Posts posted by itman

  1. 3 hours ago, Rami said:

    When you paste this into notepad and then you try to save it, also ESET doesn't detect it?

    Eset's blocking/removal is fine. It is just not alerting that it did so. Previously, all eicar detections resulted in an Eset popup alert.

    I also noticed in the last day or so, I am no longer getting an Eset popup notification when signature updating has occurred.

    I am going to reinstall IS 12.0.27 and see if that resolves these issues. -EDIT- I might hold off on this since a NOD32 user just posted he is having issues importing his prior exported settings. I have "tons" of customized settings I don't want to lose.

  2. 39 minutes ago, Jendislav said:

    but that weird certificate is another problem I think.

    Read this: https://support.safetica.com/index.php?/Knowledgebase/Article/View/379/81/configuring-safetica-to-sign-its-network-communication-with-a-companys-root-digital-certificate

    Quote

    The next time your Safetica clients connect to the Safetica Management Server, the clients will receive their individual signed endpoint certificates which will be used to sign all further network communication.

    Suspect the "weird" certificate is your client's self-signed Safetica certificate.

  3. As far as the bank's claim of a Gozi infection, your customer needs to contact its bank for a more detailed explanation on what they actually detected. It could very well be related to the Safetica proxy interception activity. If this is the case, your customer will have to figure out a way to exclude the bank's web site from Safetica's SSL protocol scanning.

  4. 34 minutes ago, Jendislav said:

    Hi, if I deleted this certificate and restarted PC it returned back to trusted CAs.

    I was afraid of that. Appears the malware has installed a mechanism to recreate the bogus root CA store certificate. The most common way is to run certutil.exe, a legit Win system process, via some script type (PowerShell, wscript, cscript, or command) from one of the Windows startup directories or registry locations. Or, it created a scheduled task to do likewise at system startup time.

    I would recommend you either contact your in-country Eset support office by phone or open up an Eset support ticket for assistance.

  5. On 11/23/2018 at 12:32 PM, Jendislav said:

    I found that there is a weird certificate installed in trusted root certification authorities called computername security cert 2. When I tried to access any website with HTTPS certificates it showed that for example https://google.com is secure, certificate is trusted, but google certificate had been issued by this weird trusted CA which is installed on PC.

    To begin with, I would open certmgr.msc and move this certificate from the Windows root CA certificate store to the Untrusted Publishers certificate store. This way if for some reason that certificate is needed, it can be reinserted into the Windows root CA certificate store. -EDIT- Also moving the certificate to the Untrusted Publishers certificate store might result in the concern not being able to connect to any HTTPS web site. In this case, your only alternative is to delete the certificate. You could export the certificate to a secure directory prior to deleting it.

    Now verify if the site certificate for https://google.com is pinned to the correct root CA store certificate; i.e. Google Trust Services - GlobalSign Root CA-R2. Note: This is the pinning relationship in IE11 and I assume Edge since both use the Windows root CA certificate store. As far as Chrome and Firefox browsers, who knows, since they use their own internal root CA certificate stores.

    Assuming the concern can now connect to https://google.com securely, they also should be able to do so to their bank web site w/o issue.
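A defender's check for the situation in the two posts above: list self-signed root CAs matching the rogue certificate's subject, look for certutil-based startup entries or scheduled tasks that could re-import it, and show which root the google.com chain actually ends in on this host. This is an added PowerShell example, not part of the thread or of Eset's tooling; the subject pattern "security cert" and the persistence locations searched are assumptions drawn from the posts.

```powershell
# Added example (not from the thread). Assumes an elevated PowerShell 5.1+
# session on Windows 8/10 or later; no third-party modules required.
$suspectPattern = 'security cert'   # assumption: subject text from the post

# 1. Self-signed certificates in the root stores whose subject matches.
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem $store | Where-Object {
        $_.Subject -eq $_.Issuer -and $_.Subject -match $suspectPattern
    } | Select-Object @{n='Store';e={$store}}, Subject, Thumbprint, NotBefore
}

# 2. Persistence that could recreate it: Run keys, Startup folders, tasks.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty $key).PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -match 'certutil' } |
        ForEach-Object { [pscustomobject]@{ Where = $key; Name = $_.Name; Command = $_.Value } }
}
$startupDirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
foreach ($dir in $startupDirs) {
    Get-ChildItem $dir -File -ErrorAction SilentlyContinue |
        Select-String -Pattern 'certutil' -SimpleMatch -List |
        Select-Object Path, Line
}
Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -match 'certutil' }
} | Select-Object TaskPath, TaskName

# 3. Which root does the chain for https://google.com end in on this host?
#    The callback accepts any certificate so the chain is shown even when
#    validation fails; the last subject printed is the root that was used.
$tcp = New-Object Net.Sockets.TcpClient('google.com', 443)
$ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient('google.com')
$leaf  = [Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
$chain = New-Object Security.Cryptography.X509Certificates.X509Chain
[void]$chain.Build($leaf)
$chain.ChainElements | ForEach-Object { $_.Certificate.Subject }
$ssl.Close(); $tcp.Close()
```

If step 3 prints a root other than the expected public CA, the chain is being terminated locally (a rogue root or a scanning proxy such as the Safetica one discussed above), which is what step 1 should then confirm.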


  6. We need a screen shot of the Eset Computer Scan log for the last scan you ran. Open up that log file. It should show what files Eset detected threats in. The screen shot should show all the files where no cleaning was possible.

    My best guess at this point is:

    1. The files infected are system files. The OS has a lock on those files preventing Eset from cleaning them. -EDIT- Also, Eset's "cleaning" consists primarily of deleting and quarantining the file. It obviously won't do this for OS system files. 

    2. The malware installed or modified file permissions to System level which again would prevent Eset from accessing them.

    Another thing you can try is to boot into Windows Safe mode and repeat the previous "Scan as Administrator" scan you performed. In Safe mode, fewer OS files are locked down and/or loaded.

  7. 13 hours ago, jasonmraz said:

    do not have original registration address ESET was purchased/installed when hard drive was replaced by computer repair shop

    You should contact the computer repair shop for the license key.

    They at a minimum should have provided you with the license key since you stated they charged you for the license. If the repair shop is unwilling to provide the license key, you should suspect that what the repair shop is doing is not legit. As far as I am aware, Eset does not provide OEM bulk licensing where a vendor can install it on multiple devices.

  8. Following up on @Marcos reply, open the Eset GUI. Click on "Advanced setup." Open the Malware scans section, then the THREATSENSE PARAMETERS section under Smart scan. Ensure that the Cleaning level option is set to "Normal cleaning" as shown in the below screen shot.

    If it is not so set, change it to Normal cleaning. Click on the "OK" tab to save your settings. Finally, run another scan.

  9. Also, I monitor all cmd.exe startup using a HIPS rule. If egui.exe was doing so, I would have received an alert from it which I never have received.

    Eset programs are written in assembler; at least ekrn.exe is and I assume egui.exe is also. You can start a program directly from assembler code using the following I found on the web:

    Quote

    You can start a program with CreateProcessA and wait for its end with WaitForSingleObject. The GCC-linker (LD) needs also a suffix with the number of the pushed bytes (e.g. "@4", one dword = four bytes). That is one reason to use another linker.

    The following code example is for cmd.exe but it could also be deployed for systemsettings.exe and accessing the Windows Update feature within:

    Quote

    Here's a simple example to start a shell (cmd.exe) with a "dir"-command:

    exec_dir.asm:

    STRUC _STARTUPINFO                      ; https://msdn.microsoft.com/library/windows/desktop/ms686331.aspx
        .cb:                resd 1
        .lpReserved:        resd 1
        .lpDesktop:         resd 1
        .lpTitle:           resd 1
        .dwX:               resd 1
        .dwY:               resd 1
        .dwXSize:           resd 1
        .dwYSize:           resd 1
        .dwXCountChars:     resd 1
        .dwYCountChars:     resd 1
        .dwFillAttribute:   resd 1
        .dwFlags:           resd 1
        .wShowWindow:       resw 1
        .cbReserved2:       resw 1
        .lpReserved2:       resd 1
        .hStdInput:         resd 1
        .hStdOutput:        resd 1
        .hStdError:         resd 1
    ENDSTRUC

    STRUC _PROCESS_INFORMATION              ; https://msdn.microsoft.com/library/windows/desktop/ms684873.aspx
        .hProcess:      resd 1
        .hThread:       resd 1
        .dwProcessId:   resd 1
        .dwThreadId:    resd 1
    ENDSTRUC

    section .data
        startupinfo:
            istruc _STARTUPINFO
            iend
        procinfo:
            istruc _PROCESS_INFORMATION
            iend
        app_fullpath: db "C:\Windows\System32\cmd.exe",0
        params: db "/c dir", 0
        msg: db `\n\nok.\n`,0

    global _main
    EXTERN _ExitProcess@4, _CreateProcessA@40,_WaitForSingleObject@8
    EXTERN _puts, _fflush

    section .text
    _main:

        ; STARTUPINFO.cb must hold the structure size (documented requirement)
        mov dword [startupinfo + _STARTUPINFO.cb], _STARTUPINFO_size

        ; CreateProcess(app_fullpath,params,0,0,false,0,0,0,&startupinfo,&procinfo)
        ; stdcall: CreateProcessA pops its own 40 bytes of arguments
        push procinfo
        push startupinfo
        push 0
        push 0
        push 0
        push 0
        push 0
        push 0
        push params
        push app_fullpath
        call _CreateProcessA@40         ; https://msdn.microsoft.com/library/windows/desktop/ms682425.aspx

        ; WaitForSingleObject( procinfo.hProcess, INFINITE );
        push -1         ; INFINITE
        push dword [procinfo + _PROCESS_INFORMATION.hProcess]
        call _WaitForSingleObject@8

        ; puts ("ok."), fflush to flush the stdout-buffer
        push msg
        call _puts
        mov dword [esp], 0
        call _fflush
        add esp, 4

        ; return 0
        push 0
        call _ExitProcess@4


  10. 1 hour ago, Tom L said:

    I'm updating that while the antivirus notified me that my protection is lost, it kept on updating and working for a while, and now didn't start when my computer started and seems like it's not installed. I tried to download the installer, but when it starts it keeps on showing a similar message - that it doesn't find an internet connection.

    It sounds like Eset is still installed but no longer active.

    Try uninstalling it via the Windows Uninstall Program options. Reboot. Then try to install the version you downloaded.

    If that doesn't work, try uninstalling Eset using the Eset Uninstaller Tool. Instructions on its use are here: https://support.eset.com/kb2289/?locale=en_US&viewlocale=en_US . When the tool completes, it will display if the uninstall was successful. Then boot into Windows normal mode and install the version you downloaded.

  11. On 11/23/2018 at 9:45 PM, TomFace said:

    The OP did not say it was an initial scan. If your scan is taking 2.4 hours for 380K items, that's too long. On my machine, a smart scan took 22.5 minutes to scan 247K items.

    Refer to my posting again. It specifically refers to the initial scan.

    As far as the OP's original posting, he didn't state the context of the scan. I assumed with the times referenced, it was the initial scan.

  12. @Rami, I checked this out. I opened Process Explorer prior to accessing Win Update checking via the Eset GUI check for Win Updates button in Win 10 Home x64 1803. I did not observe any startup of cmd.exe originating from ekrn.exe, egui.exe, or anything else for that matter. My best guess is Eset is executing "ms-settings:windowsupdate" via a run command window equivalent.