frapetti

Members
Posts: 37
Rank: Newbie
Location: Argentina

  1. Also note what I wrote on the Lenovo forums: So, in my case, deleting the driver didn't seem to have caused any problems. From what I read, it's used in tools to perform PC management in enterprise environments, firmware upgrades, diagnostics, and the like, so I assume that deleting it could prevent you from doing that, and that reinstalling or updating the tool that installed it could restore the driver (but make a copy of it, just in case).
  2. The first step should be visiting the support website of the PC manufacturer. If there are any updated drivers, firmware, installed software, etc., they would be there.
  3. I can confirm that I'm having these issues on some endpoints and servers, and restarting doesn't fix the issue most of the time, but disabling and re-enabling AMSI in the advanced ESET configuration fixes it and is less disruptive than a restart.
  4. Hi, I also needed to download an offline installer, to avoid downloading the product on every computer where it needs to be installed (it's a slow process with the internet speed we have). The good news is that I found a way to do it: the installer has a gear icon on the title bar, and you can predownload the ESETOfflinePackage.dat file there, as described under "Offline Cache download" here: https://help.eset.com/epi/4/en-US/cloud_win.html Regards
  5. I don't know what vps.ovh.net is, but they seem to host a massive phishing campaign that uses domains that look very similar to the authentic domains:
  6. Thanks. I tried that, but it doesn't seem to trigger the rule, so I added two additional items to the list (before, only personal.com was on the list): And this is the rule: I suppose it's because the rules check the envelope sender's domain and not the From field, and the mail server protection log shows this: So I added an additional rule to check the mail from address: And also added the vps.ovh.net domain to the Blocked Senders list: I suppose that the only way to test it is to wait for another mail to arrive from that domain, right? Regards
  7. Hi, I set "Action to take on SPAM message" to "no action", because we prefer to add "[SPAM]" to the Subject instead of sending it to quarantine. However, now we want to quarantine messages from a specific domain, so we tried adding that domain to the "Blocked Body Domain", "Blocked Senders" and "Blocked Domain to IP" lists, expecting it to take precedence (after all, those are local, manual blacklists) and the message to be blocked, but instead it seems that ESET just uses it to determine that the message is SPAM, then adds the "[SPAM]" string to the Subject and allows the message to be delivered. Is there any way to block or quarantine the message if it is found on one of the local blacklists, while keeping "no action" set for SPAM messages? Regards
  8. Thank you. Now it seems clear that if an EDR or XDR solution is needed, an ESET product that includes Inspect is required. Any product without Inspect is neither EDR nor XDR.
  9. Thanks, Marcos. On the following page for PROTECT Advanced, I'm reading that "Advanced Threat Detection" enables "Protection against ransomware and new, never-before-seen threat types that uses adaptive scanning, machine learning, cloud sandboxing and in-depth behavioral analysis". So, I was wondering if that is considered EDR, or if ESET Inspect is needed for EDR capability. https://www.eset.com/int/business/advanced-protection/#feature-overview Regards
  10. Hi, I know that the words AI and advanced protection are often mentioned on ESET's Endpoint Antivirus and Security pages, but which of the PROTECT offerings can officially be considered EDR protection and which ones XDR protection? Regards
  11. Hi, We have a problem with 1 client PC. On the PROTECT Console it showed as not connected for several days. We uninstalled everything from ESET on that PC, then reinstalled with the Endpoint Security All-in-one installer, but it still doesn't show up in the Console. Agent status.html shows:

      Error: Replication connection problem: Authentication was not possible due to unavailable remote server or its unwillingness to respond
      Task: CStaticObjectMetadataTask
      Scenario: Automatic replication (REGULAR)
      Connection: <server>:<port> (edited for privacy)
      Connection established: false
      Replication inconsistency detected: false
      Server busy state detected: false
      Realm change detected: false
      Realm uuid: 00000000-0000-0000-0000-000000000000
      Sent logs: 0
      Cached static objects: 1
      Cached static object groups: 1
      Static objects to save: 0
      Static objects to delete: 0
      Modified static objects: 0
      All replication attempts: 21

      While the tail of the Agent trace.log shows this:

      2024-06-07 14:33:52 Error: CSystemConnectorModule [Thread 1dac]: CWbemServices: Could not connect. Error code = 0x80041002
      2024-06-07 14:34:02 Error: AuthenticationModule [Thread 22ac]: CFingerprintReader::ReadCurrentFingerprint: fingerprint reading failed with error=[Response for request of type DeviceFingerprintRequest (request id: 14) was not received in time]
      2024-06-07 14:34:02 Error: AuthenticationModule [Thread 22ac]: DeviceEnrollmentCommand execution failed with: HW fingerprint could not be obtained.
