AlSky

Members, 142 posts
Posts posted by AlSky

  1. 1 minute ago, itman said:

    Eset blocked the download as evidenced by the alert received.

    Next, the Let's Encrypt URL involved appears to download only its cert. revocation list. It is periodically re-downloaded during the day. As such, the next download after the incident was mitigated would have replaced the prior download.

    Thank you very much, @itman. My Firefox settings were different; I have now changed them to be safer. So I understand that certificates like the one I downloaded could not be affected by any kind of malware, right?

    Thanks in advance.

  2. 3 hours ago, itman said:

    Based on @Marcos prior comments on this incident, here's what I believe happened.

    An Akamai backbone server/s got hacked. It just happened to be hosting Let's Encrypt cert. downloads. Akamai responded quickly and mitigated the issue.

    Bottom line - the issue is not directly related to Let's Encrypt but rather to Akamai.

    Thanks a lot, @itman. How do you have Firefox configured? My file downloads don't give me options to choose from except when, as on May 22, the file was detected as malicious, or when a website tries to download a file automatically. Under normal conditions, if I click to download a file, it is downloaded without asking whether I want to continue. That's why on May 23 Firefox no longer gave me a choice; it just downloaded it.

    English is not my mother tongue, so I have some difficulty expressing myself or understanding technical issues in this language. Should I understand that the hack of an Akamai server hosting Let's Encrypt certificates did not affect the certificates themselves, and that there is no danger even if these certificates could be downloaded to computers?

    Thank you in advance.

  3. 1 hour ago, itman said:

    Refer to the Comments section in the VT analysis; specifically the three Joe's Sandbox scans performed 22 hours ago. Only one scan received a suspicious verdict. Finally, note that the scans referenced not just x2.c.lencr.org but also google.com. If you're going to be obsessive over this, you should be worried about google.com based stuff.

    You can't pick up an infostealer by just being redirected to a web site hosting one. Something has to be downloaded and installed on the device.

    Hello @itman, thank you so much for answering.

    That is exactly what worries me: the first time, Firefox blocked the download of a file and gave me the options to continue the download or delete the file without completing it (I chose the latter), but the second time neither Firefox nor ESET blocked it, and a 299-byte file ended up in my "My Downloads" folder, as I showed in a screenshot. In short, something was downloaded to my computer and I don't know whether that something was harmless or not. That's what worries me.

    What do you think? Thanks in advance.

  4. Hello. Today VirusTotal keeps flagging x2.c.lencr.org as suspected of loading the StealC and Lumma infostealers: https://www.virustotal.com/gui/url/d85ffc694e555ad7935df30fb361c401f747ebdf194596327df3e5e12b521fe0/detection

    Yesterday it was rated safe (CLEAN); today it no longer is, as seen in the screenshot.

    Is that something we should worry about?

    You don't feel safe without knowing whether there is malware capable of stealing information (passwords, etc.) on your computer.

    Virustoatl.jpg

  5. 3 hours ago, itman said:

    You shouldn't be attempting to access the URL via a browser.

    The URL is accessed via Windows svchost - crypto service to download Let's Encrypt certs., cert. statuses, etc. on a periodic basis.

    It was a mistake. I wanted to copy the link and accidentally clicked on it; it was not my intention to open it. Can that file contain malware, or is it harmless? Please tell me what you think. Thanks in advance.

  6. 1 hour ago, itman said:

    I wonder if this issue has something to do with Let's Encrypt updating of its "Chain of Trust" processing which appears to be in-progress and to be completed by June, 2024: https://letsencrypt.org/certificates/ ?

    Depending on which Let's Encrypt CA relay server you're being directed to, Eset will throw an alert?

    The second time, neither Firefox nor ESET stopped the download of the file from x2.c.lencr.org that I mentioned above. It is a 299-byte file. Is it safe, or should I be worried?

  7. 8 hours ago, itman said:

    Firefox starts most downloads in a temp file to speed up downloading. The temp file is auto deleted when the actual download completes. If you cancel the download in progress, you might see a 0-byte temp file in your downloads folder.

    It happened. This time Firefox did not detect the file as malicious and downloaded it: a white file of 299 bytes named qURnoJU9. What the hell is this? How can that URL download something to the computer? Is this dangerous?

    File.jpg
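The 299-byte file described in the post above is worth inspecting before deciding whether to worry. As an added example (not from this thread, and not ESET's or Let's Encrypt's code), the PowerShell below checks whether a saved file has the shape of a DER-encoded X.509 CRL, which is what a CRL distribution point such as x2.c.lencr.org serves, using only built-in tooling (Get-FileHash and certutil.exe). The file path is an assumption. The size is only a consistency hint: an empty CRL is a few hundred bytes, so a tiny file that certutil decodes as a CRL with zero entries is consistent with a revocation list that currently lists no certificates, while a file certutil rejects is something else and is better looked up on VirusTotal by its SHA-256 than opened.

```powershell
# Added example, not from the forum thread: classify a small downloaded file.
# The path is an assumption; point it at the file actually saved by the browser.
$Path = Join-Path $env:USERPROFILE 'Downloads\qURnoJU9'

function Test-DerCrlFile {
    param([Parameter(Mandatory)][string]$Path)

    $bytes  = [System.IO.File]::ReadAllBytes($Path)
    $result = [ordered]@{
        Path      = $Path
        Size      = $bytes.Length
        Sha256    = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        DerHeader = $false   # first byte is an ASN.1 SEQUENCE tag (0x30)
        IsCrl     = $false   # certutil decoded it as a revocation list
        Entries   = $null    # number of revoked serials listed
        Issuer    = $null    # issuer DN as printed by certutil
    }

    # Every DER-encoded X.509 object (certificate, CRL, PKCS#7) begins with a
    # SEQUENCE tag, 0x30. HTML or JavaScript would begin with printable ASCII
    # such as 0x3C '<' or a letter, so this alone already separates the cases.
    if ($bytes.Length -gt 2 -and $bytes[0] -eq 0x30) { $result.DerHeader = $true }

    # certutil -dump decodes certificates, CRLs and PKCS#7 blobs and prints the
    # structure; it exits non-zero on input that is not ASN.1 it recognises.
    $dump  = & certutil.exe -dump $Path 2>&1
    $lines = [string[]]($dump | ForEach-Object { "$_" })

    if ($LASTEXITCODE -eq 0 -and ($lines -match 'Certificate Revocation List')) {
        $result.IsCrl = $true

        # "CRL Entries: N" is the count of revoked serial numbers in the list.
        $m = $lines | Select-String -Pattern '^CRL Entries:\s*(\d+)' | Select-Object -First 1
        if ($m) { $result.Entries = [int]$m.Matches[0].Groups[1].Value }

        # Issuer block: the line "Issuer:" followed by indented CN=/O=/C= lines.
        for ($i = 0; $i -lt $lines.Count; $i++) {
            if ($lines[$i] -match '^Issuer:') {
                $parts = @()
                for ($j = $i + 1; $j -lt $lines.Count -and $lines[$j] -match '^\s+\w+='; $j++) {
                    $parts += $lines[$j].Trim()
                }
                $result.Issuer = ($parts -join ', ')
                break
            }
        }
    }
    [pscustomobject]$result
}

Test-DerCrlFile -Path $Path | Format-List
```

If IsCrl is true and Issuer names a Let's Encrypt intermediate, the file is the revocation list the URL normally serves and the browser simply saved what Windows fetches in the background; if certutil rejects the file, do not open it, and check the SHA256 value on VirusTotal instead of the URL, since a URL verdict says nothing about the bytes you actually received.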

  8. 7 hours ago, virus-checking said:

    I am getting the same alert via Anydesk being flagged as the issue. Eset is blocking x2.c.lencr.org on the machine. I went to it earlier and it downloads a cert to your machine. 

    That's what happened to me: I accidentally clicked on the link and it tried to download something, although Firefox apparently stopped it, detecting it as malicious.

  9. 7 hours ago, itman said:

    Firefox starts most downloads in a temp file to speed up downloading. The temp file is auto deleted when the actual download completes. If you cancel the download in progress, you might see a 0-byte temp file in your downloads folder.

    Thank you so much for answering, @itman. I clicked on "delete the file without ending the download" since Firefox had warned me that it was a malicious file. The 0-byte file in the "My downloads" folder disappeared. Does that mean it couldn't download anything to my computer?

    In any case, how can a URL that supposedly no longer works attempt to download something to the computer? And how is it possible that yesterday our computers tried to connect to that URL without our active participation and we received ESET alert messages blocking the connection? This is how some malware works.

  10. 8 hours ago, itman said:

    You shouldn't still be receiving Eset alerts. As @Marcos posted, the malicious URL redirect link has been removed from the offending CA web site. Post your most recent Eset Filtered web sites log entry related to the alert.

    My mistake, that wasn't the message I wanted to quote.

  11. 12 minutes ago, Marcos said:

    I don't know the exact purpose of the redirector that was there and pointing to a domain blocked by several other AV vendors. Unfortunately the URL doesn't work any more so it's not possible to find out what was there in the past.

    Something interesting happened to me. I tried to edit my previous post so that the URL was not visible as a link and accidentally clicked on it. ESET didn't detect anything, but Firefox did: it blocked the attempt to download a file from that link and gave me two options, complete the download or delete the file without finishing the download (a 0-byte file had appeared in the "My downloads" folder). How is that possible? Did it really download something to my computer from that link?

  12. 6 minutes ago, Marcos said:

    You don't need to be concerned. The c.lencr.org domain is used by the Let's Encrypt certification authority that provides certificate revocation lists.

    Good evening. I have the same problem, but I didn't even open Firefox. I just started the computer, opened Telegram Desktop and... voilà! Two messages saying that the process C:\Windows\System32\svchost.exe and the user NT AUTHORITY\Network Service were attempting to access hxxp://x2.c.lencr.org and had been blocked. I closed everything and restarted the computer; without opening any program, a new warning appeared that ESET had blocked the process C:\Windows\System32\svchost.exe and the user NT AUTHORITY\Network Service from accessing hxxp://x2.c.lencr.org. I don't know whether to worry or not. Why is my computer trying to connect to that website? Is it infected by malware? According to virustotal.com this website is used to load the StealC and Lumma infostealers.

  13. 7 minutes ago, Marcos said:

    Hard to say what happened on their server and if it was intentional or not but they had a loader there that loaded a JS from a site blacklisted also by some other vendors (we block only specific urls): https://www.virustotal.com/gui/url/f86c70c97124114df3e40736c366af117537cfbab490e81fe7e7c68ee08574ad

    Good evening. I have the same problem, but I didn't even open Firefox. I just started the computer, opened Telegram Desktop and... voilà! Two messages saying that the process C:\Windows\System32\svchost.exe and the user NT AUTHORITY\Network Service were attempting to access hxxp://x2.c.lencr.org and had been blocked. I closed everything and restarted the computer; without opening any program, a new warning appeared that ESET had blocked the process C:\Windows\System32\svchost.exe and the user NT AUTHORITY\Network Service from accessing hxxp://x2.c.lencr.org. I don't know whether to worry or not. Why is my computer trying to connect to that website? Is it infected by malware? According to virustotal.com this website is used to load the StealC and Lumma infostealers.
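The alerts described above name svchost.exe running as NT AUTHORITY\Network Service, and itman's reply further up attributes the periodic x2.c.lencr.org requests to the Windows crypto service running inside svchost. As an added example (not from this thread, and not ESET's or Microsoft's code), the PowerShell below lets you confirm that attribution on your own machine: it reports which svchost.exe instance hosts Cryptographic Services (CryptSvc) and under which account, shows its live TCP connections, and lists the CRL/AIA URLs cached under the NetworkService profile so a lencr.org entry can be matched to the alert. The expected values in the comments (the NetworkService account, `svchost.exe -k NetworkService`) are Windows defaults, not facts taken from the thread; the cache location is the documented CryptnetUrlCache path and the URL extraction from its metadata files is a best-effort decode. Run it from an elevated prompt, since the service profile directory is not readable by a standard user.

```powershell
# Added example, not from the forum thread: tie a "svchost.exe / Network Service
# accessed x2.c.lencr.org" alert to the CryptSvc service and its CRL cache.

function Get-CryptSvcIdentity {
    # Service record for Cryptographic Services: hosting PID, start account and
    # command line. Windows defaults: account NT AUTHORITY\NetworkService, and
    # PathName ending in "svchost.exe -k NetworkService -p".
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='CryptSvc'"
    [pscustomobject]@{
        Name      = $svc.Name
        State     = $svc.State
        StartName = $svc.StartName
        ProcessId = $svc.ProcessId
        PathName  = $svc.PathName
    }
}

function Get-CryptSvcConnections {
    # Live TCP connections owned by the CryptSvc host process. CRL fetches are
    # short plain-HTTP requests (port 80), so the list is often empty between
    # downloads; catching one in flight shows the remote address being reached.
    $svcPid = (Get-CryptSvcIdentity).ProcessId
    Get-NetTCPConnection -OwningProcess $svcPid -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State
}

function Get-CryptSvcCachedUrls {
    # CryptSvc runs as NetworkService, so the CRLs and issuer certificates it
    # fetches are cached under that service profile, not under the logged-on
    # user's profile ("certutil -urlcache" run as yourself shows only your own).
    # Each MetaData file stores the fetched URL as a UTF-16LE string; decoding
    # the file and matching an http(s):// token recovers it. The on-disk format
    # is undocumented, so treat this as a best-effort parse.
    $metaDir = Join-Path $env:SystemRoot `
        'ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData'
    if (-not (Test-Path -LiteralPath $metaDir)) { return }

    Get-ChildItem -LiteralPath $metaDir -File | ForEach-Object {
        $raw  = [System.IO.File]::ReadAllBytes($_.FullName)
        $text = [System.Text.Encoding]::Unicode.GetString($raw)
        if ($text -match '(https?://[\x21-\x7e]+)') {
            [pscustomobject]@{
                Url       = $Matches[1]
                LastWrite = $_.LastWriteTime
                Cache     = $_.Name
            }
        }
    }
}

# Usage: identity first, then anything currently connected, then cached
# Let's Encrypt URLs (the x*.c.lencr.org hosts are its CRL shards).
Get-CryptSvcIdentity | Format-List
Get-CryptSvcConnections | Format-Table -AutoSize
Get-CryptSvcCachedUrls | Where-Object Url -match 'lencr\.org' |
    Sort-Object LastWrite -Descending | Format-Table -AutoSize
```

If the alert's process and account match the CryptSvc record and a cached entry for the same lencr.org host appears with a recent LastWrite, the connection is the routine CRL refresh that itman describes, not something a user-launched program initiated. A svchost.exe that does not host CryptSvc, or one running from a path other than C:\Windows\System32, would be the thing worth investigating; this script only establishes the provenance of the request, it does not by itself assess what the remote host served.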

  14. 5 hours ago, Marcos said:

    Hard to say, probably smart optimization, the number of CPU cores and the type of scanned files has an effect on that.

    Does it happen if you disable also archives and SFX archives?

    Hi, Marcos. Thank you so much for answering.

    What are archives and SFX archives? English isn't my mother tongue. Can you post a screenshot of what I must disable in the scan to do it?

    Thanks.

  15. 9 hours ago, Marcos said:

    1. Regarding scanning of the files in the root of the C drive while scanning the c:\users folder, I assume this is due to multi-thread scanning introduced in v17.1.

    2. As an administrator, many more objects are scanned compared to a scan under a normal user.

    3. "when the number of files it says are scanned just stops, although you can see that it is still scanning files."
    This is a normal behavior when scanning objects like the registry, WMI or larger archives.

    Adding information, I couldn't edit the previous message.

    Thank you so much for answering, Marcos.

    Two questions.

    Why, in the result of the smart scan, do the files hiberfil.sys, pagefile.sys and swapfile.sys continue to be shown at the end, while in the result of the deep scan they are shown in the middle?

    Why does ESET spend almost three more hours scanning files even though it shows no increase in the number of scanned files? As you can see in screenshots 5 and 6, after 40 minutes the number of files scanned was the same. It went on like that for three hours, apparently analyzing something without showing an increase in the number of files analyzed. Something like this has never happened to me before. It could stop for a few minutes (three or four), but never three hours in which it is apparently scanning something but shows no increase in scanned files. This also happens if I disable the Boot Sectors/UEFI and WMI Database sectors so they are not scanned.

    Thanks a lot. Best regards.

  16. Hello, everyone. I am writing here about new problems with the on-demand deep scan. After updating the ESET product to version 17.1.9.0 and then to version 17.1.11.0, the deep scan shows the hiberfil.sys, pagefile.sys and swapfile.sys sectors in the middle of the scan result (see screenshot 1), whereas previously it was normal for them to appear at the end (see screenshot 2). The smart scan keeps displaying them at the end (see screenshot 3).

    Since last fall there was also a problem with the deep scan affecting the Boot Sectors/UEFI and WMI Database sectors, I proceeded to clear the cache and enable Pre-Release Updates to force an update again from there. I did a deep scan as an administrator, excluding those sectors. I noticed several things. First, the ESET product scanned more than three million files, when in normal mode (not as an administrator) it usually does not exceed one million. I expected some difference, but not one that large. And remember that it did not scan the Boot Sectors/UEFI and WMI Database either.

    Second, the scan shows, once again, that hiberfil.sys, pagefile.sys and swapfile.sys keep appearing in the middle of the scan result, at which point it seems to start scanning again. You can also see in the screenshot the number of objects scanned, more than three million, almost triple the usual for a normal scan (not as administrator), and it is not finished (screenshot 4).

    There comes a point (roughly 30 minutes after the start of the scan) when the number of files it reports as scanned simply stops increasing, although you can see that it is still scanning files. At 20:06, 3,026,327 files scanned (screenshot 5). At 20:46, 3,026,327 files scanned (screenshot 6). That is, the same number as before, but you can see that the name of the file being scanned is different in each screenshot, so it keeps running as if it were actually scanning files. And it seems that it is, because in the open scan window you can see that files are still being added to the scan list, files that cannot be opened [4] because they are in use. I mean, it looks like it is scanning. Whether the ESET product is repeating the scan of one or more sectors, or is now doing it out of order, or both, I do not know. Only at the end of the scan, more than three hours later, does it show the total number of files scanned: 3,172,570 (screenshot 7). It took three hours to go from 3,026,327 to 3,172,570 files. I did the same with scanning of the Boot Sectors/UEFI and WMI Database enabled, and it is the same.

    Is there a problem with deep scan again?

    Attachments: 1.png, 2.png, 3.jpg, 4.jpg, 5.png, 6.png, 7.jpg

  17. On 11/21/2023 at 3:53 PM, Marcos said:

    Cleaner 1245 is currently on the pre-release update channel. We'll continue with the release once the Antivirus and antispyware module 1605.2 with a workaround for the issue has been received by all users.

    Hi, Marcos. I regret to report that after my ESET product automatically updated to version 1245 of the Cleaner module today, the problem with the deep scan seems to have disappeared, but a new problem has appeared with the smart scan: it now takes as long as the deep scan (about three hours) and scans basically the same number of files (more than a million). I know because, after testing whether the deep scan problem had been fixed, I also ran a smart scan. Before, the smart scan took just over fifty minutes and scanned about half a million files. It is as if, when selecting the smart scan, the ESET product performs a deep scan instead of the one requested. And yes, I'm sure that I first selected a deep scan and after it a smart scan.

    Best regards.

  18. 5 hours ago, simplicissimus said:


    My mistake ... sorry ... I meant to say:

    Much more important than the release of version 17 is that the problem with the deep scan will finally be solved after more than a month!

    ... I was probably already asleep when I wrote that the issue has been solved.

    Ah, so you are talking about the future: you mean it will be fixed, but it hasn't been solved yet, right?

  19. 3 minutes ago, Marcos said:

    Cleaner 1245 is currently on the pre-release update channel. We'll continue with the release once the Antivirus and antispyware module 1605.2 with a workaround for the issue has been received by all users.

    Thanks. So that means those of us who still have version 1244 need version 1245 for the deep scan problem to be fixed, right? The user who says in this thread that the problem is fixed must have installed version 1245 from the pre-release channel. Right?

    Best regards.
