Posts: 13,710
Days Won: 373
itman last won the day on July 9
itman had the most liked content!
About itman
Rank: Newbie
Profile Information
Gender: Male
Location: USA
Recent Profile Visitors: 37,458 profile views
Leave it to Eset "to muck up your PC works." Again, I disabled Secure Browser Enhanced Data Protection yesterday. Today after Win 10 first fast startup of the day, I opened Firefox. Immediately received Win 10 blue screen noting service-exception was the cause. After Win 10 recovery processing from the blue screen and subsequent restart, system appeared OK operationally. Checking what would happen upon next fast startup, shut down PC for a few minutes. Restarted PC and was immediately greeted with blue screen noting kernel memory violation. Now at this point, things get very weird. Upon system restart after Win recovery processing, I am greeted with a black screen with white letters that appears to originate from my BIOS stating my memory settings were overclocked beyond system allowances with option to enter BIOS and reset memory settings. Err.......... I have never seen this screen before in the 10 years this PC has been used. Next, I entered BIOS and set settings to fail-safe defaults which also disabled Virtualization. After system startup and everything running OK, rebooted and entered BIOS and reset to optimized-default settings I had been using again, for 10 years and also enabled Virtualization. Upon system restart, everything running as prior to this mess with Win 10 Core Isolation and Memory Integrity enabled. Final test was later to shut down PC for an hour and then restart it in Fast Startup mode. Whew! Everything back to normal. I don't know what modifications Eset made to Secure Browser Enhanced Data Protection, but this 18.2 release should be pulled from distribution immediately.
The correct way to monitor Firefox profile for unauthorized access is to use Eset HIPS to do so using this Win Event log creation as a guideline: https://research.splunk.com/endpoint/e6fc13b0-1609-11ec-b533-acde48001122/ Note that due to the Eset Safe Banking feature, a second Firefox profile is created here, C:\Users\xxxxxxxx\AppData\Local\Mozilla\Firefox\Profiles\*, that also needs to be monitored. The problem is the HIPS doesn't support read-only access monitoring. This begs the question of how Eset is performing this activity w/o use of the HIPS?
Just noticed this log entry which was created when I had Firefox open and was modifying the Win Event log entry screen shot I posted previously. Screen shot had been previously created to the Win 10 desktop:
7/11/2025 11:40:23 AM;Blocked;C:\Windows\System32\mspaint.exe;;Conflicting file;xxxxxxxxxx
As far as I am concerned, this Eset Browser Protection data protection feature is not ready for "prime time" use.
Two Month Old Malware No One Detects At VirusTotal
itman replied to itman's topic in Malware Finding and Cleaning
When I checked last night, 10 vendors at VT were detecting it ........ finally. I also analyzed its behavior using its posting at VT. It's definitely an infostealer; setting a keylogger and other nasties plus accessing Firefox profile. I also saw ransomware code traces reinforced by forced system shutdown code present. Finally, it creates a scheduled task for persistence. As far as Kaspersky detecting, they originally created one of their on-the-fly sigs. from an Opentips submission. They since created a permanent sig. detecting it as a Shellter compromised .exe; most likely using the YARA rules for leaked Shellter ver. detection Elastic originally created. This would offer max. protection against future malware created using the leaked penetration test tool. BTW - why Elastic doesn't detect it at VT is the assumption they originally blacklisted it. Like Eset, their blacklist detections are not included in its version used by VT.
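The two posts above raise the same detection problem from both sides: the HIPS post notes that Firefox profile access, including read-only access and the second Safe Banking profile tree under AppData\Local, needs monitoring, and the infostealer post describes exactly that profile access plus a scheduled task for persistence. The following is an added example, not code from itman's posts, from ESET or from the Splunk rule linked above. It runs the kind of logic that rule family expresses over constructed Windows Security event records: 4663 (an attempt was made to access an object) and 4698 (a scheduled task was created). The sample events, the field subset used, the allow-list of `firefox.exe` as the only expected reader, and the rule that a task launching a binary from under `\Users\` is suspect are all assumptions made for the example; in production the events would come from file-system auditing (SACL) on the profile directories and from the Security log.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample events (not real logs): a minimal subset of the fields that
# Windows Security events 4663 (object access) and 4698 (task created) carry.
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "alice",
     "ProcessName": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ObjectName": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abc123.default-release\logins.json",
     "AccessMask": 0x1},
    {"EventID": 4663, "SubjectUserName": "alice",
     "ProcessName": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ObjectName": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abc123.default-release\key4.db",
     "AccessMask": 0x1},  # pure read: the case that write-only HIPS monitoring misses
    {"EventID": 4663, "SubjectUserName": "alice",
     "ProcessName": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\Mozilla\Firefox\Profiles\xyz789.safebanking\cookies.sqlite",
     "AccessMask": 0x1},  # second profile tree created by the Safe Banking feature
    {"EventID": 4663, "SubjectUserName": "alice",
     "ProcessName": r"C:\Windows\System32\notepad.exe",
     "ObjectName": r"C:\Users\alice\Documents\notes.txt", "AccessMask": 0x2},
    {"EventID": 4698, "SubjectUserName": "alice", "TaskName": r"\Updater",
     "TaskContent": "<Exec><Command>C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe</Command></Exec>"},
]

# Firefox profiles live under AppData\Roaming; the post notes a second tree under
# AppData\Local, so both branches are matched.
PROFILE_PATH = re.compile(
    r"\\Users\\[^\\]+\\AppData\\(?:Roaming|Local)\\Mozilla\\Firefox\\Profiles\\",
    re.IGNORECASE)

# Profile files an infostealer goes after (saved logins, key store, cookies, history).
SENSITIVE_FILES = {"logins.json", "key4.db", "cert9.db", "cookies.sqlite",
                   "places.sqlite", "formhistory.sqlite"}

# Low-order file access rights in the 4663 AccessMask; 0x1 alone is a pure read.
ACCESS_BITS = {0x1: "ReadData", 0x2: "WriteData", 0x4: "AppendData", 0x10000: "Delete"}

# Assumption: only the browser itself is expected to touch profile files.
ALLOWED_PROCESSES = {"firefox.exe"}

COMMAND = re.compile(r"<Command>(.*?)</Command>", re.IGNORECASE | re.DOTALL)


@dataclass
class Finding:
    kind: str
    user: str
    process: str
    target: str
    detail: str


def decode_access(mask: int) -> str:
    """Turn an AccessMask into readable right names, falling back to hex."""
    names = [name for bit, name in ACCESS_BITS.items() if mask & bit]
    return "|".join(names) or hex(mask)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_file_access(ev: dict) -> Optional[Finding]:
    """Flag any non-browser process touching a Firefox profile, reads included."""
    obj = ev.get("ObjectName", "")
    if not PROFILE_PATH.search(obj):
        return None
    proc = ev.get("ProcessName", "")
    if basename(proc) in ALLOWED_PROCESSES:
        return None
    severity = "sensitive" if basename(obj) in SENSITIVE_FILES else "profile"
    return Finding("firefox_profile_access", ev.get("SubjectUserName", "?"), proc, obj,
                   f"{severity}; access={decode_access(ev.get('AccessMask', 0))}")


def check_scheduled_task(ev: dict) -> Optional[Finding]:
    """Heuristic (assumption): a task whose command runs from a user profile is suspect."""
    m = COMMAND.search(ev.get("TaskContent", ""))
    if not m:
        return None
    command = m.group(1).strip()
    if re.search(r"\\Users\\", command, re.IGNORECASE):
        return Finding("scheduled_task_user_path", ev.get("SubjectUserName", "?"),
                       command, ev.get("TaskName", "?"), "task command lives under \\Users")
    return None


def detect(events: list) -> list:
    """Route each event to its check and collect the findings in log order."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        f = check_file_access(ev) if eid == 4663 else (
            check_scheduled_task(ev) if eid == 4698 else None)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.kind}] user={f.user} process={f.process} target={f.target} ({f.detail})")
```

Run against the constructed events, the browser's own read of `logins.json` produces nothing, while the two reads by `update.exe` (one from each profile tree) and the task that launches it are reported. The point of checking the mask rather than only write events is the one the HIPS post makes: a stealer only needs to read `key4.db` and `logins.json`, so a monitor that cannot see reads never fires.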