Nightowl (Posts: 1,818; Days Won: 17)
Nightowl gave kudos to URBAN0 in Conflicting On ESS Modes?
Now since you've mentioned it, it does ring the bell.
Long ago, when Outpost (Agnitum) was still around, I think I did exactly that. I ran the system in learning mode, then switched to Interactive to deal only with the new occasional popups.
When I first got ESET I would do the same, but I really want it to need less and less of my input, and I only did that on a clean, just-installed system: I would run in learning mode, get the base rules, install Firefox, let it run in learning mode for a while longer, then switch to Auto and leave it at that. So far it has been OK.
Thank-you
-
Nightowl gave kudos to safety in I got ransomware attacked in 2016, I have the files, how to decrypt them?
I think the decryption of your mp3 files using esetteslacryptdecryptor.exe was correct, but there is also a second layer of encryption, and this, unfortunately, is Cryptowall 3, judging by the first 16 bytes at the beginning of each file after decryption (the first 16 bytes are the same for all files):
723800F3740E5CF011BDB7F6EE44EC63
-
Nightowl received kudos from itman in Question about a Virus
I guess @Purpleroses is confused between HTTPS scanning and secure browser protection.
Browser protection helps in case something bad got past and was able to intercept your keystrokes or something like that: the secure browser will be scrambling your keystrokes, so whatever is eavesdropping on or logging your keys will get them encrypted.
HTTPS scanning is different: ESET will add its own certificate to the machine, then it will be able to scan the HTTPS traffic, and if malware is sent through that HTTPS traffic, ESET will be able to pick it up. Without the certificate that ESET adds, it will not be able to scan the HTTPS traffic.
I could be mistaken in what I described; correct me if I am wrong, please.
-
Nightowl received kudos from micasayyo in Conflicting On ESS Modes?
I think Learning Mode is designed more to be used with Interactive Mode.
You let the firewall learn the machine for a while and then you switch to Interactive Mode; in that case you will have to manually allow/block traffic for unlearned apps after that.
And learning mode will add rules for the apps and traffic that it learned and allow them or block them (it could block, maybe, I don't know); after that you can also look at the list and remove unwanted rules if the software added something you don't want.
But if you are looking to use Automatic Mode, then keep it Automatic.
-
Nightowl gave kudos to safety in Pc infected with cyberfear@decryptor, SEXAXGLSY files
1.5 years after the leak, the builder began to work smarter, but at first the folder with the builder files remained on the disk.
Some of the attackers do not change the private key for a long time (decryptor), and after redeeming the key there is a chance to help other victims.
>>>> Your personal DECRYPTION ID: 0D4726C60545E66F7A63330CE76CDAF9
>>>> Your personal DECRYPTION ID: 0D4726C60545E66F4343434343434343
>>>> Your personal DECRYPTION ID: 0D4726C60545E66FEFE02D17117DDA22
>>>> Your personal DECRYPTION ID: 0D4726C60545E66F7A63330CE76CDAF9
-
Nightowl gave kudos to avielc in ESET is blocking VPN for apps installed after ESET
Joining Nightowl: Forticlient is one of the more widespread VPNs in use (specifically, it is used by our company and 2 clients I recommended using ESET to).
Thanks
-
Nightowl received kudos from avielc in ESET is blocking VPN for apps installed after ESET
Please give support for Forticlient and don't forget about it
https://www.fortinet.com/support/product-downloads
-
Nightowl gave kudos to jia_yang in Blocking Specific Programs
firewall service deny or give it a try.
-
Nightowl gave kudos to Marcos in Pc infected with cyberfear@decryptor, SEXAXGLSY files
Files were encrypted by Filecoder.BlackMatter (detection added in July 2022). Unfortunately, decryption is not currently possible.
ESET was probably not installed at the time of encryption.
An adversary gained access to the machine and created several folders from which the ransomware was run (some letters were replaced with ?):
C:\Documents and Settings\M??c\Downloads\LockBit3.0-Builder-Ransomware-main
C:\Documents and Settings\M??c\Downloads\LockBit-Black-Builder-main
C:\Documents and Settings\M??c\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000
TeamViewer was installed 2 days prior to the encryption.
UAC is disabled. Make sure to enable it.
Also we recommend enabling detection of potentially unsafe applications.
-
Nightowl gave kudos to Marcos in Real-time file system protection is non-functional on Server 2016 / ESET Server Security 9.0.12013.0
This worked for me:
- set the system date to one before Dec 7
- rebooted the server to ensure that drivers are loaded
- installed EFSW 9.0.12018.0 over 9.0.12013.0
- rebooted the server
-
Nightowl gave kudos to Daidai in Empty dropdownbox in Service when creating/editing firewall rules after EIS upgraded to 17.0.15.0
The issue is resolved in 17.0.16.0, thank you ESET.
-
Nightowl gave kudos to Nate Simpson in No support for Ubuntu 23.04
As I understand from one of my colleagues, this is because it is locked to an extended hardware support module.
"linux-headers-generic-hwe-22.04" is required, which is an LTS-specific package not needed in the rolling releases. Enabling support for/use of "linux-headers-generic" would seem to at least partly resolve the issue, even if this was only available as an alpha/unsupported config.
-
Nightowl gave kudos to Mr_Frog in Product renaming confusion
You have to read this and you will get it:
https://help.eset.com/home_eset/en-US/products_features.html
-
Nightowl received kudos from itman in Threat: HTML/ScrInject.B trojan false-positive website
Clicking "Go Home" would trigger
hxxps://watchseries.id/home;HTML/ScrInject.B trojan
-
Nightowl gave kudos to eornate in Can not install Eset file server for windows server standard 2016
Hi,
After updating the OS, I can install the ESFW.
Thanks for your support.
-
Nightowl received kudos from van thai in Can't get to localhost:3000
Try to temporarily disable your Web Access Protection; it probably should work, but I know you will remain without Web Access Protection. This is my workaround for accessing my VPN application. (No, I don't work for ESET, so this is not an official answer.)
-
Nightowl gave kudos to Peter Randziak in ESET Endpoint Linux v10 Web Access + FortiClient
Hello @Nightowl,
thank you for the update.
What response have you received from the ticket?
Peter
-
Nightowl received kudos from Peter Randziak in ESET Endpoint Linux v10 Web Access + FortiClient
When I made contact in July, I was told that it's a known issue between VPN and Web Access Protection and it will be looked at in the future.
-
Nightowl gave kudos to Marcos in TrojanDownloader:O97M/Emotet!pz
We confirm it's a false positive by Microsoft.
-
Nightowl gave kudos to nabeelmansoor in Scheduled Scans
Provide an option to select a default icon for ESET - like Kaspersky offers - I find the old icon to be neat!
-
Nightowl gave kudos to santoso in Invalid uninstall code
Hello Nightowl,
Thank you, I followed the instructions and finally could uninstall it.
Thank you,
Hello Kieran,
It was solved with the link Nightowl suggested.
Regards,
-
Nightowl gave kudos to Marcos in nod32 detection PowerShell/Agent.AQD
The machine has not been restarted for almost 2 days. Please restart it and see if the malware is cleaned from the registry during a startup scan. I don't see any reason why it wouldn't be, since the scheduled task is normally detected here.
Also I'd strongly recommend enabling:
Web access protection
Anti-Phishing protection
LiveGrid - feedback system
With Web access protection off you open the door to Internet-borne threats and we cannot help you clean the infection until ESET is configured properly for protection.
-
Nightowl received kudos from Peter Randziak in ESET Endpoint Linux v10 Web Access + FortiClient
Thank you Peter, I will do so if something happens.
Thanks for the assistance.
-
Nightowl gave kudos to itman in Stealers not detected
Today's discussion is why initial detection of infostealers, recent malware loaders I have analyzed, etc. is so difficult. For starters, they employ both sandbox and behavior evasion tactics.
My analysis of the above yields the following activities:
1. Spawning one or more identical child processes of itself.
2. Malicious code injection into one of the child processes, usually done remotely but not always, and execution of that code.
Sandbox evasion occurs if the initially run .exe, usually a shell, detects it is being monitored; it simply creates a process that does not perform any of the above activities. Of note, there is nothing malicious about this payload (parent) process.
Behavior evasion occurs by performing the above 1) and 2) activities. How?
It deals with how most AVs do behavior monitoring. If the AV detects anything suspicious with the payload (parent) process, it will set a hook, usually a .dll, into that process to monitor activities. If the parent process spawns a child process/processes that are copies of itself, no monitoring hook is set in those processes.
Since the child process is now running in an un-monitored AV state, malicious code injection into it can occur unimpeded.
Next, many legit processes spawn copies of themselves, most notably browsers.
There is a Sigma rule that detects parent/child process cloning. Once triggered, process reputation evaluation needs to be performed.
If the process reputation status is unknown or low, the parent process needs to be flagged as suspicious and blocked from executing. Alternatively, the AV needs to set its behavior monitoring hook into any spawned child process. The issue here is that it appears these child processes are being created from the dropper shell and not the parent process. Therefore, shell processes need to be monitored for like behavior.
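Detection logic of the kind the post describes, as an added example that is not part of the original post: it groups process-creation events where a process spawns copies of itself, exempts images with a high reputation (browsers), and marks an unknown-reputation parent for blocking with its clone children for hooking. The event fields, paths and reputation table are constructed for the example.

```python
"""Parent/child self-cloning detection with reputation triage (added example,
not from the original post). Events mimic Sysmon Event ID 1 fields and are
constructed; the reputation table stands in for a vendor's cloud lookup."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str         # full path of the newly created process
    parent_image: str  # full path of the process that created it

# Constructed reputation table; anything unlisted is "unknown".
REPUTATION = {r"c:\program files\mozilla firefox\firefox.exe": "high"}

def reputation(image: str) -> str:
    return REPUTATION.get(image.lower(), "unknown")

def find_clone_parents(events):
    """Group clone events (child image == parent image) by parent pid;
    this is the condition the Sigma-style rule in the text fires on."""
    clones = defaultdict(list)
    for e in events:
        if e.image.lower() == e.parent_image.lower():
            clones[e.ppid].append(e)
    return clones

def triage(events):
    """Return {parent_pid: verdict}: high reputation (browsers) is allowed;
    otherwise block the parent and hook every clone child."""
    verdicts = {}
    for ppid, kids in find_clone_parents(events).items():
        rep = reputation(kids[0].image)
        if rep == "high":
            verdicts[ppid] = "allow"
        else:
            verdicts[ppid] = f"block_parent;hook_children={len(kids)};rep={rep}"
    return verdicts

# Constructed sample: a browser cloning itself once, and an unknown binary
# launched from a shell that spawns two identical children of itself.
FF = r"C:\Program Files\Mozilla Firefox\firefox.exe"
UPD = r"C:\Users\Public\update.exe"
SAMPLE_EVENTS = [
    ProcEvent(100, 1, FF, r"C:\Windows\explorer.exe"),
    ProcEvent(101, 100, FF, FF),
    ProcEvent(200, 150, UPD, r"C:\Windows\System32\cmd.exe"),
    ProcEvent(201, 200, UPD, UPD),
    ProcEvent(202, 200, UPD, UPD),
]
```

Running `triage(SAMPLE_EVENTS)` allows the Firefox parent and flags pid 200 with two children to hook; in real telemetry the reputation lookup would be the vendor's, not a static table.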