Posts posted by itman

  1. 1 hour ago, pipes said:

    I would see Windscribe was trying to use QUIC UDP-443,

    Creating an Eset firewall rule for WindscribeService.exe to block any inbound/outbound traffic for UDP port 443 should do the trick.

    On the other hand, I believe Eset's SSL/TLS protocol scanning is monitoring all inbound TCP/UDP traffic regardless of port used. Assumed here is QUIC traffic has to pass through the Windows Filtering Platform. The point to be determined is if Eset can decrypt QUIC packets.

  2. 12 minutes ago, itman said:

    https://blog.apnic.net/2019/03/04/a-quick-look-at-quic/

    As I see it a malware app would have to be installed on a device that uses the QUIC protocol. So in reality it is no different from a malware app using TCP. Bottom line - if no malware app is installed in the first place, there is nothing to be worried about. As you mentioned I believe browser-wise, Chrome is the only one using QUIC and it's an experimental feature there that can be disabled.

    I also believe older routers with firewalls will have an issue with this protocol since they will block external incoming UDP traffic on port 443.

    Of note is the following:

    Quote

    For those clients and servers that do not support QUIC, or for network paths where UDP port 443 is not supported, the common fallback is TCP.

    This implies that the router must also support incoming QUIC traffic.

  3. Quote

    An application that uses the QUIC protocol sends and receives packets using UDP port 443.

    https://blog.apnic.net/2019/03/04/a-quick-look-at-quic/

    As I see it a malware app would have to be installed on a device that uses the QUIC protocol. So in reality it is no different from a malware app using TCP. Bottom line - if no malware app is installed in the first place, there is nothing to be worried about. As you mentioned I believe browser-wise, Chrome is the only one using QUIC and it's an experimental feature there that can be disabled.

    I also believe older routers with firewalls will have an issue with this protocol since they will block external UDP traffic on port 443.

  4. 10 hours ago, Ken_Suen_STKF said:

    isn't "*drjart.com*" already covered by "*.drjart.com/*"?

    the syntax you quote should be just for safety purposes, am I correct?

    Per Eset online help:

    Quote

    A leading "*." sequence is treated specially if used at the beginning of domain name. First, the * wildcard does not match the slash character ('/') in this case. This is to avoid circumventing the mask, for example the mask *.domain.com will not match http://anydomain.com/anypath#.domain.com (such suffix can be appended to any URL without affecting the download). And second, the "*." also matches an empty string in this special case. This is to allow matching whole domain including any subdomains using a single mask. For example the mask *.domain.com also matches http://domain.com. Using *domain.com would be incorrect, as that would also match http://anotherdomain.com.

    https://help.eset.com/eis/13/en-US/idh_config_epfw_scan_http_address_list.html?idh_dialog_epfw_add_url_addr_mask.html

  5. To supplement @peteyt reply, no commercial concern will pay up front for a "supposed" bypass. First the concern must have a policy in place that they will pay a bug bounty. Eset does not.

    Next, this policy will state the conditions under which a bounty will be paid and what the bug submission requirements are; i.e. P.O.C. format, findings, and the like. All bounty payments are further made at the full discretion of the vendor as to whether the bug submission meets the bypass criteria established by the vendor.

    I will further add that public disclosure of security flaws is not illegal but certainly unethical w/o private disclosure to the vendor first. However, active deployment of any like bypasses is illegal.

  6. The problem with the uPCU concept is many commercial concerns have policies in place that dictate all software updates be tested for operational issues prior to being deployed en masse to the corporate network.

    30 minutes ago, tmuster2k said:

    Is there any technical explanation as to why reboots are needed to finalize upgrade of ESET products from older version to new?

    The OS might have locks on system areas Eset updates.

  7. Here are the system requirements for Eset Linux Server: https://help.eset.com/efs/7/en-US/system_requirements.html . Although Fedora is not specifically listed, the KB article states:

    Quote

    ESET File Security for Linux should also work on the most recent and frequently used open-source Linux distributions if:

    the hardware requirements criteria above are met,

    and software dependencies are not missing in the Linux distribution used.


  8. 1 hour ago, DennyP said:

    Even if it remains where I move it, I have 4 windows open on my monitor and don't need to cover any of them with a popup.

    You might "want to play around" with the below Eset e-mail setting:

    Quote

    Action to be performed on infected email

    No action – If enabled, the program will identify infected attachments, but will leave emails without taking any action.

    Delete email – The program will notify the user about infiltration(s) and delete the message.

    Move email to the Deleted items folder – Infected emails will be moved automatically to the Deleted items folder.

    Move email to folder (default action) – Infected emails will be moved automatically to the specified folder.

    https://help.eset.com/eis/13/en-US/idh_config_emon_clients.html

    If taken literally, only the "No action" and "Delete email" options will generate an alert.

  9. 38 minutes ago, DennyP said:

    That suggestion might work when there is just one window on the monitor. My window with Outlook running is only 1/4 of the monitor so the alert window takes up a lot of real-estate and has to be closed before I can read the email screen.

    As far as I am aware, Eset alerts always display on the desktop. When one appears again in the Outlook window, drag the alert window to where I suggested and see if future alerts remain there.

  10. 4 hours ago, DennyP said:

    It is multiple threats that get detected. The issue is not that the threats are detected, the issue is that each time one is, I get a popup in the middle of what I'm doing. I have the display time set to the minimum 10 seconds.

    These are "opaque" alerts. In other words, the alerts fade away and disappear on their own. You can move the alert window to the lower desktop area such as right edge above the toolbar. This way you will receive a visual display of malware activity being detected and mitigated but it should not interfere with whatever you have currently displayed on the desktop.

  11. First some details on Nanacore:

    Quote

    The NanoCore remote access Trojan (RAT) was first discovered in 2013 when it was being sold in underground forums. The malware has a variety of functions such as keylogger, a password stealer which can remotely pass along data to the malware operator. It also has the ability to tamper and view footage from webcams, screen locking, downloading and theft of files, and more.

    The current NanoCore RAT is now being spread through malspam campaign which utilizes social engineering in which the email contains fake bank payment receipt and request for quotation. The emails also contain malicious attachments with .img or .iso extension. The .img and .iso files are used by disk image files to store raw dumps of either magnetic disk or optical disc. Another version of NanoCore is also distributed in phishing campaigns leveraging specially-crafted ZIP file which is designed to bypass secure email gateways. The malicious ZIP file can be extracted by certain versions of PowerArchiver, WinRar, and older 7-Zip. The stolen information is sent to the command and control (C&C) servers of the malware attacker.

    https://success.trendmicro.com/solution/1122912-nanocore-malware-information

    If you were using Eset Internet or Smart Security and accessing your bank's web site via Banking & Payment Protection option, your keystrokes would have been scrambled rendering keystroke capture ineffective against any installed keylogger.

    Additionally both the above products scan incoming client-based e-mail for malware. Do note that when using web-based e-mail, caution should be exercised in how attachments are handled. Many will auto open attachments and show those inline with the body of the e-mail.

    I would also recommend to use a bank that employs full two-factor authorization. That is when you logon to the bank's web site, it sends a code to a designated phone number you previously set up with the bank. The code has a one time use and must be entered to complete the bank web site logon. This ensures that even if an attacker captured your bank site logon id and password, he still can't access your bank account data.

  12. Will add that the MIME application/octet-stream string can be any of the following file types:

    File type                     Extension
    Binary file                   *
    binary disk image             bin
    Java class file               class
    Disk Masher image             dms
    executable file               exe
    LHARC compressed archive      lha
    LZH compressed file           lzh

    https://www.lifewire.com/file-extensions-and-mime-types-3469109

  13. 15 hours ago, peteyt said:

    I had a look around and got this

    Your browser cannot display the file as “application/octet-stream”.


    File Info
    • MIME type: application/octet-stream

    FYI - https://kb.iu.edu/d/agtj

    Appears the best that can be done is to create an application.bin file, which is basically worthless since it needs a specific app to read it.

    As noted in the linked Indiana Univ. article, this file is most likely an e-mail attachment and identity can be established via:

    Quote

    If the attachment has a filename extension associated with it, you may be able to tell what kind of file it is. A .exe extension, for example, indicates it is a Windows or DOS program (executable), while a file ending in .doc is probably meant to be opened in Microsoft Word.


  14. Also, and importantly, note that Cisco Meraki network perimeter security appliances for example have Web content filtering granularity to the level where specific Torrent traffic can be blocked. However, they footnote this capability with the following statement:

    Quote

    Note: File sharing programs, such as BitTorrent, are now able to be configured to encrypt traffic as secure HTTPS, potentially bypassing P2P traffic shaping rules that have been configured. Cisco Meraki MX Security Appliances and Wireless APs are capable of detecting some of the encrypted P2P traffic on the network. When encrypted P2P traffic is detected, it will be matched to any configured P2P traffic shaping rules, and honor the limitations that have been configured. However, if the traffic is encrypted, it may not be possible to accurately classify all of the offending traffic.

    https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Blocking_P2P_And_File_Sharing

  15. 9 hours ago, Martin25B93 said:

    Yes. But before you start torrent downloading you need to find that .torrent file for example.

    -EDIT- Try what is shown in this Eset online help article first: https://help.eset.com/ees/7/en-US/how_block_file_dwnl.html. That is, enter *.*.torrent and */*.torrent in the URL blocked address list.

    However, read this article: https://www.techworm.net/2020/04/download-torrent-site.html. By blocking .torrent downloads, you are only blocking the "seeding" file and not the actual downloaded files. Also note:

    Quote

    On the other hand, a magnet link will offer a direct line and connect the downloader to each file.

    -END EDIT-

    The only way to do this would be to block access to torrent web sites by domain name filtering via URL address management. Here's a list of approx. 30 of them and I am sure more exist: https://www.alltorrentsites.com/ .

    Note that to download torrent files, Torrent software must be installed. I really don't know why any commercial concern would allow users to install like software or any software for that matter: https://security.stackexchange.com/questions/122617/how-to-block-torrent-sites .

    If we are referring to BitTorrent, its inbound traffic can be blocked by creating an Eset firewall rule to do so: https://imacify.com/2013/07/what-is-torrents-and-how-to-block-torrent-downloads/ although torrents can use any port.

    Or:

    Quote

    Another approach would be to block the types of connections that Bittorrent requires. As a peer-to-peer protocol, peers outside your network need to connect in. A firewall could prohibit incoming connections to your user subnet, while permitting them to your intended outward-facing services. An IPS could put a threshold on the number of incoming and outgoing connections, since Bittorrent clients need to connect to multiple peers (and have multiple peers connect to them) in order to function.

    https://security.stackexchange.com/questions/33983/what-are-the-tcp-udp-ports-used-by-torrent-applications

    The problem here I believe is the torrent client/s are initiating the download by performing an outbound connection. As such, the Eset firewall will allow that inbound traffic.

  16. 1 hour ago, Martin25B93 said:

    I created rule for decline downloading all torrents -> **.torrent

    Per Eset online help:

    Quote

    Block or allow specific file extensions

    URL address management also allows you to block or allow the opening of specific file types during internet browsing. For example, if you do not want executable files to be opened, select the list where you want to block these files from the drop-down menu and then enter the mask "**.exe".

    https://help.eset.com/ees/7/en-US/idh_config_parental_rule_edit_dlg.html?idh_config_epfw_scan_http_address_list.html

    The problem here as I see it is torrent files are downloaded outside of a browser. I believe URL management only controls access to files opened in a browser.
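    The mask rules quoted from the Eset online help in posts 4 and 16 (and the *.*.torrent / */*.torrent masks from post 15) can be checked with a small matcher. The code below is an added example, not Eset's code or anything from the help pages; it assumes that the mask is compared against the URL with its scheme (http://, https://) removed, that hostname comparison is case-insensitive, and that a "*" anywhere other than in a leading "*." matches any run of characters including "/". Whether a bare "*.domain.com" also covers paths under that domain is not stated in the quoted help text, so the drjart example uses the "/*" suffix from the original question.

```python
import re

# Added example (not Eset's code): matcher for the URL-mask semantics quoted
# from the Eset online help. Assumption: masks are compared against the URL
# with its scheme removed, and matching is case-insensitive.
SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def mask_to_regex(mask: str) -> "re.Pattern":
    """Translate an Eset-style address mask into a compiled regular expression."""
    if mask.startswith("*."):
        # Special case from the help text: the leading "*" must not cross a '/'
        # (so anydomain.com/anypath#.domain.com is not matched), and the whole
        # "*." may match the empty string so that *.domain.com also covers
        # domain.com itself.
        prefix = r"(?:[^/]*\.)?"
        rest = mask[2:]
    else:
        prefix = ""
        rest = mask
    # Assumption: any other "*" matches any character run, including '/'.
    body = "".join(".*" if ch == "*" else re.escape(ch) for ch in rest)
    return re.compile("^" + prefix + body + "$", re.IGNORECASE)


def matches(mask: str, url: str) -> bool:
    """True if the mask would match the URL under the rules above."""
    return mask_to_regex(mask).match(SCHEME.sub("", url)) is not None


def check_examples() -> dict:
    """Worked cases from the help text and from the thread's own masks (constructed URLs)."""
    return {
        "subdomain":        matches("*.domain.com", "http://sub.domain.com"),
        "bare_domain":      matches("*.domain.com", "http://domain.com"),
        "fragment_trick":   matches("*.domain.com", "http://anydomain.com/anypath#.domain.com"),
        "sloppy_mask":      matches("*domain.com", "http://anotherdomain.com"),
        "drjart_with_path": matches("*.drjart.com/*", "https://www.drjart.com/shop/item"),
        "exe_block":        matches("**.exe", "http://example.com/downloads/setup.exe"),
        "torrent_a":        matches("*.*.torrent", "http://files.example.org/linux.torrent"),
        "torrent_b":        matches("*/*.torrent", "http://example.org/linux.torrent"),
    }


if __name__ == "__main__":
    for name, result in check_examples().items():
        print(f"{name:18} {'MATCH' if result else 'no match'}")
```

    Running it shows why the help page calls *domain.com "incorrect": it matches anotherdomain.com, while *.domain.com matches domain.com and its subdomains but refuses the anypath#.domain.com suffix trick.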

  17. 1 hour ago, Martin25B93 said:

    For example If I turn this feature on and fill List of blocked addresses  and I noticed almost everything is blocked via ESET :( I

    Did you create an entry in the "List of blocked addresses" and place an "*" there? If so, all URLs will be blocked except those specified in the "List of allowed addresses."

    By default, the "List of blocked addresses" is empty. As such, nothing is blocked by Eset other than its real-time detections. If you only want to absolutely block 20 specific URLs, just add those to the "List of blocked addresses."


  18. One solution here is to create a firewall rule to allow all outbound traffic. Set its logging severity level to Warning. Move the rule to the bottom of the existing rule set. This will create a Network protection log entry for every outbound request the rule is triggered for.

    Create the rule just prior to shutting down the PC for the night. When you do a cold boot the next morning and the desktop appears and the system settles down, review the Network protection log for entries generated by the above rule. You can then create permanent firewall rules for the processes associated with these log entries as you see fit.

    Note that monitoring all Win 10 outbound system and Store network activity is pretty much an effort in futility. System package and Store app directory and/or file names change with each app update.

  19. 3 hours ago, DennyP said:

    I don't see how to turn off displaying threat alerts completely either.

    Refer to this Eset on-line help article: https://help.eset.com/eis/13/en-US/idh_config_alert.html . Disabling "Interactive alerts" however is not recommended since Eset will become completely silent in regards to the following:

    Quote

    • Threat found

    • Address has been blocked

    • Product not activated

    • Update is available

    • Update information is not consistent

    • Troubleshooting for "Modules update failed" message

    • 'File corrupt' or 'Failed to rename file'

    • Website certificate revoked

    • Network threat blocked
