0xDEADBEEF

Most Valued Members
  • Content Count: 361
  • Joined
  • Last visited
  • Days Won: 3

Kudos

  1. Upvote
    0xDEADBEEF gave kudos to itman in game driver FP
    Appears ESET is not alone here. At least one other AV is also flagging the driver: https://www.reddit.com/r/HonkaiImpact3rd/comments/f26zrh/vmprotect_suddenly_being_blocked_by_antivirus_is/
    And it appears ESET is detecting Winnti's malware fingerprints here: https://github.com/eset/malware-ioc/tree/master/winnti_group#samples-1
  2. Upvote
    0xDEADBEEF gave kudos to Marcos in game driver FP
    The detection is correct. The purpose of the driver is questionable and having such a driver running in the system is risky. You can exclude the file from detection, however.
  3. Upvote
    0xDEADBEEF gave kudos to Marcos in ESET Smart Caching Questions
    It's all just about smart optimization, nothing else and nothing more. It's caused by obfuscation that the txt file was not detected.
    1. Advanced heuristics don't scan scripts; there's a script scanner for that and the command-line (AMSI) scanner on Windows 10.
    2. Scripts are not run sandboxed.
    3. HIPS doesn't monitor file operations, but real-time protection does.
    We'll try to address it asap, but if it turns out to cause more harm than good then we'll probably leave it until it's addressed in a smarter way in the future utilizing HIPS.
  4. Upvote
    0xDEADBEEF gave kudos to Marcos in Ransomware SDEN
    Files were encrypted by Filecoder.LockedFile. According to the logs, there were about 170,000 failed attempts to log in via RDP as "administrator" and the like in approx. one day when the encryption occurred. Also an older version of EFSW 6.5 without Ransomware shield was installed.
    The OP was informed and improvements in protection were suggested.
  5. Upvote
    0xDEADBEEF received kudos from Peter Randziak in Question about Web Protection
    The only reason I was mentioning this is because web protection has more sensitive heuristics than on-demand scan or realtime scan, as Marcos has stated in this thread.
    This means that though the realtime scan or AMS will anyway catch the malware if the file is extracted to disk or memory, it might miss the more sensitive heuristics in the web protection layer, if my understanding is correct. As for how much more sensitive the web protection is compared to the normal scanner, I've no idea.
  6. Upvote
    0xDEADBEEF gave kudos to Marcos in Question about Web Protection
    A quote from https://en.wikipedia.org/wiki/Firefox_Send:
    All files are encrypted before being uploaded and decrypted on the client after downloading. The encryption key is never sent to the server.
    That means ESET scans only encrypted files, i.e. it's impossible to detect anything there.

