
itman

Most Valued Members
  • Posts: 12,198
  • Joined
  • Last visited
  • Days Won: 321

Posts posted by itman

  1. Prior incidents of the PowerShell/Agent.AEW trojan in the forum usually involved the creation of a Win service (https://forum.eset.com/topic/32255-powershellagentaew-trojan-keeps-coming-back-after-cleaning-and-reboot/?do=findComment&comment=150342), with the service running SyncAppvPublishingServer.vbs and the service being started via a scheduled task.

    This current instance is different. It appears explorer.exe connects to the domain in question to either download the PowerShell malware or to run it remotely. In a remote PowerShell attack, the script being deployed must exist on the target device. So it is possible what is attempting to download from this domain is the script.

    SysInternals' Autoruns might be of assistance here, looking for a suspect explorer.exe task running at system startup time.
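    Editor's added example (my own script, not code from the post above or from ESET): a quick triage of the persistence locations the post names (scheduled tasks, services, Run keys) for entries that launch PowerShell, SyncAppvPublishingServer.vbs, or explorer.exe with arguments. The pattern list is an assumption about what is worth flagging, not an indicator set from the incident; run it from an elevated PowerShell 5.1 prompt on the affected Win 10 machine.

```powershell
# Added example, not code from the thread: triage scheduled tasks, services and
# Run keys for PowerShell / SyncAppvPublishingServer.vbs / explorer.exe launches.
# The patterns below are an assumption about what is worth a closer look.

$patterns = @(
    'powershell',
    'pwsh',
    'SyncAppvPublishingServer\.vbs',
    '-enc',                  # prefix of -EncodedCommand
    'FromBase64String',
    'DownloadString',
    '\biex\b',               # Invoke-Expression alias, word-bounded to avoid iexplore.exe
    'Invoke-Expression'
)
$regex = $patterns -join '|'      # -match is case-insensitive by default

# 1. Scheduled tasks: inspect every action of every task.
"== Scheduled tasks =="
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # ComHandler actions have no Execute/Arguments; they format to an empty string.
        $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
        $explorerWithArgs = ($action.Execute -match 'explorer\.exe' -and $action.Arguments)
        if ($cmd -match $regex -or $explorerWithArgs) {
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                State   = $task.State
                Author  = $task.Author      # Microsoft-authored maintenance tasks are expected
                Command = $cmd
            }
        }
    }
} | Format-Table -AutoSize -Wrap

# 2. Services: the earlier incidents used a service to run the VBS.
"== Services =="
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match $regex } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize -Wrap

# 3. Run/RunOnce keys for the machine and the current user.
"== Run keys =="
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # provider metadata, not a value
        $value = "$($p.Value)"
        if ($value -match $regex -or $value -match 'explorer\.exe\s+\S') {
            [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $value }
        }
    }
}
```

    Expect hits on legitimate Microsoft maintenance tasks (the Author column helps separate those); what you are looking for is a task or Run value that is not Microsoft-authored, passes an encoded or download-style command line, or launches explorer.exe with arguments. Autoruns covers more locations (WMI subscriptions, Winlogon, shell extensions) and remains the better tool for a full sweep.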

  2. 3 hours ago, LesRMed said:

    The funny thing is, I'm no longer receiving the "Missing support for Azure code signing" warning in the console for any of these servers

    Pondering and then theorizing, it appears Windows installed KB5006728 and subsequently uninstalled it when it realized the device didn't have ESU support.

    Eset, upon recognizing KB5006728 was installed, deactivated the ACS warning and very possibly now believes all is well in regards to this issue. Appears Eset is clueless as to the subsequent uninstall of KB5006728.

    The "clear and present danger" is if Eset will attempt to update these servers assuming ACS support is installed and what might be the impact of this on the OS and the existing Eset installation.

  3. 1 hour ago, offbyone said:

    We have few customers with 2008 R2 servers in offline environment which are target to update ESET on. I will setup a test environment before.

    Bad ending for our friend trying to update his Win 2008 R2 servers. He didn't realize he had to be on ESU support for this KB fix to work.

    All the more reason for everyone to get on this pronto; lest you have to purchase and install new Win OS licenses.

  4. 18 minutes ago, offbyone said:

    What about Windows 10 LTSC?

    Obviously, you will be able to apply the applicable KB for the referenced OS version.

    The problem is there is no reference to Win 10 1903 in https://support.microsoft.com/en-au/topic/kb5022661-windows-support-for-the-azure-code-signing-program-4b505a31-fa1e-4ea6-85dd-6630229e8ef4 . As such, it can be assumed it can't be updated via KB method.

  5. The IP address is associated with Zemlyaniy Dmitro Leonidovich;

    Quote

    We consider Zemlyaniy Dmitro Leonidovich to be a potentially high fraud risk ISP, by which we mean that web traffic from this ISP potentially poses a high risk of being fraudulent. Other types of traffic may pose a different risk or no risk. They operate 18,407 IP addresses, some of which are running servers and anonymizing VPNs. They manage IP addresses for organisations including Zemlyaniy Dmitro Leonidovich, DeltaHost, and NetProtect LLC. Scamalytics see low levels of web traffic from this ISP across our global network, most of which is, in our view, fraudulent. We apply a risk score of 75/100 to Zemlyaniy Dmitro Leonidovich, meaning that of the web traffic where we have visibility, approximately 75% is suspected to be potentially fraudulent.

    https://scamalytics.com/ip/isp/zemlyaniy-dmitro-leonidovich

    -EDIT- Although Zemlyaniy Dmitro Leonidovich overall is suspect, this particular IP address looks OK: https://scamalytics.com/ip/139.28.38.154

  6. Did you verify this Win root CA cert. is installed?

    Quote

    NOTE To correctly verify modules signed by Azure Code Signing, computers are required to have the "Microsoft Identity Verification Root Certificate Authority 2020" certificate authority (CA) installed. By default, root certificates are installed automatically if the computer is connected to the Internet. If the "automatic root certificates update" setting is disabled or the computer is offline, you must install this root certificate into the certificate store of "Local Computer" under "Trusted Root Certification Authorities". To download the certificate, see PKI Repository - Microsoft PKI Services.


  7. 2 hours ago, LesRMed said:

    I have verified that KB4474419 and KB4490628 have been installed. Any help would be greatly appreciated.

    Per Microsoft: https://support.microsoft.com/en-us/topic/kb5022661-windows-support-for-the-azure-code-signing-program-4b505a31-fa1e-4ea6-85dd-6630229e8ef4 , KB5006728 must be installed on Win Server 2008 R2.

    Also refer to this Eset article: https://support-eol.eset.com/en/trending_weol2023_10_2022.html .
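    Editor's added example (my own script, not ESET's or Microsoft's tooling) that checks the two ACS prerequisites discussed in these posts on a Win 7 SP1 / Server 2008 R2 host: the "Microsoft Identity Verification Root Certificate Authority 2020" root in the Local Computer Trusted Root store, and KB5006728. Because Get-HotFix only reports what is installed right now, it also reads the Windows Update history, which is where an install followed by a rollback (the non-ESU scenario theorized above) would show up. The OS-version-to-KB mapping is an assumption limited to the one KB named in the thread, not the full table from KB5022661.

```powershell
# Added example, not ESET's or Microsoft's own tooling: verify ACS readiness.
# Run from an elevated PowerShell prompt (avoids features missing in PS 2.0).

# 1. Root CA required to validate ACS-signed modules.
$rootName = 'Microsoft Identity Verification Root Certificate Authority 2020'
$rootCert = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$rootName*" }

if ($rootCert) {
    "Root CA present: $($rootCert.Subject)"
    "  Thumbprint: $($rootCert.Thumbprint)  NotAfter: $($rootCert.NotAfter)"
} else {
    "Root CA MISSING from Cert:\LocalMachine\Root: $rootName"
    "  Offline hosts, or hosts with automatic root update disabled, must import it by hand."
}

# 2. The enabling update for this OS. Only the 2008 R2 / Win 7 entry from the
#    thread is mapped here (assumption); see KB5022661 for the other OS versions.
$kbByOs = @{ '6.1' = 'KB5006728' }
$v  = [Environment]::OSVersion.Version
$os = "{0}.{1}" -f $v.Major, $v.Minor
if (-not $kbByOs.ContainsKey($os)) {
    "No KB mapped for OS version $os; consult KB5022661 for the right update."
    return
}
$kb = $kbByOs[$os]

$hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
if ($hotfix) { "$kb currently installed (InstalledOn: $($hotfix.InstalledOn))" }
else         { "$kb NOT currently installed" }

# 3. Update history: shows an install/uninstall pair that Get-HotFix cannot.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$total    = $searcher.GetTotalHistoryCount()
$history  = @()
if ($total -gt 0) {
    $history = $searcher.QueryHistory(0, $total) | Where-Object { $_.Title -match $kb }
}

if ($history) {
    "Update history entries for ${kb}:"
    $history | Select-Object Date,
        @{ n = 'Operation';  e = { if ($_.Operation -eq 1) { 'Install' } else { 'Uninstall' } } },
        @{ n = 'ResultCode'; e = { $_.ResultCode } },   # 2 = Succeeded, 4 = Failed
        Title |
        Format-Table -AutoSize -Wrap
} else {
    "No Windows Update history entries mention $kb"
}
```

    An "Install ... Succeeded" entry followed by an "Uninstall" entry, with Get-HotFix reporting the KB as not installed, is the pattern to look for before trusting the ESET console's silence on the ACS warning.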

  8. 2 hours ago, Jsin said:

    They are being used by default, but I refuse to put any confidence in Microsoft antivirus or firewall.

    The important point is this. If your VPN works w/o issue using the Win firewall exclusively, we have definitive proof that Eset ver. 16.2 network processing is the issue.

    Also, after installing Private Internet Access VPN, closely examine Win Firewall inbound/outbound rules for any new rules created in regards to it. Those rules can be used later for reference when Eset is reinstalled.

  9. 9 hours ago, esetuser22222 said:

    I assume it is not against rules to buy 3x 10 package ( = 3x different Key for 10 devices)

    Also, refer to this recent comment from Eset N.A. in regards to use of Eset consumer products in commercial environments: https://forum.eset.com/topic/1169-future-changes-to-eset-nod32-antivirus/?do=findComment&comment=173136 .

    It appears Eset considers a single consumer product license for 10 seats or less not a consumer EULA violation. However, subsequent consumer license purchases and product installation on the same commercial network would be a EULA violation. This is also why it is critical to contact your Eset distributor in Germany to fully clarify what is allowed in regards to this issue.

  10. 43 minutes ago, Jsin said:

    But I'm now having issues with reinstalling and using the license because ESET seems to now be trying to force using ESET Home for license management and renewals.

    I never had an issue using my existing Eset license key to activate Eset.

    Last year, my boot drive crashed causing a full install of Win 10 on the replacement drive. I installed Eset on the replacement drive using my existing license key w/o issue. Of note was this was a single seat license. Also, my Eset license was purchased from the Eset U.S. eStore web site.

    Appears you will have to resolve this existing license issue with the third party reseller from where you purchased the license from.

  11. 2 hours ago, Jsin said:

    So I'm going to have to unplug my computer from the internet now otherwise I'll just sit here completely unprotected OR buy ANOTHER license.

    Microsoft Defender/Win firewall will be your real-time protection until Eset is installed again.

    BTW - what do you mean by Eset OEM license key? Was Eset installed by the computer manufacturer?

  12. 1 hour ago, Baldrick said:

    1. how does one enroll in the beta program 

    https://www.eset.com/us/beta/

    1 hour ago, Baldrick said:

    2. how does one access pre-release channel

    Open Eset GUI. Select Settings -> Advanced setup -> Update.

    Select Profiles. Under My Profiles, select Updates. Change Update type to Pre-release update. Save your change.

    At this point, Eset will download the latest available pre-release update and will continue to download any new pre-release update until Update type is changed back to regular updates.

  13. Just now, eornate said:

    So if I don't create a HIPS rule for PowerShell to allow startup of conhost.exe, what will happen with the Windows OS?

    The script won't run obviously. I don't know what is the impact.

    For me, allowing this conhost.exe exception isn't of concern since I monitor all PowerShell.exe startup. This might be unusable for you. Also, interestingly, I get no HIPS alerts as a result of this rule when these internal PowerShell scheduled tasks run.

  14. I assume you are using Eset recommended HIPS anti-ransomware rules?

    On my Win 10 22H2 build, I discovered Windows runs internal scheduled PowerShell maintenance tasks. When PowerShell is used in those tasks, the first thing it does is spawn a child conhost.exe task. I had to create a HIPS rule for PowerShell to allow startup of conhost.exe.

  15. Continuing my suspicions, I did a bit of research on the Private Internet Access VPN web site.

    It uses a TAP adapter: https://www.techradar.com/vpn/what-is-a-tap-adapter . That is a virtual network adapter.

    Also interesting is that the way to reset this adapter is via this command:

    "C:\Program Files\Private Internet Access\pia-service.exe" tap reinstall

    All this leads me to believe that the issue in Eset ver. 16.2 lies with its network connection processing not properly identifying and setting up the virtual network adapter connection.


  16. 17 hours ago, Jsin said:

    Since the upgrade I can't connect to my personal VPN unless I set the firewall to Learning mode. When I do and connect to my VPN I get a dozen pop ups saying new rules have been created by the firewall

    I am beginning to believe the issue with VPN usage in ver. 16.2 is not the firewall but network connection creation and processing.

    In ver. 16.2, firewall profile and the network connection created are synonymous. For example in ver. 16.2, you can't modify settings for any Eset generated network connection other than to specify if it is Public, Private, or Automatic determined.

    What I suspect is happening with VPN usage is every time the VPN is started, Eset is creating a new network connection for it, resulting in a new firewall rule being created.

    Open Eset Network Connections and see if many connections exist there.
