About itman
  1. Is Not Over!! WannaCry??

    The WannaCry incident was as serious as it was because all that was needed was one endpoint in the network to be unpatched and it was "game over." And the unpatched device did not have to be a PC but any device that had a version of Windows that was vulnerable to the EternalBlue and DoublePulsar exploits WannaCry used. I believe in the U.K. NHS incident, the WannaCry targets were traced to lab devices that were running unpatched Win XP. Additionally, later examination of the incident showed that WannaCry was "in the wild" for a while prior to Microsoft offering the patches for it for Win 7 and subsequently Win XP. Bottom line - your best protection against incidents like this is to apply all Windows patches immediately as soon as they are offered.
  2. I can see problems here. Tampermonkey is browser script filter monitoring software. Adsbypasser also is monitoring web page scripts for ads. If you are using Win 10, Eset is using AMSI to filter browser script pre-execution activity. Finally, Eset's JavaScript web filter is monitoring the actual script execution. With all this script monitoring activity going on, something is bound to get screwed up.
  3. Threatsense parameters

    I will say this about Eset's quarantine. I have been using Eset for some time. During that time, Eset only placed one file in quarantine. It was a legit software license key cracker that I used. So if you're seeing a lot of files in quarantine, it is indicative of "iffy" download activity; most likely occurring prior to Eset being installed. Eset will as a rule block files prior to or during the download activity. As such, quarantine activity will be next to nil.
  4. Threatsense parameters

    Disinfecting can have an adverse effect on the process. The malware might be removed but the process is no longer fully functional as a result of the procedure. If it is later determined the detection was a false positive, the process can then be restored from quarantine.
  5. When you created the outbound allow rule for Firefox did you allow all outbound connections or only specific ports; e.g. 80, 443, etc.? Check your firewall log to determine if a port you haven't allowed is causing the ask activity.
  6. I will note this in regards to web site server based coin mining. Eset has a Web Filtering option that has an option to inspect JavaScript code which is enabled by default. It is this filter that allows it to detect attempted coin miner installation in the browser. Since this filter exists, Eset could w/o much difficulty add a GUI option to detect attempted web server based coin mining. This option would be disabled by default which would absolve Eset from complaints by coin miner developers that Eset is blocking their software. Two options could be provided in regards to this option; block or ask. The ask option would throw an alert and the user could allow or block the coin mining activity. Inclusion of the ask option would further protect Eset from coin miner developers since again, it is the user who is deciding to allow the coin mining activity. Optionally and desired, Eset would provide built-in coin miner URL block and allow lists to facilitate ask mode processing. When a coin miner is allowed, it is added to the coin miner URL allow list. When a coin miner is blocked, it is added to the coin miner URL block list. Use of these lists will prevent any further alerts when operating in coin miner ask mode and a previously detected web site is subsequently used.
  7. Threatsense parameters

    I believe the confusion here is some AV solutions will delete in certain circumstances w/o quarantine, etc. As such, some provide a separate GUI setting to specify quarantine action. Since this option is not provided in Eset, I assumed and @Marcos confirmed that Eset will always quarantine prior to further remediation activity.
  8. Threatsense parameters

    The difference between normal and strict cleaning is that in normal mode an alert will be displayed if the threat can't be removed for some reason. Both modes will auto quarantine as far as I am aware.
  9. I will add that you can't 100% rely on NoCoin to stop all web server based coin mining. Notably missing from the NoCoin URL list is the second most widely used coin miner - Crypto-Loot. -EDIT- Appears the NoCoin list does include However, it is not stopping Crypto-Loot from running. Suspect because the URL is formatted as or as shown in the article with MBAM blocking these two URLs. Proof that adblocker list blocking has limited functionality. A good read on how that was recently used maliciously is here: . So one needs to keep up with coin miner development and add as I did for Crypto-Loot to an Eset coin miner URL block list I created. The article notes that the malicious Crypto-Loot coin miner was removed from the Cookie Consent web site but they left their own older one in place as noted below:
  10. Try Comodo's Cleaning Essentials: . Does not support Win 10.
  11. Also time again to review what Eset by default will and will not protect against in regards to coin miners. Eset via PUA detection will prevent a coin miner from being installed in the cache/temporary storage of the browser. If a coin miner can be installed in this way, it can mine on every web site you land on. Eset will not prevent a coin miner installed on a web server hosting the web page from mining. You need to either install an adblocker for your browser that uses Github's NoCoin list or EasyList's Privacy TPL if you're using IE to stop this type of activity. Alternatively, you can create your own Eset URL block list for coin miner URLs. However, you will be responsible for manually updating that list on a periodic basis.
  12. This might explain why Authedmine URL is not listed in the NoCoin block list.
  13. Yikes! I finally resolved why I was not getting an Eset URL block alert on the TechInferno web site when using IE's Fanboy Adblock TPLs; both the Easylist and the Easylist Privacy TPLs. The EasyList Privacy TPL contains all the Coin Miner URLs in the GitHub NoCoin List. Appears the TPL is updated with Coin Miner URLs every time the GitHub NoCoin list is updated. As such, there is no reason to separately add the Adblock Plus toolbar extension in IE. Also if you are using the Fanboy AdBlock EasyList Privacy TPL in IE, there is no reason to add the GitHub NoCoin list URLs in a corresponding Eset URL block list. -EDIT- What caused my confusion on this is when I viewed both the EasyList TPL details in IE via manage add-ons, I could find no ref. to any of the NoCoin list of coin miner URLs. Appears what AdBlock, who now maintains the Fanboy IE TPL lists, does is reformat the NoCoin URLs into a compatible IE TPL format and then merge them into the daily EasyList Privacy TPL update download. Lesson learned - always refer to the .tpl files stored in the %AppData%/Roaming/ directory.
  14. Are you happy with ESET?

    And this is because the RDP network connection was insecurely configured.
  15. The problem is the longer malware is installed, the more entrenched and damaging it can become. For example, you might have one or more backdoors installed. It is almost impossible to detect a backdoor unless a formal signature has been developed. The only way to detect hidden backdoors is via strict outbound network connection monitoring.