      2024-06-07 14:34:02 Warning: CReplicationModule [Thread 1d2c]: GetAuthenticationSessionToken: Received failure status response: TEMPORARILY_UNAVAILABLE (Error description: session token temporarily unavailable, device is not enrolled yet)
      2024-06-07 14:34:02 Error: CSystemConnectorModule [Thread 1dac]: CWbemServices: Could not connect. Error code = 0x80041002
      2024-06-07 14:34:12 Error: CSystemConnectorModule [Thread 1dac]: CWbemServices: Could not connect. Error code = 0x80041002
      2024-06-07 14:34:22 Error: CSystemConnectorModule [Thread 1dac]: CWbemServices: Could not connect. Error code = 0x80041002
      2024-06-07 14:34:33 Error: CSystemConnectorModule [Thread 1dac]: CWbemServices: Could not connect. Error code = 0x80041002
      2024-06-07 14:34:43 Error: CSystemConnectorModule [Thread 1dac]: CWbemServices: Could not connect. Error code = 0x80041002
      2024-06-07 14:34:53 Error: CSystemConnectorModule [Thread 1dac]: CWbemServices: Could not connect. Error code = 0x80041002
      2024-06-07 14:35:02 Error: AuthenticationModule [Thread 191c]: DeviceEnrollmentCommand execution failed with: HW fingerprint could not be obtained.
      2024-06-07 14:35:02 Warning: CReplicationModule [Thread 1d2c]: GetAuthenticationSessionToken: Received failure status response: TEMPORARILY_UNAVAILABLE (Error description: session token temporarily unavailable, device is not enrolled yet)
      2024-06-07 14:35:02 Error: CReplicationModule [Thread 1d2c]: InitializeConnection: Replication connection problem: Authentication was not possible due to unavailable remote server or its unwillingness to respond
      2024-06-07 14:35:02 Warning: CReplicationModule [Thread 1d2c]: InitializeConnection: Not possible to establish any connection (Attempts: 1) [RequestId: 6e48b9c3-5703-4a75-b6e2-77ce6477460d]
      2024-06-07 14:35:02 Error: CReplicationModule [Thread 1d2c]: InitializeFailOverScenario: Skipping fail-over scenario (missing last success replication link data) [RequestId: 6e48b9c3-5703-4a75-b6e2-77ce6477460d]
      2024-06-07 14:35:02 Error: CReplicationModule [Thread 1d2c]: CAgentReplicationManager: Replication finished unsuccessfully with message: Replication connection problem: Authentication was not possible due to unavailable remote server or its unwillingness to respond, Task: CStaticObjectMetadataTask, Scenario: Automatic replication (REGULAR), Connection: <server>:<port>, Connection established: false, Replication inconsistency detected: false, Server busy state detected: false, Realm change detected: false, Realm uuid: 00000000-0000-0000-0000-000000000000, Sent logs: 0, Cached static objects: 1, Cached static object groups: 1, Static objects to save: 0, Static objects to delete: 0, Modified static objects: 0
      2024-06-07 14:35:02 Error: AuthenticationModule [Thread 191c]: DeviceEnrollmentCommand execution failed with: HW fingerprint could not be obtained.
