
Nightowl

Most Valued Members. Posts: 1,857. Days Won: 17.

Posts posted by Nightowl

  1. 1 hour ago, eornate said:

    Thanks for your advice, but it's the same issue.

    I tried to go to the link that the error gives you, but it's not found.

    ESET staff might help you faster than me, but I will try my way.

    Let's check whether your server is corrupted in some parts.

    Please run this in an admin CMD:

    sfc /scannow

    The sfc /scannow command will scan all protected system files and replace corrupted files with a cached copy.

  2. I have updated to 10.1.8.0 and re-enabled Web Access Protection, but sadly the same problem remains. I tested it because I read in the release notes that it got improved.

    It can be reproduced by downloading the FortiClient VPN (VPN only) deb package from here

    https://www.fortinet.com/support/product-downloads

    and having ESET Web Access Protection running at the same time.

    No need for logins, passwords or the VPN's IP; the GUI will not work as long as Web Access Protection is running.

    Thank you.

  3. 16 minutes ago, usereset22 said:

    I did that and I will try now, and it's still the same thing, but it's blocking a lot of things, though less than before, but the issue is still there. My question is, is it something I need to worry about, that my PC is hacked? Or is this just normal? Can someone explain to me, please?

    It's normal, if you got your ISO from here: https://www.microsoft.com/en-us/software-download/windows10ISO

    It's safe because it's Microsoft. Other than that, like what you posted about SearchApp.exe: it's the search that's built into Windows; it communicates with the internet, probably with Bing.

  4. Just set your detections to Aggressive in ESET and HIPS to Smart Mode.

    And if you want to control what goes out and in, you can go with Interactive Mode in the Firewall, but it will give you a lot of alerts the first time until everything gets configured; you can use Learning Mode before going to Interactive Mode.

    In TCPView you will see a lot of attempts and connections by Windows itself, because it communicates with other things and with Microsoft etc. But if you obtained the ISO from Microsoft and formatted and installed it, I doubt the ISO would be tampered with. Anyway, you can run a deep scan with ESET after you set everything to aggressive detection and reporting, and if you still don't trust the result of ESET, you can check with another free scanner like Sophos HitmanPro or any free scanner that won't run as real-time, so it doesn't conflict with ESET's real-time protections.

  5. Rambler is a website that is similar to Yahoo/MSN and is owned by Sberbank. I doubt it will launch attacks on specific users to steal their instant messaging accounts :mellow:

    Another connection is that the attackers used emails from Rambler.ru services, which is the same thing as if the attacker used Gmail or Proton or whatever, since even bad actors that aren't connected to PC work use ProtonMail, which is based in Switzerland.

    It doesn't matter where it's coming from, even if from your friends: if the link isn't supposed to come or the message looks weird, don't open it.

  6. 11 hours ago, itman said:

    If you decide to use SRP, I strongly advise you to read this article: https://4sysops.com/archives/mitigating-powershell-risks-with-constrained-language-mode/ . In a nutshell, you add PS1 and PSM1 to the list of file extensions SRP monitors.

    Many are currently deploying the registry environment variable hack to set PowerShell to Constrained Language. As the article notes, it's trivial for a hacker to bypass this hack method.

    Thanks for your assistance, itman.

    I will check it out.

    I wish I had an easier route rather than messing with Microsoft's GPO  :D
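A check for the point itman quotes above, added here as an example and not code from itman, Nightowl, ESET or the linked article: it reports the language mode of the current PowerShell session and what, if anything, is enforcing it. Constrained Language set only through the __PSLockdownPolicy environment variable is the "hack" the article warns about (a debugging switch, not a security boundary); Constrained Language that comes from an enforced AppLocker script rule collection or an enforced WDAC policy is the supported route. The function name, the report fields and the verdict strings are my own; the registry key for the machine environment, the AppLocker XML layout and the Win32_DeviceGuard property are standard Windows ones.

```powershell
# Added example, not code from the forum thread: report whether this PowerShell
# session is in Constrained Language mode and what, if anything, enforces it.
# Prefers cmdlets and property reads over .NET calls so it is usable from a
# constrained session as well.
function Get-LanguageModeReport {
    $report = [ordered]@{
        LanguageMode         = [string]$ExecutionContext.SessionState.LanguageMode
        LockdownEnvProcess   = $env:__PSLockdownPolicy
        LockdownEnvMachine   = $null
        AppLockerScriptRules = 0
        AppLockerScriptMode  = 'n/a'
        WdacEnforcement      = 'unknown'
    }

    # Machine-wide __PSLockdownPolicy lives in the system environment key.
    $sysEnv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' `
                               -Name __PSLockdownPolicy -ErrorAction SilentlyContinue
    if ($sysEnv) { $report.LockdownEnvMachine = $sysEnv.__PSLockdownPolicy }

    # AppLocker: the Script rule collection of the effective policy, if the module exists.
    # EnforcementMode is NotConfigured, AuditOnly or Enabled; only Enabled puts
    # PowerShell into Constrained Language.
    try {
        [xml]$policy = Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop
        $scriptRules = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Script' }
        if ($scriptRules) {
            $report.AppLockerScriptRules = @($scriptRules.ChildNodes | Where-Object { $_.NodeType -eq 'Element' }).Count
            $report.AppLockerScriptMode  = $scriptRules.EnforcementMode
        }
    } catch { $report.AppLockerScriptRules = 'unavailable' }

    # WDAC (Device Guard) code integrity policy: 0 = off, 1 = audit, 2 = enforced.
    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction Stop
        $report.WdacEnforcement = @('off', 'audit', 'enforced')[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
    } catch { }

    $byPolicy = ($report.AppLockerScriptMode -eq 'Enabled' -and $report.AppLockerScriptRules -gt 0) -or
                ($report.WdacEnforcement -eq 'enforced')
    $byEnv    = [bool]$report.LockdownEnvProcess -or [bool]$report.LockdownEnvMachine

    $report.Verdict = if ($byPolicy) { 'Constrained Language backed by AppLocker/WDAC policy' }
                      elseif ($byEnv) { 'Constrained Language from __PSLockdownPolicy only: a debug switch, not a security boundary' }
                      else            { 'No lockdown policy found; FullLanguage expected' }

    [pscustomobject]$report
}

Get-LanguageModeReport | Format-List
```

Run it once as the normal user and once in an elevated session: the env-var method shows up as "debug switch", and a machine where only that is set should be treated as unprotected for the purposes of the article's threat model. The AppLocker count is informational; a collection in AuditOnly mode logs but does not constrain.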

  7. 11 hours ago, itman said:

    Here's something else you can explore; Software Restriction Policies (SRP).

    SRP is already preconfigured to block most Windows executable formats, and additional file extensions can be added as needed. Also, the PIF extension is already included in the list.

    [screenshot: Eset_GP_1.png]

    Next, these restrictions apply to designated Windows directories. The screenshot below shows I am applying these restrictions to the %Temp% directory by disallowing them:

    [screenshot: Eset_GP_2.png]

    As to applying the above in regards to your Skype .vbs issue and, for that matter, all other executable code downloads, perform the following.

    1. It appears the default download location for Skype is the Downloads directory. Create a new directory/folder to be used for Skype downloads.

    2. Change the default Skype download directory to the new directory you created, as shown here: https://www.technobezz.com/how-to-change-a-default-download-folder-on-skype/ .

    3. Create a new SRP path rule specifying the full path of the new directory you created. Set its Security Level to Disallowed.

    I assume the same capability to change the default download location also exists in WhatsApp, etc.

    Also, SRP saved my butt when some .cmd script attempted to run at Windows logon time, apparently from the registry:

    [screenshot: Eset_SRP.png]

    Of note is that I have an Eset HIPS rule to monitor all cmd.exe startups, and it didn't catch this.

    I was looking at it (SRP) yesterday, but your explanation is better than what I was reading. I will give this one a try and apply it to specific folders like Downloads, TEMP etc. and will see what happens.

    About the Downloads location, I bet I can keep it there; I just put in the extensions I want to be blocked.

    Thank you bro.

  8. 18 hours ago, itman said:

    I don't know about download prevention via Eset. But based on this posting: https://superuser.com/questions/1582309/received-a-possible-malware-vbs-on-skype-and-ran-it , these .vbs scripts are being run via Powershell.

    If you are employing Eset recommended anti-ransomware HIPS rules, one of those is to block any script startup from PowerShell. Also, these rules include blocking any child process startup from wscript.exe.

    Finally, this SuperUser posting example might be invoking wscript via PowerShell .NET subassembly capability. That is prevented by setting PowerShell to Constrained Language mode.

    As far as restricting what file types can be downloaded by Skype, it would be great if Eset had this feature: https://knowledge.broadcom.com/external/article/158783/prevent-exe-downloads-from-skype-using-a.html .

    I will try to do it through Fortinet filters (hardware firewall).

    Thank you bro.

    18 hours ago, itman said:

    If you are employing Eset recommended anti-ransomware HIPS rules, one of those is to block any script startup from PowerShell. Also, these rules include blocking any child process startup from wscript.exe.

    I will try to Google for best practices/hardening and take a look.

    Thanks for the suggestions.

    Should also block Python, Firefox, Chrome, VLC, 7zip, rar from running from AppData/TEMP or creating new applications from there, like that Remcos variant that brought its vulnerable exes with it.

    I think in the first place, since PowerShell and cmd are prevented, the next step of the vulnerable exes shouldn't come, but who knows.

    Anyone have a suggestion?
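The SRP setup discussed across the three posts above (itman's designated-file-types list and Disallowed path rule for %Temp%, the dedicated Skype download folder, adding PS1/PSM1 to the extension list, and the wish to stop things running from AppData/TEMP), as one added example in PowerShell. This is not ESET's, itman's or Nightowl's code; it writes the same registry keys that secpol.msc writes (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers), so the result shows up in the GUI afterwards. Assumptions: an elevated Windows PowerShell, an SRP policy already created once in secpol.msc so the base key exists, and the folder paths, log path and descriptions below are illustrative (C:\SkypeDownloads is a hypothetical folder standing in for the one itman's step 1 creates). Two points the thread does not spell out: the extension list is global (a Disallowed path rule blocks every designated type under that path, so there is no per-folder extension list), and the most specific path rule wins, which is how you carve out Unrestricted exceptions for per-user installed applications if you extend this to %LOCALAPPDATA%.

```powershell
# Added example, not ESET's, itman's or Nightowl's code: manage Software
# Restriction Policies through the registry keys that secpol.msc writes.
# Run from an elevated Windows PowerShell. Paths and descriptions are illustrative.
#Requires -RunAsAdministrator

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
# Security levels are subkeys named by their numeric value.
$Level = @{ Disallowed = 0; BasicUser = 0x20000; Unrestricted = 0x40000 }

function Assert-SrpPolicy {
    # The base key appears once "New Software Restriction Policies" has been
    # chosen in secpol.msc; this example does not try to bootstrap it by hand.
    if (-not (Test-Path -LiteralPath $Safer)) {
        throw 'No SRP policy on this machine: create one in secpol.msc (Software Restriction Policies > New Software Restriction Policies) first.'
    }
}

function Add-SrpExecutableType {
    # Extends the "Designated File Types" list, e.g. PS1/PSM1 so PowerShell
    # scripts are covered and VBS/JS so Windows Script Host files are.
    param([Parameter(Mandatory)][string[]]$Extension)
    Assert-SrpPolicy
    $current = @((Get-ItemProperty -LiteralPath $Safer -Name ExecutableTypes -ErrorAction Stop).ExecutableTypes)
    $missing = @($Extension | ForEach-Object { $_.TrimStart('.').ToUpperInvariant() } |
                Where-Object { $current -notcontains $_ } | Select-Object -Unique)
    if ($missing.Count -gt 0) {
        New-ItemProperty -LiteralPath $Safer -Name ExecutableTypes -PropertyType MultiString `
                         -Value ($current + $missing) -Force | Out-Null
    }
    $missing   # extensions actually added
}

function Get-SrpPathRule {
    # Every path rule with its level, for review before adding more.
    Assert-SrpPolicy
    foreach ($name in $Level.Keys) {
        $paths = Join-Path $Safer "$($Level[$name])\Paths"
        if (-not (Test-Path -LiteralPath $paths)) { continue }
        Get-ChildItem -LiteralPath $paths | ForEach-Object {
            $p = Get-ItemProperty -LiteralPath $_.PSPath
            [pscustomobject]@{ Level = $name; Path = $p.ItemData; Description = $p.Description; Key = $_.PSChildName }
        }
    }
}

function Add-SrpPathRule {
    # A Disallowed path rule blocks every designated file type under the path,
    # subfolders included; environment variables are expanded per user.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Description = '',
        [ValidateSet('Disallowed', 'BasicUser', 'Unrestricted')][string]$SecurityLevel = 'Disallowed'
    )
    Assert-SrpPolicy
    if (Get-SrpPathRule | Where-Object { $_.Path -eq $Path -and $_.Level -eq $SecurityLevel }) {
        Write-Warning "A $SecurityLevel rule for '$Path' already exists; nothing added."
        return
    }
    $key = Join-Path $Safer "$($Level[$SecurityLevel])\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -LiteralPath $key -Name ItemData     -PropertyType ExpandString -Value $Path        -Force | Out-Null
    New-ItemProperty -LiteralPath $key -Name Description  -PropertyType String       -Value $Description -Force | Out-Null
    New-ItemProperty -LiteralPath $key -Name SaferFlags   -PropertyType DWord        -Value 0            -Force | Out-Null
    New-ItemProperty -LiteralPath $key -Name LastModified -PropertyType QWord        -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
    $key
}

function Enable-SrpLogging {
    # SRP appends one line per decision to this file; read it after adding a
    # rule to see what it actually blocks before relying on it.
    param([string]$LogFile = 'C:\ProgramData\srp.log')   # illustrative path
    Assert-SrpPolicy
    New-ItemProperty -LiteralPath $Safer -Name LogFileName -PropertyType String -Value $LogFile -Force | Out-Null
}

# --- usage -------------------------------------------------------------------
Add-SrpExecutableType -Extension 'PS1', 'PSM1', 'VBS', 'VBE', 'JS', 'JSE', 'WSF'
Add-SrpPathRule -Path '%TEMP%'                  -Description 'No execution from the user temp folder'
Add-SrpPathRule -Path '%USERPROFILE%\Downloads' -Description 'No execution from Downloads'
Add-SrpPathRule -Path 'C:\SkypeDownloads'       -Description 'Dedicated Skype download folder (hypothetical path)'
Enable-SrpLogging
Get-SrpPathRule | Format-Table -AutoSize
```

Rules take effect for processes started after the change; nothing already running is touched. A Disallowed rule on Downloads means installers must be moved out of it before they will run, which is the intended friction. SRP is the older of Windows' allow/deny mechanisms and Microsoft steers new deployments towards AppLocker and WDAC, so treat this as the low-effort option it is presented as in the thread rather than a full application-control design.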

  9. 16 hours ago, Mohd said:

    You mean : Advanced setup==> Protections==> potentially unsafe applications 

    it was off by default. I have changed it to "Balanced" now.

    That should do it, and there is also Potentially Unwanted Applications; enable them. If you want higher detections, you can go with aggressive reporting and detections.

    You can keep MBAM as a second-opinion scanner, without the real-time parts being active, just a scanner for when you need it. As itman said, it will cause conflicts. It doesn't matter which one you want to keep; in the end it's your own opinion and thought of which proves to be better for your usage, but only one real-time protection should be active at a time, otherwise they would conflict and cause problems and maybe blue screen crashes.

  10. 1 hour ago, Mohd said:

    Hello,

    Recently I installed ESET Smart Security Premium and another malware remover.

    ESET did not detect any threat, but the malware remover is blocking riskware trying to communicate with an outside server (outbound).

    It's annoying me, but this message keeps appearing, showing the IP address including port number and the application used.

    Unfortunately, I'm not able to attach the message here! However, I'm communicating with them and waiting for their analysis.

    My question is, ESET Smart Security is supposed to provide full protection, isn't it? Why did it not detect such riskware?

    Is there any tool provided by ESET that detects or protects against the above riskware?

    Thanks

    I have a question apart from the other replies:

    Did you enable detection of Unwanted and Unsafe applications?

  11. 18 hours ago, itman said:

    Kaspersky appears to be the only mainstream AV to detect these Cobalt Strike beacons at first sight. What I have observed is its initial detection name is prefixed with "VHO"

    VHO and HEUR are the heuristic namings, if I am not mistaken.

    You will find them on Check Point, ZoneAlarm, Bitdefender I think also, because those use the Kaspersky engine.

  12. 16 hours ago, itman said:

    According to the Dr. Web detail analysis, the version of python.exe used is the original Python language interpreter. That can't run locally w/o being installed as I posted previously. Well, it appears Python can be run remotely. I just found this "tidbit;"

    I am sure that the PC I worked with didn't have Python, and the person who works on it doesn't have any programming skills or anything. I even searched for Python traces on the PC; there are none.

  13. 1 hour ago, SBrown said:

    It was a GSM call. I don't think generally ESET Mobile Security did it, but I'm interested to know if there is another person who experienced this. Maybe the mobile operator company has issues, or maybe the phones, but I doubt that too.

    I believe so also, a GSM or signal issue, because ESET won't touch the GSM parts, if I am not mistaken.

  14. 14 hours ago, SBrown said:

    About a week ago I bought ESET Mobile Security for two phones. About 2 days ago it started doing a thing where if I make a call I can't hear my partner. This problem is on both phones. I don't know if it's done by ESET or not. If I restart the phones it will work again, but later it will do it again.

    Is it an internet call or a normal GSM call?

    Internet WhatsApp calls can be blocked in some companies or networks; that's why you might not be able to call, for example.

    ESET for Android doesn't provide a firewall, so there is no way it could have blocked it.

    On my device I use it, but I never experienced such a thing.

  15. 15 hours ago, itman said:

    Let's analyze.

    First, the malware is embedded in a;

    Next is what the malware does;

    [screenshot: Eset_Python.png]

    The malware is Python based. You can't run python.exe without first installing Python, so it is assumed the malicious installer does that.

    Since, again, the Eset HIPS doesn't support global wildcard capability, I have previously created registry debugger entries to stop execution of python.exe and python3.exe.

    This is what happened with me: the infected PC I worked on belonged to a person who doesn't know programming and doesn't even know English, so naming the files "fruit" and "idea" and stuff like this made it a bit suspicious, and there isn't even Python installed; the RAT supplied its own Python.
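The "registry debugger entries" itman mentions are Image File Execution Options (IFEO) Debugger values: when a Debugger string exists for an image name, Windows launches that program instead of the image, so pointing it at something that cannot run stops the image from starting. Below is an added example of that technique, not ESET's, itman's or Nightowl's code, with the audit function a practitioner would want beside it, because the same key is a classic persistence spot for attackers (a cmd.exe "debugger" on sethc.exe or utilman.exe). Assumptions: an elevated Windows PowerShell; the sink path is a hypothetical non-existent file, chosen so CreateProcess fails before anything runs; the function names are mine. The caveat Nightowl's post raises applies: this matches on the file name only, so a RAT that ships its own interpreter under a different name walks straight past it, and any legitimate Python on the machine is blocked as well.

```powershell
# Added example, not ESET's, itman's or Nightowl's code: block an image by name
# with an IFEO Debugger entry, and audit that key for entries you did not create.
#Requires -RunAsAdministrator

$Ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
# Hypothetical sink: a path that does not exist, so the launch fails with
# "file not found" before the real image ever runs.
$Sink = 'C:\Windows\System32\blocked-by-ifeo-example.exe'

function Block-ImageByName {
    param([Parameter(Mandatory)][string[]]$ImageName)
    foreach ($name in $ImageName) {
        $key = Join-Path $Ifeo $name
        $existing = (Get-ItemProperty -LiteralPath $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($existing -and $existing -ne $Sink) {
            # Never overwrite a foreign Debugger value blindly: it may be a real
            # debugger you installed, or somebody else's persistence to investigate.
            Write-Warning "$name already has Debugger='$existing'; left unchanged."
            continue
        }
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -LiteralPath $key -Name Debugger -PropertyType String -Value $Sink -Force | Out-Null
        $key
    }
}

function Unblock-ImageByName {
    # Removes only the entries this script created (value equals our sink).
    param([Parameter(Mandatory)][string[]]$ImageName)
    foreach ($name in $ImageName) {
        $key = Join-Path $Ifeo $name
        $existing = (Get-ItemProperty -LiteralPath $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($existing -eq $Sink) { Remove-ItemProperty -LiteralPath $key -Name Debugger }
    }
}

function Get-IfeoDebugger {
    # Every image with a Debugger value. Anything that is not our sink or a
    # debugger you knowingly installed deserves a look.
    Get-ChildItem -LiteralPath $Ifeo | ForEach-Object {
        $dbg = (Get-ItemProperty -LiteralPath $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg; IsOurSink = ($dbg -eq $Sink) }
        }
    }
}

# --- usage -------------------------------------------------------------------
Block-ImageByName -ImageName 'python.exe', 'python3.exe', 'pythonw.exe'
Get-IfeoDebugger | Format-Table -AutoSize
```

Because the block is per image name, pair it with a path rule (SRP or AppLocker) on the folders a dropped interpreter would live in, and watch the IFEO key itself: a Sysmon registry value-set event (Event ID 13) on this key is a cheap detection for the attacker-side use of the same trick.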

  16. On 8/1/2023 at 1:18 AM, Teddie-Indonesia said:

    Can anyone open this ESET Password Manager web page: https://passwordmanager.eset.com/

    I can't register as a new user and use the ESET Password Manager right away. Please help. Thanks.

    Try changing your DNS on your computer/router.

    I don't see any reason for ESET to be blocked in Indonesia; other than that, ESET has an office there, so most likely it's not blocked and it's some other issue.
