itman
About itman

  • Rank
    Newbie

Profile Information

  • Gender
    Male
  • Location
    USA

  1. As I previously posted, the activity that started the ugly blue screen chain of events was; Assumed is that the offending service was ekrn.exe, which has kernel mode privileges. Thankfully, this capability is soon to be removed by Microsoft.
  2. Another important disclosure. After I disabled Secure browser Enhanced data protection, I noticed this .txt file in my User\Temp directory; I don't have Chrome installed, nor has it ever been installed. The registry key references an Adobe software icon.
  3. Leave it to Eset "to muck up your PC works." Again, I disabled Secure browser Enhanced data protection yesterday. Today, after Win 10's first fast startup of the day, I opened Firefox. Immediately received a Win 10 blue screen noting service-exception was the cause. After Win 10 recovery processing from the blue screen and subsequent restart, the system appeared OK operationally. To check what would happen upon the next fast startup, I shut down the PC for a few minutes. Restarted the PC and was immediately greeted with a blue screen noting kernel memory violation. Now at this point, things get very weird. Upon system restart after Win recovery processing, I am greeted with a black screen with white letters that appears to originate from my BIOS, stating my memory settings were overclocked beyond system allowances, with the option to enter BIOS and reset memory settings. Err.......... I have never seen this screen before in the 10 years this PC has been used. Next, I entered BIOS and set settings to fail-safe defaults, which also disabled Virtualization. After system startup and everything running OK, I rebooted, entered BIOS and reset to the optimized-default settings I had been using, again, for 10 years, and also enabled Virtualization. Upon system restart, everything was running as prior to this mess, with Win 10 Core Isolation and Memory Integrity enabled. The final test was later to shut down the PC for an hour and then restart it in Fast Startup mode. Whew! Everything back to normal. I don't know what modifications Eset made to Secure Browser Enhanced Data Protection, but this 18.2 release should be pulled from distribution immediately.
  4. This is using an ARM processor. As @Marcos previously posted, did you download and install this version, essp_arm64.exe version 18.2.14, of Eset?
  5. The correct way to monitor the Firefox profile for unauthorized access is to use Eset HIPS to do so, using this Win Event log creation as a guideline: https://research.splunk.com/endpoint/e6fc13b0-1609-11ec-b533-acde48001122/ Note that due to the Eset Safe Banking feature, a second Firefox profile is created here, C:\Users\xxxxxxxx\AppData\Local\Mozilla\Firefox\Profiles\*, that also needs to be monitored. The problem is the HIPS doesn't support read-only access monitoring. This begs the question of how Eset is performing this activity w/o use of the HIPS?
  6. Getting back to the Browser data protection feature blocking svchost.exe at system restart time. If this was suspect access to the browser profile, access should also be blocked at Win fast startup time, which is not being done. I am disabling the feature.
  7. What does the activity I posted have to do with the browser profile?
  8. Just noticed this log entry, which was created when I had Firefox open and was modifying the Win Event log entry screen shot I posted previously. The screen shot had been previously created to the Win 10 desktop; 7/11/2025 11:40:23 AM;Blocked;C:\Windows\System32\mspaint.exe;;Conflicting file;xxxxxxxxxx As far as I am concerned, this Eset Browser Protection data protection feature is not ready for "prime time" use.
  9. These Eset log entries appear to be Group Policy related. Win Event log entries sync with Eset log entries. Will check this out later;
  10. The log entry is created every time I restart my PC and I am not using a VM. Obviously, Firefox is not even running when these log entries are created;
  11. When I checked last night, 10 vendors at VT were detecting it ........ finally. I also analyzed its behavior using its posting at VT. It's definitely an infostealer; setting up a keylogger and other nasties, plus accessing the Firefox profile. I also saw ransomware code traces, reinforced by forced system shutdown code present. Finally, it creates a scheduled task for persistence. As far as Kaspersky detecting it, they originally created one of their on-the-fly sigs. from an Opentips submission. They have since created a permanent sig. detecting it as a Shellter compromised .exe, most likely using the YARA rules for leaked Shellter ver. detection that Elastic originally created. This would offer max. protection against future malware created using the leaked penetration test tool. BTW - my assumption as to why Elastic doesn't detect it at VT is that they originally blacklisted it. Like Eset, their blacklist detections are not included in the version used by VT.