Jump to content


Most Valued Members
  • Content Count

  • Joined

  • Last visited

  • Days Won


Everything posted by itman

  1. In regards to the original posting reference to disabling early launch anti-malware driver via boot startup option, a quick review on what it does: https://www.top-password.com/blog/disable-early-launch-anti-malware-protection-in-windows/ Since the majority of Eset ver. 13.1.16 upgraded devices have no issues in this regard, it would appear that on a few select Eset installations its ELAM driver is detecting an existing driver as malicious. The key to resolution is to find out which driver is being detected as malicious. One way to do this is to enable Win 10 boot logging as follows: https://www.windowscentral.com/how-enable-boot-log-windows-10. Reboot. Then using Notepad, print the ntbtlog.txt file located in C:\Windows. Now install Eset ver. 13.1.16. Reboot. PC should blue screen at boot time. At this time, you can either boot into Win 10 recovery environment and disable ELAM, or boot into safe boot. Then again uninstall Eset. When you do get Win 10 successfully rebooted, again print out ntbtlog.txt. Now compare the two printouts. From the bottom of the printout, work upward till you find the boot log section with entries associated with the blue screen. The last driver shown in that section will be the last driver successfully loaded. Now find that driver on the earlier ntbtlog.txt printout. The next driver listed on the earlier printout should be the driver Eset ELAM processing refused to load and aborted the Win 10 boot.
  2. Beginning to wonder if these are Win 10 Secure Boot enabled devices and the boot process is "hiccuping" on the reappearance in ver. 13.1.16 of hash error for Eset's AMSI .dll:
  3. As I suspected. This forum's purpose is to assist in installation or operational issues in regards to Eset products. Not to assist in malware removal when an Eset licensed product is not installed. @Marcos , time to lock this thread.
  4. Actually, WatchGuard has a separate help article dedicated to configuring TDR when Eset Endpoint is installed: https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/TDR/eset_tdr.html . But as you posted, you don't have TDR installed. Have you contacted WatchGuard about your issues with Eset Endpoint installed w/o TDR use? They already may have a solution.
  5. Did you follow the procedure here: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_exclusions_c.html?Highlight=exclusions to configure exclusion for Eset in TDR and in Eset to exclude WatchGuard directories?
  6. As far as your bootable USB media issues, assume those are all infected. Ditto for your SD card media. Worse if those media are connected outside of the boot environment, they could reinfect your PC Windows installation. All these devices need to be thoroughly scanned by Eset the minute they connected to your device. Personally, I would just do a full reformat of each; preferably outside of the Windows environment.
  7. You have entrenched malware that by your own admission dates from 3+ years. Go to malwaretips.com or bleepingcomputer.com. Both these sites have forum sections staffed my malware removal experts that can assist you.
  8. Microsoft Releases KB4551762 Security Update for SMBv3 Vulnerability https://www.bleepingcomputer.com/news/security/microsoft-releases-kb4551762-security-update-for-smbv3-vulnerability/
  9. Microsoft was supposed to include a fix in last Tues. Win 10 cumulative update for 1903 and 1909 versions. They pulled it at the last moment; assume they found a bug in it. However, news of the patch had already been "leaked" to reporting services. Hence, we now have a "perfect hacker storm" in place.
  10. That error code appears to be related to Win Update processing. Possible that DISM tried to connect to Win Update servers and couldn't because your network connection is hosed. You could try to repeat the procedure again but first run this command: Dism /Online /Cleanup-Image /StartComponentCleanup No guaranty that will allow the other DISM command to run successfully along with SFC. I personally believe your Win 10 installation is borked from running all the bootable scanners you used, some from questionable sources, to the point that you have two choices left. 1. Run a Win 10 Repair install. This will keep all your personal files in place but require you to reinstall all your apps again. 2. Backup all your personal files to external media or another non-boot drive if one is installed. Then reformat the boot drive and install Win 10 1909 from scratch. (Recommended) Also note that this forum is about helping with Eset installation and/or operational issues. Not for assistance in resolving Windows OS issues. Therefore, I am exiting myself from this thread - again.
