain controller (one that would be more likely to block a website that could be malicious), and log web activity that happens on that domain controller, you're suggesting that I may want to look to another way of logging web activity outside of ESET?
  13. Awesome! Thanks for the warning, and the help!! I had guessed that putting * in under allowed sites could start logging, but was unsure if that would then mean that I was allowing malicious sites? I'm guessing no? Thanks again!!! Jdashn
  14. @Marcos Thanks a ton for the reply!! These would be application servers, DB servers, domain controllers, none of which should actually be regularly using the web. So web traffic should be in the 0 pages per day range. Not a machine people SHOULD be using for web activity, so I'd guess the logs would actually be very small? (Or would this be logging more than I'm thinking?) I don't want to fully block, as you never know what emergency would crop up, but obviously I'd like to monitor and make sure that we're alerted to those situations, and can ask for justification (let's say if we saw someone browsing their Hotmail account on a domain controller). Even if the data would just get logged locally, and I could grab the logs regularly and parse them outside of ESMC, I was just thinking that ESET would be the best tool for this job, since it should be monitoring all that traffic anyway. Also, this is in relation to ESET File Security (v7.X); I think that 'Web Control' rules are only available in the 'Endpoint' products, not the server products, unless I'm missing something? Thanks Jdashn
  15. I feel like I've seen the answer to this question in the past, but have had no luck in finding the answers. Is there a way in ESET File Security to log all web history (blocked + allowed)? Unfortunately I've got a server where a regular user has administrative access, and I'd like to see if I can utilize ESET to log all web traffic on this machine. Thanks!! Jdashn
  16. Awesome! Thanks, suppose that's what I get for reading an article a few days old. In the future, if I, or more often my boss, sees one of these articles with a threat named, is there an easy resource I can use (and I can point my boss to) to provide the information you've provided me? It'd be great the next time XYZ threat comes along in the news, I can at least say no worries, ESET has us covered.. see! Thanks again!! Jdashn
  17. The article I just read on it said no one is currently detecting? Any thoughts on when it might be? https://thehackernews.com/2019/07/linux-gnome-spyware.html Jdashn
  18. @itman that's only for the web server built into PHP (that is designed for app dev, and shouldn't be forwarded to the net), not PHP itself, right?
  19. There is some good free software out there for viewing browser history logs and USB access logs. I'd just make sure that keeping browser history is enforced via GPO (if you can). Then they can't delete the logs after each use, keeping you blind to their activities. While you're at it with the GPO, lock down the browsers so they can't install extensions/add-ins. You could also lock down (via ESET Device Control) exactly which USB keys (down to serial number, but as broad as make or model) they're allowed to use. I'd also look to disable booting from USB via the BIOS, and lock the BIOS with a password (if you can boot to USB you can run Tails or some such with no IT visibility). And like Tom said... document, document, document... Talk to your boss, make sure you're in the clear for the 'watching'. Is this user an admin on the computer in question?
  20. Hello, I believe I've seen a few posts in this forum section about this issue, but they've been archived without a resolution. This is just one of our machines, most of which look similar to this. I've seen it mentioned that this is due to a hardware fingerprinting issue where the machine gets a new license for each new MAC address? Seems odd; this tablet does do an ethernet connection, wifi, and cellular, but that would be three... there are 12 listed for this machine since September, and I'd guess by the numbering scheme there have been a 'few' more generated. I'm not totally sure, as this was just reported to me today, but it appears that we might also be losing task history (and quarantine/detection) on machines that are getting a new license this way. In the other archived posts there are replies that state this is a known issue (with maybe the exception of the history loss) and that it's being worked on; did I miss the post where it's been solved, or is this still being worked on? Is this fixed in EBL, and I should migrate there? Is there some setting, or setup, that I've done wrong here? Thanks! Jdashn
  21. 1. Without a doubt! It would be quite a bad job move to exclude *.doc files from scanning; typically I'd like to have zero exclusions, but some business-critical software that we use does require exclusions. Citrix, for instance, has what I listed above just for one server type in their ecosystem. Several of our other products require various other DB files or file types to be excluded from scanning on their servers, or even on the desktops. 2. Awesome, I was a little confused and was worried I was missing something, thanks for clarifying! 3. The files listed are put forth as files that cannot be scanned during the provisioning process in a Citrix environment, per Citrix. Additionally we do have several other pieces of software that also recommend that certain file types are excluded from scanning: odd DB files and other file types used by EHRs or claims management software or HR systems. I'm not really going to be able to override the documentation they've provided, but I can say we did experience widespread oddities only in our production environment before these were in place, that we do not experience after (this though was only for our prod environment, under load; we were unable to replicate in test environments with few users, I can't replicate so I can't say it was ESET for sure or not). So my concern is not if I should enter the exclusions as required by vendors, but what is the best way to ensure that files I'm directed to not allow scanning on don't get scanned. I enter once for real-time, then once for on-demand scan, then for idle-state scan, then for startup scan (to be a bit more exact in what I'm talking about when I say multiple places). So that means that someone has to remember to hit all 4 of those spots to enter the same information. I'm not trying to say ESET is bad or anything, I'm just trying to figure out if I'm seeing this wrong or if there is something I'm missing here? Or if there might be a way to keep from duplicating work?
Thanks a ton for looking at this! Jason
  22. Sorry I've been away from this thread! Thanks for this, but when you actually try to enter in a file type, *.doc for example, in ESMC under File Exclusions you get an error. To exclude a file type it seems you need to go to the ThreatSense area for each scan type (real-time, malware, (and each cleaning mode too?)) to exclude them in an ESMC policy. In fact I believe in the v6 console you could specify *.doc in the file/folder area, though I'm unsure now if it was working, or if there was just no error thrown to prevent me. 1. This is not for cleaning mode. This is asking why I've got to set up the file type exclusions separately from file exclusions and why I can't use a * in the middle of a path. It appears that for a Citrix environment (in this one example; we have a few other pieces of software that require some sort of file type exclusion) a provisioning server needs the following file types to be not scanned at all: *.vhd *.avhd *.vhdx *.avhdx *.pvp *.lok. In order to achieve that it seems I would have to exclude them from real-time scanning, and specific scans like malware scans and whatnot (instead of the 1 spot where I can exclude a specific file/folder, hash or threat). I'm wondering if there is a single spot to enter so I don't have to enter it in multiple places. Generally we only use strict cleaning. 2. I'm not sure this matters (as I use ESMC to manage these servers), but these particular machines aren't rebuilt daily, though some others with file type exclusions are. Realistically I'm just looking to see if there would be an easier way to set up an exclusion based on file type, instead of having to remember each spot that has a file type exclusion parameter when we get a new piece of software or a software's requirements are changed. This would reduce the possibility of human error, missing an exclusion, or forgetting to remove them in a spot when changes to these policies (or their initial creation) need to happen.
As I said, maybe there is something I'm missing, or I'm not explaining this properly? Thanks a ton as always!!! Jdashn
  23. Instead of editing a 3rd time with another question to add, I'll just add another question here: when excluding a file where one of the folders is unknown: C:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Citrix\SubscriptionsStore\*\PersistentDictionary.edb This seems to be not possible with ESET at all? Is there another notation I should be trying? I've seen some suggestion that \\ would work, but would like to KNOW for sure before telling others this is in place and 'working'. Thanks as always!! Jdashn
  24. It appears (and I could be wrong) that the only way I can exclude a file type (.vhd for example) would be to enter that under the ThreatSense parameters for each scan type? Is there a way I can enter the file type under path, like *.vhd or something? Does the setting for real-time protection also count for malware scans and the others? Is there a list of all the places I've got to add these extensions to be sure they're not scanned? It seems kind of goofy to have the file type exclusions in a different spot, and to have to enter it in multiple places when there is a single spot to exclude files, hashes, and threats. Is this really the only way? Out of curiosity, is there a reason I'm not seeing for this to be this way? Thanks, Jdashn
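Posts 21 and 22 describe the same operational risk: the same extension list has to be typed into four separate scan profiles, so one profile can silently drift from the others, and a broad exclusion such as *.doc can slip in unnoticed. The script below is an added example (not ESET or ESMC tooling; it reads no policy files) of the consistency check an admin can run against the lists exported from each profile. The four profile names are the ones post 21 lists, the required extensions are the ones post 22 lists for the Citrix provisioning server, and the exported lists are constructed to contain one missing entry and one stray high-risk entry.

```python
import re

# Scan profiles that, per the posts above, each carry their own file-type exclusion list.
SCAN_PROFILES = ("Real-time", "On-demand", "Idle-state", "Startup")

# File types the Citrix provisioning server must not scan, as listed in the post above.
REQUIRED_EXTENSIONS = ["*.vhd", "*.avhd", "*.vhdx", "*.avhdx", "*.pvp", "*.lok"]

# Constructed sample of what an admin exported from each profile: spellings differ between
# profiles, "Startup" is missing *.lok, and "Idle-state" carries a *.doc nobody asked for.
EXPORTED_PROFILES = {
    "Real-time":  ["*.vhd", "*.avhd", "*.vhdx", "*.avhdx", "*.pvp", "*.lok"],
    "On-demand":  ["VHD", "AVHD", "vhdx", "avhdx", "pvp", "lok"],
    "Idle-state": ["*.vhd", "*.avhd", "*.vhdx", "*.avhdx", "*.pvp", "*.lok", "*.doc"],
    "Startup":    ["*.vhd", "*.avhd", "*.vhdx", "*.avhdx", "*.pvp"],
}

# Document and script types routinely used to deliver malware; excluding them needs a documented reason.
HIGH_RISK_EXTENSIONS = {"doc", "docx", "docm", "xls", "xlsm", "exe", "dll", "js", "vbs", "ps1", "hta", "lnk"}


def normalize_ext(entry):
    """Reduce the spellings an admin might type ("*.vhd", ".VHD", "vhd") to one lowercase extension."""
    ext = re.sub(r"^\*?\.?", "", entry.strip()).lower()
    if not ext or not re.fullmatch(r"[a-z0-9_~-]+", ext):
        raise ValueError(f"not a plain file extension: {entry!r}")
    return ext


def audit_exclusions(required, exported, profiles=SCAN_PROFILES):
    """Per profile, report required extensions that are missing and extras that were never requested.

    A profile absent from `exported` is treated as having no exclusions, so every required
    extension shows up as missing for it.
    """
    want = {normalize_ext(e) for e in required}
    report = {}
    for profile in profiles:
        have = {normalize_ext(e) for e in exported.get(profile, [])}
        extras = have - want
        report[profile] = {
            "missing": sorted(want - have),
            "extra": sorted(extras),
            "high_risk": sorted(extras & HIGH_RISK_EXTENSIONS),
        }
    return report


def is_consistent(report):
    """True only when every profile holds exactly the required set, nothing more and nothing less."""
    return all(not r["missing"] and not r["extra"] for r in report.values())


if __name__ == "__main__":
    result = audit_exclusions(REQUIRED_EXTENSIONS, EXPORTED_PROFILES)
    for profile, findings in result.items():
        print(f"{profile:11} missing={findings['missing']} extra={findings['extra']} "
              f"high_risk={findings['high_risk']}")
    print("consistent:", is_consistent(result))
```

Keeping the required list in one place (a ticket or a version-controlled file) and running this after every policy change turns the "remember all four spots" problem into a diff: the report names the profile that was skipped, and the high_risk column catches the broad exclusion that post 21 calls a bad job move before it reaches production.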