Nightowl
Everything posted by Nightowl

  1. I will give it a try, thank you. Can I upgrade with my current license, or do I need a different kind of license?
  2. It's weird then, let's wait for a reply from ESET staff, they know more than me. And you are welcome bro.
  3. Yes, KB5025297 is Preview: https://support.microsoft.com/en-us/topic/april-25-2023-kb5025297-os-build-19045-2913-preview-a5e3f0ce-b9f1-40b9-a3fa-42b8093f3873 And I believe ESET is reporting for this one, KB5025221. You can see them here: https://www.catalog.update.microsoft.com/Search.aspx?q=cumulative+update+windows+10+x64
  4. In the provided screenshot it's stated wrong. You applied 2023-01, ESET is showing 2023-04, hence the install date, January. Each month there should be a new update, 01 Jan, 02 Feb, 03 March, 04 April etc., but the missing months you have will be included in the latest one you download. Microsoft releases that Cumulative Update monthly, on the second Tuesday of the month, and you will have the cumulative update package from MS.
  5. In the first comment of the video I think the detection is through PUA detections: https://help.eset.com/glossary/en-US/unsafe_application.html?unwanted_application.html
  6. I don't know bro, it's just my imagination as I don't work for ESET.
  7. I believe it isn't supported. 22.04 has kernel 5.15, which is the latest version that is supported by Endpoint Linux. https://help.eset.com/eeau/91/en-US/?system_requirements.html
  8. I'd recommend jumping to ESET Cloud and protecting the Linux machines from there with Endpoint Linux. It's recommended, but still you need to buy the minimum amount of licenses to have a Business Account. It almost explains why you rarely find a Home edition for the Linux version, not only here with ESET, and we find the Endpoint one because some Linux machines have to be protected in work environments. It is true the same goes for home Linux, but it's not a priority I bet, but I imagine, once the product with GUI is fully ready in Endpoint, it will be made for the Home version, since the Endpoint version is controlled through ESET Protect.
  9. I agree on this one, before clicking on Tools seeing all of the stuff together was easier on the eyes and less clicking ----- Just another suggestion that isn't important, give us the ability to choose the old ESET icon, the old school one. What difference does it make? Nothing, just nostalgia.
  10. I understood what you mean now, the Network Scanner that shows you which devices were inside your LAN. In case it's your LAN and it shows some Public IP from the scan, can you post a screenshot of it? You can blur most of the IP if you don't want to show it. And also for your better peace of mind, update your router to the latest version offered by the manufacturer, change your WIFI passwords and check that the computers connected to the network aren't somehow infected (could be not).
  11. When ESET shows blocked attempts in Firewall logs or in Network Troubleshooter, it means that the firewall is working and blocking attempts from the Internet. But for example if you are connected to an Office WIFI or Home WIFI, and yet you are still seeing some Public IP addresses trying to communicate with your PC, then you have to check your router and properly configure the firewall to block or reject all Incoming connections and keep all Outgoing as allowed, in case you don't use any kind of service or port forwarding inside your LAN and have no need to come from the Internet side to the Office/Home side.
  12. Since you modified it brother, you broke the signature; you modified the contents, so the signature of the maker is broken. This will give an indicator to A.I scanners that this file might be malicious. Because the A.I usually knows this software/installer as trusted and signed, then suddenly you uploaded it differently and unsigned, it will look suspicious to the Bots (A.I). The new un-modified installer that you uploaded got 2 detections, those are false positives, the A.I might detect them because the installer is new. It might feel it's a bit suspicious once you played with the HEX and added ZEROs; 2 more A.I hated your modification and found it suspicious, and also you broke the signature of the developers. Since I was marked as a solution, I may be wrong or not 100% accurate, if I am mistaken, please correct me.
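The point made in the post above, that hex-editing a signed installer breaks the publisher's Authenticode signature and turns it into a brand-new, unsigned file in the eyes of multi-engine scanners, can be checked locally. The following is an added example, not code from the post or from ESET; it assumes `$SignedFile` points at any executable with an embedded Authenticode signature (the Windows `powershell.exe` path is only a default, point it at the real installer to reproduce the thread's situation).

```powershell
# Added example (not from the forum post): copy a signed PE, patch one byte, and
# show that the Authenticode status is no longer Valid and the SHA-256 changed.
# Assumption: $SignedFile is any embedded-signed executable; the default is a guess.
function Test-SignatureAfterPatch {
    param(
        [string]$SignedFile = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
    )
    $work = Join-Path $env:TEMP ("sigtest_" + [IO.Path]::GetFileName($SignedFile))
    Copy-Item -Path $SignedFile -Destination $work -Force

    $before     = Get-AuthenticodeSignature -FilePath $work
    $hashBefore = (Get-FileHash -Path $work -Algorithm SHA256).Hash

    # Flip one byte in the middle of the image. That offset lies inside a section,
    # which the Authenticode hash covers, so the signed hash no longer matches.
    $bytes  = [IO.File]::ReadAllBytes($work)
    $offset = [int]($bytes.Length / 2)
    $bytes[$offset] = $bytes[$offset] -bxor 0xFF
    [IO.File]::WriteAllBytes($work, $bytes)

    $after     = Get-AuthenticodeSignature -FilePath $work
    $hashAfter = (Get-FileHash -Path $work -Algorithm SHA256).Hash

    $result = [pscustomobject]@{
        File          = $work
        StatusBefore  = $before.Status                     # Valid for a signed file
        StatusAfter   = $after.Status                      # HashMismatch for an embedded signature
        Signer        = $before.SignerCertificate.Subject
        Sha256Changed = ($hashBefore -ne $hashAfter)       # a new hash means a "new file" to VT engines
    }
    Remove-Item -Path $work -Force
    $result
}

Test-SignatureAfterPatch | Format-List
```

A file whose status is `HashMismatch` carries a signature block that no longer matches its contents, which is exactly what a scanner weighs as "looks like a trusted product but was tampered with". Appending padding instead of flipping a byte in the middle also changes the SHA-256, so the file still lands on VirusTotal as something never seen before.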
  13. I believe not, but you can make it a bit different: connect the drive to some endpoint and you can force the endpoint to scan there, I think that works, but very slow.
  14. Since AVs mark those applications as SAFE, most of their actions, if not all of their actions, would be considered normal to the AVs, and that's why malware developers go to the hassle of using legit software for their illegal operations.
  15. Thank you also Peter for the assistance. One last note is after clearing everything, one should reset Windows Firewall settings in case it's used, because the Trojan will open ports for itself in Windows Firewall.
  16. Thanks to everyone involved in the topic with help for this threat, I believe the endpoints are clean now, will keep monitoring for weird things, if something happens I will report back. And also thanks to ESET and Fortinet.
  17. Also you are being blocked by Fortinet. Try to download the website files to your computer, see which file ESET is sensitive to, replace it with the original, or see what has been hijacked between the original and the modified one.
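Before resetting the whole Windows Firewall policy as post 15 recommends, it is worth seeing which inbound Allow rules the infection actually added. The following is an added example, not code from the post or from ESET; it assumes an elevated PowerShell session and treats the path patterns (AppData, Temp, ProgramData) as a hypothetical starting list of locations a dropper running as the user can write to.

```powershell
# Added example (not from the forum post): list enabled inbound Allow rules whose program
# lives under a user-writable folder, show the binary's signature status, optionally remove.
# Assumptions: run elevated; $SuspiciousPathPattern is a starting list, extend it as needed.
function Get-SuspiciousInboundFirewallRule {
    param(
        [string[]]$SuspiciousPathPattern = @(
            "$env:APPDATA\*", "$env:LOCALAPPDATA\*", "$env:TEMP\*", "$env:ProgramData\*"
        ),
        [switch]$Remove
    )
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction Stop
    foreach ($rule in $rules) {
        $program = ($rule | Get-NetFirewallApplicationFilter).Program
        if (-not $program -or $program -in @('Any', 'System')) { continue }

        # Rules often store %LOCALAPPDATA%-style variables; expand before matching.
        $expanded = [Environment]::ExpandEnvironmentVariables($program)
        $hit = $SuspiciousPathPattern | Where-Object { $expanded -like $_ }
        if (-not $hit) { continue }

        $port = $rule | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name      = $rule.DisplayName
            Program   = $expanded
            Protocol  = $port.Protocol
            LocalPort = ($port.LocalPort -join ',')
            Profile   = $rule.Profile
            Signature = (Get-AuthenticodeSignature -FilePath $expanded -ErrorAction SilentlyContinue).Status
        }
        if ($Remove) { Remove-NetFirewallRule -Name $rule.Name -Confirm:$false }
    }
}

# Review first; re-run with -Remove once the list is confirmed.
Get-SuspiciousInboundFirewallRule | Format-Table -AutoSize
```

Legitimate per-user installs (Teams, Chrome, OneDrive) also create rules under AppData, so the `Signature` column is the quick filter: a valid signature from the vendor is expected, `NotSigned` or a missing file is what to look at. `netsh advfirewall reset` is the full reset the post describes; it wipes every custom rule, not just the suspicious ones.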
  18. I can confirm detections of what I sent because I sent the same folder to both ESET and Fortinet, because that is what the endpoints work with.
     • Regenererede.vbs, MD5 e627f016283c17b4badc6f5b47f677d3 - VBS/Agent.77d3!tr
     • SciLexer.dll, MD5 688c0480ed192ed336911d7ed3730561 - W32/Rugmi.0561!tr
     • Fruit.png, MD5 c2a09a3c72717c71a6ac22c9f342a0d2 - Data/Agent.STGP!tr
     • ms.png, MD5 7b2f3421621a080c2043e6c90821c618 - Data/Agent.STGP!tr
     • Fruit.png, MD5 fd5cb5160053fcd028ad81016357dff5 - Data/Agent.STGP!tr
     • Pine.png, MD5 7f5546e1202e06e17c3eabe86107a504 - Data/Agent.STGP!tr
     • Fruit.png, MD5 0086f1ed58e6516027bdc7d8a6c2c9ad - Data/Agent.STGP!tr
  19. So, since not most of the files are detected, most of them are to be found in AppData/Roaming, with weird namings or Adobe, or in Local as Bhromium or something like this, and somewhere in AppData you can find the Firefox. Simply searching for vlc.exe, firefox.exe, python.exe, notepad++.exe in AppData will most likely show you where it is staying, and you can manually remove them.
     Blocking *.imgur.com, and the C&C server that is found in the AnyRun report, will isolate the Trojan: the load cannot be downloaded from imgur again, and if there was infection, there is no connection to C&C. ESET can pick it and clean the infected Powershell, and clean the things that were reported earlier in the Threat; other scanners like Hitman didn't pick anything, ESET did all the job, but the still unpicked stuff I deleted manually. Task Schedulers for VLC and Python and Notepad++, which are the legit softwares, but they are using them to load the Loads. Once all cleaned, and schedulers disabled and removed, it shouldn't come back to life, nor be alive.
     Thanks for the note bro. Actually this photo from the BleepingComputer post you mentioned is actually how the trojan works: File (came through whatever way) --> dll with whatever vulnerable software --> PNG from IMGUR --> Powershell to C&C (communication blocked by Fortinet first), then ESET was installed to clean Powershell, which was successful in doing so. Since a dll beside a trusted application is a stealthy way for a malware to proceed, since everything is marked Trusted/Safe, the trojan has no problem proceeding however it likes. With pngs being downloaded from a Trusted/Safe place, no webfilter/dns filter would stop imgur.com unless it was filtered on purpose to stop users from accessing it. Powershell would silently communicate with its c2c server without being detected by anyone unless the c2c and the shell are detected by security vendors.
     If the shell is not detected, and will always be revived by Schedulers if something happened to it, then access would be granted to the device all the time, and then anything can happen, ransomware or any other attacks.
  20. Most scanners don't care about images in their nature, I think? This is why now malware developers use this way. And since the image is uploaded to a very well known place like imgur, when the Trojan communicates with imgur, you will find it normal, someone is surfing photos. And the trojan would evade any web/dns filters you would set, since Imgur is trusted. This is one of the Fruits.
  21. Those are the threats my brother, the trojan downloads them from imgur to stay stealthy, and then they will be changed to the wanted extension. Fortinet already detects one of them, Fruit.png. With every fake program the Trojan uses, it will have a .png file for it: Notepad++, VLC, Python, Firefox. They are all legit versions, but probably some kind of old versions that have vulnerabilities, and the Trojan uses them to achieve what needs to be achieved, and communicates to C&C with Powershell, but ESET can stop it and remove it (the powershell one).
  22. I have sent more archives that are supposed to be threats, they all have the same password of "infected"; they are attached on my email also with the ESET sending. Examples of files:
     • https://www.virustotal.com/gui/file/cadd19935b6d2bd7208402c760923bbaa2807633d0306c3cb15337227179399e?nocache=1
     • https://www.virustotal.com/gui/file/4bb7fcab55b4f55f74d98c20205148a69f33dc39f3f99d9c11d1b22a4476562f?nocache=1
     • https://www.virustotal.com/gui/file/08739fea7bfdf3b641709a3d5b6e6d64be4ea75375dda9fe5cf7234e40cfbe12/detection
     • https://www.virustotal.com/gui/file/b2b8b97427bacead4a3de569d4901c13fb60131d7d9c5ba10fa885e13a9cc1f7?nocache=1
  23. Try using this to prevent the script from running till you find the source of it: https://www.thewindowsclub.com/how-to-turn-on-or-off-windows-powershell-script-execution Look in System Scheduler, and look in Startup entries, these are the most usual places of how a malware could keep reviving itself after being removed.
  24. It isn't bro, because when the trojan troubled me with coming back to life every time I killed it, I thought to change strategy and remove Python from the computer, which would render its scripts useless, but there is no Python on the PC. I thought it was installed from before, then I used HIPS to monitor what accesses this area, and then I thought I should get more aggressive now: I blocked the whole area to prevent anything from reading or writing to it using HIPS and I restarted. Then python.exe and python39.dll ceased to be used by something else; something held them and prevented anything from touching them, even I can't add a firewall rule for it because I wanted to block it from communicating. I felt like maybe another scanner got it for restart cleaning? But nope, no scanner identified the python39.dll as malicious, only as suspicious because it's not Signed, but all the rest of the files, even the modified ones, have the company names, like for Firefox, everything has Mozilla, even the modified ones (Unsigned).
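Posts 19, 21 and 23 together describe one hunt: legitimate VLC / Firefox / Python / Notepad++ binaries dropped under AppData with a loader DLL beside them, kept alive by scheduled tasks and startup entries. The following is an added example, not code from the posts or from ESET, that automates that hunt on a single machine. It assumes the host-binary names the posts mention, and the path patterns (`AppData`, `Temp`, `ProgramData`) are a hypothetical starting list; run it from an elevated PowerShell so `HKLM` and all tasks are readable.

```powershell
# Added example (not from the forum posts): find side-load host binaries under AppData
# and any scheduled task / Run key that launches something from a user-writable path.
# Assumptions: $Names are the ones the thread mentions; $Patterns are a starting list.
function Find-SuspectSideloadHost {
    param(
        [string[]]$Names = @('vlc.exe', 'firefox.exe', 'python.exe', 'notepad++.exe', 'python39.dll'),
        [string[]]$Roots = @($env:APPDATA, $env:LOCALAPPDATA)
    )
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -File -Include $Names -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            # A loader DLL beside a signed host is the tell: list unsigned DLLs in the same folder.
            $unsignedDlls = Get-ChildItem -Path $_.DirectoryName -Filter *.dll -File -ErrorAction SilentlyContinue |
                Where-Object { (Get-AuthenticodeSignature -FilePath $_.FullName).Status -ne 'Valid' } |
                Select-Object -ExpandProperty Name
            [pscustomobject]@{
                Path         = $_.FullName
                Signature    = $sig.Status
                Signer       = $sig.SignerCertificate.Subject
                UnsignedDlls = ($unsignedDlls -join ', ')
                Modified     = $_.LastWriteTime
            }
        }
    }
}

function Find-UserWritablePersistence {
    param([string[]]$Patterns = @('*\AppData\*', '*\Temp\*', '*\ProgramData\*'))

    # Scheduled tasks whose action (exe or arguments) points into a user-writable folder
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = [Environment]::ExpandEnvironmentVariables("$($a.Execute) $($a.Arguments)")
            if ($Patterns | Where-Object { $cmd -like $_ }) {
                [pscustomobject]@{ Source = "Task $($task.TaskPath)$($task.TaskName)"; State = $task.State; Command = $cmd }
            }
        }
    }

    # Run / RunOnce autostart values for the current user and the machine
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $providerProps) { continue }
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
            if ($Patterns | Where-Object { $cmd -like $_ }) {
                [pscustomobject]@{ Source = "$key\$($p.Name)"; State = 'Enabled'; Command = $cmd }
            }
        }
    }
}

Find-SuspectSideloadHost      | Format-Table -AutoSize
Find-UserWritablePersistence  | Format-Table -AutoSize
```

Expect noise from legitimate per-user software (OneDrive, Teams, browser updaters also live under AppData and register tasks); the combination of a valid vendor signature on the host plus an unsigned DLL next to it, as post 24 describes for `python39.dll`, is the pattern to chase. Disable the task (`Disable-ScheduledTask`) and remove the Run value before deleting the files, otherwise the scheduler re-launches the chain, as post 19 notes. On the link in post 23: the PowerShell execution policy only governs how `powershell.exe` treats script files and is bypassed by `-ExecutionPolicy Bypass` or `-EncodedCommand` on the command line, so it buys time for the cleanup but is not a control that stops this loader by itself.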