  11. Let's try to get your Win 10 installation in some semblance of working order. Perform the following steps: 1. Enter the following keyboard sequence: Ctrl + Alt + Delete. A blue screen should appear with a list of selections including Task Manager. If it doesn't, skip the remaining steps. 2. Select "Task Manager." 3. Click on "File" on the top toolbar. Click on "Run new task." 4. In the "Open" window, type cmd.exe. Also check mark the "Create this task to run with administrative privileges" option. Click on the "OK" button. At this point, the black command prompt window should be displayed. 5. Enter "DISM /Online /Cleanup-Image /RestoreHealth" less the quote marks. Press the Enter key. This will run for some time. When it finishes, 6. Enter "sfc /scannow" again, less the quote marks. Press the Enter key. This will run for some time. SFC will inform you if corrupted Windows files have been replaced. Hopefully, you will not receive the message it could not replace all files. Print the above instructions for reference prior to performing them. Now reboot your PC. Hopefully at this point, all/most of Win 10 functionality has been restored.
  12. Per above bleepingcomputer.com posted link. Update: Microsoft published a security advisory with details on how to disable SMBv3 compression to protect servers against exploitation attempts. You can disable compression on SMBv3 servers with this PowerShell command (no reboot required, does not prevent the exploitation of SMB clients😞 Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force What steps can I take to protect my network? 1. Block TCP port 445 at the enterprise perimeter firewall TCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter. 2. Follow Microsoft guidelines to prevent SMB traffic leaving the corporate environment Guidelines for blocking specific firewall ports to prevent SMB traffic from leaving the corporate environment
  13. Try one of these solutions to access Win 10 system settings: https://www.softwareok.com/?seite=faq-Windows-10&faq=10
  14. https://www.bleepingcomputer.com/news/security/microsoft-leaks-info-on-wormable-windows-smbv3-cve-2020-0796-flaw/
  15. NSA Warns About Microsoft Exchange Flaw as Attacks Start https://www.bleepingcomputer.com/news/security/nsa-warns-about-microsoft-exchange-flaw-as-attacks-start/
  16. Assuming you are using Win 10, type "network reset" into the desktop search bar. Then select Network reset as shown in the below screen shot: The following screen will be displayed. Click on the "Reset now" button. Windows will inform you that your PC will shutdown in a few minutes to completely reset your network settings to default values. When your PC restarts, hopefully you will be able to connect to the Internet using your Wi-Fi connection.
  17. Actually, that is not true. Most of the victims were running Win 7: https://www.theverge.com/2017/5/19/15665488/wannacry-windows-7-version-xp-patched-victim-statistics -EDIT- Where the confusion started in regards to the Wannacry episode was that it used the NSA developed SMBv1 exploits; primarily EternalBlue. Win XP and earlier versions only support SMBv1 protocol. So it was initially assumed those were the vulnerable OS versions. Wrong! SMBv1 protocol is installed on all Win OS versions including the latest Win 10 1909. For Win 10 versions 1803+, SMBv1 is supposed to be automatically removed 10 days after OS installation if it is not used by any app software. Well, I have found out that really doesn't happen.
  18. https://www.volexity.com/blog/2020/03/06/microsoft-exchange-control-panel-ecp-vulnerability-cve-2020-0688-exploited/
  19. This report is dated 2/26/2020: https://fortiguard.com/threat-signal-report/3403/attacks-observed-in-the-wild-exploiting-cve-2020-0688-microsoft-exchange-validation-key-remote-code-execution-vulnerability
  20. You haven't applied the patch yet. You were exploited prior to the patch being released or applied.
  21. Government-backed groups are exploiting CVE-2020-0688 to take over Exchange email servers. https://www.zdnet.com/article/multiple-nation-state-groups-are-hacking-microsoft-exchange-servers/ This blog posting details how you can determine if you have already been exploited by this vulnerability: https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
  22. Eset still supports Win 7 and states it will continue to do so for the foreseeable future. Also, Microsoft will continue to provide signature updates to WD on Win 7. You still might be able to upgrade to Win 10: https://www.theverge.com/2020/1/14/21065140/how-to-upgrade-microsoft-windows-7-10-free-os . I have seen nothing published that Microsoft has officially shut that down.
  23. He's complaining about Eset causing problems on a Win 10 preview build. Further he's stating that somehow Eset is affected his running of his various CD/USB AV rescue disks which is rubbish. I already stated that Eset does not support Win 10 preview builds.
  • Create New...