itman

Kaspersky has a "System Watcher" feature that monitors for ransomware and exploit activities. It additionally does auto file backup to directories ransomware attacks. Believe its only available in the Endpoint ver. and is not enabled by default due to the alerts it generates. I do believe "you're beating a dead horse" in regards to Eset ever deploying like feature. They just don't buy into the concept of user decision via alert. Eset allows the user to create manual HIPS rules to do the same if the user so desires. They also have recommended rules for their endpoint users for ransomware protection and the like. I use them but have added additional processes to them in regards to child process startup and the like as ransomware attacks evolve.

Would be helpful if Eset published an article on recommended mitigation to anyone affected this. Cisco already publically stated restore prior to Aug. 15 or reinstall. I agree. Avast in my opinion is spreading FUD by their statement that the second stage of the backdoor never activated therefore no actual malware payload was downloaded. My statement is a backdoor is a backdoor. Once activated not only can the original hacker use it but so can anyone else. Case in point was the EternalBlue set backdoor and later delivered malware that used that backdoor and closed it so no one else could use it. There are currently a lot of users, based on posted comments in the security forums, who believe they are now safe since security solutions are detecting and removing the original backdoor. The reality of the situation is no one knows for sure what system modification occurred through use of the backdoor in the month or more it was resident on one's device.

For starters the "offending party" in this case, Avast, is the one responsible to developing a mitigation to this issue. Since the malware remained resident and undetected for a month, the likelihood that a backdoor was installed is high. The "bugger" is trying to find the backdoor if it remains in a dormant state. It could remain that way for days, weeks, months, or in some documented cases - years.

FYI - The Cisco article recommends this action which I agree with:

@TomFace are you running 32 bit Windows? This hack is only supposed to affect 32 bit ver. of CCleaner.

Based on the following, it could have "mapped" your device/network. https://www.bleepingcomputer.com/how-to/security/ccleaner-malware-incident-what-you-need-to-know-and-how-to-remove/

You also have another more pressing issue. You are using Win 7. The bulk of malware today is coded for commercial targets. As such, it is specifically targeted at Win 7 which many corps. still use. Note that most of the NSA exploits being employed today were designed and work on Win 7. If your a "fan" of Microsoft security protections, at least upgrade to Win 10 since they are most effective on that OS version.

Adware poses a problem to AV vendors. They are more than capable of detecting malicious versions of it as this example shows. Since adware is browser based and is either inadvertently or intentionally installed by a user in the form of an add-in, extension, or plugin, removing same poses issues. AdwCleaner is a specialized product that was designed to detect adware and provide for selectively removing it from the browser. Additionally, most adware is not malicious but more it the category of "nuisance-ware" that can hijack and redirect to the ad creators web site and the like. In this status, it is akin to a PUA but browser based. If AV vendors started removing adware in this category, they will be bombarded with false positive complaints from both users and ad vendors. I will state that using IE or Edge will greatly reduce your chances for adware since both use add-ons that are limited in number and have to be manually installed by the user from restricted sources.

Normally I dismiss uTube video security software reviews "out of hand" since most a done by wannabee security testers that are clueless on how to perform malware testing of security products. This one was posted on one of the security forums I frequent. So I decided to check it out. Author appears to know what he is doing. His malware database was 280+ in-the-wild plus 500+ plus known malware. The video is quite long 13+ mins. and that is at sped up speed. Notable was the testing of three browsers; Chrome, Firefox and Edge. Of note was WD's significantly lower protection scores outside of Edge. What was unique in this testing was the author tested WD with default settings. He then used Group Policy to configure SRP for max. WD protection, plus "tweaked" a few hidden registry settings in regards to enable PUA and the like protection. He then retested WD with those "max" protections. Notable was that these settings only increased WD's detection rate to 79% from the 78% rate scored with default settings. Bottom line - WD is definitely not ready for "prime time" security protection. https://youtu.be/lOpIrdQix4I

That firewall hasn't been supported for years; ever since Symantec bought PC Tools and "killed off" the software. It is definitely not up to protecting against current network threats.

True. The biggest factor in not getting infected is a user's security "awareness." Safe browsing habits including only downloading software from legit known vendor web sites and the like. Ditto for e-mail settings and handling of attachments and the like, etc. etc. Add to that absolute diligence in applying all system and app software patches immediately when available. Unfortunately and in spite of the ever increasing malware epidemic, the average PC user does none of the above. For a security aware user, using MSE or WD most likely is adequate since both only concentrate on the most prevalent malware. Additionally, WD/MSE protection for Chrome or Firefox browsers are definitely sub-par to that provided by IE or Edge due to their use of browser based SmartScreen. Also when using either of Microsoft AV home solutions, you are relying on the Win firewall for network protection. Protection capability is conditioned upon using a NAT/SPI router with its own firewall protection and ensuring it is properly configure for security. Although the Win firewall provides adequate inbound protection it lacks the advanced network features Eset's IDS provides or the ability to easily configure outbound firewall rules.

My suspicions also.

Looks legit to me. What browser are you using - Chrome?

Eset still not detecting it by signature. But as discussed previously, Eset takes a while to develop a sig.. Hopefully, it is now being blocked via LiveGrid blacklist which wouldn't show on a VT scan. Test again and see if LiveGrid alerts on it.

Ok. I will go along will the PUA classification but appears this was just added to sig. database. My question is the "startup" detection. Does it just do a cursory scan of program directories at startup time since the program in question was not active.