      2024-06-07 14:35:02 Warning: CReplicationModule [Thread 1d2c]: GetAuthenticationSessionToken: Received failure status response: TEMPORARILY_UNAVAILABLE (Error description: session token temporarily unavailable, device is not enrolled yet)
      2024-06-07 14:35:03 Error: CSystemConnectorModule [Thread 1dac]: CWbemServices: Could not connect. Error code = 0x80041002
      2024-06-07 14:35:13 Error: CSystemConnectorModule [Thread 1dac]: CWbemServices: Could not connect. Error code = 0x80041002
      2024-06-07 14:35:23 Error: CSystemConnectorModule [Thread 1dac]: CWbemServices: Could not connect. Error code = 0x80041002
      2024-06-07 14:35:33 Error: CSystemConnectorModule [Thread 1dac]: CWbemServices: Could not connect. Error code = 0x80041002
      2024-06-07 14:35:43 Error: CSystemConnectorModule [Thread 1dac]: CWbemServices: Could not connect. Error code = 0x80041002
      2024-06-07 14:35:53 Error: CSystemConnectorModule [Thread 1dac]: CWbemServices: Could not connect. Error code = 0x80041002
      2024-06-07 14:36:03 Error: AuthenticationModule [Thread 1910]: DeviceEnrollmentCommand execution failed with: HW fingerprint could not be obtained.
      2024-06-07 14:36:03 Warning: CReplicationModule [Thread 1d2c]: GetAuthenticationSessionToken: Received failure status response: TEMPORARILY_UNAVAILABLE (Error description: session token temporarily unavailable, device is not enrolled yet)
      2024-06-07 14:36:03 Error: CReplicationModule [Thread 1d2c]: InitializeConnection: Replication connection problem: Authentication was not possible due to unavailable remote server or its unwillingness to respond
      2024-06-07 14:36:03 Warning: CReplicationModule [Thread 1d2c]: InitializeConnection: Not possible to establish any connection (Attempts: 1) [RequestId: 9f710165-fffc-4fed-ba56-c3b5a1bd4457]
      2024-06-07 14:36:03 Error: CReplicationModule [Thread 1d2c]: InitializeFailOverScenario: Skipping fail-over scenario (missing last success replication link data) [RequestId: 9f710165-fffc-4fed-ba56-c3b5a1bd4457]
      2024-06-07 14:36:03 Error: CReplicationModule [Thread 1d2c]: CAgentReplicationManager: Replication finished unsuccessfully with message: Replication connection problem: Authentication was not possible due to unavailable remote server or its unwillingness to respond, Task: CStaticObjectMetadataTask, Scenario: Automatic replication (REGULAR), Connection: <server>:<port>, Connection established: false, Replication inconsistency detected: false, Server busy state detected: false, Realm change detected: false, Realm uuid: 00000000-0000-0000-0000-000000000000, Sent logs: 0, Cached static objects: 1, Cached static object groups: 1, Static objects to save: 0, Static objects to delete: 0, Modified static objects: 0
      2024-06-07 14:36:03 Error: AuthenticationModule [Thread 1910]: DeviceEnrollmentCommand execution failed with: HW fingerprint could not be obtained.
      2024-06-07 14:36:03 Warning: CReplicationModule [Thread 1d2c]: GetAuthenticationSessionToken: Received failure status response: TEMPORARILY_UNAVAILABLE (Error description: session token temporarily unavailable, device is not enrolled yet)
      2024-06-07 14:36:03 Error: CSystemConnectorModule [Thread 1dac]: CWbemServices: Could not connect. Error code = 0x80041002
      2024-06-07 14:36:13 Error: CSystemConnectorModule [Thread 1dac]: CWbemServices: Could not connect. Error code = 0x80041002
      2024-06-07 14:36:23 Error: CSystemConnectorModule [Thread 1dac]: CWbemServices: Could not connect. Error code = 0x80041002
      2024-06-07 14:36:33 Error: CSystemConnectorModule [Thread 1dac]: CWbemServices: Could not connect. Error code = 0x80041002
      2024-06-07 14:36:43 Error: CSystemConnectorModule [Thread 1dac]: CWbemServices: Could not connect. Error code = 0x80041002
      2024-06-07 14:36:53 Error: CSystemConnectorModule [Thread 1dac]: CWbemServices: Could not connect. Error code = 0x80041002
      2024-06-07 14:37:03 Error: AuthenticationModule [Thread 2208]: DeviceEnrollmentCommand execution failed with: HW fingerprint could not be obtained.
