KAMIRAN Support

We test it and it work, We don't know why they want to use authenticating , they are a government and they want maximum security. We told them that this is a limited proxy just for ESET servers.

Hi deras. One of our customers want to enable authenticating in Apache http proxy in ERA appliance ( Centus 7). It is possible ? and how ? , Because we did not find any document about this from ESET .

Thank you, MartinK, Your help was useful , We chain 2 Apache proxy successfully. In some cases their proxy servers has no caching so we must use apache to increase internet bandwidth. And our problem is main proxy servers that requiring authentication. is there any way to connect ERA apache to a password protected Proxy servers ?

Hi All, In one of our Customers Network , ERA Server (Windows2012) has no direct internet connection , They want to connect Apache Http proxy to their local proxy server so Clients will use apache Https proxy. So How we can configure apache http proxy to use internal proxy from another server to coonect to internet ? Regards.

Hi , in Some servers we see this problem that icons beside of client disappear suddenly. in some cases when user remove clients in ERA , it will cause this problem next time that Agent connect to server and appear in ERA. What is the problem ?

We are working on this case for detection of WMIRun.A ( In memory scan ) with ESET Virus Lab.

We see s.th new , Memory scanner scan nothing . Look at the screen shot. Any Idea ? Why Non of ESET moderators post about this kind of fileless infections ?

Yes you are right, We saw firewall rules that block 445 in the infected servers ! It seems that they enter the server using eternalBlue and then block 445 to avoiding others enter the server ! We are working with ESET support to detect this WMIrun.a in memory sacanner. Right now no success. I am not sure that eset can detect WMIRun.A in memory. Are you agree with me ?

Still KVRT can detect this type of infections But ESET cann't. Memory Scan log : Log Scan Log Version of virus signature database: 15549 (20170608) Date: 6/8/2017 Time: 3:03:34 AM Scanned disks, folders and files: Operating memory Operating memory » C:\Windows\System32\apisetschema.dll - is OK Operating memory » C:\Users\Administrator\Desktop\tools\Autoruns\autoruns.exe - is OK Operating memory » C:\Windows\System32\msyuv.dll - is OK Operating memory » C:\Windows\System32\userinit.exe - is OK Operating memory » C:\Windows\System32\WcsPlugInService.dll - is OK Operating memory » C:\Windows\SysWOW64\en-US\sechost.dll.mui - is OK Operating memory » C:\Windows\SysWOW64\en-US\shlwapi.dll.mui - is OK Operating memory » C:\Windows\SysWOW64\oleacc.dll - is OK Operating memory » C:\Windows\SysWOW64\ieframe.dll - is OK Operating memory » C:\Windows\SysWOW64\shdocvw.dll - is OK Operating memory » C:\Windows\SysWOW64\WindowsCodecs.dll - is OK Operating memory » C:\Windows\SysWOW64\propsys.dll - is OK Operating memory » C:\Windows\SysWOW64\xmllite.dll - is OK Operating memory » C:\Windows\SysWOW64\uxtheme.dll - is OK Operating memory » C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll - is OK Operating memory » C:\Windows\SysWOW64\taskschd.dll - is OK Operating memory » C:\Windows\SysWOW64\ntdsapi.dll - is OK Operating memory » C:\Windows\SysWOW64\wbem\fastprox.dll - is OK Operating memory » C:\Windows\SysWOW64\wbem\wbemsvc.dll - is OK Operating memory » C:\Windows\SysWOW64\wbemcomn.dll - is OK Operating memory » C:\Windows\SysWOW64\wbem\wbemprox.dll - is OK Operating memory » C:\Windows\SysWOW64\rsaenh.dll - is OK Operating memory » C:\Windows\SysWOW64\cryptsp.dll - is OK Operating memory » C:\Windows\SysWOW64\RpcRtRemote.dll - is OK Operating memory » C:\Windows\SysWOW64\apphelp.dll - is OK Operating memory » C:\Windows\SysWOW64\ntmarta.dll - is OK Operating memory » C:\Windows\SysWOW64\version.dll - is OK Operating memory » C:\Windows\SysWOW64\profapi.dll - is OK Operating memory » C:\Windows\System32\wow64cpu.dll - is OK Operating memory » C:\Windows\System32\wow64win.dll - is OK Operating memory » C:\Windows\System32\wow64.dll - is OK Operating memory » C:\Windows\SysWOW64\cryptbase.dll - is OK Operating memory » C:\Windows\SysWOW64\sspicli.dll - is OK Operating memory » C:\Windows\SysWOW64\advapi32.dll - is OK Operating memory » C:\Windows\SysWOW64\sechost.dll - is OK Operating memory » C:\Windows\SysWOW64\msasn1.dll - is OK Operating memory » C:\Windows\SysWOW64\comdlg32.dll - is OK Operating memory » C:\Windows\SysWOW64\crypt32.dll - is OK Operating memory » C:\Windows\SysWOW64\KernelBase.dll - is OK Operating memory » C:\Windows\SysWOW64\wintrust.dll - is OK Operating memory » C:\Windows\SysWOW64\nsi.dll - is OK Operating memory » C:\Windows\SysWOW64\ws2_32.dll - is OK Operating memory » C:\Windows\SysWOW64\psapi.dll - is OK Operating memory » C:\Windows\SysWOW64\shlwapi.dll - is OK Operating memory » C:\Windows\SysWOW64\rpcrt4.dll - is OK Operating memory » C:\Windows\SysWOW64\user32.dll - is OK Operating memory » C:\Windows\SysWOW64\usp10.dll - is OK Operating memory » C:\Windows\SysWOW64\msvcrt.dll - is OK Operating memory » C:\Windows\SysWOW64\setupapi.dll - is OK Operating memory » C:\Windows\SysWOW64\gdi32.dll - is OK Operating memory » C:\Windows\SysWOW64\Wldap32.dll - is OK Operating memory » C:\Windows\SysWOW64\devobj.dll - is OK Operating memory » C:\Windows\SysWOW64\msctf.dll - is OK Operating memory » C:\Windows\SysWOW64\iertutil.dll - is OK Operating memory » C:\Windows\SysWOW64\cfgmgr32.dll - is OK Operating memory » C:\Windows\SysWOW64\kernel32.dll - is OK Operating memory » C:\Windows\SysWOW64\clbcatq.dll - is OK Operating memory » C:\Windows\SysWOW64\shell32.dll - is OK Operating memory » C:\Windows\SysWOW64\oleaut32.dll - is OK Operating memory » C:\Windows\SysWOW64\ole32.dll - is OK Operating memory » C:\Windows\SysWOW64\imm32.dll - is OK Operating memory » C:\Windows\System32\ntdll.dll - is OK Operating memory » C:\Windows\SysWOW64\lpk.dll - is OK Operating memory » C:\Windows\SysWOW64\ntdll.dll - is OK Number of scanned objects: 64 Number of threats found: 0 Time of completion: 3:03:37 AM Total scanning time: 3 sec (00:00:03) KVRT scan result is attached . Any idea ? We must use manual cleaning in this kind of threats ?

