itman

Most Valued Members
  • Content count: 1,083
  • Days Won: 33

itman last won the day on April 9

itman had the most liked content!

1 Follower

About itman
  • Rank: N/A

Profile Information
  • Gender: Male

Recent Profile Visitors

1,090 profile views
  1. Check out this thread at bleepingcomputer.com: https://www.bleepingcomputer.com/forums/t/636865/nemesis-ransomware-support-help-topic/page-3?hl= onion Looks like a new version of Nemesis ransomware. Bleepingcomputer folks might be able to come up with a decrypter for it soon. If the ransomware encrypted .exe files, is the system usable at all? -EDIT- You can also try to use the existing decryptor, which might or might not work on the variant that nailed you. You can get instructions on use and download it from here: https://decrypter.emsisoft.com/cry9
  2. No. For the most part, Eset is doing fine in regards to cert. validations in IE11; the mode used is irrelevant. The only present issue is that Eset is not performing the cert. common name validation properly; e.g. https://tv.eurosport.com/, i.e. invalid common name.
  3. What ver. of Eset Internet Security are you using; 10.0.390 or 10.1.204?
  4. Only took Google over a decade to fix the bug Anyway, one more article that shows Chrome and Firefox are not as secure as people think.
  5. Yes, only IPv4. My point in this regard was that Eset does not detect the bad cert. IE11 does, thankfully, but zip alert from Eset. As far as Eset's IPv6 cert. validation, it appears that it is indeed working OK. I do see ekrn.exe TCPv6 connections which I assume are to Eset designated servers to perform the cert. validation. Hard to tell for sure since Eset does not publish a listing of the IPv6 addresses it uses as is done for IPv4 addresses. As far as the lack of an ekrn.exe UDPv6 connection, additional research yielded that my ISP uses RD6 tunneling for IPv6 connections. That is, it is actually sending tunneled IPv4 packets to/from the router to its IPv6 DNS server and routing via IPv6 to the destination.
  6. You have to do some detective work. Open up the Win Event log and look under the Audit Failure sections. I am assuming you are blocking the connections presently. You will find the source IP address there. Also, if you are getting alerts from the Eset firewall, the blocked connections should be logged there and will contain the source IP address.

     I recently upgraded my DSL service and had a new 1000 mbps fiber line installed. As a result I received a new Pace/2Wire router from ATT. I also switched over to an Ethernet connection for my PC. Afterwards, I was getting a lot of blocked inbound IPv6 connections in the Win event log. I extracted the source IP address and did a lookup on it at www.robtex.com. It indicated the IP address was indeed from an ATT server. Next, I observed from the event log that the IPv6 transaction being blocked was protocol 58, destination port 128. This translates to IPv6 Echo Request. OK, so far so good since my ISP is pinging me, but why?

     Next, I opened up Eset's Network Protection section. Then I opened Personal Firewall configuration. Then, Advanced -> Zones -> Edit. I looked at the IP addresses there and noticed the IP address assigned for an IPv6 DNS server was indeed the previously identified ATT server IPv6 address being blocked. So at this point, I knew it was safe to allow inbound traffic from that IPv6 address.

     Finally, I returned to Eset's Network Protection section. I observed that under the Troubleshooting area, it showed a non-zero count for "Recently block applications or devices." So I opened that section and sure enough, there was my 2Wire router shown as being blocked for the Win System process. FYI - the System process generates the ICMP requests. I selected the "Unblock" button for that entry and let Eset generate the necessary allow firewall rules for inbound IPv6 ICMP from the DNS server address to the associated local subnet FE80 .... address.
  7. I am pretty sure Eset Endpoint is the same as Smart Security when it comes to use of the Win 10 AMSI interface. To verify if Eset's AMSI interface is functional, open up Process Explorer as Admin. Click on the "Find" tab and enter "eamsi" less the quote marks. Your output from PE should look similar to the below screen shot:
  8. Appears Microsoft is attempting to "piggyback" on the "Next Gen" security software craze by referring to the machine learning capability employed in Windows Defender when running on Win 10. MS just published a report on this: https://blogs.technet.microsoft.com/mmpc/2017/04/20/combating-a-wave-of-java-malware-with-machine-learning-in-real-time/ on TechNet in reference to some Java based malware that arrives as a Word document .jar attachment. Throughout the article, the author makes multiple references to "machine learning" and advanced detection capability. Of note, he was careful not to mention anything in regards to "artificial intelligence" capability.

     So let's analyze this .jar malware. For starters and clarification, you cannot run executable code directly from a .jar file as, for example, can be done from a .hta file. You have to create the executable code outside of the JAVA RTE and run it from the .jar file as done below:
       • Get an InputStream for the file with ClassLoader.getResourceAsStream()
       • Write this InputStream to the tmp dir: File.createTempFile("prefix", "suffix"), File.deleteOnExit()
       • Execute it with Runtime.getRuntime().execute(..)
     Ref.: http://stackoverflow.com/questions/11339979/how-to-execute-script-from-jar-file

     The Microsoft article shows the execution of .vbs script malware. If you're on Win 10 and using an AV product such as Eset that uses the AMSI interface, which Windows Defender also uses, the script would be intercepted and scanned for malware signatures prior to execution. As far as this "radical" new machine learning capability of Windows Defender, what we are talking about here is pattern matching machine learning; something AV vendors like Eset have been doing for years. I guess Microsoft is taking cues from a Next Gen vendor who makes a ruckus wherever it goes. That is, if you create enough noise, people will listen regardless of whether you are saying anything of substance.
  9. He's using NanoCore. It's a RAT that is usually delivered via e-mail and employs an exploit. As such, a vulnerability must exist for starters. I really couldn't tell from the video how the malware was deployed, if indeed it was. Didn't help that there was no audio. He was also running in a VM, and malware, plus AV software for that matter, do not always run as expected in a VM. Also, if this was a test of Eset's Advanced Memory Protection, it wasn't done right. AMS has nothing to do with Eset's AV manual scanning. AMS's purpose is to detect post-execution, after the malware has been loaded into memory. Advanced Memory Scanner works in combination with Exploit Blocker to strengthen protection against malware that has been designed to evade detection by antimalware products through the use of obfuscation and/or encryption. In cases where ordinary emulation or heuristics might not detect a threat, the Advanced Memory Scanner is able to identify suspicious behavior and scan threats when they reveal themselves in system memory. This solution is effective against even heavily obfuscated malware.
  10. Still looking for an IPv6 web site with a bad cert. Will report that Eset doesn't detect a cert. issue on this rather well known bad cert. web site: https://tv.eurosport.com/, i.e. invalid common name.
  11. I need an IPv6 web site with an invalid cert. Hard to find. Do you know of any such URLs?
  12. https://www.bleepingcomputer.com/news/security/smartservice-acts-like-an-adware-bodyguard-by-blocking-antivirus-software/
  13. Win 10 x64 1607, Smart Security 10.0.390. This is a weird one. I use IE11 private mode as my primary Internet access mode. What I have observed is that in IE11 PM, ekrn.exe never establishes a separate UDPv6 connection. This indicates to me that certificate validations for HTTPS IPv6 web sites are not being performed. When running IE11 in normal mode, ekrn.exe does establish a UDPv6 connection, with counts being incremented indicating certificate validations are being performed.
  14. It was better today; connected right away. Also, ekrn.exe connections were fewer but still numbered around 20. Why all the ekrn.exe connections? That is what is strange to me.
  15. I have been on ver. 10.0.390 running on Win 10 x64 1607 for some time and have zip issues with the Eset GUI or anything else for that matter. On the other hand, I had numerous issues using ver. 9 releases.