      2024-06-07 14:37:03 Warning: CReplicationModule [Thread 1d2c]: GetAuthenticationSessionToken: Received failure status response: TEMPORARILY_UNAVAILABLE (Error description: session token temporarily unavailable, device is not enrolled yet)
      2024-06-07 14:37:03 Error: CReplicationModule [Thread 1d2c]: InitializeConnection: Replication connection problem: Authentication was not possible due to unavailable remote server or its unwillingness to respond
      2024-06-07 14:37:03 Warning: CReplicationModule [Thread 1d2c]: InitializeConnection: Not possible to establish any connection (Attempts: 1) [RequestId: 02301c55-6031-434e-ac28-27df9451d5c6]
      2024-06-07 14:37:03 Error: CReplicationModule [Thread 1d2c]: InitializeFailOverScenario: Skipping fail-over scenario (missing last success replication link data) [RequestId: 02301c55-6031-434e-ac28-27df9451d5c6]
      2024-06-07 14:37:03 Error: CReplicationModule [Thread 1d2c]: CAgentReplicationManager: Replication finished unsuccessfully with message: Replication connection problem: Authentication was not possible due to unavailable remote server or its unwillingness to respond, Task: CStaticObjectMetadataTask, Scenario: Automatic replication (REGULAR), Connection: <server>:<port>, Connection established: false, Replication inconsistency detected: false, Server busy state detected: false, Realm change detected: false, Realm uuid: 00000000-0000-0000-0000-000000000000, Sent logs: 0, Cached static objects: 1, Cached static object groups: 1, Static objects to save: 0, Static objects to delete: 0, Modified static objects: 0
      2024-06-07 14:37:03 Error: AuthenticationModule [Thread 2208]: DeviceEnrollmentCommand execution failed with: HW fingerprint could not be obtained.
      2024-06-07 14:37:03 Warning: CReplicationModule [Thread 1d2c]: GetAuthenticationSessionToken: Received failure status response: TEMPORARILY_UNAVAILABLE (Error description: session token temporarily unavailable, device is not enrolled yet)
      2024-06-07 14:37:03 Error: CSystemConnectorModule [Thread 1dac]: CWbemServices: Could not connect. Error code = 0x80041002
      2024-06-07 14:37:13 Error: CSystemConnectorModule [Thread 1dac]: CWbemServices: Could not connect. Error code = 0x80041002

      I ran out of ideas. Generally a full reinstallation is enough to solve all agent problems, but this one seems to be persistent somehow. This is the only client that seems to be affected. Any help would be appreciated. Regards
  12. I didn't find any pmxdrv64.sys file on the computer with pmxdrv.sys. Files inside the System32 folder are supposed to be 64-bit anyway. 32-bit files go inside SysWOW64. Not very intuitive, but that's the Microsoft way 😅
  13. I wrote to Lenovo about the problem with this particular machine, but the answer from Lenovo is not very helpful. The computer is 5 years old, however: https://forums.lenovo.com/t5/ThinkPad-X-Series-Laptops/Vulnerable-driver-found-in-X1-Carbon-6th-Gen-notebook/m-p/5308580?page=1#6340257
  14. In any case, why is a message shown and logged every time any process accesses the file? Shouldn't the file be reported once instead? I had only one computer in the office showing those messages, and in a few hours there were like 500 detections on the PROTECT console saying that the process C:\Windows\System32\wbem\WmiPrvSE.exe was accessing the file C:/Windows/System32/drivers/pmxdrv.sys. The detection is about a Potentially Unsafe Application, nothing more, so ESET is taking no action other than informing about it. It seems like I found the original article about the vulnerability: https://eclypsium.com/research/mother-of-all-drivers-new-vulnerabilities-found-in-windows-drivers/ . I wish that manufacturers would stop installing "backdoors" in out-of-band firmware just because it looks good in marketing. Huge risk vs. doubtful benefit for most users.