PuterCare

Members
  • Posts

    69
  • Joined

  • Last visited

Kudos

  1. Upvote
    PuterCare gave kudos to itman in High severity HIPS event detected - how to work out cause?
    To begin, dismhost.exe running from the user temp folder is OK.
    I monitor dism.exe execution via Eset HIPS and the only thing that starts it on my Win 10 20H2 installation is cleanmgr.exe running from a Microsoft-set-up scheduled task.
    The above said, PowerShell usage is "baked into" Windows and is used internally for many OS functions. As such, it is entirely possible Windows internally is initiating the above activity you posted. As I posted previously, I monitor all Powershell.exe startup via Eset HIPS. I also monitor my Windows PowerShell event logs and I have multiple daily event log entries showing PowerShell running to perform required system maintenance activities. Also, I have never once received an alert from my Eset HIPS PowerShell startup rule in regards to this activity. So however Windows is running PowerShell in the background, the Eset HIPS doesn't detect this activity.
    Bottom line is I have seen enough to state that the recommended Eset HIPS rule to monitor child process startup from PowerShell wasn't thoroughly tested and should not be used.
  2. Upvote
    PuterCare gave kudos to itman in High severity HIPS event detected - how to work out cause?
    I erred in my original posting in this thread.
    I didn't implement Eset's recommended anti-ransomware HIPS rules per se. Rather, I made them more secure, which suits me personally. One of the revisions, for example, is that I monitor all Windows script executables' startup via a HIPS ask rule. This includes PowerShell.exe startup. As such, there was no need to use the recommended rule of monitoring all child process startup from PowerShell.exe.
    To use PowerShell legitimately, it must be allowed to start conhost.exe since it is the graphical interface element for PowerShell.
  3. Upvote
    PuterCare gave kudos to Marcos in High severity HIPS event detected - how to work out cause?
    You could create a permissive rule based on the rule "Deny child processes for powershell.exe" and add the path to conhost when specifying the path to target applications, which would be safer than disabling the rule completely.
  4. Upvote
    PuterCare gave kudos to itman in High severity HIPS event detected - how to work out cause?
    First, what is conhost.exe:
    https://softwarekeep.com/what-is-conhost-exe
    I have had this Eset PowerShell HIPS rule in place for ages and never received "a peep" from it.
    One example of conhost.exe starting from PowerShell.exe is when it is deployed by PowerShell Empire used maliciously:
    https://www.trustedsec.com/blog/who-left-the-backdoor-open-using-startupinfo-for-the-win/
  5. Upvote
    PuterCare gave kudos to itman in CVE-2021-40444 are ESET user protected?
    Based on this .docx sample: https://www.joesandbox.com/analysis/476188/1/html, Eset and most other AVs are detecting the dropper file now.
  6. Upvote
    PuterCare gave kudos to Marcos in CVE-2021-40444 are ESET user protected?
    It's custom HIPS rules: https://support.eset.com/en/kb6119
    They are not there by default since they may generate false positives, especially in networks where scripting is used. After creating the rules we recommend monitoring the network for potential script-related issues and disabling or adjusting the appropriate rule(s), if necessary.
  7. Upvote
    PuterCare gave kudos to Tsoden in Microsoft Teams issues
    I'll add that I've added these rules, and Teams seems to be functioning properly now.

  8. Upvote
    PuterCare received kudos from Peter Randziak in Eset blocking encrypted network traffic with a trusted certificate?
    Thanks @Peter Randziak @TomasP, I have PM'd you the link to the logs.
  9. Upvote
    PuterCare gave kudos to GregA in Dynamic group for outdated Agents in ESMC?
    This is my Dynamic Group rule.

  10. Upvote
    PuterCare gave kudos to Miami in Dynamic group for outdated Agents in ESMC?
    Using "not regex (7.3).*" could work.
  11. Upvote
    PuterCare gave kudos to Miami in Dynamic group for outdated Agents in ESMC?
    Hello,
    we use a dynamic group with the following template configuration to show us all V6 Agents. I am sure you can adjust that to ver 7.

    Of course the group is populated on the next connection of the client (agent).
  12. Upvote
    PuterCare gave kudos to conorc in Microsoft Teams issues
    They added a new app pathway in the latest update and it also needs to be allowed on the firewall; it is (Renderer):
    /Applications/Microsoft Teams.app/Contents/Frameworks/Microsoft Teams Helper (Renderer).app/Contents/MacOS/Microsoft Teams Helper (Renderer)
  13. Upvote
    PuterCare received kudos from MartinK in Office 365 SMTP not working in ESMC 7.1 (or 7.0)
    Finally got this working; it looks like the issue was Microsoft blocking the SMTP AUTH as it was deemed "Risky". I had to log into the Azure portal and manually mark it as safe, then after about an hour it started to work with Automatic authentication selected.
  14. Upvote
    PuterCare received kudos from MichalJ in ESMC VA - how to update FQDN?
    This is now resolved. In case it helps anyone: I logged into the VA and enabled Webmin, then accessed Webmin using a web browser (Servers section, ESMC), where there was an option to repair the ESMC Agent Connection. I entered "localhost" for the Hostname and the ESMC port, then clicked the repair button; it fixed it and updated to 7.1, as I had this task queued from last year.