Proactive Services

Members
  • Posts

    35
  • Joined

  • Days Won

    1

Everything posted by Proactive Services

  1. Malware installer link, when hovered over: Clean installer link:
  2. Interesting that some people are having trouble reproducing this. I can still re-create this as follows with Firefox or IE11 (clean profiles, clean machines both tested):

     Visit hxxp://sourceforge.net/projects/smplayer/files/Unstable/redxii-unstable/ Works if you're logged into SF or not.

     To get the malware installer:

     There is some bold blue text beside "Looking for the latest version?". The blue text reads "Download smplayer-14.3.0-win32.exe (21.4 MB)". Don't click on the link yet.

     Just below is some more blue text which states: "Direct Download Link". By default here, it reads "Off". If it reads "On", click the link so that it toggles to "Off".

     Screen shot when hovering over "Direct Download Link" (to follow, having problems with this editor)

     Click the "Download smplayer-14.3.0-win32.exe (21.4 MB)". An HTTPS POST transaction is initiated to ids.sourceforgecdn.com (I know this because Firefox gives me a prompt about sending information over a secure connection.)

     The malware installer is offered which has exactly the same file name as the clean installer: smplayer-14.3.0-win32.exe
     MD5: c29bf625fbc151f025ecfb135ed3065b
     Icon: "SF"
     Authenticode signature to the name of: IC-Forge via COMODO Code Signing CA 2
     Eset detects as: a variant of Win32/InstallCore.OY PUA
     VirusTotal analysis (Way to go Eset!)

     To get the clean installer:

     Ensure that the "Direct Download Link" is showing "On".

     Screen shot whilst hovering over (to follow, having problems with this editor)

     Click the "Download smplayer-14.3.0-win32.exe (21.4 MB)". HTTPS POST isn't sent (I get no prompt from Firefox.) A request is made to https://downloads.sourceforge.net and then on to hxxp://netcologne.dl.sourceforge.net/project/smplayer/SMPlayer/14.3.0/smplayer-14.3.0-win32.exe

     Clean MD5: 2e8bf2cae67facb0ea0669b4e6851901
     Icon: Orange DVD folder with a disc
     Authenticode signature to the name of "Open Source Developer, Ricardo Villalba" via Certum Level III CA
     No Eset detection
     VirusTotal results (0)
  3. Looks like it's bundled with InstallCore when the "Direct Download Link" is set to "Off". I put this in a VM and it pulled down all sorts of . You really, really don't want InstallCore's malware on your computer. Find alternative software and, ideally, report this abuse to sourceforge. They should not be hosting malware.
  4. Hi jeremyf,

     It sounds like it's worth checking your Eset settings to make sure you're making the best use of the various protections it offers. Check that your config is set to use Advanced Heuristics and detect potentially unwanted and unsafe software. Make sure it's being sent to the clients correctly too - I have found that some of the options are not picked up from the config XML files. It's worth going through every page and setting to check the options are set up how you want them to be. If your computers are high spec enough, run Advanced Heuristics on every option.

     Look at installing Microsoft's Enhanced Mitigation Toolkit. This adds another layer around Internet Explorer, Office, Adobe Acrobat etc. and, if you enable it, any other program. I've been installing this on all client computers by default now with very few problems. This will significantly help when protecting against drive-by exploits - one of its main functions.

     Evaluate your network shares to make sure that users can only access what they need to. It's easy to put in a temporary fix to a permissions problem to allow users to access everything but not get round to re-securing shares. Check that the workstations have as little access to each other as they need.

     Also make sure your backups are made in a way that malware on a trusted client or the server can't wipe them all out. Assume your server gets a virus like cryptolocker, and do what you can to mitigate what it can do.

     Also check that the programs your users have installed are set up securely - Adobe Reader, in particular, has a lot of options to lock down JavaScript, launching external programs, accessing the Internet etc. If you use Java, switch off the browser plugin or lock it down to specific sites. We all know how bad Flash is at updating itself - so set a schedule to manually check it.
  5. EMET is never overkill as it addresses different threats than anti-virus systems do. I've been rolling out EMET 4 to customers without problem, and trialing EMET 5TP which seems to be fine so far. Note that the recent Flash zero day is mitigated by EMET!
  6. Well, having written a detailed reply to your question, I was told by the forum: "Your secure key, used to verify you are posting the topic, did not match the one submitted. Please go back, reload the form, and try again." I can't get it to submit and, having come back to this page, my reply is gone. I'm sure someone else will come along and answer your question.
  7. Great to see Eset reaching out to its users to ask these questions. I imagine that it can be difficult to gauge what is best if you don't know what your users prefer! I'd also like to be able to optionally send telemetry to Eset about which UI elements are used most so that you can collect these sort of statistics in larger volumes.
  8. Thanks for the prompt reply! Glad to hear the documentation will be amended too.
  9. I'm having trouble finding documentation for the /clean-mode parameter for ecls.exe. The command-line, GUI and web site knowledge base help all state: There is no detail as to the difference between these and the three available options in the GUI. Would someone please clarify this?
  10. I always uninstall Ask toolbar whenever I see it on customer computers and it never stops bundled software from working. Ask toolbar is one of the many unwanted programs I come across often and I am glad that Eset is detecting it.