KAMIRAN Support

  1. We tested it and it works. We don't know why they want to use authentication; they are a government and they want maximum security. We told them that this is a limited proxy just for ESET servers.
  2. Hi dears. One of our customers wants to enable authentication in the Apache HTTP proxy in the ERA appliance (CentOS 7). Is it possible, and how? We did not find any document about this from ESET.
  3. Thank you, MartinK. Your help was useful; we chained 2 Apache proxies successfully. In some cases their proxy servers have no caching, so we must use Apache to increase internet bandwidth. Our problem is the main proxy servers that require authentication. Is there any way to connect the ERA Apache to a password-protected proxy server?
  4. Hi all. In one of our customers' networks, the ERA Server (Windows 2012) has no direct internet connection. They want to connect the Apache HTTP proxy to their local proxy server so clients will use the Apache HTTP proxy. So how can we configure the Apache HTTP proxy to use an internal proxy on another server to connect to the internet? Regards.
  5. Hi, on some servers we see this problem that the icons beside clients disappear suddenly. In some cases, when a user removes clients in ERA, it causes this problem the next time the Agent connects to the server and appears in ERA. What is the problem?
  6. We are working on this case for detection of WMIRun.A (in-memory scan) with ESET Virus Lab.
  7. We see something new: the memory scanner scans nothing. Look at the screenshot. Any idea? Why do none of the ESET moderators post about this kind of fileless infection?
  8. Yes, you are right. We saw firewall rules that block 445 on the infected servers! It seems that they entered the server using EternalBlue and then blocked 445 to avoid others entering the server! We are working with ESET support to detect this WMIRun.A in the memory scanner. Right now, no success. I am not sure that ESET can detect WMIRun.A in memory. Do you agree with me?
  9. Still, KVRT can detect this type of infection but ESET can't. Memory scan log: Version of virus signature database: 15549 (20170608) Date: 6/8/2017 Time: 3:03:34 AM Scanned disks, folders and files: Operating memory [...] Number of scanned objects: 64 Number of threats found: 0 Time of completion: 3:03:37 AM Total scanning time: 3 sec (00:00:03) KVRT scan result is attached. Any idea? Must we use manual cleaning for this kind of threat?
  10. Yes, all security patches are installed; this malware may have been installed before these security activities. As you said, as we found a CoinMiner on this server, maybe it used EternalBlue. We are working on this case...
  11. Yes, we can even block them by HIPS. This is the HIPS rule when svchost.exe runs scrcons.exe: Time;Application;Operation;Target;Action;Rule;Additional information 6/7/2017 3:58:11 AM;C:\Windows\System32\svchost.exe;Start new application;C:\Windows\System32\wbem\scrcons.exe;blocked;Block Scrones; Look at KVRT's new detection for this type of threat (picture is attached).
  12. Right now we found 6 new threats on this server that the ESET lab detected today: item.dat - Win32/Agent.WTF trojan; Autorun_Script.txt - JS/Agent.NUN trojan; Chr0me.exe - Win64/BitCoinMiner.AX application; ms697A.exe - Win32/Agent.YWQ trojan; mscorsvw_v3.0.0.6.1.exe - Win32/Agent.YWQ trojan; regedit32.vbs - VBS/CoinMiner.DU trojan. Autorun_Script.txt contains the scripts in ActiveScriptEventConsumer. We will check the result on infected servers.
  13. No, this threat is popular because we see this variant on many servers. Yes, we can stop it with HIPS rules, but we are working to help ESET to detect it. Right now, no detection. Only when an EXE file is downloaded by scrcons.exe will ESET detect it. But we want to add this to memory detection, something like Kaspersky.
  14. Today we found another server that is infected by a WMI infection and ESET did not detect it. We are working on samples with ESET Virus Lab and ESET support to see how ESET will detect and clean it. You can see the attached picture of this infection. This WMI infection is called "Fish", which KVRT detects as WMIRun.a. If anyone needs samples, I can share them via private messages.
  15. It seems that the problem is solved, because in some cases activation is done.