JamesR
ESET Staff
Posts: 48
Joined: (not shown)
Last visited: (not shown)
Days Won: 3

Kudos

  1. Upvote
    JamesR received kudos from Aryeh Goretsky in Win64/CoinMiner.ZF
    I agree with Marcos, this looks like a WMI persistent threat. Manually telling ESET to update its detection engine should correct the issue of the threat continually being detected. Although, there is a good chance you may already have the update (ESET checks for these updates once per hour).
    If this does not fix the issue, definitely generate an Autoruns log.
    Lastly, it's not uncommon for servers to have been infected due to unexpected ports being exposed to the internet. I highly recommend you audit your public IP addresses with some simple nmap scans to verify what ports are exposed to the internet.
    nmap -sV -Pn -F %PublicIPAddress%
  2. Upvote
    JamesR gave kudos to Marcos in Win64/CoinMiner.ZF   
    Could you please manually run update and then reboot the machine? I assume that PowerShell/Agent.QR will be detected and cleaned by the startup scan in WMI.
    Should the problem persist, please provide a log generated by Autoruns.
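Both replies above describe the threat as a WMI persistent threat and point to Autoruns for confirmation. The script below is an added example (not code from the thread or from ESET) that does the same check Autoruns performs under its "WMI" tab: it lists every permanent WMI event subscription in the root\subscription namespace, pairs each binding with its filter query and consumer payload, and flags consumers that launch a command line or script. It assumes an elevated PowerShell session on the affected host; the suspicion keywords are an assumption chosen for illustration, not a definitive rule.

```powershell
# Added example: audit permanent WMI event subscriptions (the persistence
# mechanism behind a "WMI persistent threat"). Run elevated on the host.
$ns = 'root\subscription'

# Filters define WHEN something fires, consumers define WHAT runs,
# bindings tie one filter to one consumer. Persistence needs all three.
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# Strings that commonly appear in malicious consumer payloads (assumed heuristic).
$suspicious = @('powershell', '-enc', '-e ', 'downloadstring', 'frombase64string', 'iex', 'wscript', 'mshta', 'regsvr32')

$report = foreach ($b in $bindings) {
    # Reference properties come back as CimInstance objects carrying the key (Name).
    $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
    $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }

    # Only a few consumer classes can execute code; pull the payload from those.
    $payload = switch ($c.CimClass.CimClassName) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $c.ScriptText }
        default                     { '' }
    }

    $hit = $false
    foreach ($kw in $suspicious) {
        if ($payload -and $payload.ToLower().Contains($kw)) { $hit = $true; break }
    }

    [pscustomobject]@{
        Binding       = $b.Name
        FilterName    = $f.Name
        FilterQuery   = $f.Query          # e.g. a timer or process-start WQL query
        ConsumerClass = $c.CimClass.CimClassName
        ConsumerName  = $c.Name
        Payload       = $payload
        Suspicious    = $hit
    }
}

# Print everything; investigate any row with Suspicious = True, and any
# subscription you did not create yourself, with the Autoruns log alongside it.
$report | Format-List
```

Note that a clean Windows install can carry one built-in subscription (the SCM event log filter/consumer pair), so an empty result is not required for the host to be clean; what matters is an unexpected consumer whose payload launches an interpreter. Removing a malicious entry means deleting the binding, the filter and the consumer, which is what ESET's startup scan does once the detection update is in place.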
  3. Upvote
    JamesR gave kudos to Marcos in Getting address blocked messages too frequently from the same site   
    For instructions how to collect logs with ELC, read How do I use ESET Log Collector?
    You can upload the generated archive here.
  4. Upvote
    JamesR gave kudos to Marcos in Understanding EEI Dashboard   
    The higher a circle is on the Y axis, the more machines in your LAN have particular files. The further a circle is on the X axis, the more ESET users have the file (i.e. the more popular it is worldwide). The bigger a circle is, the more such files you have.
    To illustrate it with a concrete example:
    The red-marked circle means that you have quite a lot of files that exist only on 1 computer in your LAN but are quite popular among ESET users since the LG popularity is 7 (1-10 mil. of users):

  5. Upvote
  6. Upvote
    JamesR gave kudos to Marcos in Ransomware SDEN   
    Files were encrypted by Filecoder.LockedFile. According to the logs, there were about 170,000 failed attempts to log in via RDP as "administrator" and the like in approx. one day when the encryption occurred. Also, an older version of EFSW 6.5 without Ransomware Shield was installed.
    The OP was informed and improvements in protection were suggested.
  7. Upvote
    JamesR gave kudos to Marcos in False Positive in MiniTool Partition Wizard Free 11.0   
    FusionCore is a PUA which is typically bundled with installers as a dll. The detection is correct. PUA detection is optional.