0xDEADBEEF

Most Valued Members
  • Content Count: 361
  • Days Won: 3

Everything posted by 0xDEADBEEF

  1. Not sure if this is a bug or an issue only on my computer. It seems ESET's official website will change web content according to the browser's user agent. So when I browse using Ubuntu, the top portion is missing, as shown below... If I use a user agent switcher and change to IE for example, the top part is fine. My browser's user agent string is: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
  2. ESET has detected a popular official game downloader as a Generik trojan for some days. The sample 768596273459d8c3e01c77ffcc0f631bf79f3b6c.zip is uploaded to the FTP server. Original file is downloaded from here. Also I am wondering if these two APKs (in the FTP server, d693ae624fa9c0ebfbbf019cb53def036a51e719d693a.zip and fc3a46a4bbbee9ca2c053b388873bfdb9bd93f57.zip) are malicious or not. ESET detects them as a variant of Android/Obfus.AY and a variant of Android/TrojanDownloader.Agent.KU. They both are relatively popular Android apps downloaded from the official website. This game
  3. RanSim, in my view, is not a correct way to test ransomware protection. Since itman has more info on that, I will skip those details. The art of detecting malware automatically is to precisely locate the difference between it and benign programs. This can be very subtle in some cases because an antivirus has a limited view of a program's intention. Take WinRAR as an example: if a bad guy uses it to silently batch-encrypt all your docs and delete the original files without telling you, this legitimate program is a "ransomware". In that sense how does an antivirus know if these behaviors should
  4. ESET indeed has behavioral analysis against ransomware from my own testing (and the Beh.XXX family which is used to flag potential ransomware behavior now has more members). It is rare to see it being effective though, because most samples are already detected by the scan engine (some slip through the defense though). Actually this is also the first time I have encountered a real-world fresh sample being caught by the ransomware shield. Ransomware shield is the last defense layer in such a case, with the cost of some files being encrypted. Of course ESET can further implement the roll-back
  5. The ransomware detection was triggered, the process is terminated and the original binary is quarantined (yes, there is a threat prompt). However, some images are encrypted already, and the malware has successfully achieved persistence. So in the next boot the ransomware shield is triggered again, and more files are unfortunately encrypted. The major threat is cleaned only after the second ransomware shield quarantine event. By saying the cloud detected it as malicious, I was referring to EDTD's detection. The file is marked as malicious by EDTD upon the first encounter already, so I expec
  6. Thanks for the explanation. Looking forward to seeing Augur's improvements
  7. I encountered a rapid ransomware sample around 15 hours ago. At that time, ESET's scanner couldn't detect it (while other major vendors already detected it on VT). The ransomware shield can stop it before it encrypts more of my images. The cloud also detected it as malicious at that time. However, the scan engine/cloud blacklisting is still not updated to detect such a sample as of now. Wondering if this is expected or not. The sample is uploaded with the name 713995310B25497E94432F22D262B84EF196AEA3.zip. BTW the scan engine takes a while to scan this 4MB file, which is a bit unusual.
  8. Debugging logs may contain private info, so sending through private message is the correct way to do it. BTW the issue reports I saw previously have a similar symptom: they also reported that a re-install might work but after reboot the problem comes back again. So hopefully ESET can identify and fix the issue with your help.
  9. I have seen sporadic reports recently saying the new 11.2 significantly slows down Tencent QQ startup (it takes nearly a minute, while in a normal situation it takes only a second or two to show the login window). They said rolling back to 11.1 helped. This doesn't happen to all users with Tencent QQ installed; most people report that they don't have such an issue. Currently I don't have sufficient info (e.g. if they also install other security software) so I didn't raise this in the forum, but this post seems to be related to the issue reports I saw.
  10. Surprised that other users didn't report this in the forum...
  11. Mine detects it, but I have to disable my adblock plugin to see ESET's prompt because my adblock will block the mining script before ESET kicks in.
  12. Yes, but waiting for each ask prompt to time out generally makes the system unusable upon a boot. Therefore I hope ESET can add such a reminder for rules of this type.
  13. My view is that enabling one or several operations with all src and target monitored (block or ask) will have the potential to prevent the system from working correctly. Of course one may feel that customizing HIPS rules is for pros and then it is their responsibility to make it right. I, however, suggest also adding a warning at least when adding such a rule, because it is easy to make such a mistake and it just happened to a user yesterday.
  14. I noticed that the HIPS rule sanity check (the mechanism that reminds the user that "the created rule is too generic and may crash the system") only applies when both source apps and target app files are set to "all" AND when all application operations are enabled. Shouldn't this check be effective as long as the source and target are both set to "all"? I am asking this because I saw someone lock himself out by accidentally adding a rule that only blocks the application start and with src and target set to "all". In this case the sanity check doesn't notify the user of the danger of such
  15. They are using their own in-house kernel logging sandbox... The current version of Cuckoo is too easy for sandbox evasion. Is MITRE ATT&CK a sandbox service? The visualization seems pretty nice and more behaviors of these two samples get unrolled
  16. Cool, I have the analysis report attached here: https://www.hybrid-analysis.com/sample/ed3d2b851d8427973ef3bff301e4cc09d9422fb38a2bd4ab85b339d87ee177d6/5b47ac647ca3e10e8b151f68 https://www.hybrid-analysis.com/sample/1b6c9775414e8206bada248c461f2ac62af17e68bafef8391c1716879ab3e83f/5b47b0c07ca3e145ff6dff53 Now ESET detects it as a dropper btw.
  17. I am not sure, seems to be legitimate software/PUA but some apparently flag it as a rootkit
  18. Hi, I've sent you a message with the link to the sample, thanks
  19. sha256: ed3d2b851d8427973ef3bff301e4cc09d9422fb38a2bd4ab85b339d87ee177d6. ESET only detected it as generic PUA
  20. Not really.. I kinda get what AMS's trigger is. The startup scanner is a bit different. My current observation is the startup scanner encompasses two major scanning methods: the file scan and the memory scan. When the realtime monitoring is disabled, not all malware that can be detected by the default scan engine will trigger the startup scanner detection. I can imagine if a malware drops a binary to a key location (e.g. some autorun folder), it will trigger a file scan activity from the startup scanner. I am not sure about any other cases. Behaviorally, it is not as trivial as the realtime m
  21. Though I don't think disabling the scheduler will disable the malware-triggered startup scan detection.. I will do an experiment tonight and see. Actually I am more interested in the triggers of such a scanner (not the triggers by the scheduled task)
  22. The confusing part is: 1. disabling realtime filesystem protection permanently (means reboot will keep it off) will still have startup scan detection. 2. there is no setting to enable/disable startup scan in the settings. It will be triggered when certain types of malware execute (likely the ones that try to be persistent), so it is triggered by a malware event, instead of a periodic task. I have yet to try to disable the related entries in the task schedule to see if they are related 3. pausing protection will then have no alerts from either realtime scan or startup scan. AMS s
  23. Hmm, I saw behaviors different from your description in EES7. If I simply disable the realtime monitoring permanently in the settings, executing an old Cerber sample will result in a detection from the startup scanner. However, pausing the protection using the tray menu (without disabling realtime monitoring in the settings) moves the detection of the same sample to AMS. That's why I think pausing the protection also pauses the startup scanner. Other samples have a similar situation.