
0xDEADBEEF

ESET Insiders
  • Content count: 244
  • Days Won: 3

0xDEADBEEF last won the day on June 5

0xDEADBEEF had the most liked content!

2 Followers


  1. I'd like to participate in the early access program 😁
  2. Yes, but waiting for each ask prompt to time out generally makes the system unusable upon boot. Therefore I hope ESET can add such a reminder for rules of this type.
  3. My view is that enabling one or several operations with all sources and targets monitored (block or ask) has the potential to prevent the system from working correctly. Of course one may feel that customizing HIPS rules is for pros and then it is their responsibility to make it right. I, however, suggest also adding a warning at least when adding such a rule, because it is easy to make such a mistake, and it just happened to a user yesterday.
  4. I noticed that the HIPS rule sanity check (the mechanism that reminds the user that "the created rule is too generic and may crash the system") only applies when both source apps and target app files are set to "all" AND when all application operations are enabled. Shouldn't this check be effective as long as the source and target are both set to "all"? I am asking this because I saw someone lock himself out by accidentally adding a rule that only blocks the application start, with source and target set to "all". In this case the sanity check doesn't notify the user of the danger of such a rule, and the computer will crash on the subsequent boot.
  5. 0xDEADBEEF

    Rootkit?

    ah ok
  6. 0xDEADBEEF

    Rootkit?

    They are using their own in-house kernel logging sandbox... The current version of Cuckoo is too easy for sandbox evasion. Is MITRE ATT&CK a sandbox service? The visualization seems pretty nice, and more behaviors of these two samples get unrolled.
  7. 0xDEADBEEF

    Rootkit?

    Cool, I have the analysis report attached here: https://www.hybrid-analysis.com/sample/ed3d2b851d8427973ef3bff301e4cc09d9422fb38a2bd4ab85b339d87ee177d6/5b47ac647ca3e10e8b151f68 https://www.hybrid-analysis.com/sample/1b6c9775414e8206bada248c461f2ac62af17e68bafef8391c1716879ab3e83f/5b47b0c07ca3e145ff6dff53 Now ESET detects it as a dropper, btw.
  8. 0xDEADBEEF

    Rootkit?

    I am not sure, seems to be legitimate software/PUA but some apparently flag it as rootkit 🙄
  9. 0xDEADBEEF

    Rootkit?

    Hi, I've sent you a message with the link to the sample, thanks.
  10. 0xDEADBEEF

    Rootkit?

    sha256: ed3d2b851d8427973ef3bff301e4cc09d9422fb38a2bd4ab85b339d87ee177d6. ESET only detected it as a generic PUA.
  11. 0xDEADBEEF

    Startup Scanner?

    Not really. I kinda get what AMS's trigger is. The startup scanner is a bit different. My current observation is that the startup scanner encompasses two major scanning methods: the file scan and the memory scan. When realtime monitoring is disabled, not all malware that can be detected by the default scan engine will trigger a startup scanner detection. I can imagine that if a malware drops a binary to a key location (e.g. some autorun folder), it will trigger a file scan activity from the startup scanner. I am not sure about any other cases. Behaviorally, it is not as trivial as realtime monitoring, where one can expect a scan whenever a file is created/executed.
  12. 0xDEADBEEF

    Startup Scanner?

    Though I don't think disabling the scheduler will disable the malware-triggered startup scan detection. I will do an experiment tonight and see. Actually, I am more interested in the triggers of such a scanner (not the triggers by the scheduled task).
  13. 0xDEADBEEF

    Startup Scanner?

    The confusing part is:
    1. Disabling realtime filesystem protection permanently (meaning a reboot will keep it off) will still produce startup scan detections.
    2. There is no setting to enable/disable the startup scan in the settings. It will be triggered when certain types of malware execute (likely the ones that try to be persistent), so it is triggered by a malware event, instead of by a periodic task. I have yet to try disabling the related entries in the task scheduler to see if they are related.
    3. Pausing protection will then produce no alerts from either the realtime scan or the startup scan. AMS still works though. So that's why I think pausing protection also pauses the startup scan.
    4. And the startup scan also scans memory objects (I saw "threat detected in memory" alerts from the startup scan for some samples). Does it mean that the startup scan includes both a file scan like realtime monitoring and a memory scan like AMS?

    I saw no document describing this scanner; that's why I posted the question here.
  14. 0xDEADBEEF

    Startup Scanner?

    Hmm, I saw behaviors different from your description in EES7. If I simply disable realtime monitoring permanently in the settings, executing an old Cerber sample will result in a detection from the startup scanner. However, pausing the protection using the tray menu (without disabling realtime monitoring in the settings) moves the detection of the same sample to AMS. That's why I think pausing the protection also pauses the startup scanner. Other samples show a similar situation.
  15. 0xDEADBEEF

    Startup Scanner?

    Cool, thanks. Wondering if these are the settings for configuring the startup scanning? BTW, am I correct that pausing the protection using the right-click menu in the tray will also pause the startup scan? Seems there is no standalone knob for turning this on or off in the settings menu.