PassingBy

Posts posted by PassingBy

  1. On 4/14/2024 at 8:17 AM, Nightowl said:

    Is the Bing toolbar installed from Edge?

    Edge tries to force Bing bar on the Desktop

     

    I installed it separately years ago because my background screens wouldn't change. It was signaled as PUA on several occasions on and off during these years. But this time ESET wouldn't let me work on my files, so eventually I had to act on it.

  2. On 4/14/2024 at 10:25 AM, Marcos said:

    Please refer to https://forum.eset.com/topic/40574-msilmicrosoftbingd/ where it was discussed. Note that the Bing detection is not malware but a potentially unwanted application, which is not detected by default.

     

    Yes, but your notification kept blocking me from dragging files in File Explorer and I began to wonder what Bing could have to do with an internal, offline process while trying to connect to the outside. So I cleaned it up eventually.

    I still do not understand why all these generally "online" processes intrude into the internal offline tasks on the machine. There is no need whatsoever for Bing to know what I move around on my laptop.

    Maybe I am wrong.

    Thanks for the reference.

    E.

    So, I was putting some order in my "Downloads" folder, and all of a sudden, each time I tried to drag and drop files into different folders, the process crashed and ESET showed the MSIL BING_C PUA notice. I ignored it but it became impossible to use File Explorer and drag files... mid-drag the notification would pop up, the drag process would freeze and I had to click "Ignore" again. It all went into a loop until I clicked "Clean".

    I don't mind the cleanup, even if each time that happens, the active themes in my display and access window stop changing and everything becomes very boring.

    Are these MSIL BING_[LETTER] really a threat? Was Bing monitoring my operations in File Explorer when ESET triggered the notice? Why does that happen? What does BING have to do with my folder operations?

     

    Thanks for any insight.

    E

  4. On 4/7/2024 at 11:49 AM, Marcos said:

    Could you please uninstall v17.1.9 and install v17.0.16 from https://forum.eset.com/files/file/133-eset-security-17016/ ?
    Does the speed issue actually go away and return as soon as you upgrade to v17.1.19, and does disabling http/3 make no difference? What about disabling Network traffic scanner?

     

    Sorry Marcos, I was late in seeing this. Connectivity seems more or less fine, except for moments of real slowdown and overheating. I suspect part of the initial slowness was due to the post-quake issues in Taiwan. We had some 4G/5G issues for a few days after the quake. No disruptions, but slowdowns.

     

    I will keep monitoring and if further issues arise I'll post here again.

     

    Best.

     

    E.

  5. Thanks Marcos.

    Useful insights as usual. I retried this morning with both HTTP3 on and off and I see no signs of changes. On the positive side, the connection speed seems to be better. If it can help, we had a major quake here a few days ago and connectivity was never disrupted but speed did suffer at some points. I am mulling whether that is the issue rather than the update. I'll keep an eye on it and be back on this same thread if there is any news.

    Many thanks.

  6. So I am using mostly my mobile 4G for a while as I prepare to move to a different location.

    I had reasonable speeds so I didn't really worry about it. But as soon as I installed the latest EIS version my browsing experience on both mobile and laptop became incredibly slow. I also noticed quite an increase in heat on the laptop.

    If I disable EIS, everything goes back to normal.

    Any clue on how to fix this?

    Thanks

    E.

  7. 1 hour ago, Nightowl said:

    Try to update the Lenovo tools to a more recent version; if that doesn't fix the ESET detections then you can ignore it or proceed to remove the Lenovo tools.

    Unsafe detection with Lenovo probably means what has been detected is vulnerable; therefore ESET doesn't like it because it can be exploited to infect the machine.

    I've googled the OneKey Optimizer. It's related to battery management in the laptop. If there is no recent version with the vulnerability that ESET is mad about fixed, then I would ditch that and use Windows' internal power management.

     

    Hi Nightowl,

     

    Thanks for the insights. Actually, Vantage was just updated and now the Energy/Battery section offers a lot more data. The configuration on this Yoga is done in such a way that Windows power management doesn't offer the same functions, so I need to keep Vantage. I guess my next machine won't be a Lenovo.

  8. As per headline.

     

    I ran a scan, which is still ongoing, and instantly these two files popped up.

    C:\Drivers\OneKey Optimizer\setup.exe » INSTALLSHIELD » OneKey Optimizer.msi » MSI » ISSetupFile.SetupFile42 » INNO » {app}\bin\reaper_u.dll - a variant of Win32/Lenovo.G potentially unsafe application - action selection postponed until scan completion

    C:\Drivers\OneKey Optimizer\setup.exe » INSTALLSHIELD » OneKey Optimizer.msi » MSI » ISSetupFile.SetupFile42 » INNO » {app}\bin\reaper.dll - a variant of Win32/Lenovo.G potentially unsafe application - action selection postponed until scan completion

    The sole difference between the two seems to be the name: "dll" versus "u.dll".

     

    I think they're part of Lenovo Vantage, which I only use for power management but which has lots of exe tasks ongoing on my machine, including some I never liked too much but keep going.

    Any advice?

    Thanks

    E.


  9. 8 hours ago, itman said:
     

    Thanks Itman. I had read about it. Once I realized something was wrong I checked to see whether there were security notices about it and found out it had been around since at least 2019. Both my laptops and mobile are working fine, but this morning I noticed some email services on my mobile aren't syncing. Access to most emails seems fine but I didn't check all accounts. I did change the password for the account I used to experiment with the Evite invitation minutes after testing it. I changed it once more one day later. But my email client on Android isn't syncing (I had tried to open it also through Android, relying on the idea that the phishing threat was designed for Windows). It is not clear whether there are issues caused by that specific action or whether a recent mail client update is causing the issue. The client update (third-party app) occurred almost simultaneously.

     

  10. Hi everyone,

    First, I am aware this should be in another section but I put it here just as an appetizer for potential further investigation, which I hope is unnecessary.

    The story in short is this:

    1) I received a fake Evite invitation from a well known contact.

    2) Since I found it strange I sent him an email using the same account he used for the invitation (I have no other account) asking whether he had actually sent it (imagining a man-in-the-middle thing). No reply.

    3) Despite the suspicious activity, including the links etc., I gave it a shot with a secondary account I use. The result was denied access in both cases, on both Edge (Outlook 365 automatic redirection, asking me to connect to Adobe cloud with one of my email accounts) and Firefox showing a 403 error.

    4) I changed the password on the email account used to run the attempt. No other malicious behavior noticed.

    5) Contacted Evite, which confirmed the email is not from them and confirms the malicious nature of the email, advising me to clean up the data/cookies from all my browsers (all those used to execute activities on the email).

     

    Question: Any chance I am infected with something and ESET missed it? I can submit a copy of the email if necessary, but I'd prefer not to if possible.

    Thanks in advance for any insight.

    Rick

     

     

  11. I can't quite get the changes. For a start I need 3 licenses, not 5. I may need a VPN but I surely don't need a password manager and the rest of the features. The prices are completely off. Why can't they just offer standard Internet Security + VPN for the number of licenses we need? I have 2 laptops and 1 mobile device. Why do I have to pay for 2 extra licenses?
    Who is doing the marketing over there? Mickey Mouse?

  12. 18 minutes ago, Marcos said:

    I don't see any obvious errors logged; everything seems to be ok as far as direct cloud communication is concerned.

    What I would recommend is changing the logging verbosity to Information from Diagnostic and deleting C:\ProgramData\ESET\ESET Security\Logs\hipslog.dat in safe mode which has grown to 226 MB already.

    Also I see a lot of connections closed by server 111.249.134.80 which appears to be located in Taiwan. However, this is not any of ESET's servers and should not have any correlation with the LiveGrid issue.

     

    The IP is reportedly my provider. It is Taiwan. That is one of the reasons why I have been posting more frequently of late. Geographic position and other factors add up to the strange behaviors of machines and networks. If you recall, I posted a while ago on strange IP behaviors. I still have those. I waste considerable amounts of time monitoring those. Last but not least, I have someone who tries daily to find the password of one of my email accounts through repeated attempts to log in. He managed to open a Venmo account without being able to access my email and despite me deleting the confirmation emails I got from Venmo. He probably did it through social engineering. Bottom line, I am having quite a stormy period with threats and when the AV behaves like that I like to know what is going on.
    I will skip the ticket. It's just too troublesome.

    But thanks for the feedback.

    E.

  13. 17 minutes ago, Marcos said:

    The attachments here are accessible only by ESET staff. As for opening a support ticket, it's quite easy. Open https://support.eset.com, click Contact technical support at the bottom:

    Then select Home or Business -> Other issue -> Other -> "No, I still need help. Contact technical support" and fill in the form.

     

    As to the ticket: 1) The log is too big to be uploaded. 2) As I was completing the process the below occurred. I guess I won't try a second time as it's too lengthy.

    Thanks in advance for any help you may provide based on the log.

     

    eset8Ya4YyO9JF.jpg

  14. 1 minute ago, Marcos said:

    The attachments here are accessible only by ESET staff. As for opening a support ticket, it's quite easy. Open https://support.eset.com, click Contact technical support at the bottom:

    Then select Home or Business -> Other issue -> Other -> "No, I still need help. Contact technical support" and fill in the form.

     

    There it is. Will re-try the ticket, too.

    Thanks

    eis_logs.zip

  15. 6 minutes ago, Marcos said:

    You can upload it here but I'd recommend opening a support ticket as well so that the case is properly tracked and the logs checked by developers.

     

    Thanks Marcos,

    Opening a ticket from the support site gets me through the Knowledge Base and the usual drill, and there seems to be no easy way to open a ticket with a human operator. I understand why it's done but it proves impossible to open a ticket fast. I wish it were as easy as "Open a ticket" straight from the UI of ESET.

    I'd prefer not to upload in public here, if at all possible.

  16. Dear all,

    This just happened. Any clues?
    Also, earlier today I found two unknown users in the "Security" tab of the C drive. After checking the two SIDs I removed them. One didn't reappear, the other reappeared. ESET kept working also after a reboot and the issue below occurred randomly about 10 hours later, while watching videos. No other events detected.

     

    Thanks a lot for your help.

    Brief edit: This seems to be fixed, all alone. I'd still like to know whether the issue was on the ESET side.

     

    E.

    egui_0pEYCLrumI.jpg

  17. On 3/14/2023 at 9:49 PM, itman said:

    IPv6 addresses in the fe80::/64 range are local link addresses used for connectivity purposes on your device's local subnet. These addresses are not routable beyond the local subnet. Here's a good article that explains this in more detail: https://zivaro.com/what-you-need-to-know-about-ipv6-link-local-addresses/ .

    Also note that if your network connection in Eset is set up as trusted, all fe80::/64 addresses are automatically trusted.

    -EDIT-

    I guess I should also explain the ff02:: connections so you don't bork that processing.

    Open a command prompt window and enter the following command:

    netsh int ipv6 show neigh

    The output displayed will be similar to the following. Note that I have redacted my addresses. Also if you use a Wi-Fi connection, the Interface will be shown as such:

    Eset_Netsh.thumb.png.99b69afeea906ce74c7343f01caadad9.png

    What you observe is the result of DHCPv6 processing assigning via neighborhood discovery local link ff02:: equivalent broadcast addresses for your device and devices on your subnet allocated IPv6 addresses. The only IPv6 addresses not converted are my DHCPv6 DNS server and the fe80:: address assigned to my router/gateway.

     

    Dear Itman, thanks for the kind explanation and for the time you devoted to this.

    Understood.

    Thanks a million.

    R.
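    As an added illustration (not part of itman's post or of the thread), the script below takes a listing in the shape of `netsh int ipv6 show neigh` output and labels each address by scope, so that fe80:: and ff02:: entries can be told apart from addresses that can actually be routed off the local link. The sample listing and every address in it are constructed (fe80::/10, ff02::/16 and the 2001:db8::/32 documentation prefix); the helper names `classify` and `summarize` are this example's own, not ESET's or Windows'.

```python
"""Label IPv6 neighbor-cache entries by scope (added example, constructed data)."""
import ipaddress
import re

# Constructed sample resembling the table 'netsh int ipv6 show neigh' prints.
# These addresses are made up; they were not captured from any real machine.
SAMPLE_NEIGH = """\
Interface 12: Wi-Fi

Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
fe80::1                                       00-11-22-33-44-55  Stale (Router)
fe80::a1b2:c3d4:e5f6:7788                     aa-bb-cc-dd-ee-01  Reachable
ff02::1                                       33-33-00-00-00-01  Permanent
ff02::2                                       33-33-00-00-00-02  Permanent
ff02::1:ff00:1                                33-33-ff-00-00-01  Permanent
2001:db8:1234::53                             aa-bb-cc-dd-ee-02  Stale
"""

UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")            # RFC 4193 ULA
SOLICITED_NODE = ipaddress.ip_network("ff02::1:ff00:0/104")  # neighbor discovery
MCAST_SCOPES = {1: "interface-local", 2: "link-local", 4: "admin-local",
                5: "site-local", 8: "organization-local", 14: "global"}


def classify(text):
    """Return (label, leaves_link) for one IPv6 address string.

    leaves_link is False when a router will never forward packets to that
    address beyond the local link, which holds for every fe80:: and ff02::
    entry a neighbor cache contains.
    """
    addr = ipaddress.IPv6Address(text.split("%", 1)[0])  # drop any zone index
    if addr.is_unspecified:
        return "unspecified", False
    if addr.is_loopback:
        return "loopback", False
    if addr.is_link_local:
        return "link-local unicast", False
    if addr.is_multicast:
        scope = (int(addr) >> 112) & 0xF  # low nibble of the first hextet
        name = MCAST_SCOPES.get(scope, "reserved")
        kind = "solicited-node multicast" if addr in SOLICITED_NODE else "multicast"
        return f"{kind} ({name} scope)", scope > 2
    if addr in UNIQUE_LOCAL:
        return "unique-local unicast", True  # routable inside the site only
    return "global unicast", True


# A data row starts with an IPv6 literal; header and separator rows do not.
ADDR_RE = re.compile(r"^\s*([0-9A-Fa-f:]+(?:%\d+)?)\s+")


def summarize(neigh_output):
    """Map each address found in a neighbor-cache listing to (label, leaves_link)."""
    result = {}
    for line in neigh_output.splitlines():
        m = ADDR_RE.match(line)
        if not m or ":" not in m.group(1):
            continue
        try:
            result[m.group(1)] = classify(m.group(1))
        except ipaddress.AddressValueError:
            continue
    return result


if __name__ == "__main__":
    for address, (label, leaves) in summarize(SAMPLE_NEIGH).items():
        reach = "can leave the link" if leaves else "stays on the local link"
        print(f"{address:<30} {label:<45} {reach}")
```

    Run as-is it prints the constructed table with a scope label per row; to check a real machine, paste the output of `netsh int ipv6 show neigh` into `SAMPLE_NEIGH` instead. Only the entries labelled as leaving the link are candidates for a firewall rule in the first place.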

     

  18. 3 hours ago, itman said:

    As far as the Eset IP address shown, Robtex lookup shows:

    Eset_um05.thumb.png.b65c838cf4941fdf26655d52c7262c09.png

    Of note is Eset server connections are all IPv4 as far as I am aware of.

    Are you connecting exclusively via IPv6 since your screen shot only shows a local link IPv6 address? If so, your router is converting IPv4 addresses to IPv6 ones via 4to6 tunneling method. This might account for the strange activity you referenced.

    I am not worried about ESET connections. I am investigating the IPv6 addresses in the screenshot below (often it is just one associated). Since they are set as private and no information is provided, I think it's normal to express a degree of doubt on what they are doing on my machine. The second doubt is why EIS is not blocking them as instructed.

    TlLnTnD4J6.jpg

  19. 11 hours ago, Marcos said:

    Please provide complete logs. If necessary, upload the generated archive to a file sharing service and drop me a pm with a download link.

    Still it's not clear to me if you are concerned that ESET (ekrn) is communicating with unknown IPv6 addresses or that something else is communicating. Note that in automatic mode all outbound communication is allowed.

    The question is: why, despite me setting rules for the IPs and domains I want to block, do they still show among my connections? Is the firewall blocking, or are those rules inefficient? Am I doing something wrong? If so, what? Bottom line: how can I actually block IPs and domains from EIS?

  20. 10 hours ago, Marcos said:

    Please provide:
    - logs collected with ESET Log Collector
    - a couple of screenshots with comments that would clarify your concerns

    Here is a screenshot of what I see. On the right (redacted IPs) you have the normal IPs... they're mostly fine and link directly to my router's IP.

    On the left you see the others. That's today's. I have others for other days.

    I will try to drop a log later on but I think the screenshot is eloquent enough.

    ips.jpg
