Posts: 12,172
Days Won: 319
Posts posted by itman
-
-
4 hours ago, Chas4 said:
Would be nice if I had access to the folder
You should be able to access files in the directory via Mac Safe mode: https://support.apple.com/guide/mac-help/start-up-your-mac-in-safe-mode-mh21245/mac
-
Following up on @Peter Randziak's above posting, VT analysis shows the .exe was signed using a stolen Micro-Star root certificate that had been subsequently revoked;
It is assumed the Digicert cert. assigned to the .exe was an EV one. It appears Eset Reputation scanning, like Win SmartScreen, will auto trust an executable signed with an EV cert. However, SmartScreen does validate the cert. chain path. SmartScreen will also block the process from executing in the instance of cert. chain validation failure. I have not seen Eset Reputation scanning having like capability. Finally, with Eset HTTP/HTTPS scanning enabled, Eset fails the EV cert. validation test at badssl.com;
The Eset Reputation issue aside, it does not explain why Eset could not detect this malware when 40+ vendors at VT did. It appears most of the detections at VT were behavior based. One malicious behavior observed was an AMSI bypass deployed by this malware.
It has been repeatedly stated in the forum that a process's signing status does not factor into Eset's scanning "at-first-sight" upon creation/startup, etc. It would be "revealing" if this is not done for EV signed processes.
-
1 hour ago, Chas4 said:
Can't do that as there are false positives that need to be restored.
Just delete the 1 byte file in the quarantine directory.
-
4 hours ago, Bryszak said:
I bought it legally in Poland on Allegro.pl. Everything was fine for over 2.5 years and suddenly there was such a problem?
It appears Eset has tightened its license validation processing and is now performing locality checks on previously installed installations.
-
11 hours ago, jon3s115 said:
Just now, for about 2 minutes ESET Services was running at 100% CPU
What occurred just prior to this activity? Was a Win OS or Office update running?
-
56 minutes ago, AnthonyQ said:
It is not true.
Quote: Reputation—In most cases, ESET Internet Security and ESET LiveGrid® technology assign risk levels to objects (files, processes, registry keys, etc.) by using a series of heuristic rules that examine the characteristics of each object and then weigh their potential for malicious activity. Based on these heuristics, objects are assigned a risk level from 1 – Fine (green) to 9 – Risky (red).
The ranking color is based on prior Eset "first sight" status of the .exe.
For example after a Win OS cumulative update resulting in many OS files being changed, LiveGrid will show many of these files with a yellow color; i.e. low reputation. You will observe that as time elapses, the color of these files will change to green.
Likewise, a red color would be indicative of an unknown process; i.e. never seen by Eset previously.
I will also add that the above Reputation description is deceptive in that it means a cumulative ranking of the number of times the process has been scanned on devices with Eset installed.
Again, LiveGrid does not perform any cloud malware scanning other than for blacklist status.
-
Using a password to access Eset GUI settings is an optional setting and is not enabled by default. Therefore it is assumed you manually set password use.
Using a password to access Eset GUI settings makes the product cumbersome to use where a feature such as Interactive firewall requires frequent access to the GUI. It is your choice here as to whether password use should be disabled or not.
-
-
33 minutes ago, AnthonyQ said:
Look at the first pic the OP shared. Before the detection was created, this malware sample had been whitelisted (indicated by the green color) in the LiveGrid.
All that LiveGrid Reputation status display indicates is how many Eset installations the .exe has been installed on. Reputation status has nothing to do with whether the process has been white/blacklisted or the like.
As such, I have always viewed LiveGrid Reputation display status as a useless feature.
-
As far as the AV-C Malware Protection test series goes, the only thing I pay attention to is the On-line versus Off-Line detection scores. It is not uncommon for malware to tamper with or disable a device's network connection. Hence, a high score in Off-line detection capability is a must.
-
9 minutes ago, Damjan said:
In an AV lab test where all but three vendor products scored 99.9% or above, one needs to ask themselves if such a test reflects current real world malware detection capability.
-
3 hours ago, SeriousHoax said:
BTW, for Firefox one may have to manually set "network.dns.echconfig.enabled" to True.
Still a no-go. All three tests show ECH not enabled.
If I disable Eset HTTPS scanning, all three tests show ECH enabled.
-EDIT- According to Mozilla, ECH in Firefox 118+ is based on existing DoH (DNS over HTTPS) processing. So assume Eset HTTPS scanning is also busting that.
-
I will also add that I am no fan of anything Cloudflare based; especially their DNS servers. DNS security tests I have run show my ISP (AT&T) DNS servers are far superior to Cloudflare's.
As such, I could care less about this Firefox feature.
-
1 hour ago, SeriousHoax said:
Sites to test if ECH is working or not:
https://tls-ech.dev/
https://defo.ie/ech-check.php
https://crypto.cloudflare.com/cdn-cgi/trace/
Max Protection in Firefox doesn't appear to work.
First, verified that Cloudflare DNS servers were being used;
However, above ECH test sites all show it is not enabled. So @SeriousHoax is correct; Eset's SSL/TLS protocol scanning busts it.
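Since Firefox's ECH depends on fetching the site's DNS HTTPS record (over DoH) and finding an ECHConfigList in it, one way to check whether ECH is even advertised for a host is to parse that record. The following is an added example, not code from this thread or from Eset: a small parser for HTTPS/SVCB RDATA per RFC 9460 that reports whether the "ech" SvcParam (key 5) is present. The two records are constructed inline; the ECH config bytes are a placeholder, not a real ECHConfigList.

```python
import struct

# SvcParamKeys from RFC 9460; "ech" is key 5 (draft-ietf-tls-svcb-ech)
SVCPARAM_NAMES = {1: "alpn", 3: "port", 4: "ipv4hint", 5: "ech", 6: "ipv6hint"}
ECH_KEY = 5

def read_name(buf, off):
    """Parse an uncompressed wire-format DNS name; return (name, next_offset)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return (".".join(labels) + ".") if labels else ".", off

def parse_https_rdata(rdata):
    """Return (priority, target, {key: raw_value}) from HTTPS/SVCB RDATA."""
    (prio,) = struct.unpack("!H", rdata[:2])
    target, off = read_name(rdata, 2)
    params = {}
    while off < len(rdata):
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        off += 4
        params[key] = rdata[off:off + length]
        off += length
    return prio, target, params

def alpn_list(params):
    """Decode the alpn SvcParam (length-prefixed list of protocol ids)."""
    raw, out, i = params.get(1, b""), [], 0
    while i < len(raw):
        n = raw[i]
        out.append(raw[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return out

def ech_advertised(rdata):
    """True when the record carries a non-empty ECHConfigList (key 5)."""
    return len(parse_https_rdata(rdata)[2].get(ECH_KEY, b"")) > 0

# Constructed sample: priority 1, target "." (ServiceMode), alpn h2+h3, ech blob.
WITH_ECH = (b"\x00\x01" + b"\x00"
            + b"\x00\x01\x00\x06" + b"\x02h2\x02h3"
            + b"\x00\x05\x00\x04" + b"\xde\xad\xbe\xef")  # placeholder ECHConfigList bytes
# Same record without the ech parameter: the client has nothing to enable ECH with.
WITHOUT_ECH = b"\x00\x01" + b"\x00" + b"\x00\x01\x00\x06" + b"\x02h2\x02h3"
```

Feed it the RDATA of a real HTTPS answer (type 65) obtained from whichever resolver the browser is configured to use; if key 5 is missing from what the client receives, no ECH test site will report ECH as enabled.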
-
On 10/14/2023 at 11:51 AM, mtellefson said:
Found out when he hooked up the new modem, he plugged his computer directly into the modem instead of the router.
That explains why the ISP address was being displayed in Eset log entries. Also, he must be using a cable-based ISP since they usually only issue modems versus the modem/router combo units issued by DSL/fiber providers.
-
Assuming that Eset Smart Security 10.1.245.0 is being referenced, Eset has terminated all support for it. That also includes signature updating of it;
https://support-eol.eset.com/en/policy_home/product_tables.html
-
-
1 hour ago, Marcos said:
since ESET LiveGuard was supposed to prevent the detection and we would like to investigate if it failed on your machine for some reason.
Only applicable to ESSP since it is the only consumer version that has LiveGuard. Did you mean LiveGrid instead?
-
17 minutes ago, Tio said:
Thank you very much for the reply, how often do you suggest an in depth scan should be performed if nothing suspicious happened ?
Eset recommends an in-depth scan once a month at the minimum. A weekly default Smart scan otherwise should be sufficient;
Quote: We recommend that you perform regular (for example once a month) in-depth scans of your system to detect viruses not detected by Real-time file system protection.
https://help.eset.com/ees/10.1/en-US/?idh_page_scan.html
That stated, Eset's real-time scanning will detect the vast majority of malware upon creation on the local device. Also of note is that Eset performs default scheduled scans of known system areas where malware resides at system startup and after Eset update activities.
-
It appears the Eset scan cache was not cleared when the second on-demand scan was run. This resulted in results from the first scan influencing the detections from the second scan. Running back to back full on-demand scans is not expected normal scan behavior.
7 hours ago, Tio said:
5. Why the pot. unsafe app was off by default?
This option detects exactly as stated. These apps are not malware per se, but exhibit undesirable behavior such as scams to purchase unneeded services and the like. Due to the fact users might be using such apps as you are, the option is not enabled by default at installation time.
-
This posting about Facebook use in Vietnam is informative: https://www.washingtonpost.com/world/2023/06/19/facebook-meta-vietnam-government-censorship/ . It also might explain the different home web page. Also, assume Internet communication is actively being monitored there.
Since Eset appears to function properly in browsers with a Private mode, that is the mode that should be used for social media access.
-
-
2 hours ago, eornate said:
If I access Facebook on Private web it was blocked; however, on normal web, it was not blocked.
Looks like you're using Edge as your browser.
ESSP blocked facebook.com in Edge both in normal and InPrivate mode on my Win 10 22H2 Pro installation.
-
Whitelisted Malware
in Malware Finding and Cleaning
Posted · Edited by itman
Appears "the message is not getting across."
Again, LiveGrid Reputation status has nothing to do with Eset whitelist status of the process. With a few exceptions I will get to later, LiveGrid reputation is based on the number of Eset users of the process.
I will use an HP monitor driver installer as an example. Most people never install a driver for their monitor; using the Win default driver instead. Also, this installer is specific to one HP monitor model. I have used this installer previously and it's been sitting in my Downloads folder for a few years. Finally, this installer is validly code signed by HP. Let's see what LiveGrid's Reputation ranking is for this installer;
Now for those LiveGrid process Reputation usage exceptions. One is anything Microsoft code signed has high reputation status. Also, as this malware example shows, anything code signed with an EV cert. is given high reputation status. This assignment parallels that done by Win SmartScreen processing.
As far as what Eset uses process whitelisting for, that is given below;
https://help.eset.com/glossary/en-US/technology_livegrid.html