
NewbyUser
Content Count: 91
Days Won: 1
Kudos
NewbyUser received kudos from CEO888 in Future changes to ESET Internet Security and ESET Smart Security Premium
Thanks, I thought of suggesting customization lol. But it would be somewhat complicated and obviously not something worth the overall effort and not worth making it a priority. And yes, it probably is designed that way for ease of use. I've read a number of reviews complaining about the "myriad of settings" available. Seems most people just want a "protect me" button lol.
-
NewbyUser gave kudos to itman in "pyrate", Behavior Blocker Bypass POC
Nothing.
To begin, most Python ransomware attacks are targeted ones. So unless you're a corp., your chances of being targeted are about zip. Bundled Python runtime component attacks are very "noisy" and usually leave a lot of residual artifacts on the device. As such, they aren't suitable for RaaS concerns that are selling their ransomware to the hacker masses.
I don't have Python installed and have no intention of doing so. I am not a gamer that might be using software containing bundled Python runtime components. Neither am I part of the scientific or research community that might be sharing Python software so bundled. What I am doing will unconditionally block any Python script from running, legit or malicious.
-
NewbyUser gave kudos to itman in "pyrate", Behavior Blocker Bypass POC
It's been a slow forum posting weekend and it appears this thread has run its course. We have all had the opportunity to "rant and rave" about Eset Home version protection features we all wished we had and in reality, probably never will have. So it is time to expose this Python POC for what it is - fake ransomware. Err ..... what, you say? The POC encrypted files. Well so does a lot of legit encryption and other apps including user created ones. So let's get into this.
A few years back, the NextGen security software vendors were trying "to get traction" against the established AV vendors with their supposed superior behavior detection methods. Corresponding to this was the appearance of a proliferation of ransomware "simulators" which one was encouraged to test their existing AV solution with. The most infamous of these was RanSim produced by KnowBe4: https://www.knowbe4.com/ransomware-simulator . I wrote a thread about the methodology used by this product and similar ones here: https://forum.eset.com/topic/10792-ransomware-simulators-a-detailed-analysis/ . Eset subsequently commented upon RanSim tactics in their own published article on Eset ransomware protection:
https://cdn1.esetstatic.com/ESET/INT/Docs/Others/eset-vs-crypto-ransomware.PDF
So let's get into some details on the POC. First, note this from the POC's author posting about it at malwaretips.com:
Next is why no vendor on Virus Total detected the POC initially and I believe presently. That one is pretty straightforward. The ransomware portion of the POC never ran. The POC pauses program execution waiting for user input to continue. VT's automated sandbox analysis timed out waiting for input it does not respond to.
In summary, I am not 100% ruling out that techniques used in the POC could bypass existing Eset ransomware detection methods. However, a POC must be developed deploying real world ransomware deployment and execution methods with the most important being the program runs uninterrupted and encryption activities performed against all existing files in C:\Users\xxxx\Documents\*, etc. directories.
-
NewbyUser received kudos from peteyt in blocking government level spyware
A philosophical issue way beyond the scope of this forum here, but governments are made up of people, and are neither good nor evil. It is the nature of the people that brings the problem. Typically greed or fear are the greatest driving forces of what a government or its society becomes when they turn negative.
-
NewbyUser gave kudos to SeriousHoax in "pyrate", Behavior Blocker Bypass POC
All the ASR are available for Windows Defender too.
-
NewbyUser gave kudos to itman in HIPS Alert for Host process
At this point, you will have to track down what service is causing this and find out if it's legit.
-
NewbyUser gave kudos to Posolsvetla in Certificate Issues for Firefox 74.0 64bit
The issue is fixed in the Internet protection module version 1396; currently it is available on pre-release update servers.
-
NewbyUser gave kudos to Marcos in Filecoder Stop
I've found it submitted. Actually the problem is that on the website the ransomware note was inserted in a raw form without any html formatting (after <pre> and <code> tags) which triggered the detection.
-
NewbyUser gave kudos to mourad in vrius txt et qewe
Thank you a lot.
I will try your solutions and afterwards we will discuss
-
NewbyUser gave kudos to Marcos in PiHole & ESET Smart Security
While Windows is not officially supported, perhaps it runs on Windows as well according to this statement:
It was originally designed to run on Raspberry Pis. So, unless you had a Raspberry Pi, or a computer running Linux, you were out of luck. However, it's now available for Docker. This means it can be installed on any device which will run Docker, such as Windows PCs or Macs.
Anyways, ignoring the fact that it's Pi-hole, the DNS requests might have originated from antispam. Do you use MS Outlook or any of the supported email clients that ESET can integrate with?
-
NewbyUser received kudos from Super_Spartan in Dell Security Advisory Update?
Yeah, hard to say what they actually did lol. Did they update the image itself to apply patches in the image? lol or did they update the actual restore process itself? That seems unlikely as restoring typically occurs outside Windows and is a bit-by-bit overwrite so I doubt permissions are needed. It's not a very informative update summary, so it's hard to say what they actually changed.
-
NewbyUser received kudos from Super_Spartan in Dell Security Advisory Update?
https://www.dell.com/support/article/en-us/sln321036/dsa-2020-059-dell-os-recovery-image-insecure-inherited-permissions-vulnerability?lang=en
Seems to be addressing this https://www.dell.com/support/article/en-us/sln315190/dell-emc-idrac-multiple-vulnerabilities-cve-2018-15774-and-cve-2018-15776?lang=en
Either they're slow to patch it or it wasn't fully addressed in prior patching.
Or, likely, adding the patch to the restore image, so it would be one less thing to have to address should a restore be needed.
Summary:
Dell Windows 10 recovery images require an update to address an insecure inherited permissions vulnerability.