Yes All Security patches are installed, these malware may be installed before these security activities. As you said as we find a coinMiner in This server may be it used EthernalBlue. We are working on this case ...

Yes , Even We can block them by HIPS. This is the HIPS rules when Svchost.exe run scrcons.exe : Time;Application;Operation;Target;Action;Rule;Additional information 6/7/2017 3:58:11 AM;C:\Windows\System32\svchost.exe;Start new application;C:\Windows\System32\wbem\scrcons.exe;blocked;Block Scrones; look at KVRT new detection for this type of threats ( Picture that is attached )

Right now we find 6 new threats in this server that ESET lab detect them today : item.dat - Win32/Agent.WTF trojan Autorun_Script.txt - JS/Agent.NUN trojan Chr0me.exe - Win64/BitCoinMiner.AX application ms697A.exe - Win32/Agent.YWQ trojan mscorsvw_v3.0.0.6.1.exe - Win32/Agent.YWQ trojan regedit32.vbs - VBS/CoinMiner.DU trojan Autorun_Script.txt is containing the scrips in ActiveScriptEventConsumer. We will check the result in infected servers.

No this threat is popular because we see this variant in many servers. Yes We can stop it with HIPS rules but we are working to help ESET to detect it. Right now no detection. Just When an EXE file is downloaded by Scrone.exe ESET will detect it. But we want to add this to memory detection , S.th like kaspersky.

Today we find another server that is infected by WMI infections and ESET did not detect it. We are working on samples with ESET virus lab and ESET support to see how ESET will Detect and clean it. You can see the attached picture of this infections. This WMI insfections is called "Fish" that KVRT detect it as WMIRun.a If any one need samples i can share it via Private Messages.

it seems that problem is solved , Because in some cases activation is done.

Hi all , Today we see this error over many of customers , Even Home Editions . "ECP.20006 " Windows were XP Service pack 3 and windows server 2003 (Hotfixed are installed ) it seems that OLD version of windows (XP based ) has this problem.

Thank You dear itman. we will use these techniques in next infection that we find, and we will report the result. right now we have not any infected server to check these solutions because we clean them manually.

As we said in previous post in this case we clean the infection by deleting ActiveScriptEventConsumer class using wbemtest.exe . But in these case we must customize because it will download threats by scrcons.exe or may be run windows script using that process. We will check them in next case that Happened .

Thank you Dear ITMAN

Yes as you mentioned Creating a WMI permanent event subscription requires administrative privileges on a system. But in these cases we don't know how it can inject WMI database because all ports is secure , WINDOWS was updated and patched and RDP , 1433 and ... are secured. in these cases, threat just try to download a file that ESET detect it and from these alert Administrators find that WMI is infected. We are working in this case and we will inform if repeated. The interesting think for us is how kaspersky can detect it as a memory infection and my question is " Can ESET detect such these WMI infection in memory and how can we send samples to ESET while no files are exist. And any idea about how these infections will enter the administrator in inject to WMI ?

Hi dear ESET moderators. in these days we are facing a new threats family that use WMI and run under it's processes. as these infections is file-less we try to stop them by deleting ActiveScriptEventConsumer class , But ESET did not detect them in memory. We test Kaspersky Removal tools and it show that memory is infected with WMI infections and cure it. I want to know how can we collect and send these samples to ESET lab and will ESET detect these infections in memories ? We think that abusing WMI in these day may cause another ransomware to born.

We check these all and all were correct but the problem is not 12H or 1 day , it is about 3 months difference !!! And not 3 month ago ! 3 month later , Also ERA did not show any error that it seems it did not feel any problems, just last connected date is 3 month later. in one case it was AUG 2017. Right now upgrading to v6.5 solved the problem.

Dear Michal, Yes after upgrade to 6.5 it will be solved but we have over 300-400 Customers because we are an ESET partner, So we want to know is it a bug or s.th els ? These cases are on Windows platform.

No idea ?

Hi dears, In these days we have problems with ERA 6.4 and we must upgrade all our customers to 6.5 and in most cases it will be fixed. In ERA console 6.4 last connected date in incorrect while every thing is OK , Agent is connecting , Policies will apply , Even last connected time is updated but with wrong date ( about 3 month difference ) For example right now it show that last connect time is in 2017 Aug !!! Server And Client time is right . is it a Bug in 6.4 ?