
itman

Most Valued Members
  • Content Count: 8,270
  • Joined
  • Last visited
  • Days Won: 201

Posts posted by itman

  1. 23 hours ago, kamiran.asia said:

    it means that C:\ProgramFiles\MicrosoftSQLServer\MSSQL11.MSSQLSERVER\MSSQL\Binn\sqlservr.exe is downloading hxxp://dl.love-network.cc/SqlBase.exe
    and ESET will block it.

    You might want to refer to this article:

    Quote

    The Mrbminer investigation begins with the Microsoft SQL Server (sqlservr.exe) process launching a file called assm.exe, a downloader Trojan. The assm.exe program downloads the cryptominer payload from a web server, then connects to its command-and-control server to report the successful download and execution of the miner.

    Also of note:

    Quote

    While our records don’t reveal exactly how the malware gained a foothold on the database servers, it stands to reason the attackers may have used similar techniques as the MyKings, Lemon_Duck, or Kingminer miners, whose attack methods we have documented in previous articles.

    https://www.sophos.com/en-us/press-office/press-releases/2021/01/sophos-identifies-source-of-mrbminer-attacks-targeting-database-servers.aspx

    -EDIT- In regards to the above "similar techniques" referenced, all employed some form of brute-force attack against the server and/or exploitation of system vulnerabilities.

    Since it appears sqlservr.exe in your situation is directly initiating the Trojan download attempt, I assume some type of code injection is being performed against it. Again, this assumes that sqlservr.exe is a legit Windows file.

    Or, if the server has been compromised and is accessible to the attacker, any method he chooses could be used to initiate further malicious download activities.
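The behaviour discussed in the post above (sqlservr.exe launching a downloader, or itself reaching out to a download URL) is the kind of parent/child and network anomaly that endpoint telemetry makes straightforward to flag. The following Python is an added example written for this page, not code from ESET or from anyone in the thread. It runs over constructed Sysmon-style records (Event ID 1 process creation, Event ID 3 network connection); the URL and hostname are the ones quoted above, while the file paths, the allowlist of expected child processes and the "no outbound web traffic from the database engine" rule are assumptions for illustration that would be tuned to a real server's baseline.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Tuple

# Children a default SQL Server service legitimately launches.
# ASSUMPTION for illustration; derive the real baseline from the server's own telemetry.
EXPECTED_CHILDREN = {"conhost.exe", "sqldumper.exe"}
# A database engine has no reason to fetch web content; any outbound 80/443 from it is
# worth a look. ASSUMPTION: internal update/proxy hosts would be added to this allowlist.
WEB_PORTS = {80, 443}
ALLOWED_WEB_HOSTS = set()
# Matches live (http://) and defanged (hxxp://) URLs, as they appear in reports.
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://[^\s\"']+", re.IGNORECASE)


@dataclass
class Event:
    """Minimal Sysmon-like record: kind is 'process' (EID 1) or 'network' (EID 3)."""
    kind: str
    image: str                  # process that performed the action
    parent_image: str = ""      # process events only
    command_line: str = ""      # process events only
    dest_host: str = ""         # network events only
    dest_port: int = 0          # network events only


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. '...\\Binn\\sqlservr.exe' -> 'sqlservr.exe'."""
    return PureWindowsPath(path).name.lower()


def classify(ev: Event) -> List[str]:
    """Return the reasons an event is suspicious; an empty list means nothing to flag."""
    reasons: List[str] = []
    if ev.kind == "process" and _basename(ev.parent_image) == "sqlservr.exe":
        child = _basename(ev.image)
        if child not in EXPECTED_CHILDREN:
            reasons.append(f"sqlservr.exe spawned unexpected child {child}")
        urls = URL_RE.findall(ev.command_line)
        if urls:
            reasons.append("child command line references URL(s): " + ", ".join(urls))
    elif ev.kind == "network" and _basename(ev.image) == "sqlservr.exe":
        if ev.dest_port in WEB_PORTS and ev.dest_host.lower() not in ALLOWED_WEB_HOSTS:
            reasons.append(
                f"sqlservr.exe opened outbound web connection to {ev.dest_host}:{ev.dest_port}"
            )
    return reasons


def scan(events: List[Event]) -> List[Tuple[int, List[str]]]:
    """Return (index, reasons) for every event that classify() flags."""
    hits = []
    for i, ev in enumerate(events):
        reasons = classify(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample telemetry. The sqlservr.exe path is the default install location;
# the assm.exe location and command line are made up for the example.
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\conhost.exe", parent_image=SQLSERVR,
          command_line=r"\??\C:\Windows\system32\conhost.exe 0x4"),            # benign
    Event("process", r"C:\Windows\Temp\assm.exe", parent_image=SQLSERVR,
          command_line="assm.exe hxxp://dl.love-network.cc/SqlBase.exe"),      # flag
    Event("network", SQLSERVR, dest_host="dl.love-network.cc", dest_port=80),   # flag
    Event("network", SQLSERVR, dest_host="10.0.0.25", dest_port=1433),          # normal SQL traffic
    Event("process", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          parent_image=r"C:\Windows\explorer.exe", command_line="chrome.exe"), # not our parent
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(f"event {index}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Two of the five constructed events are flagged: the unexpected child (which also carries a download URL on its command line) and the outbound port-80 connection from the engine itself. The same two conditions map directly onto what the thread describes, a legitimate sqlservr.exe being driven to start a downloader or to fetch SqlBase.exe, and either hit is a reason to pull the binary for a VirusTotal check and review how the instance is exposed.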

  2. What about sqlbase.exe since this is the malicious parent process? Does that show in SysInspector?

    BTW - I believe a malicious sqlbase engine was installed.

    Also, it appears you found the malicious versions of sqlbase.exe and sqlconn.exe since they are sitting on your desktop. Is the issue that these keep reappearing on the infected devices?

    Also submit sqlservr.exe on one of these devices with issues to VirusTotal for a scan.

  3. As far as desktop notifications go, refer to the following per Eset on-line help:

    Quote

    Minimum verbosity of events to display: From the drop-down menu, you can select the starting severity level of notifications to be displayed:

    Diagnostic – Logs information needed to fine-tune the program and all records above.

    Informative – Records informative messages such as non-standard network events, including successful update messages, plus all records above.

    Warnings – Records critical errors and warning messages (Antistealth is not running properly or update failed).

    Errors – Errors (document protection not started) and critical errors will be recorded.

    Critical – Logs only critical errors (error starting antivirus protection or infected system).

    I have mine set to "Diagnostic" and have no issue with Eset HIPS rule desktop notifications appearing.

  4. Eset's System Cleaner feature's primary function is to reset Windows settings back to default values. The "Cleaner" reference in my opinion is misleading.

    Also, as the Help for this feature states, it should not be run w/o Eset tech support instructing you to do so. System Cleaner's primary purpose is to remove system modifications made by malware. However, many also perform custom modifications to Windows system settings, and those will be removed when System Cleaner is run.

  5. 34 minutes ago, peteyt said:

    I presume the only difference with secure browser enabled is keylogging, or is there some sandboxing involved?

    There is no sandboxing used since Eset doesn't have one, in contrast to its major competitors. At least, not a stand-alone sandbox employing virtualization.

    Eset employs an internal sandbox in regards to the heuristic scanning done by its real-time protection.

  6. OK. Eset really doesn't have a publication on Web Access processing. So I will post the following.

    Eset scans all incoming Internet traffic that is HTTP/HTTPS based for malicious status; not just browser-based network traffic. It does this using the existing Windows Filtering Platform, which allows for network packet analysis. In regards to encrypted HTTPS traffic, Eset decrypts it using its installed Win root CA certificate for inspection purposes.

    Additional Web Access protections include:

    1. A scanner to scan browser-based JavaScript.

    2. Anti-Phishing protection.

    3. An internal blacklist of malicious URLs.

    Additional Eset protections in this area are:

    1. Use of a "hardened" browser mode via its Banking and Payment Protection feature. Anti-keylogging protection is provided in this mode via a key-scrambling technique.

    2. A Parental Control feature.

  7. 4 hours ago, GCON said:

    However, certain websites would not load. I checked for an updated version of Chrome, installed it. Then when I logged him back into it Google couldn't sync. I had to disable HIPS and then it worked.

    Did you check Eset's HIPS log for entries that might shed some light on what issues the HIPS was having with Chrome?

  8. 2 hours ago, peteyt said:

    I booted my computer up, then went downstairs and turned the powerline adapter on.

    I assume these are Ethernet Powerline adapters? Make sure they are powered up and have completed self-syncing prior to booting any PC connected to them. I believe all the issues you described are a result of not having a fully functional Internet connection when Windows started up.

    FYI - my Ethernet powerline adapters are on 7/24. Additionally, properly syncing these devices is a "real bear." I was having all kinds of network connection issues until I found a posting on the manufacturer's web site on how to force sync these devices. It involved plugging both adapters into a power strip and syncing them there. Since I did this, and also keeping these devices on 7/24, I have never had any further networking issues in regards to these devices.

  9. The established procedure that pertains to running two security solutions with a real-time scanning component is that, at a minimum, only one real-time component be allowed to run. The other security solution's real-time component must be disabled. This stated, there is no guarantee that running both solutions concurrently will not cause system conflicts.

    As far as Eset is concerned, permanently disabling its real-time protection will cause Win 10 to immediately enable Microsoft Defender as the active real-time protection. As such, you will have to contend with that issue.

    Finally, there is no way to fully disable all Eset protection mechanisms other than by uninstalling it.
