itman
Posts: 12,082
Days Won: 319
itman last won the day on March 8
itman had the most liked content!
Rank: Newbie
Gender: Male
Location: USA
Multiples detections JS/Packed.Agent.H
itman replied to Andres96's topic in Malware Finding and Cleaning
I would open a support request with your in-country Eset vendor and ask them to verify if the Suspicious Application detection is correct.
I did more research on this issue yesterday with a number of interesting results. The first find is that Firefox is unique in how it handles DNS over HTTPS: https://support.sophos.com/support/s/article/KB-000043686?language=en_US

The next find is how this web site, https://crackingpatching.com/ , is bypassing Eset blacklist detection. It yielded how the bypass occurs but not how it is being done w/DoH enabled. Firefox has developer network tools that can be accessed via about:networking. One of these tools is DNS, which will log all DNS name servers used by a web site. Access to https://crackingpatching.com/ yielded the same results as shown by Sucuri: https://forum.eset.com/topic/40209-eset-web-protection-doesnt-block-websites-on-firefox/?do=findComment&comment=181351 . Of note is this name server IP address, 172.67.219.95. This IP address is also listed as the IP address in the VirusTotal detection: https://www.virustotal.com/gui/url/5583ee6d3fa820c9c851f37746d9b5a896da37bc7ce93329d6dcc02e4b7d9daa/detection . This IP address is not shown as a DNS name server associated with this web site: https://forum.eset.com/topic/40209-eset-web-protection-doesnt-block-websites-on-firefox/?do=findComment&comment=181211 . Finally, a lookup of this IP address shows it is in no way associated with https://crackingpatching.com/ , per Robtex lookup: https://www.robtex.com/ip-lookup/172.67.219.95

-EDIT- I almost missed this. Notice the IP addresses highlighted; those are the DNS name servers associated with https://crackingpatching.com/ . It really appears that someone has figured out a way to manipulate the Cloudflare DNS server connection when DNS over HTTPS is being used.
-
It's the same DNS over HTTPS Eset bypass discussed at length in this thread: https://forum.eset.com/topic/40209-eset-web-protection-doesnt-block-websites-on-firefox/ . With DoH disabled, Eset blocks access to the web site via blacklist detection. With DoH enabled, web site access is granted w/o issue. The only difference in this case when using Firefox is that no Eset Filtered Web site log block entries are created. Perhaps with Browser Security & Privacy enabled - I have it disabled - the search result malicious icon display factored into Eset block log entries not being created, as has been previously documented.
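Added example, not part of itman's posts or of any Eset or Mozilla code: a small Python check an admin can run against a Firefox profile's prefs.js to tell whether the DoH (TRR) mode that the two posts above describe as bypassing Eset's blacklist is active, plus the Firefox enterprise policy that locks DoH off. The prefs.js content and the profile path are constructed sample data.

```python
import json
import re

# Constructed sample of a Firefox prefs.js (not taken from any real profile).
SAMPLE_PREFS_JS = '''\
user_pref("browser.startup.page", 3);
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
user_pref("privacy.donottrackheader.enabled", true);
'''

# Meaning of the network.trr.mode values that matter for a web filter:
# only modes 2 and 3 send DNS queries over HTTPS, where a host-level
# DNS/URL filter that inspects plain DNS never sees them.
TRR_MODES = {
    0: "off (Firefox default, native OS resolver)",
    2: "DoH first, fall back to native resolver",
    3: "DoH only, no native fallback",
    5: "off by user choice",
}

_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')


def parse_prefs(text):
    """Parse user_pref(...) lines into a dict of str/bool/int values."""
    prefs = {}
    for m in _PREF_RE.finditer(text):
        key, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            try:
                prefs[key] = int(raw)
            except ValueError:
                prefs[key] = raw
    return prefs


def doh_status(prefs):
    """Report whether DoH is active and which resolver URL it uses."""
    mode = prefs.get("network.trr.mode", 0)  # absent pref means Firefox default
    active = mode in (2, 3)
    return {
        "mode": mode,
        "description": TRR_MODES.get(mode, "unknown mode"),
        "doh_active": active,
        "resolver": prefs.get("network.trr.uri") if active else None,
    }


def lock_doh_off_policy():
    """policies.json fragment that disables DoH and stops users re-enabling it."""
    return {"policies": {"DNSOverHTTPS": {"Enabled": False, "Locked": True}}}


if __name__ == "__main__":
    print(json.dumps(doh_status(parse_prefs(SAMPLE_PREFS_JS)), indent=2))
    print(json.dumps(lock_doh_off_policy(), indent=2))
```

Drop the policy JSON into the `distribution/policies.json` file of the Firefox install directory to enforce the off setting; the prefs.js check alone only reports what a profile currently has.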
-
Just a clarification here. If you look at the video carefully, you will observe that Win HVCI - Memory Integrity is disabled. Also confirmed by this malwaretips.com comment: With Win HVCI - Memory Integrity enabled, this bypass won't work. BTW - Win HVCI - Memory Integrity is by far the most important Win 10/11 security protection. It prevents kernel mode access from user mode as was done in this test. It should never be purposely disabled.
-
Multiples detections JS/Packed.Agent.H
itman replied to Andres96's topic in Malware Finding and Cleaning
Refer to this thread: https://forum.eset.com/topic/29087-club-pogo-and-selective-games-blocked-by-eset/ . Appears to be related to games with Pogo being the main culprit.