facingthesea

Everything posted by facingthesea

  1. If ESET's HIPS can terminate the process that triggers a specific rule, we can also set the decoy files ourselves.
  2. These "bait" files can use special file names to make them the first to be encrypted. Remind users not to open them, or set hidden attributes for them. This technique, used by many AVs, effectively prevents ransomware and rarely causes unnecessary user requests. At least, it can be used in personal products. As for the legal issue you mentioned, the "bait" files do not need to appear in the form of a "protected folder" function, but only as a means of detection.
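The bait-file approach described above, as an added example that is not code from the forum post or from ESET: plant a hidden decoy whose name sorts first in a folder, keep its hash, and alert when it is written, renamed or deleted. The decoy name is a constructed placeholder, and this script only alerts; terminating the writing process is left to a HIPS as the post describes.

```powershell
function New-DecoyFile {
    param(
        [Parameter(Mandatory)] [string] $Folder,
        [string] $Name = '!!!_report.docx'   # '!' sorts before digits and letters
    )
    $path = Join-Path -Path $Folder -ChildPath $Name
    # Random content so every machine's decoy has a different hash
    Set-Content -LiteralPath $path -Value ("decoy " + [guid]::NewGuid()) -Encoding ascii
    # Hidden so users do not open it by accident, as the post recommends
    (Get-Item -LiteralPath $path -Force).Attributes = [IO.FileAttributes]::Hidden
    return [pscustomobject]@{
        Path = $path
        Hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}

function Test-DecoyIntact {
    param([Parameter(Mandatory)] $Decoy)
    # Deleted or renamed decoys count as tampered
    if (-not (Test-Path -LiteralPath $Decoy.Path)) { return $false }
    return (Get-FileHash -LiteralPath $Decoy.Path -Algorithm SHA256).Hash -eq $Decoy.Hash
}

function Start-DecoyWatch {
    param([Parameter(Mandatory)] $Decoy)
    $dir  = Split-Path -Path $Decoy.Path -Parent
    $leaf = Split-Path -Path $Decoy.Path -Leaf
    # Watch only the decoy itself; an encryptor that walks the folder in
    # name order touches it before any real document
    $watcher = New-Object System.IO.FileSystemWatcher -ArgumentList $dir, $leaf
    $watcher.NotifyFilter = [IO.NotifyFilters]'FileName, LastWrite, Size'
    $watcher.EnableRaisingEvents = $true
    foreach ($name in 'Changed', 'Deleted', 'Renamed') {
        Register-ObjectEvent -InputObject $watcher -EventName $name -Action {
            $e = $Event.SourceEventArgs
            Write-Warning ("Decoy {0}: {1} at {2}" -f $e.ChangeType, $e.FullPath, (Get-Date -Format o))
        } | Out-Null
    }
    return $watcher
}

# Usage (constructed): plant in Documents, start watching, then poll the hash
# $d = New-DecoyFile -Folder "$env:USERPROFILE\Documents"
# $w = Start-DecoyWatch -Decoy $d
# Test-DecoyIntact -Decoy $d   # $true while the decoy is untouched
```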
  3. It is late at night in Beijing time, so I may not reply to you afterwards.
  4. The bat is included in the attachment to my post. It is very simple:

         sc create c29275bfe6 binpath= %~dp0\c29275bfe6.sys type= kernel start= demand error= ignore
         regedit /s %~dp0\data.reg
         sc start c29275bfe6
         pause

     The registry that it imports is only rootkit data and does not modify other settings. It is also included in the attachment. You should turn to the first post on this topic and take a look. Or are attachments only visible to uploaders and administrators?
  5. Let me explain the test environment I use again, please don't ask repeated questions:
     - a Hyper-V virtual machine with Secure Boot enabled
     - Windows LTSC 2019 17763.2028
     - set Computer Configuration\Administrative Templates\System\Early Launch Antimalware to Good only in gpedit.msc, or use the default settings
     - ESET Internet Security 14.2.19 with pre-release update enabled
  6. This VM is running and I enabled secure boot. https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot The driver is loaded by the operating system and it follows the Driver Signing Policy. https://docs.microsoft.com/en-us/windows-hardware/drivers/install/kernel-mode-code-signing-policy--windows-vista-and-later-
  7. I have provided the driver through this topic and mail.
  8. I made it clear in the previous post that I enabled secure boot. This is a screenshot at the time, but you may not understand Chinese.
  9. In addition to this situation, there are other reasons that may cause rootkits to be installed. Imagine the following two situations:
     1. A rootkit is installed before the AV.
     2. The anti-virus software did not detect a rootkit at the beginning, so the rootkit was installed, and then the AV updated the database to detect the rootkit, but because of the rootkit's self-protection, the AV could not clean it, or even scan its files.
  10. I had done a system restart. In fact, this rootkit will only be fully installed after restarting, and many anti-virus products can easily remove it before restarting. Unfortunately, I did not test ESET in this situation. Sorry I forgot to mention this before, it may be helpful to your analysis. @Marcos
  11. No, this is a rootkit spread in China, known for its anti-antivirus technology. It has been in existence for many years, and it has stopped updating. This is a relatively late version. There is also a cheating software that seems to be written by the same author and uses a lot of similar techniques.
  12. This driver has a certificate that is valid from 2012/11/6 to 2013/11/7 and has been revoked.
  13. If the driver starts, WD won't be able to detect it either. This group policy prevented the driver from starting. In the subsequent manual scan, WD detected it as Trojan:Vamson.A!rfn and successfully cleared it.
  14. I can provide the source, but only if you can read Chinese.🙂
  15. 4. According to a test conducted by a netizen, on Windows 10 21H1, when Windows Defender is enabled, after setting Computer Configuration\Administrative Templates\System\Early Launch Antimalware in Group Policy to Good only, this rootkit is prevented from starting.
  16. 1. I tested it on a Hyper-V virtual machine with Secure Boot enabled.
      2. For this rootkit, ESET can't even scan it (can't open its files), not just can't clean it.
      3. Can you provide an authoritative source for this? The Microsoft documentation says this: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/early-launch-antimalware
  17. Thank you for your quick replies. My previous questions may not have been very clear.
      1. I know that the ELAM driver starts before other third-party components (including drivers), so does ekrn also start before other third-party components? For example, the rootkit in this post. After the rootkit starts, ekrn won't be able to scan it, so will ekrn scan it before the rootkit starts?
      2. Will ekrn send the scan results to the operating system to prevent malicious drivers from starting according to Computer Configuration\Administrative Templates\System\Early Launch Antimalware in the group policy? Or does ESET have another similar setting?
      All in all, does ESET have some mechanism to prevent rootkits from starting at boot time?
  18. Will ekrn scan the drivers before they are loaded?
  19. So it does not check whether other drivers are malicious before they are loaded?
  20. There is another question. Under what circumstances does ESET's ELAM driver work?
  21. The driver and registry are extracted from the infected computer, so I don’t have the executable that installs the driver. The compressed package contains a bat file for importing the registry and installing the driver. This driver is the main body of the malware. Is this OK? (Excuse me, I'm not good at English, and I don’t know if this tone is offensive.)
  22. Hi Dear ESET Admins. Sorry, I'm not good at English, so I may make some grammatical mistakes. Some netizens shared a rootkit that locks the browser start page and invited everyone to test whether anti-virus software can clear it after it is installed. I tested ESET and ESET couldn't even open its files. After I set Computer Configuration\Administrative Templates\System\Early Launch Antimalware to Good only in gpedit.msc and restarted, the rootkit will still be loaded. Under what circumstances does ESET's ELAM driver work?
      run_bat.zip Password: infected
      When the rootkit is not installed, ESET detects it as Generik.MVDZQHX. ESET cannot detect it after it is installed.
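To see what the "Good only" policy discussed in these posts actually controls, here is an added example (not code from the forum post, ESET or Microsoft) that reads the ELAM driver initialization policy, lists the registered ELAM drivers, and lists the boot-start kernel drivers that ELAM classifies. It assumes the policy is stored as DriverLoadPolicy under HKLM\SYSTEM\CurrentControlSet\Policies\EarlyLaunch; the value table is my own.

```powershell
$services  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
# Assumed mapping of DriverLoadPolicy values to the Group Policy choices
$meaning = @{
    1 = 'Good only'
    3 = 'Good and unknown'
    7 = 'Good, unknown and bad but critical'
    8 = 'All'
}

function Get-ElamPolicy {
    $p = Get-ItemProperty -Path $policyKey -Name DriverLoadPolicy -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'not configured (Windows default applies)' }
    $v = [int]$p.DriverLoadPolicy
    return ("{0} = {1}" -f $v, $meaning[$v])
}

function Get-ServiceEntry {
    # One object per service/driver key, with Start, Type, Group, ImagePath
    Get-ChildItem -Path $services -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue }
}

function Get-ElamDriver {
    # ELAM drivers are registered in the "Early-Launch" load order group
    Get-ServiceEntry | Where-Object { $_.Group -eq 'Early-Launch' } |
        Select-Object PSChildName, ImagePath, Start
}

function Get-BootStartKernelDriver {
    # Type 1 = kernel driver, Start 0 = boot start. ELAM evaluates these
    # before they initialize. A driver registered with start= demand
    # (Start 3), as in the sc create line posted above, is not boot-start.
    Get-ServiceEntry |
        Where-Object { $_.Type -eq 1 -and $_.Start -eq 0 -and $_.Group -ne 'Early-Launch' } |
        Select-Object PSChildName, ImagePath, Group
}

"ELAM DriverLoadPolicy: $(Get-ElamPolicy)"
"ELAM drivers:"
Get-ElamDriver | Format-Table -AutoSize
"Boot-start kernel drivers outside the Early-Launch group:"
Get-BootStartKernelDriver | Format-Table -AutoSize
```

Run it from an elevated prompt; comparing the boot-start list before and after installing a suspect driver shows whether the driver is even in ELAM's scope.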
  23. I want to change my display name to Latin to comply with the forum rules. Thank you.