[Eset AMSI DLL Issue on Win 10 x(64) 1903]

6 hours ago, Marcos said:

No. The said certificate is intended to sign ELAM drivers only. Microsoft doesn't sign 3rd party dlls.

My take on this is this cert. can be used to sign .dlls. As you noted previously, Windows is attempting to load the AV amsi.dll into a PPL process. It wouldn't  attempt it unless it assumed the .dll was properly signed.

Quote

Signing levels allow Microsoft to open up protected processes to third-parties, although at the current time the only type of protected process that a third party can create is an Anti-Malware PPL. The Anti-Malware level is special as it allows the third party to add additional permitted signing keys by registering an Early Launch Anti-Malware (ELAM) certificate.

https://googleprojectzero.blogspot.com/2018/10/injecting-code-into-windows-protected.html

Or alternatively, just use one of the PPL bypasses noted in the article.🙄

[Eset AMSI DLL Issue on Win 10 x(64) 1903]

6 hours ago, Marcos said:

We do not inject eamsi.dll whatsoever. If a particular process utilizes AMSI, the OS is responsible for loading the said dll into it.

OK. Let's assume eamsi.dll has been added to the list of knowndlls, etc.. In any case, it will not be loaded into any PPL process because it is not properly signed to do so. Since Microsoft is increasingly using PPL to protect its processes, Eset's monitoring capability is increasingly being diminished.

As any pen-tester "worth his salt" will attest, PPL is somewhat of a joke and multiple bypass POCs exist showing this.

 

 

[Eset AMSI DLL Issue on Win 10 x(64) 1903]

Figured out why Eset attempts to inject its AMSI .dl into svchost.exe PPL instances is failing. Had to dive into my reference materials.

To inject code into a PPL process, the code must be signed at WindowsTCB authentication level. This is the highest signing level available. Eset signed the eamsi.dll with its regular driver certificate which is authorized for PP - Authenticode level only. Microsoft only issues one type of WindowsTCB level certificate. That is the certificate Eset used to sign its ELAM driver. Therefore it appears to me, Eset needs to sign the eamsi.dll with this certificate:

 

 

 

[Ransomeware Adage]

Also, beware of the type of attacker you are dealing with if you decide to pay the ransom:

Quote

They gave just all the keys just for my particular infection. Thing is, for my infection, there are more than 1 keys. Promised me for everything. Then gave only one key. Then asked me for more $ because there are a total of 7 more keys to unlock all files. In the end, gave me 2 keys, where only one key worked to unlock everything

https://www.bleepingcomputer.com/forums/t/688649/phobos-ransomware-help-topic-phobos-phoboshta/?p=4823841

[Eset AMSI DLL Issue on Win 10 x(64) 1903]

Also should not this registry key now be set to 0x2 since Eset's .dll is Microsoft Authenticode signed? It is still set to 0x1 on my ver. 12.2. 23 device:

Quote

As of Windows 10, version 1903, Windows has added a way to enable Authenticode signing checks for providers. The feature is disabled by default, for both 32-bit and 64-bit processes. If you are creating a provider for test purposes, then you can enable or disable sign checks by setting the following Windows Registry value appropriately. The value is a DWORD.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AMSI\FeatureBits

Value	Behavior
0x1	The Authenticode-signed check is disabled. This is the default behavior. You can also use this value, temporarily, while testing.
0x2	The Authenticode-signed check is enabled.

 

https://docs.microsoft.com/en-us/windows/win32/api/amsi/nn-amsi-iantimalwareprovider

[Ransomeware Adage]

This appears to be Phobos ransomware. Check out this thread: https://www.bleepingcomputer.com/forums/t/699816/ive-attacked-by-ransomware-file-extension-adage/ . There appear to be a few versions that may be decryptable. Otherwise, you're out of luck.

[Eset AMSI DLL Issue on Win 10 x(64) 1903]

Just upgraded to ver. 12.2.23.

Appears all is fixed except injection into Windows Security Center service; i.e. wscsvc. Possibly because it is running as PPL process.

[Windows 1903 Windows Antimalware executable]

It should be noted that it is not advisable to permanently disable Windows Defender. If there should be an issue with Eset's real-time scanning due to malfunction or other reason, Win 10 will automatically engage Windows Defender real-time protection mode.

[ESET detects WinToolBar Avast]

To start with, you shouldn't be running both Avast and Eset with their realtime scanners enabled if that is the case. Only one AV scanner should be running with realtime enabled.

Refer to this posting: https://forum.avast.com/index.php?topic=181969.0 . Uninstall Avast using its uninstall utility . If you must, reinstall it via "custom" installation and ensure nothing related to Google is check marked during the installation process. Then disable Avast's realtime scanning option and use it as a second opinion scanner.

Also Avast's free version is very aggressive in regards to installing undesirable software. So in the free version, I am not sure the above will 100% work. Personally, I would just leave it uninstalled.

[Eset asks to Monitor my Data?]

If you are referring to Eset's Customer Improvement program option, this can be disabled here:

[Unable to Access Certain https sites in Chrome on ESET 7]

To begin with the certificate Chrome is objecting to is associated with a private IP address:

Quote

Private IP Addresses

Most organisations have far more computers than available IP addresses. Using private IP addresses helps to tackle this issue by allowing companies to have a single Internet gateway with a public IP address. All of the other nodes have private IP addresses. The gateway uses a Network Address Translation (NAT) server to translate the private IP addresses to an address that can be routed across the Internet.

ICANN has reserved sets of IP numbers for private use on the three classes of address. Notice how the recommendation includes non-standard subnet masks for class B and class C private IP ranges.

