Tzatz

Members

  • Posts: 23
Kudos

  1. Upvote
    Tzatz gave kudos to Nightowl in Infected? Undetected Script wscript.exe loading from startup folder
    Just to note, Checkpoint uses Kaspersky engine hence why they both detect it.
  2. Upvote
    Tzatz gave kudos to itman in Infected? Undetected Script wscript.exe loading from startup folder
    Also if anyone is wondering what the code following ws.exe that is posted above is doing, per the stackoverflow article:
  3. Upvote
    Tzatz gave kudos to itman in Infected? Undetected Script wscript.exe loading from startup folder
    I will also note that it is common for an app to create a folder in C:\Users\xxxx\AppData\Roaming; e.g. C:\Users\xxxxx\AppData\Roaming\WS\. What is not normal is for an app to drop an executable in this folder.
    -EDIT- Finally is creation of the above folder plus creation and use of ws.exe within indicative of malware activity? Appears not according to this write up: https://www.freefixer.com/library/file/ws.exe-306704/ . Ws.exe is one of a number of aliases seen for wscript.exe.
    Clever attack I must admit.
  4. Upvote
    Tzatz gave kudos to itman in Infected? Undetected Script wscript.exe loading from startup folder
    One of the oldest malware methods in existence is to run something from C:\Users\xxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ directory. When a .lnk file is dropped there, Windows just refers to whatever the shortcut is pointing to and runs it automatically. The process is identical to what happens when you double mouse click on a desktop icon shortcut, but it is run immediately if located in a Windows startup location.
    I monitor anything created in C:\Users\xxxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ directory with Eset HIPS rules but creation of same is anything but straightforward. For example, there are hidden .ini OS files in that directory that are updated periodically by Windows. I also use another security product that auto blocks .exe, .lnk, etc. from running from this directory.
  5. Upvote
    Tzatz gave kudos to itman in Infected? Undetected Script wscript.exe loading from startup folder
    As far as I am concerned, Eset should have been flagging creation of .lnk files in Win auto run startup locations eons ago; at least in the consumer product versions. Corps. might be manually creating such references, but I know of no commercial software that does so.
    See the problem here is Eset for the most part is a "one solution fits all" product. The only recent concession Eset made originally for the consumer versions was its ransomware protection. And recent postings have questioned its effectiveness against 0-day ransomware.
  6. Upvote
    Tzatz gave kudos to Marcos in Why does Eset connect to Undocumented Endpoint az29176.vo.msecnd.net
    To avoid using CDN for program updates and use only ESET's servers that are under ESET's control, you'd need to use repositorynocdn.eset.com. However, this is not configurable in consumer products, only in business products.