vanroy
Member
Posts: 116
Rank: Newbie
Location: Costa Rica
vanroy started following ECOS SLOW - BIG TENANT O365, HASH on the Inspect, Search URL or IP and 2 others

Hi, 1. How does Inspect generate the hash of an executable? 2. Why in some cases does the executable have an unknown hash? Best.

OK, thanks. This is a limitation of EIC; it should release and improve the Relationship graph.

Hello, is it possible to see the URL or IP of a site not listed as malicious when the endpoint downloaded malware from that site? ESET Inspect only sees the executions. With other XDRs this is possible. Thank you.

Hi James, thanks for your time. Best

@JamesR can you help me please?

Hello, what is wrong here?

<definition>
  <parentprocess>
    <operator type="AND">
      <operator type="OR">
        <condition component="FileItem" property="FileName" condition="is" value="php-cgi.exe" />
        <condition component="FileItem" property="FileName" condition="is" value="php.exe" />
      </operator>
      <condition component="FileItem" property="Path" condition="starts" value="c:\php\" />
    </operator>
  </parentprocess>
  <process>
    <operator type="AND">
      <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90" />
      <operator type="OR">
        <condition component="FileItem" property="FileName" condition="is" value="cmd.exe" />
        <condition component="FileItem" property="FileName" condition="is" value="conhost.exe" />
      </operator>
      <operator type="OR">
        <condition component="FileItem" property="Path" condition="starts" value="%SYSTEM%" />
        <condition component="FileItem" property="Path" condition="starts" value="%WINDIR%\syswow64\" />
      </operator>
      <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows" />
    </operator>
  </process>
  <operations>
    <operation type="CreateProcess">
      <operator type="and">
        <condition component="FileItem" property="FullPath" condition="is" value="c:\php\php.exe" />
        <condition component="FileItem" property="FullPath" condition="is" value="c:\php\php-cgi.exe" />
      </operator>
    </operation>
  </operations>
</definition>

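An added example, not ESET's code and not part of the post above: a small linter for the rule as quoted. It walks every `operator` block and flags an AND whose direct children require the same property to be "is" two different values, which can never match because a single event has only one FullPath; that is exactly the shape of the `<operations>` block in the post, where the two `FullPath is` conditions are joined by `and` rather than OR. It assumes only the rule grammar visible in the post (nested `operator` elements with a `type` of AND/OR and `condition` leaves), that `type` is compared case-insensitively (the post mixes `AND` and `and`), and that Windows paths are case-insensitive; those assumptions are mine, not ESET's documentation.

```python
"""Added example (mine, not ESET's code and not from the post): lint an ESET
Inspect rule for AND blocks that can never match. Assumptions not stated on the
page: operator 'type' compares case-insensitively (the post mixes "AND" and
"and") and Windows paths compare case-insensitively."""
import xml.etree.ElementTree as ET

# The rule quoted in the post, verbatim (raw string so the backslashes survive).
RULE_XML = r"""<definition>
  <parentprocess>
    <operator type="AND">
      <operator type="OR">
        <condition component="FileItem" property="FileName" condition="is" value="php-cgi.exe" />
        <condition component="FileItem" property="FileName" condition="is" value="php.exe" />
      </operator>
      <condition component="FileItem" property="Path" condition="starts" value="c:\php\" />
    </operator>
  </parentprocess>
  <process>
    <operator type="AND">
      <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90" />
      <operator type="OR">
        <condition component="FileItem" property="FileName" condition="is" value="cmd.exe" />
        <condition component="FileItem" property="FileName" condition="is" value="conhost.exe" />
      </operator>
      <operator type="OR">
        <condition component="FileItem" property="Path" condition="starts" value="%SYSTEM%" />
        <condition component="FileItem" property="Path" condition="starts" value="%WINDIR%\syswow64\" />
      </operator>
      <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows" />
    </operator>
  </process>
  <operations>
    <operation type="CreateProcess">
      <operator type="and">
        <condition component="FileItem" property="FullPath" condition="is" value="c:\php\php.exe" />
        <condition component="FileItem" property="FullPath" condition="is" value="c:\php\php-cgi.exe" />
      </operator>
    </operation>
  </operations>
</definition>"""


def find_unsatisfiable_ands(rule_xml: str) -> list:
    """Return (component, property, values) for every AND operator whose direct
    child conditions require one property to be "is" two different values.
    A single event has one FullPath, so AND(FullPath is A, FullPath is B)
    is a contradiction and the rule can never fire."""
    root = ET.fromstring(rule_xml)
    findings = []
    for op in root.iter("operator"):
        if (op.get("type") or "").upper() != "AND":
            continue
        required = {}  # (component, property) -> set of lower-cased "is" values
        for cond in op.findall("condition"):  # direct children only
            if cond.get("condition") != "is":
                continue
            key = (cond.get("component"), cond.get("property"))
            required.setdefault(key, set()).add((cond.get("value") or "").lower())
        for (component, prop), values in required.items():
            if len(values) > 1:
                findings.append((component, prop, sorted(values)))
    return findings


def fix_unsatisfiable_ands(rule_xml: str) -> str:
    """Rewrite an unsatisfiable AND to OR only when the intent is unambiguous:
    every child is an "is" condition on the same property with differing
    values. Mixed blocks (e.g. Path AND FileName) are left for a human."""
    root = ET.fromstring(rule_xml)
    for op in root.iter("operator"):
        if (op.get("type") or "").upper() != "AND":
            continue
        children = list(op)
        keys = {(c.tag, c.get("component"), c.get("property"), c.get("condition")) for c in children}
        values = {(c.get("value") or "").lower() for c in children}
        if len(children) < 2 or len(keys) != 1 or len(values) < 2:
            continue
        tag, _component, _prop, cond = next(iter(keys))
        if tag == "condition" and cond == "is":
            op.set("type", "OR")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for component, prop, values in find_unsatisfiable_ands(RULE_XML):
        print(f"unsatisfiable AND on {component}.{prop}: {values}")
    print(fix_unsatisfiable_ands(RULE_XML))
```

Run against the rule above it reports one finding, on `FileItem.FullPath`, and the rewritten rule has that block as OR; the `<parentprocess>` and `<process>` ANDs mix different properties and are left untouched.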
False positives of Windows system file detection
vanroy replied to pedoc's topic in Malware Finding and Cleaning
Resolution: do not use the developer version of Windows 11.

Hi, slow loading pages in the Users module. This causes the browser error message (see attachment) when assigning a policy to users. Firefox and Chrome, same in incognito mode. Regards.

Hello, why does ECOS load slowly on a tenant with 100k users? Datacenter in the USA. Does anyone else have this issue?

Detection by Endpoint Security alerts
vanroy replied to vanroy's topic in ESET Inspect On-prem (Detection and Response)
Hello @Lockbits @JamesR, thanks. Any other tips for optimization or for making exclusions and rules would be very appreciated. Best

Detection by Endpoint Security alerts
vanroy replied to vanroy's topic in ESET Inspect On-prem (Detection and Response)
Hello @JamesR

Hello, I have an issue with ESET Enterprise Inspector: login fails with "Login failed: UserInfoProvider: ESET Protect Server not available". It was working fine and the user password is correct. After 1 day the issue persists! All ESET PROTECT and ESET Enterprise Inspector services are running. ESET PROTECT and ESET Enterprise Inspector are installed on the same server. In the EEI log I see:

2022-03-31 14:29:33 02e0c Info: 2022-03-31 09:49:27 - audit(00000000-0000-0000-0000-000000000000 Login attempt Forbidden [User=Administrator])
2022-03-31 14:29:33 02e0c Info: 2022-03-31 10:24:04 - audit(00000000-0000-0000-0000-000000000000 Login attempt Forbidden [User=Administrator])
2022-03-31 14:29:33 02e0c Info: 2022-03-31 10:24:27 - audit(00000000-0000-0000-0000-000000000000 Login attempt Forbidden [User=Administrator])
2022-03-31 14:29:33 02e0c Info: 2022-03-31 10:25:08 - audit(00000000-0000-0000-0000-000000000000 Login attempt Forbidden [User=Administrator])
2022-03-31 14:29:33 02e0c Info: 2022-03-31 10:25:36 - audit(00000000-0000-0000-0000-000000000000 Login attempt Forbidden [User=Administrator])
2022-03-31 14:29:33 02e0c Info: 2022-03-31 14:21:23 - audit(00000000-0000-0000-0000-000000000000 Login attempt Forbidden [User=Administrator])
2022-03-31 14:29:33 03654 Info: ESET Protect: there was a problem while connecting to ESET Protect Server. User was blocked. Please try again later.
2022-03-31 14:29:33 0352c Info: ESMCMachinesMetadataSyncTask: Failed requesting static groups/machines metadata/alerts. User was blocked. Please try again later.
2022-03-31 14:29:33 03654 Info: ESET Protect: there was a problem while connecting to ESET Protect Server. User was blocked. Please try again later.
2022-03-31 14:29:33 02e0c Error: ESMCAuditExportTask: Error occurred while exporting audit to ESMC. User was blocked. Please try again later.
2022-03-31 14:29:33 00410 Error: ESMC: failure to authenticate during alarm export. User was blocked. Please try again later.
2022-03-31 14:29:33 03654 Error: ERADetectionEventsSyncTask: Failed to export alarms. User was blocked. Please try again later.

In the ESET PROTECT trace log I see:

2022-03-31 19:01:33 Error: ConsoleApiModule [Thread 36bc]: 1383 Error while sending AuthenticateUser request [UserName=Administrator] CUserAccessLimiter::CheckAccess(): User Administrator from ipserver was blocked.
2022-03-31 19:01:40 Error: CServerSecurityModule [Thread b4]: CUserAccessLimiter::CheckAccess(): User Administrator from ipserver was blocked.
2022-03-31 19:01:40 Error: ConsoleApiModule [Thread 36bc]: 1383 Error while sending AuthenticateUser request [UserName=Administrator] CUserAccessLimiter::CheckAccess(): User Administrator from ipserver was blocked.
2022-03-31 19:01:40 Error: CServerSecurityModule [Thread b4]: CUserAccessLimiter::CheckAccess(): User Administrator from ipserver was blocked.
2022-03-31 19:01:40 Error: ConsoleApiModule [Thread 36bc]: 1384 Error while sending AuthenticateUser request [UserName=Administrator] CUserAccessLimiter::CheckAccess(): User Administrator from ipserver was blocked.

Any ideas for what to check?
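An added example, not ESET's code and not part of the post above: a triage script over the log lines quoted in that post. It pulls the `Login attempt Forbidden` audit events out of the EEI log and reports, per user, how many there were and over what window; lists which EEI components then reported `User was blocked`; and extracts the user and source that ESET PROTECT's `CUserAccessLimiter` reports as blocked. The two line formats are inferred from the post itself; nothing else about either product's logging is assumed, and the regexes will simply skip lines that do not match.

```python
"""Added example (mine, not ESET's code and not from the post): triage the EEI
and ESET PROTECT log lines quoted in the post. Line formats are inferred from
those lines only; anything that does not match them is ignored."""
import re
from collections import defaultdict

# EEI server log lines copied from the post, one per line.
EEI_LOG = """\
2022-03-31 14:29:33 02e0c Info: 2022-03-31 09:49:27 - audit(00000000-0000-0000-0000-000000000000 Login attempt Forbidden [User=Administrator])
2022-03-31 14:29:33 02e0c Info: 2022-03-31 10:24:04 - audit(00000000-0000-0000-0000-000000000000 Login attempt Forbidden [User=Administrator])
2022-03-31 14:29:33 02e0c Info: 2022-03-31 10:24:27 - audit(00000000-0000-0000-0000-000000000000 Login attempt Forbidden [User=Administrator])
2022-03-31 14:29:33 02e0c Info: 2022-03-31 10:25:08 - audit(00000000-0000-0000-0000-000000000000 Login attempt Forbidden [User=Administrator])
2022-03-31 14:29:33 02e0c Info: 2022-03-31 10:25:36 - audit(00000000-0000-0000-0000-000000000000 Login attempt Forbidden [User=Administrator])
2022-03-31 14:29:33 02e0c Info: 2022-03-31 14:21:23 - audit(00000000-0000-0000-0000-000000000000 Login attempt Forbidden [User=Administrator])
2022-03-31 14:29:33 03654 Info: ESET Protect: there was a problem while connecting to ESET Protect Server. User was blocked. Please try again later.
2022-03-31 14:29:33 0352c Info: ESMCMachinesMetadataSyncTask: Failed requesting static groups/machines metadata/alerts. User was blocked. Please try again later.
2022-03-31 14:29:33 02e0c Error: ESMCAuditExportTask: Error occurred while exporting audit to ESMC. User was blocked. Please try again later.
2022-03-31 14:29:33 00410 Error: ESMC: failure to authenticate during alarm export. User was blocked. Please try again later.
2022-03-31 14:29:33 03654 Error: ERADetectionEventsSyncTask: Failed to export alarms. User was blocked. Please try again later.
"""

# Three of the ESET PROTECT trace lines from the post.
PROTECT_TRACE = """\
2022-03-31 19:01:33 Error: ConsoleApiModule [Thread 36bc]: 1383 Error while sending AuthenticateUser request [UserName=Administrator] CUserAccessLimiter::CheckAccess(): User Administrator from ipserver was blocked.
2022-03-31 19:01:40 Error: CServerSecurityModule [Thread b4]: CUserAccessLimiter::CheckAccess(): User Administrator from ipserver was blocked.
2022-03-31 19:01:40 Error: ConsoleApiModule [Thread 36bc]: 1383 Error while sending AuthenticateUser request [UserName=Administrator] CUserAccessLimiter::CheckAccess(): User Administrator from ipserver was blocked.
"""

# "<logged-at> <thread-id> <Level>: <message>"
EEI_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<thread>[0-9a-f]+) (?P<level>\w+): (?P<msg>.*)$")
# message of an audit entry: "<event-time> - audit(<guid> Login attempt <Result> [User=<name>])"
AUDIT_RE = re.compile(r"^(?P<when>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) - audit\([0-9a-f-]+ (?P<event>Login attempt \w+) \[User=(?P<user>[^\]]+)\]\)$")
# PROTECT access limiter: "CUserAccessLimiter::CheckAccess(): User <name> from <source> was blocked"
LIMITER_RE = re.compile(r"CUserAccessLimiter::CheckAccess\(\): User (?P<user>\S+) from (?P<src>\S+) was blocked")


def triage(eei_log: str, protect_trace: str) -> dict:
    """Summarise who was refused, when, what broke in EEI as a result, and
    what the PROTECT limiter says. Timestamps are 'YYYY-MM-DD HH:MM:SS', so
    min()/max() on the strings give the first and last event."""
    forbidden = defaultdict(list)  # user -> event times of "Login attempt Forbidden"
    blocked_components = set()     # EEI components whose message says "User was blocked"
    for line in eei_log.splitlines():
        m = EEI_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        a = AUDIT_RE.match(msg)
        if a and a["event"] == "Login attempt Forbidden":
            forbidden[a["user"]].append(a["when"])
        elif "User was blocked" in msg:
            blocked_components.add(msg.split(":", 1)[0])

    limiter = defaultdict(lambda: {"count": 0, "sources": set()})
    for line in protect_trace.splitlines():
        b = LIMITER_RE.search(line)
        if b:
            limiter[b["user"]]["count"] += 1
            limiter[b["user"]]["sources"].add(b["src"])

    return {
        "forbidden_logins": {u: {"count": len(t), "first": min(t), "last": max(t)}
                             for u, t in forbidden.items()},
        "eei_components_blocked": sorted(blocked_components),
        "protect_limiter_blocks": {u: {"count": d["count"], "sources": sorted(d["sources"])}
                                   for u, d in limiter.items()},
    }


if __name__ == "__main__":
    for key, value in triage(EEI_LOG, PROTECT_TRACE).items():
        print(f"{key}: {value}")
```

On the quoted lines this yields six forbidden attempts for `Administrator` between 09:49:27 and 14:21:23, after which every EEI component that talks to ESET PROTECT (`ESMCMachinesMetadataSyncTask`, `ESMCAuditExportTask`, `ERADetectionEventsSyncTask`, and the generic `ESET Protect` / `ESMC` connectors) reports `User was blocked`, and PROTECT's limiter names the same account with `ipserver` as the source. What the lines show, therefore, is that the credential the EEI server itself presents to ESET PROTECT is being rejected and then rate-limited, which is a separate question from whether the password typed into the EEI console is correct.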