Jump to content

User21000

Members
  • Content Count

    9
  • Joined

  • Last visited

Kudos

  1. Upvote
    User21000 gave kudos to Raindex in ESET IS Blocking Chrome Installer and Google Chrome   
    Yeah just created an account to post, just started seeing the same thing out of nowhere, using EIS 13.0.24.0 with up to date modules it is still blocking certain links with the "URL/Urlik.AAO" detection, thought I had been infected on multiple machines with something and was going potty, below is the first 2 links that are being blocked:
     
    hxxp://r4---sn-aigl6ney.gvt1.com/edgedl/release2/chrome/AP1Corz6AzpUR-p1uwpDWl0_80.0.3987.132/80.0.3987.132_80.0.3987.122_chrome_updater.exe?mip=77.100.17.60&mvi=3&pl=24&shardbypass=yes&redirect_counter=1&rm=sn-8pgbpohxqp5-aigd7d&req_id=574377b647eefd0b&cms_redirect=yes&mm=42&mn=sn-aigl6ney&ms=onc&mt=1583279316&mv=u

    hxxp://r8---sn-8pgbpohxqp5-aig6.gvt1.com/edgedl/release2/chrome/Sg5vtxmsQ3DVgkY4fTNppQ_80.0.3987.122/80.0.3987.122_chrome_installer.exe?cms_redirect=yes&mip=77.100.17.60&mm=28&mn=sn-8pgbpohxqp5-aig6&ms=nvh&mt=1583279638&mv=u&mvi=7&pl=24&shardbypass=yes
     
    First detection contents(I had Chrome open in a Windows VM hence the "vmnat.exe":
    <?xml version="1.0" encoding="utf-8" ?>
    <ESET>
      <LOG>
        <RECORD>
          <COLUMN NAME="Time">03/03/2020 23:51:12</COLUMN>
          <COLUMN NAME="Scanner">HTTP filter</COLUMN>
          <COLUMN NAME="Object type">file</COLUMN>
          <COLUMN NAME="Object">hxxp://r4---sn-aigl6ney.gvt1.com/edgedl/release2/chrome/AP1Corz6AzpUR-p1uwpDWl0_80.0.3987.132/80.0.3987.132_80.0.3987.122_chrome_updater.exe?mip=77.100.17.60&amp;mvi=3&amp;pl=24&amp;shardbypass=yes&amp;redirect_counter=1&amp;rm=sn-8pgbpohxqp5-aigd7d&amp;req_id=d96ccf2aa9017d43&amp;cms_redirect=yes&amp;mm=42&amp;mn=sn-aigl6ney&amp;ms=onc&amp;mt=1583279316&amp;mv=u</COLUMN>
          <COLUMN NAME="Detection">URL/Urlik.AAO Object</COLUMN>
          <COLUMN NAME="Action">connection terminated</COLUMN>
          <COLUMN NAME="User">NT AUTHORITY\SYSTEM</COLUMN>
          <COLUMN NAME="Information">Event occurred during an attempt to access the web by the application: C:\Windows\SysWOW64\vmnat.exe (98A83D9FFB3B89749C7C6D91BFD61FEF6884DB86).</COLUMN>
          <COLUMN NAME="Hash">FB2EAA0695D89AA968B8C22531CDC96087FC31AD</COLUMN>
          <COLUMN NAME="First seen here">03/03/2020 23:51:12</COLUMN>
        </RECORD>
     </LOG>
    </ESET>
  2. Upvote
    User21000 gave kudos to jnsjns in May I ask why I got a warning of "URL/Urlik.AAO Object"?   
    Where is the link " certain urls. "?
  3. Upvote
    User21000 gave kudos to itman in Need help understanding Botnet.CnC.Generic detection event   
    Eset does use a blacklist of known botnet C&C servers. Only they know what it contains.
    However, Eset also uses this Botnet detection for inbound brute force attacks. Another thread on same alert here: https://forum.eset.com/topic/21967-increasing-botnetcncgeneric-detections/
     
×
×
  • Create New...