About facingthesea

  1. If ESET's HIPS can terminate the process that triggers a specific rule, we can also set the decoy files ourselves.
  2. These "bait" files can use special file names to make them the first to be encrypted. Remind users not to open them, or set hidden attributes for them. This technique, used by many AVs, effectively prevents ransomware and rarely causes unnecessary user requests. At least, it can be used in personal products. As for the legal issue you mentioned, the "bait" files do not need to appear in the form of a "protected folder" function, but only as a means of detection.
  3. It is late at night in Beijing time, so I may not reply to you afterwards.
  4. The bat is included in the attachment to my post. It is very simple:

     sc create c29275bfe6 binpath= %~dp0\c29275bfe6.sys type= kernel start= demand error= ignore
     regedit /s %~dp0\data.reg
     sc start c29275bfe6
     pause

     The registry that it imports is only rootkit data and does not modify other settings. It is also included in the attachment. You should turn to the first post on this topic and take a look. Or, are attachments only visible to uploaders and administrators?
  5. Let me explain the test environment I use again, please don't ask repeated questions:
     • a Hyper-V virtual machine with Secure Boot enabled
     • Windows LTSC 2019 17763.2028
     • set Computer Configuration\Administrative Templates\System\Early Launch Antimalware to Good only in gpedit.msc, or use the default settings
     • ESET Internet Security 14.2.19 with pre-release update enabled
  6. This VM is running and I enabled secure boot. https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot The driver is loaded by the operating system and it follows the Driver Signing Policy. https://docs.microsoft.com/en-us/windows-hardware/drivers/install/kernel-mode-code-signing-policy--windows-vista-and-later-
  7. I have provided the driver through this topic and mail.
  8. I made it clear in the previous post that I enabled secure boot. This is a screenshot at the time, but you may not understand Chinese.
  9. In addition to this situation, there are other reasons that may cause rootkits to be installed. Imagine the following two situations:
     1. A rootkit is installed before the AV.
     2. The anti-virus software did not detect a rootkit at the beginning, so the rootkit was installed, and then the AV updated the database to detect the rootkit, but because of the rootkit's self-protection, the AV could not clean it, or even scan its files.
  10. I had done a system restart. In fact, this rootkit will only be fully installed after restarting, and many anti-virus products can easily remove it before restarting. Unfortunately, I did not test ESET in this situation. Sorry I forgot to mention this before, it may be helpful to your analysis. @Marcos
  11. No, this is a rootkit spread in China, known for its anti-antivirus technology. It has been in existence for many years, and it has stopped updating. This is a relatively late version. There is also a cheating software that seems to be written by the same author and uses a lot of similar techniques.
  12. This driver has a certificate that is valid from 2012/11/6 to 2013/11/7 and has been revoked.
  13. If the driver starts, WD won't be able to detect it either. This group policy prevented the driver from starting. In the subsequent manual scan, WD detected it as Trojan:Vamson.A!rfn and successfully cleared it.
  14. I can provide the source, but only if you can read Chinese.🙂
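The decoy-file detection idea from post 2 above, as an added example that is not the poster's or ESET's code: plant hidden "bait" files whose names sort first, record their hashes, and report any decoy that was rewritten, renamed or deleted. The file names, the SHA-256 polling scheme and the Windows hidden-attribute call are my assumptions; the response (terminating the offending process) is left to the HIPS/EDR layer.

```python
import ctypes
import hashlib
import os
from pathlib import Path

# Assumed decoy names: the leading "!" sorts before normal user files, so an
# encryptor walking the directory alphabetically touches these first.
DECOY_NAMES = ["!00_decoy.docx", "!01_decoy.xlsx", "!02_decoy.jpg"]
DECOY_CONTENT = b"Decoy file for ransomware detection. Do not open or modify.\n"
FILE_ATTRIBUTE_HIDDEN = 0x02


def plant_decoys(directory: str) -> dict:
    """Write the decoy files and return {path: sha256} as the clean baseline."""
    baseline = {}
    for name in DECOY_NAMES:
        path = Path(directory) / name
        path.write_bytes(DECOY_CONTENT)
        if os.name == "nt":
            # Hide the bait so users are less likely to open it (Windows only).
            ctypes.windll.kernel32.SetFileAttributesW(str(path), FILE_ATTRIBUTE_HIDDEN)
        baseline[str(path)] = hashlib.sha256(DECOY_CONTENT).hexdigest()
    return baseline


def check_decoys(baseline: dict) -> list:
    """Return decoy paths that no longer match the baseline.

    A missing file covers deletion and the rename-with-new-extension pattern;
    a hash mismatch covers in-place encryption. Either is an alert condition.
    """
    tampered = []
    for path, digest in baseline.items():
        p = Path(path)
        if not p.exists() or hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            tampered.append(path)
    return tampered


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        base = plant_decoys(d)
        print("clean:", check_decoys(base))          # expected: []
        # Constructed tampering: overwrite one decoy in place, rename another.
        first, second = sorted(base)[:2]
        with open(first, "r+b") as f:
            f.write(b"\x00" * 16)
        os.rename(second, second + ".locked")
        print("alert:", check_decoys(base))          # expected: both paths
```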