itman

Most Valued Members
  • Content count

    1,147
  • Joined

  • Last visited

  • Days Won

    35

itman last won the day on May 20

itman had the most liked content!

1 Follower

Profile Information

  • Gender
    Male

Recent Profile Visitors

1,354 profile views
  1. Ditto here also since I never had any issues accessing the web site in IE11 using ver. 10.1.210.
  2. SmartScreen is showing the link as malicious so you should de-link it e.g. hxxp:\\ etc. notation.
  3. Most APT's delivery is a well researched targeted phishing e-mail with links or containing macros to malicious attachments with trick wording to get the recipient to run the macro. As in the case with APT29, I strongly suspect your WMI malware installed a backdoor and is using that for remote access into the server or targeted PC. Once a backdoor is installed, the malware can bypass most firewalls. Your safest thing do for remediation is to reformat and reinstall the OS on the targeted device. As far as Eset detecting the WMI malicious activity in memory, it is somewhat an academic exercise at this point. The WMI malware has established persistence and will reoccur at next boot most likely. Also suspect that Kaspersky's memory detection is similar to Eset's advanced memory scanning detection. That is, it is a post execution detection. As such, it is highly likely that malicious activity has occurred prior to detection.
  4. To begin with, WMI based malware requires a degree of sophistication not seen in your "run of the mill" malware. As such, it is usually reserved for advanced persistent threats. Below is an excerpt from a FireEye article about APT29 that I will refer to. Notable are the following: 1. To perform the WMI class registrations you referred to requires administrator privileges. If malware has acquired those, it can do much more than just manipulate WMI. 2. In the case of APT29, it used WMI to create a backdoor. Creating the backdoor itself was useless until it was utilized to execute a malicious PowerShell script/commands. On Win 10, Eset monitors Powershell script execution utilizing the AMSI interface. Something you might consider is to set PowerShell to only run in "Constrained Language" mode as described in this TechNet article: https://blogs.technet.microsoft.com/kfalde/2017/01/20/pslockdownpolicy-and-powershell-constrained-language-mode/ . Doing so not only will "lockdown" WMI command use of PowerShell but also .Net likewise use of the same. I also additionally monitor any Powershell startup execution with user created Eset HIPS rules. WMI permanent event subscriptions can be used to trigger actions when specified conditions are met. Attackers often use this functionality to persist the execution of backdoors at system start up. Subscriptions consist of three core WMI classes: a Filter, a Consumer, and a FilterToConsumerBinding. WMI Consumers specify an action to be performed, including executing a command, running a script, adding an entry to a log, or sending an email. WMI Filters define conditions that will trigger a Consumer, including system startup, the execution of a program, the passing of a specified time and many others. A FilterToConsumerBinding associates Consumers to Filters. Creating a WMI permanent event subscription requires administrative privileges on a system. We have observed APT29 use WMI to persist a backdoor and also store the PowerShell backdoor code. To store the code, APT29 created a new WMI class and added a text property to it in order to store a string value. APT29 wrote the encrypted and base64-encoded PowerShell backdoor code into that property. APT29 then created a WMI event subscription in order to execute the backdoor. The subscription was configured to run a PowerShell command that read, decrypted, and executed the backdoor code directly from the new WMI property. This allowed them to install a persistent backdoor without leaving any artifacts on the system’s hard drive, outside of the WMI repository. This “fileless” backdoor methodology made the identification of the backdoor much more difficult using standard host analysis techniques. Ref.: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
  5. Couldn't duplicate it. As such, I assume the original firewall popup I described was due to the Eset equi.exe outbound firewall rule being disabled. Although, I know I did not previously disable it. If it reappears, I will post back with a screen shot.
  6. Win 10 1607, Eset SS ver. 10.1.210 As the title states, this is a weird one. I was in the process of creating a user HIPS rule. I accessed Eset on-line help through the rule interface as I had done many times previously. An Eset firewall alert pops up about an insecure firewall being created with an option to revert back to secure default rules? What the .........? I was creating a HIPS rule, not a firewall rule! I clicked on the alert button option to restore default secure firewall rules. Exited the HIPS setup w/o creating the rule and opened the Eset Firewall section to see what "default" rules changed. Only thing that I noticed was the default rule to allow all Eset egui.exe outbound access had been unchecked? Again, what the ..........? I re-enabled that rule since obviously it was required. Note: I have enabled the Eset GUI password option. I have also been getting inexplicable occasional IE11 browser lockups since upgrading to ver. 10.1.210. When this occurs, it also affects any subsequent process start up that requires a UAC elevated prompt, locking up that processes for a delayed period of time. Might be reverting back to ver. 10.1.390 which I had none of the above issues.
  7. Another possibility is there is something amiss with one of the numerous https:// links contained in his home page. Post a screen shot of the cert. error Eset is displaying in IE11. Note: I use tracking protection in IE11 which might be blocking the "offending" https:// trigger.
  8. In IE11, select Tools -> Internet options -> Content -> Trusted Root Certificates. Then look for DST Root CA X3 certificate and validate expiration date not less than current date. Might also like you stated an insider ver. issue.
  9. Here's the Quals SSL Server test report for the site: https://www.ssllabs.com/ssltest/analyze.html?d=scotthelme.co.uk&s=107.170.218.42&hideResults=on . He received an A+ - highest rating. Only thing I found that was he uses a Let's Encrypt certificate. Do you have the DST Root CA X3 certificate in your Window's root CA certificate store? If so, make sure it hasn't expired. IE11 uses Window's root CA certificate store.
  10. I can connect to the web site OK using SS 10.1.210 and IE11.
  11. The AMTSO Cloudcar test is a test to valid a security solutions' web filtering capability. The whole purpose of the test is to determine the malware detection effectiveness prior to file being created on the hard disk. Note that Eset's web filtering does not employ LiveGrid as its first detection method but rather uses is signature database to check the download at the network level for a malware match.
  12. I updated to 10.1.210 yesterday using the internal Eset updater. The process was a bit strange to say the least. After clicking on the allow update to occur, it appeared nothing happened. No Eset popups or anything from the Eset update section I was in. Afterwards, exited that section and can't for sure what section of the section of the Eset GUI I was in but there was a popup screen showing. It showed an "Install" button on it which I clicked on which immediately started the Eset upgrade process. Weird to say the lest.
  13. Just manually updated from 10.0.390 to 10.1.204. Noticed that Eset browser hook to scan javascript's is missing in IE11. It was there in ver. 10.0.390. Was this intentionally done? -EDIT- Never mind. Just upgraded to 10.1.210. IE Eset plugin back. Good to go on this issue.
  14. You're safe from all current malware attacks. Doubt there is any malware developed in the early 1980s still in use.
  15. Both Google and Mozilla want AV vendors out of their browsers; both are on record for that. Doubt Google will allow AV software to be whitelisted. Main issues are pertaining to Eset is the recently implemented browser script protection that uses a hook and more importantly, Online Banking/Payment Protection. Regarding OPP, Eset best to get busy developing their own locked down browser or just restrict its use to IE and Edge.