Gregecslo

Members · 60 posts

Everything posted by Gregecslo

  1. Hi. We have the same issue but with Firefox. Error 0xc0000005. After the pre-release updates all is fine again. When can we expect this to be released to prod?
  2. Today (or yesterday) new policy settings for WAP appeared in the policy manager. Disabled it, all good.
  3. I downgraded to 10.0.328.0, which works OK. No need to downgrade to V9 for me.
  4. Hi. We have ERA on prem and deployed the new Linux version on our web servers. The thing is that the "wapd" process is consuming CPU and eventually the web server stops working. How can we disable Web Access Protection or unload it forever? In the policy I can't see the option at all... On Linux we just need on-demand scan and RTP and nothing else. Also pages were loading really slowly (those hosted on our web server)... It seems like a half-baked solution for now; had to go back to the older version.
  5. Something like this: https://octobercms.com/forum/post/being-attacked-please-help?page=1#post-37387
  6. If somebody makes a POST request with a malicious file inside it, PHP will process it (execution is done in the PHP TMP folder) and that is where the detection comes from. This also happens to me on a server where nothing is installed but Apache + PHP... Deleted ESET, the SAME POST request came, no files were dropped (but the file was naturally in PHP's TMP folder). The problem would be if you find an XXXX.php file which was dropped in the web server folder...
  7. This I don't know. For me, the detection came from this:

     95.214.27.5 - - [23/Oct/2023:05:39:30 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 1713 "-" mjdomain.com "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0" APACHELOG

     And it seems that the exploited vuln is: https://support.alertlogic.com/hc/en-us/articles/115005740363-Metasploit-WordPress-Ajax-Load-More-Arbitrary-File-Upload Again, I have NO WordPress site installed (but ESET did detect it anyway in PHP TEMP, which IS NORMAL); the server returns 404 or 500... That's why I said that the OP should check POST requests on the server...
  8. Yes you did, I also found it. URLSCAN.IO shows multiple scans for this domain with different webshells hosted on it. @FTL We also got this detection, but it's OK because, at least for us, the web server returned 404 or 500 when the POST request was made (we do not host WordPress at all). So basically this is an automated script that tries to exploit some WordPress vulnerability and, if successful, curl downloads the webshell. Example:

     95.214.27.5 - - [23/Oct/2023:05:39:30 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 1713 "-" mjdomain.com "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0" APACHELOG

     And yes, the detection occurred on: file:///tmp/phpMjc32fg which is normal, because PHP processed this POST request. So in my opinion nothing happened to your server, but check where that POST request was made and make sure WP and plugins are up to date.
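The advice in the two posts above (check which POST requests hit the server and which status code they got back) can be turned into a small log check. The Python script below is an added example, not code from the forum thread or from ESET. It parses Apache access-log lines in the layout quoted above (an extra virtual-host token between the referer and the user agent is tolerated), flags POSTs to the upload-capable handler named in the post, and groups them by source IP: a 404/500 means the probe failed, a 2xx means the request was actually processed and deserves a look in the PHP temp folder and web root. The first sample line is the one quoted in the post; the other lines, the 198.51.100.7 address and the WATCHED_PATHS list are constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Access-log pattern matching the line quoted in the post: client IP, ident,
# user, timestamp, request line, status, size, referer, an OPTIONAL vhost
# token, user agent, then anything else (the trailing "APACHELOG" label).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" '
    r'(?:(?P<vhost>[^"\s]+) )?'
    r'"(?P<ua>[^"]*)"'
)

# Handlers treated as upload-capable. Only admin-ajax.php appears on the page;
# extending this list from your own plugin inventory is an assumption left to you.
WATCHED_PATHS = ("/wp-admin/admin-ajax.php",)

# Constructed sample input: line 1 is the one quoted in the post, the rest are made up.
SAMPLE_LOG = [
    '95.214.27.5 - - [23/Oct/2023:05:39:30 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" '
    '500 1713 "-" mjdomain.com "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0" APACHELOG',
    '198.51.100.7 - - [23/Oct/2023:05:41:02 +0200] "POST /wp-admin/admin-ajax.php?action=alm_repeaters HTTP/1.1" '
    '200 512 "-" "curl/8.4.0"',
    '198.51.100.7 - - [23/Oct/2023:05:41:03 +0200] "GET /index.php HTTP/1.1" 200 4096 "-" "curl/8.4.0"',
    '203.0.113.9 - - [23/Oct/2023:05:42:10 +0200] "POST /contact.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    'this line is not an access-log record',
]


def parse_line(line):
    """Parse one access-log line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["path"] = entry["path"].split("?", 1)[0]  # drop the query string
    return entry


def classify(entry):
    """Verdict for one parsed line, or None when it is not a watched POST."""
    if entry["method"] != "POST" or entry["path"] not in WATCHED_PATHS:
        return None
    if entry["status"] in (404, 500):
        return "probe-failed"        # server had nothing to run it: noise, but note the source
    if 200 <= entry["status"] < 300:
        return "investigate"         # request was processed: check /tmp and the web root
    return "other"


def summarize(lines):
    """Map source IP -> {verdict: count} over all flagged POSTs."""
    report = defaultdict(lambda: defaultdict(int))
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict is not None:
            report[entry["ip"]][verdict] += 1
    return {ip: dict(counts) for ip, counts in report.items()}


if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_LOG).items():
        print(ip, counts)
```

Run it against a real file with `summarize(open("/var/log/apache2/access.log"))`; any source that shows up under "investigate" is the one whose upload to follow in the PHP temp folder and the web root, while "probe-failed" entries confirm the scenario the post describes.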
  9. Hi. I did contact them, waiting for a response. But I think (I have limited info here) that 2.2.2.2 does not belong to the actual organisation that owns the hotspot. I believe that they just used/abused this IP address (and addressing) in their INTERNAL network... Because this IP is owned by Orange and it's located in Egypt, faaar from the country where our people had problems...
  10. Hi! Today we had to connect to a guest WiFi hotspot and we encountered this:

     Uniform Resource Identifier (URI): hXXp://2.2.2.2/fs/customwebauth/login.html?switch_url=hxxp://2.2.2.2/login.html&ap_mac=00:44:33:04:5d:41&client_mac=00:22:33:ea:c2:41&wlan=COM-Guest&redirect=www.msftconnecttest.com/redirect
     Process name: C:\Program Files\Google\Chrome\Application\chrome.exe
     Event: An attempt to connect to URL
     Rule: Blocked by internal IP blacklist
     Scanner: HTTP filter
     Target address: 2.2.2.2

     As a result, people were unable to attend the meeting on time. Can you please explain why this is blocked and how to prevent connectivity issues in the future? Thanks!
  11. OK great, will the files be placed back in their original location? Or do we have to do it manually? Thanks.
  12. I will start a new topic... We have at least 30 detections on 2 files from the ESET ML engine:

     https://www.virustotal.com/gui/file/4e94404222b0c7c4a901c1b105deb1edde9ed7d8ea6fc7604cde04a907ac6c8a
     https://www.virustotal.com/gui/file/557980d06f68e4116683ac2e203b1dcbed78ea07352aa9481a807e9077f5a5ef

     Both are from Lenovo and both are ca. 9-10 months old. FP? Thanks!
  13. Can I open it directly with you guys? It's rather high priority as this server must be online...
  14. Hi all. Ubuntu Server 22.04, latest agent + ESET for Linux (9.1.91.0). After some time, the server becomes unresponsive, can't connect to SSH, can't log in from the VM console, only a hard reset helps. Syslog:

     Jan 23 10:18:29 ubuntu_servername kernel: [934614.091702] eset_rtp: wait for scanner reply timeout, path: /var/log/elasticsearch/graylog.log, event: CLOSE, id: 100235012 pid: 22553

     5 days later:

     Jan 28 10:46:34 ubuntu_servername kernel: [432084.098389] eset_rtp: wait for scanner reply timeout, path: /var/log/mongodb/mongod.log, event: CLOSE, id: 47512486 pid: 1060

     If I remove ESET all is good.
  15. Huh, so basically with this enabled ESET doesn't scan common webshell folders and they can run almost unrestricted, since you also don't scan the w3wp process. MS wording has changed dramatically since last year's ProxyLogon and ProxyShell; have you adopted any of their recommendations from their official blogs? Thanks!
  16. Hi all! With all the ProxyNotShell and ProxyShell stuff in mind, can you clarify something for all of us. If I have ESS (latest V9) configured like this: Does ESET scan for webshells in HTTP frontend folders? According to: https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/ So what exactly is excluded if we use the above option? Only DB files and logs, or entire folders of Exchange? Thanks!
  17. But it's a legit file: SHA256: d24beb9d51c93a497508d99605bd60d3bec3152cf115ee002a0edd78fdd2893c ? I can't find the file list and their hashes... Sorry, just downloaded the installer and extracted it, file hashes match.
  18. But it's a legit file: SHA256: d24beb9d51c93a497508d99605bd60d3bec3152cf115ee002a0edd78fdd2893c ? I can't find the file list and their hashes...
  19. Hi. I updated one of my Linux servers to 9.0.174.0. Now another security vendor installed on the same Linux server flagged scand (/opt/eset/efs/lib/scand) as malware.

     /opt/eset/efs/lib/scand; SHA256: d24beb9d51c93a497508d99605bd60d3bec3152cf115ee002a0edd78fdd2893c
     VT: https://www.virustotal.com/gui/file/d24beb9d51c93a497508d99605bd60d3bec3152cf115ee002a0edd78fdd2893c

     Note: I don't use Elastic, but it detected something in the above VT link. Question: Is /opt/eset/efs/lib/scand; SHA256: d24beb9d51c93a497508d99605bd60d3bec3152cf115ee002a0edd78fdd2893c a legit ESET file? Thanks!
  20. True. But it's not detected. Do the same thing with the older version = detected and deleted. I think that the detection was made for older versions or something like that. Maybe correlated to HermeticWiper (like using a legit driver to do bad stuff). I don't know, only ESET can confirm this.
  21. This one is to blame: https://www.virustotal.com/gui/file/0e76203802a524becd00392518a1b9cea5e6cddb8a6cf1b43dca4290f67c0305/details It's the original Process Explorer but an earlier version, and it's detected by ESET (even if VT shows it's not). This one creates the SYS driver and puts it into the system32\drivers folder. Newer versions don't do this...
  22. So I tried:

     1. Same folder, eicar = got detected and deleted
     2. Same folder, real malware = got detected and deleted
     3. Same folder, procexp sys = NOT detected

     So I suppose real-time protection IS working, but not detecting the sys file at all. Then I uninstalled EEA, rebooted and reinstalled. The PC was in the same group, so the same config was applied. After the modules updated, I again tried with the sys file and:

     Threat type: Potentially unsafe application
     Threat name: Win64/ProcessExplorer.A
     Scanner: Real‑time file system protection
     Action performed: Cleaned by deleting

     Can someone explain this to me? I'm unable to