itman

Everything posted by itman

  1. Did you enable the AdGuard WinTun driver as instructed and perform the AMTSO Desktop tests? Did Eset block these tests as expected?
  2. Turn on WinTun option. Reboot PC. Retest at AMTSO Phishing test site. Ref: https://adguard-vpn.com/en/blog/adguard-vpn-v2-2-for-mac-and-windows.html . Note that AdGuard documentation does not specifically state that WFP use is disabled when WinTun driver is used. But, the implication is the tunnel driver is bypassing WFP use.
  3. Again ...... https://adguard-vpn.com/kb/adguard-vpn-for-windows/overview/ Eset also uses Windows Filtering Platform and this is where the conflict exists. Unlike the AdGuard Adblocker product, I don't see an option to disable WFP in AdGuard VPN. As such, you can't use AdGuard VPN if Eset is installed.
  4. https://www.file.net/process/mspydll.dll.html Since Eset's Browser Privacy & Security feature is alerting about this .dll, I assume it's attempting to perform one or more of the above activities against your browser.
  5. It might be related to the QUIC issue affecting browsers as posted in recent forum threads. Disable this setting; https://adguard.com/kb/adguard-for-windows/solving-problems/low-level-settings/#filter-http3 and see if this resolves the issue. Another known Adguard incompatibility with ESET is Adguard's default use of Windows Filtering Platform. It needs to be disabled as shown here: https://adguard.com/kb/adguard-for-windows/solving-problems/wfp-driver/ .
  6. Ahh .............. You poor soul! That is also my ISP. First, you can't change any DNS server info on AT&T gateways/routers. They have locked the settings from modification. Do as I did. Remove any third party DNS server settings from your IPv4/IPv6 connections. Now you are using AT&T DNS servers assigned via DHCP. Reboot Windows. Retest with http.http3.enable set to false in Firefox.
  7. Are you using the browser extension or stand-alone version of AdGuard VPN? The browser extension version doesn't work with Eset: https://forum.eset.com/topic/34409-eset-not-working-with-vpn-extensions/ .
  8. In my case, the key element was switching back to my ISP DNS servers as my Win DNS servers. I had tried using both Cloudflare and Quad9 as my Win DNS servers previously with http.http3.enable set to false, and Eset failed to alert/block the crackingpatch site. My suspicion is it's the 6rd tunneling my ISP uses on their network.
  9. Just retested. Eset now blocks the domain with network.http.http3.enable set to false. DoH set to maximum level using default Cloudflare servers. I am also now using my ISP DNS servers as Win DNS servers.
  10. Well, I'll be damned. I got Firefox to detect https://crackingpatching.com/2017/03/avast-pro-antivirus-internet-security-premier-17-2-3419-0-keys.html with DNS over HTTPS enabled. The problem turns out to be HTTP/3, i.e. QUIC, as discussed in the other recent thread on this issue. Set the network.http.http3.enable setting via the about:config option to false and Eset now detects every time. I will also add that disabling HTTP/3 in Firefox does not disable it as far as Firefox DNS over HTTPS server processing goes. Using the Cloudflare check: https://www.cloudflare.com/ssl/encrypted-sni/ shows HTTP/3 is enabled.
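The two Firefox settings discussed in posts 9 and 10 (HTTP/3 and DNS over HTTPS) live in the profile's prefs.js; the following audit script is an added example, not code from the forum or from ESET, and the prefs.js content it parses is a constructed sample.

```python
import re

# Constructed sample of a Firefox prefs.js body (not taken from the forum post).
SAMPLE_PREFS = '''\
// Mozilla User Preferences
user_pref("network.trr.mode", 3);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
user_pref("network.http.http3.enable", true);
user_pref("browser.startup.homepage", "about:home");
'''

# One user_pref("name", value); statement per line.
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);\s*$', re.M)

# Meaning of the network.trr.mode values as Firefox defines them.
TRR_MODES = {0: "off (OS resolver)", 1: "reserved", 2: "DoH first, OS fallback",
             3: "DoH only", 5: "off by user choice"}


def parse_prefs(text):
    """Return {name: value} from a prefs.js / user.js body, converting JS literals."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        raw = raw.strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def audit(prefs):
    """Flag the settings that let Firefox traffic slip past a WFP-based web filter."""
    findings = []
    # Firefox ships with HTTP/3 enabled, so an absent pref counts as enabled.
    if prefs.get("network.http.http3.enable", True):
        findings.append("HTTP/3 (QUIC) enabled: set network.http.http3.enable to false")
    mode = prefs.get("network.trr.mode", 0)
    if mode in (2, 3):
        uri = prefs.get("network.trr.uri", "<Firefox default resolver>")
        findings.append(f"DoH active (network.trr.mode={mode}: {TRR_MODES[mode]}) via {uri}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_prefs(SAMPLE_PREFS)):
        print(finding)
```

Point the script at a real profile by reading prefs.js instead of SAMPLE_PREFS; an empty result means both settings match what the post found necessary for ESET to see the traffic.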
  11. Another issue with Firefox DNS over HTTPS or not if you're using a VPN. It will leak your ISP DNS servers: https://connect.mozilla.org/t5/discussions/firefox-has-dns-leak-security-issue/td-p/50582 .
  12. I found it. It's located here, C:\Windows\System32\DriverStore\FileRepository\nv_dispig.inf_amd64_866484083fc526af\Display.NvContainer Also, due to Nvidia's aggressive telemetry processing, it may be being re-created in the System32 directory and then deleted after system startup. In any case, good luck on trying to allow it via an Eset firewall rule for process detection. There are other forum postings on this and none succeeded. Since it can be blocked by a firewall rule for IP address, 152.199.20.80, a rule can be created to allow the IP address, which is risky.
  13. File not found on my PC. I have an nVidia graphics card with nVidia drivers installed. The only like file on my PC running is NVContainer.exe located in the C:\Windows\System32\DriverStore\FileRepository\nv_dispig.inf_amd64_866484083fc526af\Display.NvContainer directory. As a rule, I never install GeForce Experience. This System32 directory based NVDisplay.Container.exe file might be related to that. However, I know that NVContainer.exe "dials out" on my PC on every system startup to IP address, 152.199.20.80.
  14. First, as best as I can tell, Firefox isn't using HTTP/3. Next, the problem with Firefox is how it performs DNS resolution when DoH is enabled as noted in the other forum thread on this issue and repeated below; https://support.sophos.com/support/s/article/KB-000043686?language=en_US
  15. Eset doesn't state that the Online Scanner is officially supported on Win 11;
  16. According to Watchguard, you also need to create a firewall rule to block UDP port 80 and 8080 network traffic: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Endpoint-Security/manage-settings/disable-http-3-protocol-for-web-access-control.html?TocPath=Troubleshooting|_____19 . Except for Firefox, which uses its own DNS processing with DoH enabled. Also, Firefox has QUIC enabled by default.
  17. Your posted screen shot shows you have DNS over HTTPS enabled. Edge refers to DNS over HTTPS as "secure DNS." You also have "Use current service provider" enabled. You stated that you are using Cloudflare as your Windows DNS servers; i.e. current service provider. Therefore, you are using Cloudflare as your DNS over HTTPS provider. Disable the "Use secure DNS" setting; close and reopen Edge; and retest. Eset should alert and block access to this malicious web site every time.
  18. I would open a support request with your in-country Eset vendor and ask them to verify if the Suspicious Application detection is correct.
  19. Refer to this article: https://winaero.com/enable-dns-over-https-in-microsoft-edge/ to determine if DNS over HTTPS is enabled in Edge and what DNS provider it is using.
  20. This also is very informative and might be what is going on here: https://www.securityweek.com/cloudflare-users-exposed-to-attacks-launched-from-within-cloudflare-researchers/ .
  21. Same setting in Firefox. Of note is I am also using Cloudflare as my Win 10 DNS servers;
  22. I did more research on this issue yesterday with a number of interesting results. The first find is that Firefox is unique in how it handles DNS over HTTPS; https://support.sophos.com/support/s/article/KB-000043686?language=en_US The next find is how this web site: https://crackingpatching.com/ is bypassing Eset blacklist detection. It yielded how the bypass occurs but not how it is being done w/DoH enabled. Firefox has developer network tools that can be accessed via about:networking. One of these tools is DNS, which will log all DNS name servers used by a web site. Access to https://crackingpatching.com/ yielded the same results as shown by Sucuri: https://forum.eset.com/topic/40209-eset-web-protection-doesnt-block-websites-on-firefox/?do=findComment&comment=181351 . Of note is this name server IP address, 172.67.219.95. This IP address is also listed as the IP address in the VirusTotal detection: https://www.virustotal.com/gui/url/5583ee6d3fa820c9c851f37746d9b5a896da37bc7ce93329d6dcc02e4b7d9daa/detection . This IP address is not shown as a DNS name server associated with this web site: https://forum.eset.com/topic/40209-eset-web-protection-doesnt-block-websites-on-firefox/?do=findComment&comment=181211 . Finally, a lookup of this IP address shows it is in no way associated with https://crackingpatching.com/ ; per Robtex lookup; https://www.robtex.com/ip-lookup/172.67.219.95 -EDIT- I almost missed this. Notice the IP addresses highlighted; those are the DNS name servers associated with https://crackingpatching.com/ . It really appears that someone has figured out a way to manipulate the Cloudflare DNS server connection when DNS over HTTPS is being used.