rememberSiberia

Members
  • Posts

    16
About rememberSiberia

  • Rank
    Newbie

Profile Information

  • Location
    Hungary
  1. Sorry what I said above is wrong. You can have both HVCI and Credential Guard enabled, as shown here in the middle of the page (screenshot from someone's MSINFO32): https://docs.microsoft.com/en-gb/windows/security/identity-protection/credential-guard/credential-guard-manage#enable-windows-defender-credential-guard
  2. I think this is the explanation (I might be wrong): "So even if you had Credential Guard running and had LSA configured as a protected process, an attacker could manipulate process execution from within the kernel. That’s not strictly true anymore with the introduction of Hypervisor-protected code integrity (HVCI), which is specifically designed to protect the kernel against tampering. HVCI works by adding a degree of separation and moving control of the system’s memory to a secure runtime environment created by the hypervisor." It seems that HVCI supersedes Credential Guard, which is why I see "Hypervisor enforced Code Integrity" in MSINFO32 instead of "Credential Guard" (as detailed in the guide via the link that you provided - huge thanks again).
  3. Wow amazing thanks for sharing this. I think that's exactly my situation. Further down it also describes the Core Isolation functionality, which I have turned on. Perhaps that's ultimately the reason why LsaIso's details are blank. Do you have Core Isolation turned on? Also, since I have Core Isolation turned on and LsaIso details are blank (as explained this is evidence of VM being turned on, at least one of the two methods to check), then do I need to turn on Virtualisation Based Security in the Group Policy editor?
  4. Will give it a try, thanks. Forgive me if I am slow to comprehend, but since you are not using Win 10 Enterprise and have WD Credential Guard disabled (I assume this, since you said that you are running the Home version) and neither am I, then why do you suppose that you can see the full description of the process (name, path etc.) and I cannot, assuming that this is in fact a legitimate process on my end (in Live Grid / PE)? My premise is that for the purpose of WD Credential Guard, as you explained very thoroughly, our two systems are alike, so if in my case LsaIso were virtualised (which it isn't), that would be the reason why I would not be able to see the path (and any other details), right?
  5. Alright, thanks... still a mystery. I noticed that you linked VirusTotal to your Process Explorer. I haven't yet. Would you suggest that I link it and submit the results to VirusTotal?
  6. Thanks so much for your continuous help. May I ask if you are on Win10 Enterprise, in which case that is why you can see the path and I cannot? Otherwise, do you have any clue as to why I cannot see the path (nor any other details)?
  7. Thanks for your responsiveness! Could you please tell me whether in Process Explorer you can see the path of LsaIso? As mentioned above, mine says [Invalid access to memory location.], and that's the only one for which I can't see a path, even with Admin rights. The PID in Process Explorer matches that in Live Grid, and I can see the path from Live Grid (even though the name is uncapitalised), so I just want to close the loop on this issue and move on (hopefully), if that's not just in my case.
  8. Yes, in my case the PID in Live Grid and Process Explorer match (both 640 in my case). The difference I see is that in Process Explorer the name is capitalised, i.e. LsaIso, whereas in Live Grid it is not, i.e. lsaiso. Is that then the same process? So my question is... can malware hijack the PID number and pose as the same process, or would malware have a different PID (even though the name would be the same)?
  9. I just ran it as Administrator, and now all paths are showing properly. Thank you! Just one item that I do have a question on. LsaIso.exe's path is [Invalid access to memory location] and there is no description or company name. I checked online and this is part of Core Isolation if I am not mistaken (I have this enabled in the security settings). Is my understanding correct that this is not an issue, as it is purposely isolated from Process Explorer given the isolation, i.e. not even the explorer can recognise it even with Admin rights?
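The three most recent posts above (items 1 to 3) ask how to tell whether Credential Guard and HVCI are actually running, and items 7 to 9 ask whether an LsaIso.exe whose path Process Explorer cannot read is the expected process. The following PowerShell is an added example, not code posted by anyone in the thread or shipped by ESET or Microsoft. It reads the same Win32_DeviceGuard data that MSINFO32 displays (the numeric codes for SecurityServicesRunning are Microsoft's documented values), then checks the on-disk image of LsaIso.exe and lsass.exe by signature rather than by PID or name. Assumptions: an elevated prompt on Windows 10/11, and that when a process's path cannot be read from the live process the image is looked up at its expected System32 location, which is a fallback this example chooses, not something the thread states.

```powershell
# Added example for the thread above (not from the original posts).
# Run from an elevated PowerShell prompt on Windows 10/11.

# 1. Query the DeviceGuard WMI class, which is what MSINFO32 summarises under
#    "Virtualization-based security".
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

$vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
"VBS status: $($vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus])"

# Documented service IDs for SecurityServicesRunning:
# 1 = Credential Guard, 2 = HVCI (memory integrity / Core Isolation),
# 3 = System Guard Secure Launch, 4 = SMM Firmware Measurement
$svc = @{ 1 = 'Credential Guard'; 2 = 'HVCI'; 3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
$running = @($dg.SecurityServicesRunning | ForEach-Object { $svc[[int]$_] })
"Security services running: $(if ($running.Count) { $running -join ', ' } else { 'none' })"

# Both IDs can be present at once; HVCI and Credential Guard are separate services.
$cgRunning   = [bool]($dg.SecurityServicesRunning -contains 1)
$hvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)
"Credential Guard running: $cgRunning; HVCI running: $hvciRunning"

# 2. LsaIso.exe is the isolated LSA process that only exists when Credential Guard
#    is running. Process names on Windows are not case-sensitive, so 'lsaiso' and
#    'LsaIso' with the same PID refer to the same process.
$lsaIso = Get-Process -Name LsaIso -ErrorAction SilentlyContinue
$lsass  = Get-Process -Name lsass  -ErrorAction SilentlyContinue
if ($cgRunning -and -not $lsaIso) { Write-Warning 'Credential Guard reports running but no LsaIso.exe process found.' }
if (-not $cgRunning -and $lsaIso) { Write-Warning 'LsaIso.exe is running but Credential Guard is not reported as running.' }

# 3. Verify the image on disk instead of trusting PID or name. A PID is unique only
#    among processes alive at the same instant and is reused after a process exits.
function Test-SystemProcessImage {
    param([Parameter(Mandatory)][System.Diagnostics.Process]$Process)

    # Reading the main module needs PROCESS_VM_READ, which is refused for LsaIso.exe
    # (this is the "Invalid access to memory location" Process Explorer shows).
    $path = $null
    try { $path = $Process.Path } catch { $path = $null }

    # Assumption made by this example: fall back to the expected System32 location.
    if (-not $path) { $path = Join-Path $env:SystemRoot ("System32\{0}.exe" -f $Process.ProcessName) }

    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Name       = $Process.ProcessName
        PID        = $Process.Id
        Path       = $path
        PathFromPS = [bool]$Process.Path   # $false when the live process refused the read
        SigStatus  = $sig.Status            # expect 'Valid'
        Signer     = $sig.SignerCertificate.Subject
    }
}

$report = foreach ($p in @($lsaIso, $lsass) | Where-Object { $_ }) { Test-SystemProcessImage -Process $p }
$report | Format-Table -AutoSize
```

Useful reading of the output: a `VBS status` of `Running` with both `Credential Guard` and `HVCI` listed is the configuration item 1 describes, and in that state `LsaIso.exe` should appear with `PathFromPS` false but `SigStatus` `Valid` and a Microsoft signer on the System32 image. An `LsaIso.exe` whose signature is not valid, or whose fallback file does not exist, is the case where the thread's "could malware pose as the same process" question would need a closer look.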
  10. Sorry, one more question while we are on Process Explorer. I noticed that, similarly to this process where no Application Name is shown, when I check these processes some of them say "Error: Path not available". Do you also have these occurrences in your Process Explorer? All of these are sub-processes of what seem to be legitimate Windows processes, but I'm not sure. Thank you!
  11. It looks exactly the same in my Live Grid (blank Application Name, 6 months ago, the same number of users and reputation), however I also do not see any Details, which is hidden on your screenshot. I also ran Process Explorer and it looks just like on your screenshot, except for the PID (it matches with my Live Grid PID). Is it safe to assume that this is not an issue/malware?
  12. I am not sure how I can provide this file, as I cannot locate it. There is no path, and I do not see it in the running processes or services list. What would you suggest to do?
  13. Hi all, I noticed that the following application: startmenuexperiencehost.exe although with a high reputation and user count does not have an Application Name in ESET Live Grid (all other running processes have one and have high reputations and user counts). Also, the "Show Details" section for it is completely blank, i.e. no Path, Size, Description etc. I cannot find the process in either the Processes or Services tabs in Task Manager, even if I search by the PID from Live Grid or by the process name. Is this normal or should I be concerned that this is not in fact a legitimate process? Thank you!
  14. Thank you, Marcos! Could you please tell me where I would see an update on this specific issue? Would it be posted in the topic that you linked?