kamiran.asia
Posts posted by kamiran.asia

  1. 51 minutes ago, Marcos said:

    EOL products will stop receiving module updates in a few months. There are Windows updates for both Windows Server 2008 SP2 and Windows Server 2008 R2 SP1 that add SHA-2 code signing support so with these updates you should be able to install EFSW 7.2 and EFSW 7.3 respectively.

    Please contact your local ESET distributor for information about extended update support for EOLed products as well as for information on how to hide the notification. The distributor should be able to help; at least they can contact ESET HQ for further information and assistance. Should they be unable to help you, let me know and provide me with the ticket ID so that we can inquire with them about the case.

    Last but not least, we strongly recommend upgrading the OS to a version fully supported by its manufacturer. While I understand that it may not be acceptable to the user to pay for the latest Windows Server version, the user can consider migration to Linux. The point is to receive security updates for the OS and thus keep it secure; otherwise even installing an AV won't make it secure enough.

    Thank you very much, dear @Marcos. Our customer has again created a ticket, mentioned your help, and is waiting for ESET's response. I will inform you if they cannot help them.

    Case #501795 - "Extended update support for EOLed products" has been created for you.
    ESET North America Technical Support.

  2. Hi Dears,

    As you know, this week we have this vulnerability:

    https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

    and ESET did not detect the IOC hashes listed in that article.

    For example, this one in particular:

    https://www.virustotal.com/gui/file/b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0/detection

    What is ESET's reaction to this kind of hack?

    Is there any IDS detection included these days or not? And we think that ESET must detect the mentioned IOCs.

    Best Regards.


  3. Hi Dears.

    Many of our customers have Windows Server 2008 or 2008 R2 on which the SHA-2 updates cannot be installed (because of technical problems or rollback of the SHA-2 updates).

    Version 6.5.12018.0 just became yellow this week!

    While support-eol.eset.com shows that FS 6.5.12018 will not have the SHA-2 problem on Server 2008 (not updated).

    What can we do?


    photo_2021-02-23_14-51-40.jpg

    EOL.jpg

  4. 12 hours ago, MartinK said:

    Could you please check whether there are any custom blocking rules for HIPS used on problematic machines where the upgrade fails with the mentioned error? We have recently discovered an issue where invalid HIPS rules might result in a state where self-defense is preventing the upgrade of AGENT. If I recall correctly, the issue is triggered by providing the path to the executable in quoted format. If this is the issue, correcting the HIPS rules should resolve the issue remotely; also, there should be an update of the HIPS module rolled out soon that targets this issue.

    Just the anti-ransomware rules are set up in HIPS rules, as mentioned on the ESET website.

    No other HIPS rules.

    Do you mean that if we disable Endpoint Self-Defense it will solve this problem?


  5. Hi dear ESET Admins.

    On some endpoints we are facing this problem (upgrading 7.0.579.0 to 8.0.1238.0):

    MSI (s) (40:9C) [11:01:33:439]: Product: ESET Management Agent -- Error 1921. Service 'ESET Management Agent' (EraAgentSvc) could not be stopped. Verify that you have sufficient privileges to stop system services.

    Error 1921. Service 'ESET Management Agent' (EraAgentSvc) could not be stopped. Verify that you have sufficient privileges to stop system services.

    The full log is attached.

    What can we do remotely for this problem (except safe mode and the uninstaller tool)?

    For more info: the upgrade task did not work in this network because of the problem in the link below, so we are using deployment software to install the new MSI. This solution succeeded on 98% of endpoints, but about 5 systems have the problem.

    https://forum.eset.com/topic/26914-agent-v7-show-as-updated-in-eset-protect-v8/


    Log.txt

  6. 11 hours ago, MartinK said:

    In short, the problem is that this version of AGENT (7.0.579.0) was to be used only with ESMC that was distributed on the Japan market and thus it has specific versioning and compatibility settings. In case it is used with non-Japan ESET PROTECT, it won't upgrade automatically and the only possibility is to upgrade it manually -> and once it is upgraded to the globally available version (= compatible with your ESET PROTECT), it will have no issue in upgrading next time.

    Could you please confirm machine was previously managed by Japan ESMC installation?

    No, all versions were ENU.

  7. Hi Dears.

    We have a problem upgrading agent 7.0.579 to V8 in one of our customers' networks.

    ESET PROTECT V8 shows Agent v7.0.579 as updated! So the upgrade task finishes successfully without any changes!! The repository is online.

    We installed a new server and transferred the database to the new server; the problem persists.

    Upgrading with GPO works! But the upgrade task will not work because ESET says it is up to date!


    Agent.PNG

    Dashboard.png

  8. 6 minutes ago, Marcos said:

    You received a communication error for servers 38.90.226.21-38.90.226.25, e.g.:

    Sending requests to host h5-ars05-v.eset.com (38.90.226.25).
    Direct DNS request, UDP protocol, port 53, A record: response 127.0.4.210, TTL 120
    Direct DNS request, UDP protocol, port 53, TXT record: response s:2130707666, TTL 120
    Direct DNS request, TCP protocol, port 53, A record: DirectComm: Timeout occurred after (12000)ms on fd(476) reading(0) B
    DirectComm: Failed to receive direct response: -1
    Sending direct DNS request has failed.

    Direct DNS request, UDP protocol, port 53535, A record: DirectComm: Timeout occurred during socket read after (6000)ms on fd(476)
    DirectComm: Failed to receive direct response: -1
    Sending direct DNS request has failed.

    If you run the tool multiple times at different times, are you repeatedly getting the errors only for these servers?

    It seems that there is a problem at the ISP. We will work on this problem. Thank you very much.
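    As an added example (not from the forum or from ESET's own log tool), a small Python checker that reproduces the direct DNS probes visible in Marcos's log: an A or TXT query sent straight to an ARS host over UDP and over TCP on port 53, with a socket timeout, plus a parser for the reply (address and TTL, or the TXT string). The query name sent to the host is an assumption, since the page does not show what ESET's tool actually sends; the timeout and "transaction id mismatch" paths correspond to the DirectComm failures in the log.

```python
import random, socket, struct

def build_query(name, qtype=1, txid=None):
    """Build a DNS wire-format query (qtype 1 = A, 16 = TXT) with the RD flag set."""
    txid = random.randint(0, 0xFFFF) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def skip_name(data, off):
    """Return the offset just past a name (a 2-byte compression pointer ends it)."""
    while data[off] and data[off] & 0xC0 != 0xC0:
        off += 1 + data[off]
    return off + (2 if data[off] & 0xC0 == 0xC0 else 1)

def parse_answer(data):
    """Return (rdata, ttl) of the first answer record, or None if RCODE != 0 or no answers."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if flags & 0x000F or an == 0:
        return None
    off = 12
    for _ in range(qd):  # skip question section: name + qtype + qclass
        off = skip_name(data, off) + 4
    off = skip_name(data, off)
    rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
    rdata = data[off + 10:off + 10 + rdlen]
    if rtype == 1 and rdlen == 4:  # A record, e.g. 127.0.4.210 in the log
        return socket.inet_ntoa(rdata), ttl
    if rtype == 16:  # TXT: first <len><chars> string, e.g. "s:2130707666" in the log
        return rdata[1:1 + rdata[0]].decode(), ttl
    return rdata, ttl

def query(host, qtype=1, use_tcp=False, timeout=6.0, port=53):
    """Query the ARS host directly over UDP or TCP; return (rdata, ttl), None, or an error string."""
    msg = build_query(host, qtype)  # query name is a placeholder, not the one ESET really sends
    try:
        if use_tcp:  # TCP framing: 2-byte length prefix on both sides
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(msg)) + msg)
                data = s.recv(struct.unpack("!H", s.recv(2))[0])
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(msg, (host, port))
                data = s.recvfrom(512)[0]
        return parse_answer(data) if data[:2] == msg[:2] else "transaction id mismatch"
    except OSError as e:  # timeouts/refusals, like the DirectComm errors in the log above
        return f"error: {e}"
```

    Running `query("h5-ars05-v.eset.com")` and `query("h5-ars05-v.eset.com", use_tcp=True)` from the affected server at different hours shows whether only the TCP path to that host is failing, which is what the log above indicates.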

  9. Hi Dear ESET Support.

    We have a problem with our Mail Security for Exchange. As you can see in the screenshot of Mail Security, the anti-spam connection is limited.

    We have ping connectivity to all these servers:

    h1-ars01-v.eset.com     91.228.166.61
    h1-ars02-v.eset.com     91.228.166.62
    h1-ars03-v.eset.com     91.228.166.63
    h1-ars04-v.eset.com     91.228.166.64
    h1-ars05-v.eset.com     91.228.166.65
    h3-ars01-v.eset.com     91.228.167.36
    h3-ars02-v.eset.com     91.228.167.67
    h3-ars03-v.eset.com     91.228.167.68
    h3-ars04-v.eset.com     91.228.167.74
    h3-ars05-v.eset.com     91.228.167.116
    h5-ars01-v.eset.com     38.90.226.21
    h5-ars02-v.eset.com     38.90.226.22
    h5-ars03-v.eset.com     38.90.226.23
    h5-ars04-v.eset.com     38.90.226.24
    h5-ars05-v.eset.com     38.90.226.25

    What can cause this problem? (As you see, the problem is temporary, in some hours of the day.)

    anydesk00000.png

    anydesk00000.zip

  10. 6 hours ago, itman said:

    I am assuming that you have not purchased an ESU for the 2008R2 server? This is why it has not been patched?

    Personally, I wouldn't rely 100% on Eset IDS protection for this vulnerability. You might want to check this out: https://blog.0patch.com/2020/09/micropatch-for-zerologon-perfect.html

    As per our test in our company, ESET IDS can block Zerologon with this detection and blocks the attacker IP for 1 hour:


    ESET_ZeroLogon.jpg

  11. 10 minutes ago, itman said:

    I assume what you mean here is your pinging activity from the source client device was blocked to all servers other than the 2008 R2 one?

    Did you try to connect to the 2008 R2 server other than using ping?

    No, dear. The problem is why the IDS on 2008 R2 did not block communication from the attacker IP. The attack is blocked, but communication from the attacker IP is not blocked for 1 hour. So the hacker can attack over and over again.

    As you know, when IDS blocks an IP address, all communication is blocked for 1 hour (ping, ...).

    It seems that it is a bug, or maybe a lack of security in 2008 R2.

  12. 2 minutes ago, itman said:

    About CVE-2020-1472:

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

    My best guess is Eset IDS is not currently capable of blocking the attacker IP address for this type of attack. Appears most of those are set up for SMB related vulnerabilities. So it instead blocked access to the targeted IP address.

    Dear ITMan, this problem is just on 2008 R2.

    On 2012, 2016 and 2019, ESET IDS detects CVE-2020-1472 and the attacker IP is blocked! While other security vendors like Kaspersky, Bitdefender and McAfee (as we tested) did not detect this attack.

    We use the picuslabs tool for this attack test: https://github.com/picussecurity/picuslabs/tree/master/CVE-2020-1472 (Zerologon)

    We also tested other CVE-2020-1472 scripts and the result was the same as with the picuslabs tool.

    The question is why on 2008 R2 the attack is blocked but the attacker IP is not blocked, even when it is listed in the blacklisted IP list?

  13. 5 minutes ago, MartinK said:

    Is this device cloned or was AGENT reinstalled? Or was hardware changed on this device recently (during the time AGENT was installed)? Also, could you please check whether there are any "Questions" regarding this device in the status overview dashboard? I have a suspicion there might be administrator input required in order to enable the device to connect, due to a possible conflict or HW changes.

    No, fresh Windows installation and then ESET installed with the all-in-one installer.

    No items in Questions.

  14. 25 minutes ago, Marcos said:

    Not sure if I understand. According to the screen shot the IP address 192.168.235.1 was blocked. However, the second screen shot where you ran ping seems unrelated because you pinged 192.168.235.132. If you tried to ping this machine from 192.168.235.1 you should get no response to ping.

    192.168.235.1 is the attacker and the CMD is from the attacker PC. The attacker PC is my PC and the server is a VM. These two windows are mixed in one screen. 😊
