Posts posted by kamiran.asia
-
-
1 hour ago, Marcos said:
No ESET Log Collector logs were attached.
I sent it via PM, dear Marcos.
-
Hi dears,
We have a problem with one of our servers.
We have an offline server whose Real Time module suddenly changed to "not functional" status.
Re-installation in clean mode with the ESET Uninstall tool from safe mode did not solve the issue.
Upgrading to the latest version did not solve the issue.
* The ESET Log Collector file was created from that server.
-
Ok, we will send the pair file to samples.
Thank you.
-
Hi all, wish you a nice time.
Here are 3 files that are printer drivers infected with the Win32/Parite.B virus:
Log
D:\Inprogress\Cleaning\Software\Software\BT101_SR4_2961_UL_Honeywell.exe - Win32/Parite.B virus - cleaned
BT101_SR4_2961_UL_Honeywell.exe size is 180 MB, after cleaning 1.41 MB 😐
Same for the 3 other infected exe files. We tried cleaning with another vendor and the result is a clean file of 180 MB.
It seems that there is a problem in the cleaner module.
-
Thank you @itman.
I forwarded your useful post to our support team.
-
2 minutes ago, itman said:
Appears to me, the clients got nailed by a true 0-day malware. Also, it appears Eset created a new signature for this bugger, Win64/Vools.P.
It is encouraging that Eset was still able to detect it via AMS using a prior variant DNA signature.
BTW - what was the source of the svchost.exe injection?
Yes, a 0-day malware!
A service with a DLL injector "FunctionRPCHelper.dll" that injects into svchost.exe
😎
-
It seems that our company support team detected the source injector of this infection, and thanks to the fast detection by the ESET Lab the problem is solved now.
Detection rate at this time is 2/69.
-
We are working on these infection cases.
In this case EFS V7.0 is installed and no network attack is detected after upgrading to V7. MS17-010 patches are installed.
@itman is right; we also think that an autorun or script is infecting svchost.exe.
-
4 hours ago, itman said:
Are you referring to MS17-010: https://support.microsoft.com/en-us/help/4012598/title which was patch for SMBv1 on Win Server 2008 OS?
Yes, we patched the servers and clients but the problem still persists,
even though we block all incoming 445 and 139 ports to prevent the trojan from spreading.
After startup ESET detects the Vools trojan in svchost.exe in operating memory and asks for a restart for cleaning; after the restart this loop happens over and over again.
-
Hi dears,
Many of our customers are infected by Win64/Vools.L today!!!
We know that patch MS17-010 is not installed and it spreads via this security hole. But in this situation, where servers and clients are already infected, what is the best solution?
We find these problems in Endpoint Antivirus and File Security versions.
-
10 minutes ago, Marcos said:
As of v6.6, security products create a mirror for both old (< 6.5) and new versions (=> 6.6). You can use the command line mirror tool to create a mirror for v6.6+ versions only.
Ok, but in these 3 days the V6.6 mirror and V7 mirror sizes are not the same!
The V7 mirror with the Mirror tool or AV is 1.2 GB.
V6.6 is 890 MB!
Is it normal?
-
Hi dears,
In the last 3 days the mirror update size of V7 increased to 1.2 GB, but in the 6.6 version it is about 800 MB. Both of them have DLL and NUP.
Is it a technical problem or a change in the v7 mirror system?
And is there any option in future to disable NUP mirroring when all versions are 7+? (I mean in a large network where we do not use Apache HTTP.)
-
Hi dears.
One of our servers' Agent could not obtain the HW fingerprint with this error and it cannot connect to ESMC:
2019-03-05 08:08:55 Error: AuthenticationModule [Thread 1114]: DeviceEnrollmentCommand execution failed with: HW fingerprint could not be obtained.
2019-03-05 08:08:55 Warning: CReplicationModule [Thread f5c]: GetAuthenticationSessionToken: Received failure status response: TEMPORARILY_UNAVAILABLE (Error description: session token temporarily unavailable, device is not enrolled yet)
2019-03-05 08:08:55 Error: CReplicationModule [Thread f5c]: InitializeConnection: Initiating replication connection to 'host: "192.168.140.9" port: 2222' failed with: GetAuthenticationSessionToken: Failed to fetch device session token in time
2019-03-05 08:08:55 Warning: CReplicationModule [Thread f5c]: InitializeConnection: Not possible to establish any connection (Attempts: 1)
2019-03-05 08:08:55 Error: CReplicationModule [Thread f5c]: InitializeFailOverScenario: Skipping fail-over scenario (missing last success replication link data)
2019-03-05 08:08:55 Error: CReplicationModule [Thread f5c]: CAgentReplicationManager: Replication finished unsuccessfully with message: InitializeConnection: Initiating replication connection to 'host: "192.168.140.9" port: 2222' failed with: GetAuthenticationSessionToken: Failed to fetch device session token in time
Replication details: [Task: CReplicationConsistencyTask, Scenario: Automatic replication (REGULAR), Connection: 192.168.140.9:2222, Connection established: false, Replication inconsistency detected: false, Server busy state detected: false, Realm change detected: false, Realm uuid: 00000000-0000-0000-0000-000000000000, Sent logs: 0, Cached static objects: 0, Cached static object groups: 0, Static objects to save: 0, Static objects to delete: 0, Modified static objects: 0]
2019-03-05 08:08:55 Error: AuthenticationModule [Thread 1114]: DeviceEnrollmentCommand execution failed with: HW fingerprint could not be obtained.
2019-03-05 08:08:55 Warning: CReplicationModule [Thread f5c]: GetAuthenticationSessionToken: Received failure status response: TEMPORARILY_UNAVAILABLE (Error description: session token temporarily unavailable, device is not enrolled yet)
2019-03-05 08:09:00 Error: CSystemConnectorModule [Thread 1168]: CWbemServices: Could not connect. Error code = 0x80070422
2019-03-05 08:09:10 Error: CSystemConnectorModule [Thread 1168]: CWbemServices: Could not connect. Error code = 0x80070422
What is the solution?
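As an added example (my own script, not from the post or from ESET), a small Python triage helper that parses Agent trace-log lines in the layout quoted above and decodes the `0x80070422` code, which is `HRESULT_FROM_WIN32(ERROR_SERVICE_DISABLED)`: the WMI connection (`CWbemServices`) the agent needs for the HW fingerprint fails because a required Windows service is disabled on that host, which is the first thing to check. The sample lines are constructed from the post; the function names are my own.

```python
import re
from collections import Counter

# Line layout of the ESET Management Agent trace log as quoted in the post:
# "<date> <time> <Level>: <Module> [Thread <hex>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<level>Error|Warning|Information|Debug): "
    r"(?P<module>\w+) \[Thread (?P<thread>[0-9a-f]+)\]: (?P<msg>.*)$"
)

# 0x8007xxxx HRESULTs wrap a Win32 error code in the low 16 bits.
# Only the code seen in the post is named here: ERROR_SERVICE_DISABLED = 1058 (0x422).
WIN32_NAMES = {1058: "ERROR_SERVICE_DISABLED"}

def decode_hresult(code):
    """Return (win32_code, name) for a 0x8007xxxx HRESULT, else (None, None)."""
    if (code >> 16) & 0xFFFF == 0x8007:
        win32 = code & 0xFFFF
        return win32, WIN32_NAMES.get(win32, "UNKNOWN")
    return None, None

def parse_line(line):
    """Split one trace-log line into fields; decode an 'Error code = 0x...' if present."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    hr = re.search(r"Error code = (0x[0-9A-Fa-f]{8})", rec["msg"])
    if hr:
        rec["win32"], rec["win32_name"] = decode_hresult(int(hr.group(1), 16))
    return rec

def triage(lines):
    """Count the enrollment-blocking symptoms visible in the agent log."""
    findings = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if "HW fingerprint could not be obtained" in rec["msg"]:
            findings["enrollment: HW fingerprint unavailable"] += 1
        if rec["module"] == "CSystemConnectorModule" and rec.get("win32_name"):
            findings["wmi: " + rec["win32_name"]] += 1
        if "device is not enrolled yet" in rec["msg"]:
            findings["replication: blocked by missing enrollment"] += 1
    return dict(findings)

SAMPLE = [  # constructed from the lines quoted in the post
    "2019-03-05 08:08:55 Error: AuthenticationModule [Thread 1114]: DeviceEnrollmentCommand execution failed with: HW fingerprint could not be obtained.",
    "2019-03-05 08:08:55 Warning: CReplicationModule [Thread f5c]: GetAuthenticationSessionToken: Received failure status response: TEMPORARILY_UNAVAILABLE (Error description: session token temporarily unavailable, device is not enrolled yet)",
    "2019-03-05 08:09:00 Error: CSystemConnectorModule [Thread 1168]: CWbemServices: Could not connect. Error code = 0x80070422",
]
```

Running `triage(SAMPLE)` shows all three symptoms chained together: WMI unreachable, so no HW fingerprint, so no enrollment, so replication to the ESMC server cannot start.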
-
16 hours ago, Marcos said:
I assume that excluding d:\platereader\camera1\remotelpr.exe from protocol filtering will do the trick.
If that works, stop the process remotelpr.exe, enable advanced network protection and protocol filtering logging in the advanced setup -> Tools -> Diagnostics and then run remotelpr.exe. Make sure it generates http traffic. After 20-30 seconds, disable advanced logging, gather fresh logs with ESET Log Collector and supply them to me for perusal.
Marcos, perfect as always.
-
Hi dears,
We find that tmp files related to EKRN are being generated in large sizes, located in C:\windows\temp.
When real-time protection is disabled, we can delete these files.
After one month we have over 800 GB of these files in Temp, which we delete manually. But these two tmp files can be deleted only when the AV is paused.
ESET Log Collector report:
What are these tmp files and how can we prevent them from filling up storage?
-
Any idea, dear ESET admins?
-
We found these logs from ESET Log Collector under Events:
"Entry" = "\??\C:\Users\INSTRU~1\AppData\Local\Temp\ehdrv.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver." 27/12/2018 06:57:29 ;
"Entry" = "Faulting application name: egui.exe, version: 10.4.318.2, time stamp: 0x5b489f1b
Faulting module name: ntdll.dll, version: 6.1.7601.19045, time stamp: 0x56259295
Exception code: 0xc0000374
Fault offset: 0x00000000000bffc2
Faulting process id: 0x12dc
Faulting application start time: 0x01d49db37faa6bac
Faulting application path: C:\Program Files\ESET\ESET Security\egui.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: c1d8a799-09a6-11e9-89b6-5435302b09e4" 27/12/2018 07:12:24 ;
-
Hi dears,
In one of our projects we have this problem: after installation of Endpoint Security, EGUI crashes and closes on startup.
We checked the system for malware with the online scanner and it was clean.
The ESET Log Collector and dump of EGUI.exe:
-
8 minutes ago, Marcos said:
Does the plug-in get disabled repeatedly even after you re-enable it?
We did not test this case. Our customer wants to enable it remotely because they have over 100 seats and they can't enable it manually.
-
Any idea?
-
8 minutes ago, Marcos said:
Does the issue persist after reinstalling agent on the client?
Yes, the problem is the same even after reinstalling the agent.
-
2 minutes ago, zloyDi said:
Hello,
Try to change connection time to server in agent policy from 1 to 10 minutes.
Also reboot server with ERA.
Thank you.
It does not help. There is just one server in the network that has this problem; all the other 100 PCs work fine.
-
Realtime module not functional
in ESET Products for Windows Servers
Posted
We are waiting for your update.