
Raj Oberai

Members

Posts: 14

Posts posted by Raj Oberai

  1. 16 hours ago, itman said:

    Hybrid-Analysis didn't find anything overly malicious. However, it noted a couple of things:

    1. Software signing cert. not valid. VT also noted this.

    2. Possible RPC suspicious activities.

    3. Flagged this API call; NtQueryValueKey@NTDLL.DLL ValueName - CWDIllegalInDLLSearch

    Also of note is VT showed Windows hooking, i.e. SetWindowsHook. Did not see this specifically noted in the Hybrid-Analysis report.

    Since this appears to be income tax software - India based? - I still would be cautious. Remember the Ukraine WannaCry incident?

    -EDIT- Also of note:

    Unusual Characteristics

    Yes, it is India-based income tax software. I am not too tech savvy, and it is an absolute must for me to run this a few times daily; what cautions can I take, taking into consideration that I have to run this no matter what?

    Heard about WannaCry but don't know too much about it.

    Guess I am left with no other option than to add it to exclusions and proceed :(


    Thanks for your time and help.

  2. 12 hours ago, itman said:

    That download site has malware on it. It tried to download a fake flash player update.

    Go here: https://www.hybrid-analysis.com/ and upload ITAutoUtility.exe for a scan. It will report back a percentage, e.g. xx/100, as to malicious status. Post what that percentage is.

    Report


    Not sure what details to give you, hence I shared the link above; hopefully it will work.


    The only reference in percentage I can find there was this:

    Classification (TrID)

    • 84.4% (.EXE) Win32 Executable Microsoft Visual Basic 6
    • 6.7% (.DLL) Win32 Dynamic Link Library (generic)
    • 4.6% (.EXE) Win32 Executable (generic)
    • 2.0% (.EXE) Generic Win/DOS Executable
    • 2.0% (.EXE) DOS Executable Generic


    12 hours ago, Marcos said:

    I'm getting the following notice regardless of whether HIPS is enabled or not. Didn't find any difference between HIPS being enabled and disabled.

    [screenshot: image.png]

    The process ended normally in either case.

    This file I don't have to click myself; it needs to run when I click on a button (say Login) in my software, which uses this file. When I don't have it as an exclusion under Rules > HIPS, it just doesn't open the webpage it is supposed to and nothing happens; when I add it as an exclusion, it opens the webpage just fine.


    Thanks

  3. 17 hours ago, itman said:

    Only Cylance flagged the file at VT.

    However and of note is the following:

    Appears the CompuOffice installer does contain malware.

    Note that when VT does a scan, AVs employed are only performing static analysis. If this .exe employs exploit behavior, they probably wouldn't detect it.

    Zip up the file as @Marcos requested and post it here. I'll scan the file on a site that does dynamic analysis.

    -EDIT- I will also add if this process does indeed perform exploiting activity, it will be difficult to test. An exploit requires a vulnerability. If the vulnerability does not exist on the test device, the exploit activity will be blocked by the OS or not run at all. 

    I already zipped the file and private messaged it to @Marcos, but he is yet to check his PMs.

    I thought posting it here wouldn't be safe, hence I PMed him.

    Anyways here's the link for the file:


    hxxp://www79.zippyshare.com/v/BdrcTBox/file.html


    Thanks

  4. On 3/3/2018 at 8:35 PM, itman said:

    ITAutoUtility.exe has to be stored somewhere on your hard drive. You posted previously it was located in the C:\Users\USERNAME~1\AppData\Local\Temp directory. If so, go to the VirusTotal web site and then upload it from the Temp directory for a scan. I am curious to see if any of the other AV vendors flag the file as malicious.

    https://www.virustotal.com/#/file/2398033edcd6c02e2b10f062a3e94915dea189f56c56662b2515b1b3627bee78/detection


    The above is the result of the scan.


    Thanks
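    Before uploading a binary from the Temp directory, or adding it to an exclusion or HIPS allow rule, a defender would pin down exactly which file is being discussed and whether its signature checks out, since both VT and Hybrid-Analysis flagged the signing certificate as not valid. The following PowerShell is an added example, not code from this thread or from ESET: it computes the file's SHA-256 with `Get-FileHash` so the value can be compared against the hash in the VirusTotal link posted above, and reads the Authenticode status with `Get-AuthenticodeSignature`. The expected hash and the Temp-folder location come from the thread; the function name `Test-BinaryIdentity` is my own.

```powershell
# Added example, not code from the thread or from ESET.
# Hashes a binary and checks its Authenticode signature locally so the result
# can be compared with the VirusTotal entry quoted in the thread before any
# exclusion or HIPS allow rule is created for it.

function Test-BinaryIdentity {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # SHA-256 taken from the VirusTotal link posted in the thread
        [string] $ExpectedSha256 = '2398033edcd6c02e2b10f062a3e94915dea189f56c56662b2515b1b3627bee78'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # Get-FileHash returns upper-case hex; normalise for comparison
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path

    $subject  = $null
    $notAfter = $null
    if ($sig.SignerCertificate) {
        $subject  = $sig.SignerCertificate.Subject
        $notAfter = $sig.SignerCertificate.NotAfter
    }

    [pscustomobject]@{
        Path            = $Path
        Sha256          = $hash
        MatchesExpected = ($hash -eq $ExpectedSha256.ToLower())
        # 'Valid' means the chain is trusted on this machine; 'NotSigned',
        # 'NotTrusted', 'HashMismatch' or 'UnknownError' each mean the file's
        # origin cannot be vouched for by its signature.
        SignatureStatus = $sig.Status.ToString()
        Signer          = $subject
        CertNotAfter    = $notAfter
    }
}

# Usage: the utility is dropped into the user's Temp directory (path from the
# thread); $env:TEMP resolves the USERNAME~1 short path for the current user.
$candidate = Join-Path $env:TEMP 'ITAutoUtility.exe'
$result = Test-BinaryIdentity -Path $candidate
$result | Format-List

if (-not $result.MatchesExpected) {
    Write-Warning 'This is not the same file that was scanned on VirusTotal; rescan it before trusting earlier results.'
}
if ($result.SignatureStatus -ne 'Valid') {
    Write-Warning "Signature status is '$($result.SignatureStatus)'; prefer an allow rule scoped to this one file over a folder-wide exclusion."
}
```

    A hash mismatch is the more important of the two checks: the file in Temp is regenerated each time the main application runs, so a VirusTotal verdict only applies while the hash still matches the one that was uploaded.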

  5. On 3/2/2018 at 1:22 AM, Marcos said:

    Ok, so re-enable Advanced Memory Scanner and now disable Exploit Blocker and Self-defense, one at a time.

    Disabling Exploit Blocker does the job, i.e. I am able to run the "exe" after that.

    Didn't try to disable Self-Defense, as the real issue was known (at least I think so).


    Waiting for your advice as to what to do now.


    Thanks

  6. On 3/2/2018 at 12:37 AM, itman said:

    This makes no sense to me. By default, the HIPS would not block any .exe running from C:\Users\USERNAME~1\AppData\Local\Temp. If it did, most app installations would fail, since many use that directory for installation .exe's.

    I assume you have no existing user created HIPS rules that monitor .exe startup activity from C:\Users\USERNAME~1\AppData\Local\Temp directory?

    As for the Advanced Memory Scanner detection possibility, it could also be that Exploit or Ransomware Protection is detecting something?

    Have you checked your ESET logs, like the Detected Threats or the HIPS logs, for any entries related to ITAutoUtility.exe?

    It doesn't give any message; the exe just fails to load the webpage it is supposed to load.


    On 3/2/2018 at 1:22 AM, Marcos said:

    Ok, so re-enable Advanced Memory Scanner and now disable Exploit Blocker and Self-defense, one at a time.


    Ok will do it one by one and then report back if it helped in any way.


    Thanks both :)

  7. 19 hours ago, Marcos said:

    Disabling HIPS was not suggested as an ultimate solution to the issue. Now please re-enable HIPS, disable Advanced Memory Scanner and reboot the computer. Let us know if the issue is gone or not.

    Hi


    Under HIPS > Basic > Rules, I added that application to allow and now it's working :)


    Thanks a lot.

    Will mark this as Solved (if users don't have that option, then please do it).

  8. Hello all,

    I am using ESET Smart Security version 11.0.159.9. I have an application that I need to run on a regular basis. I have added that application to the exclusion list under:

    - Real Time Protection

    - Web and Email - Protocol filtering

    - Firewall - Application Modification Detection

    I have excluded the path of the folder where the application is installed as well.

    The application creates a link for the application in the Temp folder and starts from there; I can't add the Temp folder to exclusions, for obvious reasons.

    Can anyone help as to why, despite adding it to exclusions, it is not running unless I close ESET?

    Its path is:

    C:\Users\USERNAME~1\AppData\Local\Temp


    I have attached the images for the path of the application (highlighted in yellow) and the places I have added it to exclusions.

    Please ask if any other details are needed; I will try and provide them.

    Thanks

    [attachments: Raj1.JPG, 3.JPG, 2.JPG, 5.JPG, 4.JPG]