    From the technical documentation (https://github.com/mozilla/send/blob/master/docs/encryption.md):
    The secret key is appended to the share url as a #fragment and presented to the UI
    That means the key only leaves the machine when the user transmits it manually, so there's no reliable way for us to get to it.
  7. Upvote
    0xDEADBEEF gave kudos to Marcos in Question about Web Protection
    Correct. Also web protection blocks known sites that distribute malware so even if there's a new unrecognized variant, the download would be blocked.
  8. Upvote
    0xDEADBEEF received kudos from Peter Randziak in Malware removal being extremely slow
    After updating to 12.1.31, the performance issue is largely resolved. The sample that originally took 15 sec to delete now only needs 3~4 sec in the latest version.
    Anyway, I've messaged you the new log on 12.1.31.
  9. Upvote
    0xDEADBEEF received kudos from Peter Randziak in Malware removal being extremely slow
    Seems the performance issue is largely resolved in the latest version that was just released today. The deletion latency has dropped from 15 sec to 3~4 sec.
  10. Upvote
    0xDEADBEEF received kudos from Peter Randziak in ESMC (ERA7), EDTD, EEI, Endpoint v.7 Early access is available for evaluation!
    A bit confused with the in-product upgrading process. I have added the beta repository and ran the component update task on the machine with the ERA server, but I didn't see ERA being upgraded to ESMC. Did I miss something? The component upgrade task states "finished".
    Update: seems there are some issues with my ERA server's agent. After a manual clean-up, I've got it successfully migrated to ESMC using a clean installation and successfully got the clients connected.
  11. Upvote
    0xDEADBEEF gave kudos to MartinK in ESMC (ERA7), EDTD, EEI, Endpoint v.7 Early access is available for evaluation!
    This seems as if the configuration policy for AGENT with the beta repository was not yet applied at the moment of upgrade task execution. This might happen in case the new configuration policy and task are fetched by AGENT in one connection...
  12. Upvote
    0xDEADBEEF received kudos from persian-boy in ESET Endpoint Security 7 is available for evaluation
    Yes, I was running that exact file in VMware with Windows 8 Pro. My files got encrypted immediately and the payload deleted itself after encryption was done.
    I've also tried to run exactly the same sample in a VMware Windows 7 Pro image, and it also encrypted the file.
    I have sent you a private message with the sample I used.
  13. Upvote
    0xDEADBEEF received kudos from persian-boy in ESET Endpoint Security 7 is available for evaluation
    Unfortunately v7 with the latest definitions and all protection layers on fails to block this ransomware sample:
    SHA256: 683ea0257ab6310dc5a6a65acc63737259eb044f0a000ba58d63e8e75533ae72
    All files are encrypted despite ESET detecting some ransom note files as Filecoder.FV.
    From the LiveGrid information, it is already seen by some number of users.
  14. Upvote
    0xDEADBEEF gave kudos to MichalJ in ESET Endpoint Security 7 is available for evaluation
    In general, the recommended approach to test the Ransomware Shield would be:
    - keep the real-time protection enabled
    - disable detection on "file read" (general file access), file execution and removable media access. Keep only "file creation" on, as ransomware shield monitors behavior, for example renaming of files. We have tested it, and it will be detected by ransomware shield (check the other attachment).
  15. Upvote
    0xDEADBEEF gave kudos to Peter Randziak in ESET Endpoint Security 7 is available for evaluation
    Hello Rein,
    not an issue, will post an update here on the forums once a meaningful update is available.
    <fun> On the other hand, if the update is not available yet, one cannot have any issues with it :-D </fun>
    Regards, P.R.
  16. Upvote
    0xDEADBEEF received kudos from safety in ESET Endpoint Security 7 is available for evaluation
    Cool, I was always wondering why ransomware shield was so blunt when previous layers are disabled. Will change the methodology then.
    Alright, tried to lock the virus definitions and tested a new ransomware with all protection layers on, and the ransomware shield started to detect new suspicious variants, though some files were still encrypted. The other sample (c3dc8906bc8a2f5fc680b099889762c27781a509) bypassed the protection on the 0320 db.
  17. Upvote
    0xDEADBEEF gave kudos to J.D. in ESET Endpoint Security 7 is available for evaluation
    Unfortunately, disabling realtime protection makes ransomware shield less effective because it then does not receive all the events from the file system.
  18. Upvote
    0xDEADBEEF received kudos from persian-boy in ESET Endpoint Security 7 is available for evaluation
    Feedback so far:
    1. Seamless upgrade from versions 6.5, 6.6: tried to upgrade from EES 6.6 to 7.0; the upgrade process was smooth, and all settings were retained. Threat logs and the software version are correctly reported to ERA. The system is Windows 10 16299.
    2. Anti-ransomware protection: The testing system is Windows 8.1 Pro in a virtual machine. First tried Cerber, and ransomware protection is effective (Beh.C1). Cerber is fairly old now, so I also tried 5~6 other recent ransomware samples which will encrypt files even in a virtual machine. Unfortunately, none of them were caught by the ransomware shield and files were encrypted. My testing methodology was to disable realtime protection and AMS and run the malware. The virtual system's key folders were pre-populated with documents and images. Of course one can argue that these samples can be detected by earlier layers like scanning...
    5&6. Process exclusions and hash exclusions: I tried a GandCrab sample, first adding its SHA1 to the exclusion list, and the realtime scan indeed skipped the detection. With AMS enabled this threat can still be detected post-execution. So I further added the executable to the process exclusion list, and AMS still detected it. Not sure if this is expected or not. UPDATE: I think GandCrab is a bit special; other samples will be successfully excluded.
    Other issues: it seems that in the settings, sometimes even if I don't change any options, there will be a confirmation popup asking if I want to discard current changes upon closing the settings window. This doesn't happen in all cases. On my side, the way to stably reproduce it is to navigate to the "email client protection" page, then to the "web access protection" page, and then try to close the settings window.
    p.s. Glad to see the maximize window button return to the GUI; this makes touch screen operations less awkward.