Nightowl

Kaspersky just published an analysis on CamScanner:
https://securelist.com/dropper-in-google-play/92496/

Just came across a case when a user was hit by Filecoder.Phobos and asked how come they got infected with ESET installed. After analyzing logs, we found out that:
- the detection for the ransomware was added at least 2 months before the incident
- password protection of ESET's settings was not enabled
- detection of potentially unsafe applications was disabled

We also found out that:
1, A brute-force RDP attack was performed:
- Administrator had 22 377 failed login attempts
- ADMINISTRATOR had 5 438 failed login attempts
- ADMINISTRADOR had 1 102 failed login attempts
- ADMIN had 710 failed login attempts
2, There was a suspicious RDP connection from a foreign country
3, A local user GhostUser has been created recently
4, A legitimate tool that can be misused to kill security software has been installed recently (detected as pot. unsafe application)
5, Event logs have been recently cleared.

This is a proof that just having a security software installed is not enough; firstly RDP must be secured. Secondly, all critical operating system updates must be installed. Fourthly, ESET must be protected with a password and detection of potentially unsafe applications enabled to prevent protection from being tampered by unauthorized persons.

This is not an excuse. I see this all the time in the customers logs when brute force attacks are performed against RDP.

For more information, please refer to:
https://support.eset.com/kb6567/
https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/
https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf

Detected by many AVs:

I believe that it's possible through a windows failover cluster, you are counting on windows though in such cases and not on an Eset feature
https://help.eset.com/esmc_install/70/en-US/installation_cluster_windows.html

 

I never attempted to block Cortana using Eset HIPS. I use O&O ShutUp 10 to "harness" its activities.

Great! thank you!

Cheers for the clarification. Never use it so wasn't sure. 

You still get to set a scheduled scan or use it as on demand scanner but not as real time , indeed it does get disabled when ESET is installed in order to avoid conflicts.

Thanks @Rami . Good to know I'm not the only one at least I guess. 

Appears to me, the clients got nailed by a true 0-day malware. Also, it appears Eset created a new signature for this bugger, Win64/Vools.P.
It is encouraging that Eset was still able to detect it via AMS using a prior variant DNA signature.
BTW - what was the source of the svchost.exe injection?

Yes a 0-Day malware !
A Service with a Dll injector "FunctionRPCHelper.dll" that inject svchost.exe
😎

ESET is known for being light since the first version it was released when other AVs was plaguing and killing the machines like Norton in the XP days.
I believe ESET is still doing the same thing , staying light till this day. that might be the decision of saving the "15-26MB" of RAM.

ESET is known for being light since the first version it was released when other AVs was plaguing and killing the machines like Norton in the XP days.
I believe ESET is still doing the same thing , staying light till this day. that might be the decision of saving the "15-26MB" of RAM.

ESET is known for being light since the first version it was released when other AVs was plaguing and killing the machines like Norton in the XP days.
I believe ESET is still doing the same thing , staying light till this day. that might be the decision of saving the "15-26MB" of RAM.

ESET Internet Security does have a firewall included so that's why GlassWire firewall is disabled , so they won't conflict with eachother , you need to remove GlassWire firewall , If you would like to keep using it , then you will need to switch Internet Security for Antivirus.

That's perfectly ok. What would not be ok if the engine constantly doesn't get updates after more than an hour.

I have reinstalled Windows due to the bug of the CMD that I've posted about earlier (It's not related to ESET) , but I can confirm that Refer to your friend is not available for me also , I did download ESET from International Website , activated it again with my license , and Refer button is missing.
ESET Internet Security 12.0.27.0

Hello @Rami 
You are right ! That is a very friendly program?

It's not that big deal in my opinion @nonamelab, It's a way to bring more people to use ESET and in the same time giving the person who invited the other person who doesn't use ESET , a month of usage or more I don't remember exactly.

It's not that big deal in my opinion @nonamelab, It's a way to bring more people to use ESET and in the same time giving the person who invited the other person who doesn't use ESET , a month of usage or more I don't remember exactly.