murko

Members
  • Posts

    18
Posts posted by murko

  1. 11 hours ago, itman said:

    Yes, because as far as Windows is concerned, it is conhost.exe doing the network communication.

    Now infected conhost.exe could spawn a malicious child process that could perform network communication, but that's another discussion. However, since ver. 16.2 firewall includes child process option, you're covered.

    Thanks for the clarification. About ver. 16.2 - I am a bit confused, as our ESET Endpoint Security shows latest ver. 10.1.2050.0.

  2. 3 minutes ago, itman said:

    Referring to the command line string associated with conhost.exe, it looks like packed code to me. If that's the case, no code injection occurred to conhost.exe. When conhost.exe loaded, the packed code loaded into its memory space. Then the attacker unpacked it in memory and executed it.

    In such a case, would the firewall/IDS rules still be effective?

  3. 2 minutes ago, itman said:

    This puppy has been flying under the radar for some time. The Reddit article is 10 months old.

    Out of curiosity, check Win add/remove programs and see if there is an entry for WindowsMalwareProtection or MicrosoftMalwareProtection

    Already checked, nothing there. Also scanned all drives for such files/folders, nothing except the ones mentioned before.

  4. 8 minutes ago, itman said:

    Another important detail from the Reddit article I forgot to post. It is conhost.exe that is performing the remote communication;

    Makes sense since conhost is what contains the malware code. So I will add an Eset firewall rule to block conhost.exe communication.

    Nice summary. As a preventive measure, it's good to block that conhost.exe, but it doesn't solve the root of the issue - where it came from / what exactly causes it / how to detect it beforehand, imho.
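    The posts above turn on one observation: conhost.exe normally has no reason to talk to the network, and an implanted conhost.exe may also spawn children that do. The following PowerShell is an added example written for this page (it is not ESET's code and not something from the thread): it lists every TCP connection owned by a conhost.exe process, shows its full command line (the packed-looking string itman refers to would appear there) and its parent, and then lists any child processes conhost.exe has spawned. It only reads process and connection state; it blocks nothing.

```powershell
# Added example (not from the thread): inventory network activity tied to conhost.exe.
# Run in an elevated PowerShell on the affected host; read-only, makes no changes.

# All live conhost.exe processes, keyed by PID, with command line and parent.
$conhosts = @{}
foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'conhost.exe'") {
    $conhosts[[int]$p.ProcessId] = $p
}

# 1) TCP connections whose owning process is conhost.exe (Bound entries carry no peer).
$connections = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.State -ne 'Bound' -and $conhosts.ContainsKey([int]$_.OwningProcess) }

$report = foreach ($c in $connections) {
    $proc   = $conhosts[[int]$c.OwningProcess]
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Pid         = $proc.ProcessId
        Remote      = "$($c.RemoteAddress):$($c.RemotePort)"
        State       = $c.State
        Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { '(parent exited)' }
        CommandLine = $proc.CommandLine   # a long packed/encoded string here is the detail to look at
    }
}

if ($report) {
    Write-Host "conhost.exe processes with TCP connections:"
    $report | Format-List
} else {
    Write-Host "No TCP connections owned by conhost.exe at this moment."
}

# 2) Children spawned by any conhost.exe (the bypass itman mentions for a per-process rule).
$children = Get-CimInstance Win32_Process |
    Where-Object { $conhosts.ContainsKey([int]$_.ParentProcessId) } |
    Select-Object ProcessId, ParentProcessId, Name, CommandLine

if ($children) {
    Write-Host "Child processes of conhost.exe:"
    $children | Format-Table -AutoSize
} else {
    Write-Host "No child processes of conhost.exe found."
}
```

    The script is a point-in-time snapshot, so a beaconing implant that connects only briefly may not be caught on a single run; looping it, or leaving an ESET firewall rule in place as itman suggests, covers the gaps. Any conhost.exe that shows up here with a parent other than a console-hosting process, or with children of its own, is worth a closer look.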

  5. 1 hour ago, itman said:

    As far as Autoruns goes of note is this from the Malwarebytes posting;

    Run Autoruns64.exe. Once it fully initializes, search for MicrosoftMalwareProtection and systemreset. Take a screenshot of the section where they are located. Don't modify anything yet.

    This is for systemreset:

    [screenshot attached]

    For MicrosoftMalwareProtection there is nothing; the only remotely similar entry is WindowsMalwareProtection:

    [screenshot attached]

  6. 24 minutes ago, itman said:

    Prior incidents of PowerShell/Agent.AEW trojan in the forum usually involved the creation of a Win service: https://forum.eset.com/topic/32255-powershellagentaew-trojan-keeps-coming-back-after-cleaning-and-reboot/?do=findComment&comment=150342 ; the service running SyncAppvPublishingServer.vbs; with the service being started via scheduled task.

    This current instance is different. It appears explorer.exe connects to the domain in question to either download the PowerShell malware or to run it remotely. In a remote PowerShell attack, the script being deployed must exist on the target device. So it is possible what is attempting to download from this domain is the script.

    SysInternals' Autoruns might be of assistance here, looking for a suspect explorer.exe task running at system startup time.

    Hi, what would you need from the Autoruns?

  7. 6 hours ago, Marcos said:

    Does deleting HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{26D015BE-52F8-423E-B5A2-512B57B991A1} in safe mode make a difference?

    Also please provide me with the file c:\program files\windowsmalwareprotection\config\systemreset.exe.

    Hi, I don't have that registry entry anymore (I ran MalwareBytes in the meantime, there were some entries which were deleted, can't remember now). In the attachment is the requested file: systemreset.rar

    EDIT: MalwareBytes log: mb-results.txt

    EDIT2: It does not make any difference, the issue still persists.
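    Marcos' question points at the two artefacts this infection leaves: a scheduled task stored under TaskCache\Tasks\{GUID} and a binary under c:\program files\windowsmalwareprotection\config. The PowerShell below is an added example written for this page (not ESET's tooling and not posted in the thread): it walks every scheduled task, flags any whose action references the names that appear in this thread, and resolves the task to its TaskCache\Tasks GUID so the registry key Marcos asked about can be located; it then hashes and checks the signature of systemreset.exe if it still exists. The name patterns are assembled from the thread and are the only assumption; the key layout (TaskCache\Tree\<task path> holding an Id value that equals the {GUID} subkey under TaskCache\Tasks) is how Windows stores tasks.

```powershell
# Added example (not from the thread): locate scheduled tasks tied to the names in this
# thread and map them to their TaskCache\Tasks\{GUID} registry entry. Read-only.

# Patterns taken from the thread; extend as needed for your own case.
$suspectPatterns = @('windowsmalwareprotection', 'systemreset', 'SyncAppvPublishingServer.vbs')
$treeRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'

$hits = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # COM-handler actions have no Execute; the string is then just the arguments (usually empty).
        $cmd = ("$($action.Execute) $($action.Arguments)").Trim()
        foreach ($pattern in $suspectPatterns) {
            if ($cmd -like "*$pattern*") {
                # TaskPath ends with '\', so TaskPath + TaskName is the relative Tree key path.
                $treeKey = Join-Path $treeRoot ($task.TaskPath.TrimStart('\') + $task.TaskName)
                $id = (Get-ItemProperty -Path $treeKey -Name Id -ErrorAction SilentlyContinue).Id
                [pscustomobject]@{
                    Task        = $task.TaskPath + $task.TaskName
                    State       = $task.State
                    Command     = $cmd
                    TaskCacheId = $id    # this is the {GUID} under TaskCache\Tasks
                }
                break
            }
        }
    }
}

if ($hits) {
    Write-Host "Scheduled tasks matching the thread's patterns:"
    $hits | Format-List
} else {
    Write-Host "No scheduled task actions match the patterns."
}

# Hash and signature of the dropped binary, if it is still on disk.
$suspectFile = 'C:\Program Files\WindowsMalwareProtection\config\systemreset.exe'
if (Test-Path -LiteralPath $suspectFile) {
    Get-FileHash -Algorithm SHA256 -LiteralPath $suspectFile | Format-List Path, Hash
    Get-AuthenticodeSignature -LiteralPath $suspectFile |
        Select-Object Status, StatusMessage, @{n='Signer'; e={ $_.SignerCertificate.Subject }} |
        Format-List
} else {
    Write-Host "$suspectFile not present."
}
```

    Keep the output (task name, GUID, hash, signature status) before removing anything: once a cleaner deletes the registry key, as happened here, the GUID and the link between task and binary are gone, and the file hash is what lets a vendor match the sample.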

  8. 3 hours ago, Marcos said:

    We are aware of an issue that could explain your situation (in short, the pool of NetBufferLists that belongs to a network card might get corrupted when we block something - i.e. that RDP in your case). We can confirm it if you send us a kernel memory dump. In the meantime, unchecking "block unsafe address after attack detection" (and reboot) should help you to mitigate the problem (although it is not 100% workaround). Or please try turning IDS off (and reboot), that should help as well.

    Hi,

    thanks for the reply. As for the kernel dump, I'll send it when I do the next installation/testing of EFS. Also, which one do you need? Complete or small dump?

    Btw, do you have some ETA when that mentioned issue would be resolved?

    Thanks.

  9. Hello,

    we recently installed for the very first time the latest EFS on our WS2016 server (simple domain server with AD services, DNS, RRAS VPN ...) and it resulted in a completely blocked network on the server side:

    - local clients can't connect to shared drives nor authenticate on logon to the domain

    - on the server any attempt to test the internet connection, or to ping even local client machines, fails

    - strangely enough - EFS is happily reporting that it successfully blocked a possible RDP attack from outside (dozens of public IP addresses)

    - the network utility in EFS reports blocking live IP addresses trying to connect via svchost.exe in the RDP/Host role

    - none of the blocked IP addresses in EFS are from our local IP range

    - completely disabling EFS won't change anything

    - completely disabling EFS and also Windows Firewall won't change anything

    - with or without an exception in IDS for our local IP range (starting IP/255.255.255.0) nothing changes

    - every test was made with complete server reboot


    At this point, I'm really clueless about what is causing such behaviour. I am completely sure that the problem is caused by EFS, since before EFS the server was happily working for years without any hiccup.

    The only thing I am probably left with is to uninstall EFS, but that is not a solution for a paying customer, right? (/sarcasm off).


    So, at least any meaningful help would be nice to have.

    Thanks.
