
Mauricio Osorio

Members
  • Posts
    80
About Mauricio Osorio

  • Rank
    Newbie

Profile Information

  • Gender
    Male
  • Location
    Colombia

Recent Profile Visitors

1,538 profile views
  1. Hi guys, on this occasion I would like you to clarify this case for me. We have a customer who has an Oracle Linux server and has a problem with this malware. We have performed the installation of ESET File Security and we have these results after the system scan. Here they are in text in case you want to copy it:
     14 de octubre de 2021 10:02 file:///u01/Oracle/Middleware/Oracle_Home/coherence/plugins/maven/com/oracle/coherence/coherence-work/o84www Linux/CoinMiner.RT troyano Eliminado 0FE31D4AAA7C108C62532F68BC18DC8427F053A8
     14 de octubre de 2021 10:00 file:///home/oracle/c3pool/xmrig Linux/CoinMiner.BK aplicación potencialmente no deseada Desinfectado por eliminación 04FCE56E89D790C3EDAA808E29BDDCE0147962D3
     14 de octubre de 2021 10:00 file:///home/oracle/c3pool/config_background.json Win64/CoinMiner.RO aplicación potencialmente no deseada Desinfectado por eliminación 25135CEB79CA61F723029CFA430B3965B91FE1F4
     14 de octubre de 2021 10:00 file:///home/oracle/c3pool/config.json Win64/CoinMiner.RO aplicación potencialmente no deseada Desinfectado por eliminación DDBDF28407927F39C16A4E0EB0F731E87C50A408
     The problem is that the process that led us to discover that it is a CoinMiner does not disappear, and if we stop it, it reappears again. Here is a screenshot of the process: As you can see, the entire processor is consumed by this process. We suspect that they may be tasks left by the miner, but we don't know how to identify and remove them from the system. Shouldn't the antivirus remove them? I attach the logs taken after the removal of the malware with the ESET File Security antivirus (customer_info.zip). What should I do in this case?
  2. Hi @MartinK, thanks for your answer. This is the current proxy configuration in the agent policy: And this: It is unconfigured. I don't know how good an idea it is to configure the use of the HTTP proxy in the agent because, as you saw above, the client has published the EP console with a public IP, but if that solves the problem we could do it. I will try to find another computer that has the problem with the connection, to enable full verbosity, because the one we reviewed already connects well after restarting the eraserver service from SSH.
  3. Here are the logs on the client side. I hope you can review them @MartinK ELC_logs.zip
  4. I have been working with ESET products for a decade and I think it is one of the best options at the level of cybersecurity products, and I would like to open this space so that we can share, from day-to-day practice, the security recommendations that we can make to our customers, based on the findings of security solutions such as ESET Endpoint Security that are then reported in the ESET Protect management console. Why? Because it is not usually very clear what I should do with the discoveries or reports that ESET Protect generates. I wish we could answer the following questions in this space: How can I reduce the number of incidents reported in the ESET Protect (EP) console? This is based on the request of a client who belongs to the public health system of my country and who is alarmed because his network registers more than 2500 security incidents per month in the threats tab. My recommendation was to further limit users' internet access, block the use of USB storage devices, and other generic security recommendations, but I felt that we were wasting precisely all the information collected in EP, and that the recommendations should, rather than being generic, be based on the findings that are recorded in EP. At what time or in which scenario can I recommend to a customer that they should use ESET Dynamic Threat Defense or ESET Enterprise Inspector? Beyond the interest in cross-selling, how can I justify to my client that it is time to strengthen their network with either of these tools? Is there any non-generic factor that can justify making this recommendation? Example: We have detected that you have a large number of detections that come from emails, and we think it would be a good idea for you to have sandboxing in the cloud at this time. And perhaps many other questions that you could contribute from your experience.
     In short, what I would like is to take advantage of the information EP gives me and turn this information into added value for my clients. Welcome everyone!
  5. Hi @MartinK, those logs are from EP, not from the problematic device. I'm going to get you the logs of the problematic device as soon as possible. Regards.
  6. Hi guys, I would like your help with this case. A customer uses the OVA ESET Protect, but computers usually give this error when connecting to the console: And we have found a way to solve it, which is by restarting the eraserver service from the SSH connection. This is obviously not a solution for the client because it is annoying to do this every time. If it is helpful, I attach the logs of the OVA server. Regards! customer_info.rar
  7. Ok @Peter Randziak, I'll let you know what the result is. Regards.
  8. Hi guys, I have a problem with a client's cloud console, because the console suddenly closes and shows this: How can I fix this? Regards.
  9. Sorry I did not read your comment in full. If the problem is not the WMI on the computer then what would it be? Regards.
  10. Hi @MartinK, this is how that DG is configured: And this solves my main problem! Now, is there a way to solve the WMI issue? Thanks a lot!
  11. Hi @Marcos, thanks for your answer. As you say, we are using this DG: The result of the DG for the computers that correctly report the installed software (we have enabled the detection of third-party software in the agent configuration) is positive. But as you can see in the following image, this computer reports the antivirus to EP: To achieve the result we want, which is that we can detect the computers that have an agent but do not have antivirus installed, should we use a different DG? Now, obviously there is a problem with detecting installed software, which may be a WMI problem, as you say. Can I fix this so that the installed software can be detected again? Because right now it is not detected on that computer: Best regards.
  12. I have this case where an agent, no matter how many times I reinstall it, does not report correctly to the console. We noticed this case because we have an automatic installation task through a dynamic group that identifies the computers that do not have antivirus installed. But this computer always executed the installation task even when it had antivirus installed, which is how we realized that the agent is not reporting correctly in the console. Here you can see an image of the computer with its antivirus: And this is how the same computer looks on the ESET Protect Server: As you can see highlighted, it does not report antivirus or agent. I think it may be an operating system problem, but I would like you to help me find the problem, since I have 2 other computers with the same problem. How can I fix it? Thanks a lot! You can download a Log Collector from here:
  13. Hello Gonzalo, I am writing to you in Spanish since I see that you are from Uruguay. Thank you very much for your answer. I have already suggested that to my client, but my interest is to verify whether it can be done from the policies. Thanks for your answer. Regards.
  14. Hi @Nightowl, thanks for your answer. Yes, it has a password, but that does not prevent it. The second option you propose could be my solution, but I would like not to have to do it unless it is necessary. I would like to know if I can do it from the policies.