itman

Most Valued Members

  • Posts: 12,082
  • Days Won: 319

itman last won the day on March 8

itman had the most liked content!

About itman

  • Rank: Newbie

Profile Information

  • Gender: Male
  • Location: USA

Recent Profile Visitors

25,894 profile views

  1. I would open a support request with your in-country Eset vendor and ask them to verify if the Suspicious Application detection is correct.
  2. Refer to this article: https://winaero.com/enable-dns-over-https-in-microsoft-edge/ to determine if DNS over HTTPS is enabled in Edge and what DNS provider it is using.
  3. This is also very informative and might be what is going on here: https://www.securityweek.com/cloudflare-users-exposed-to-attacks-launched-from-within-cloudflare-researchers/
  4. Same setting in Firefox. Of note is that I am also using Cloudflare as my Win 10 DNS servers.
  5. I did more research on this issue yesterday with a number of interesting results.

     The first find is that Firefox is unique in how it handles DNS over HTTPS: https://support.sophos.com/support/s/article/KB-000043686?language=en_US

     The next find is how this web site, https://crackingpatching.com/ , is bypassing Eset blacklist detection. It yielded how the bypass occurs, but not how it is being done with DoH enabled. Firefox has developer network tools that can be accessed via about:networking. One of these tools is DNS, which will log all DNS name servers used by a web site. Access to https://crackingpatching.com/ yielded the same results as shown by Sucuri: https://forum.eset.com/topic/40209-eset-web-protection-doesnt-block-websites-on-firefox/?do=findComment&comment=181351 . Of note is this name server IP address, 172.67.219.95. This IP address is also listed as the IP address in the VirusTotal detection: https://www.virustotal.com/gui/url/5583ee6d3fa820c9c851f37746d9b5a896da37bc7ce93329d6dcc02e4b7d9daa/detection . This IP address is not shown as a DNS name server associated with this web site: https://forum.eset.com/topic/40209-eset-web-protection-doesnt-block-websites-on-firefox/?do=findComment&comment=181211 . Finally, a lookup of this IP address shows it is in no way associated with https://crackingpatching.com/ , per Robtex lookup: https://www.robtex.com/ip-lookup/172.67.219.95

     -EDIT- I almost missed this. Notice the IP addresses highlighted; those are the DNS name servers associated with https://crackingpatching.com/ . It really appears that someone has figured out a way to manipulate the Cloudflare DNS server connection when DNS over HTTPS is being used.
  6. It's the same DNS over HTTPS Eset bypass discussed at length in this thread: https://forum.eset.com/topic/40209-eset-web-protection-doesnt-block-websites-on-firefox/ . With DoH disabled, Eset blocks access to the web site via blacklist detection. With DoH enabled, web site access is granted without issue. The only difference in this case when using Firefox is that no Eset Filtered Web site log block entries are created. Perhaps with Browser Security & Privacy enabled - I have it disabled - the search result malicious icon display factored into Eset block log entries not being created, as has been previously documented.
  7. Just a clarification here. If you look at the video carefully, you will observe that Win HVCI - Memory Integrity is disabled. Also confirmed by this malwaretips.com comment: With Win HVCI - Memory Integrity enabled, this bypass won't work. BTW - Win HVCI - Memory Integrity is by far the most important Win 10/11 security protection. It prevents kernel mode access from user mode as was done in this test. It should never be purposely disabled.
  8. Submit parsifal.dll to VirusTotal and see if anyone else has issues with the file.
  9. Refer to this thread: https://forum.eset.com/topic/29087-club-pogo-and-selective-games-blocked-by-eset/ . Appears to be related to games with Pogo being the main culprit.
  10. The point to note here is that if a downgrade from DoH to DNS is occurring, it is being done on the browser server. As such, it is physically impossible for Eset to inspect that DNS traffic.
  11. Scholarly article on why you don't want to use DoH: https://www.usenix.org/system/files/foci20-paper-huang.pdf
  12. As far as whether DoH should be used at all, this article is worth a read: https://flashstart.com/dns-over-https/ . I again reiterate, both Win and browser based DoH are now removed from my PC.
  13. Another interesting observation. Excluding the browser DoH factor, the TLD is not detected by the Eset blacklist used by Sucuri: https://sitecheck.sucuri.net/results/crackingpatching.com . Could it be that since the site is using a trusted cert., scanning of it is being ignored?
  14. Eset supports older Intel processors. The initial list is shown in this Eset KB article: https://support.eset.com/en/kb8336-intel-threat-detection-technology-tdt-supported-processors . This list dates to 2022 and additional later dated processors have been added.
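Added example (not the poster's code, and not an Eset or Mozilla tool): posts 2, 4, 5 and 12 above turn on whether the browser has DoH enabled, since with Firefox in DoH mode the lookups travel inside HTTPS to the resolver and a host-based web filter never sees them. The script below audits that from a Firefox profile's prefs.js, reading the network.trr.mode, network.trr.uri and network.trr.excluded-domains preferences that Firefox actually writes, and reports whether lookups leave the host as DoH. The mode numbers follow Mozilla's TRR documentation (2 = DoH first with native fallback, 3 = DoH only, 0 and 5 = off, 1 and 4 = deprecated reserved values). The prefs.js content embedded in the block is constructed for the demonstration; pass a real profile's prefs.js path as the first argument to audit an actual install.

```python
"""Audit Firefox's DNS-over-HTTPS (TRR) posture from a profile's prefs.js.

Added example. Parses the network.trr.* preferences in prefs.js / user.js
and reports whether name lookups leave the host inside HTTPS (mode 2 or 3),
which is the case where a host-based DNS/web filter cannot inspect them.
"""
import re
import sys
from pathlib import Path

# Meaning of the network.trr.mode values per Mozilla's TRR documentation.
TRR_MODES = {
    0: "off (default: native OS resolver)",
    1: "reserved (deprecated, not a DoH mode)",
    2: "DoH first, fall back to native DNS if the resolver fails",
    3: "DoH only, no native fallback",
    4: "reserved (deprecated, not a DoH mode)",
    5: "off (explicitly disabled by the user)",
}

# Matches lines such as:  user_pref("network.trr.mode", 3);
_PREF_RE = re.compile(
    r'^\s*(?:user_pref|pref)\("([^"]+)",\s*(.+?)\);\s*$', re.MULTILINE
)


def parse_prefs(text):
    """Return {pref name: value} for every pref line in prefs.js/user.js text."""
    prefs = {}
    for name, raw in _PREF_RE.findall(text):
        raw = raw.strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # unknown literal: keep verbatim
    return prefs


def doh_status(prefs):
    """Summarise the DoH posture implied by the parsed preferences."""
    mode = prefs.get("network.trr.mode", 0)
    if not isinstance(mode, int) or mode not in TRR_MODES:
        mode = 0  # garbage or missing value: Firefox uses the default
    active = mode in (2, 3)
    excluded = str(prefs.get("network.trr.excluded-domains", ""))
    return {
        "mode": mode,
        "label": TRR_MODES[mode],
        "doh_active": active,
        # The resolver URI only matters while a DoH mode is selected.
        "resolver": str(prefs.get("network.trr.uri", "")) if active else "",
        "native_fallback": mode == 2,
        # Names listed here are always resolved natively, so they stay
        # visible to a host-based filter even with DoH on.
        "excluded_domains": [d.strip() for d in excluded.split(",") if d.strip()],
    }


def report(text):
    """One-line human-readable verdict for a prefs.js body."""
    s = doh_status(parse_prefs(text))
    if s["doh_active"]:
        verdict = "DoH ACTIVE, resolver %s" % s["resolver"]
    else:
        verdict = "DoH off"
    return "network.trr.mode=%d [%s] -> %s" % (s["mode"], s["label"], verdict)


# Constructed sample prefs.js content; not taken from a real profile.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("network.trr.mode", 3);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
user_pref("network.trr.excluded-domains", "corp.example, localhost");
user_pref("privacy.donottrackheader.enabled", true);
"""

if __name__ == "__main__":
    # With a path argument, audit that profile's prefs.js; otherwise the sample.
    if len(sys.argv) > 1:
        body = Path(sys.argv[1]).read_text(encoding="utf-8", errors="replace")
    else:
        body = SAMPLE_PREFS_JS
    print(report(body))
```

On Windows the profile's prefs.js lives under %APPDATA%\Mozilla\Firefox\Profiles\<profile>\; a result of mode 2 or 3 means the browser's lookups bypass any filter that only watches the operating system's port 53 traffic, which is the condition the posts above describe.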