Private Address Ranges for class A, B and C networks

Class	Private IP Address Range	Subnet Mask
A	10.0.0.0 to 10.255.255.255	255.0.0.0
B	172.16.0.0 to 172.31.255.255	255.240.0.0
C	192.168.0.0 to 192.168.255.255	255.255.0.0

 

https://www.sqa.org.uk/e-learning/WebTech01CD/page_12.htm So unless IP address, 10.10.1.69, is associated with some internal network web site/device address, you shouldn't be connecting to it in the first place. I believe in the U.S., some cable providers use the 10.xxx.xxx.xxx range for their internal network address assignments versus the 192.168.xxx.xxx range. One possibility here is the cable router, gateway device, etc. uses some type of admin utility that requires a root certificate to be installed? These type of "utility" certificates have been abused in past; e.g. Lenovo "Superfish" incident.  If this is an internal network entity, this article describes how to add the self-signed certificate used by the entity to Chrome's root CA certificate store: https://www.corvil.com/kb/how-do-you-get-chrome-to-accept-a-self-signed-certificate Bottom line - this has nothing to do with Eset's SSL/TLS protocol scanning.

[conection time out]

What is the program you are trying to "log in" to? As a rule, you don't log into apps.

[Eset AMSI DLL Issue on Win 10 x(64) 1903]

I was able to identify one of the svchost.exe services where eamsi.dll was blocked and it is Windows Security Center. So the sooner ver 12.2 is implemented, the better.

BTW - Win 10 1903 was released in May ........................

Quote

Starting in Windows 10, version 1903, if your AMSI provider DLL is not Authenticode-signed, then it may not be loaded (depending on how the host machine is configured). For full details, see IAntimalwareProvider interface.

https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal

[FireFox 68 Error On Win 10 x(64) 1903 When Accessing Banking & Payment Protection]

This FF 68 error might be associated with Nano Defender add-on which I recently added to uBlock Origin. I saw two tmpadd-nnn files in my AppData\User\Temp directory. Have a hunch Eset B&PP "choked" when trying to remove/re-add these add-on files as part of B&PP processing.

[Eset AMSI DLL Issue on Win 10 x(64) 1903]

59 minutes ago, cyberhash said:

I have the same but it just seems to be an informative alert rather than a genuine fault.

Not quite.

Each one of the errors indicates a process where Eset's AMSI .dll was blocked from loading. Most of the alerts relate to SIHClient.exe; i.e. service-initiated healing:

This daily task launches the SIH client (server-initiated healing) to detect and fix system components that are vital to automatic updating of Windows and Microsoft software installed on the machine. This task can go online, evaluate applicability of healing actions, download necessary payloads to execute the actions, and execute healing actions.

I am not too concerned about this one.

However, there are errors associated with svchost.exe with no detain given of associated service. These are the ones I am concerned about. As it presently stands, Eset AMSI .dll is only injected into two svchost.exe service associated processes.

[Eset AMSI DLL Issue on Win 10 x(64) 1903]

EIS ver. 12.1.64

[FireFox 68 Error On Win 10 x(64) 1903 When Accessing Banking & Payment Protection]

Just upgraded to Win 10 x(64) 1903 yesterday.

Just noticed in my Win 10 Event Log, FireFox 68 is throwing an error every time Eset IS 12.1.34 initiates B&BP within FF 68. Eset B&PP page opens OK and web site is accessed w/o issue.

 

[BPP Now Blocks John Hancock Financial]

11 minutes ago, COStark26 said:

OK to leave SSL Filtering UN-Chk'd?

If permanently, the answer is obviously no.

Eset web filtering protection will not be done on HTTPS which is most web sites today. 

[BPP Now Blocks John Hancock Financial]

Also, can you access this site,  https://www.jhannuities.com/ , in FF 68 w/o using B&PP? You will first have to remove the URL from B&PP protected site list.

[BPP Now Blocks John Hancock Financial]

I added https://www.jhannuities.com/ to B&PP protected web sites and now it also opens to B&PP in FF 68.

My best guess at this point is something is messed up with your FF profile.

[ESET affecting Surface Pro Type Cover usability?]

5 minutes ago, aldel said:

The problem doesnt happen sometimes for days

This is symptomatic of a hardware issue. If Eset's driver was the issue, it should manifest each time you boot.

[ESET affecting Surface Pro Type Cover usability?]

On 7/13/2019 at 6:01 AM, Marcos said:

You can try temporarily uninstalling ESET Internet Security and see if it makes a difference.

Did you try this? If the type error persists with Eset unistalled, Eset is not the source of the issue.

[BPP Now Blocks John Hancock Financial]

In FF 68, this link, https://www.jhannuities.com/ , does not open Eset B&BP automatically. Eset is also not using the site's root CA certificate but Eset's own root CA certificate. Could not open the site in B&PP using FF 68 since my default browser is IE11. However, the site opened fine in non-B&PP FF68.

Was this site previously opening BP&P from FireFox? I had no issues accessing the site in IE11 using B&PP via manual startup. And the link shown was https://www.jhannuities.com/Marketing/default.aspxMarketing/default.aspx

Did a QUALS SSL Server scan on https://www.jhannuities.com/ and all that was shown amiss was:

Site was rated "A."

[Scarab Ransomware]

58 minutes ago, classiccor83 said:

The email has been sent to the email address as requested. What are the next steps?

Wait for an e-mail reply from Eset support.

Were all your backup files on the NAS storage? Backups need to be created on storage that is off-line and disconnected from your PC.

[DNS Queries over HTTPS (DoH)]

The current pressing issue is regards to DNS is DNS hijacking of which DoH is only marginally effective against: https://www.bleepingcomputer.com/news/security/ncsc-issues-alert-about-active-dns-hijacking-attacks/ . Immediate due diligence needs to be performed to ensure routers/gateways are properly secured.