Posts posted by itman
-
8 minutes ago, Rami said:
even though I am trying to open Display Settings , I only get a CMD window,
Do you mean Windows Update settings via the Eset GUI or "Display Settings?" If the latter, you will have to elaborate more on what you are doing.
-
Reinstall of IS 11.0.27 didn't correct the issue. So as far as I am concerned, the lack of alerting is a bug.
-
I just exported/imported by Eset settings using Internet Security 12.0.27 w/o issue.
-
I tried a few. None of the below prompted to open in secure browser in IS 12.0.27 on IE11:
https://www.scotiabank.com/ca/en/0,,2,00.html
https://www.bmo.com/main/personal
https://www.rbcroyalbank.com/personal.html
-
3 hours ago, Rami said:
When you paste this into notepad and then you try to save it , also ESET doesn't detect it?
Eset's blocking/removal is fine. It is just not alerting that it did so. Previously, all eicar detections resulted in an Eset popup alert.
I also noticed in the last day or so, I am no longer getting an Eset popup notification when signature updating has occurred.
I am going to reinstall IS 12.0.27 and see if that resolves these issues. -EDIT- I might hold off on this since a NOD32 user just posted he is having issues importing his prior exported settings. I have "tons" of customized settings I don't want to lose.
-
I ran a few other eicar test downloads on other web sites just to verify that it wasn't something to do with the AMTSO site downloads. Same result - no alerts from Eset.
-
Win 10 Home x(64) 1803, Eset IS 12.0.27, IE11.
Not receiving Eset alerts on both eicar tests plus cloudcar test. Other tests do produce an Eset alert. Note: did not run the compressed malware tests.
Eset did block the downloads however as evidenced by entries in both the detection log and quarantine files.
-
39 minutes ago, Jendislav said:
but that weird certificate is another problem I think.
Quote: The next time your Safetica clients connect to the Safetica Management Server, the clients will receive their individual signed endpoint certificates which will be used to sign all further network communication.
Suspect the "weird" certificate is your client's self-signed Safetica certificate.
-
As far as the bank's claim of a Gozi infection, your customer needs to contact its bank for a more detailed explanation on what they actually detected. It could very well be related to the Safetica proxy interception activity. If this is the case, your customer will have to figure out a way to exclude the bank's web site from Safetica's SSL protocol scanning.
-
34 minutes ago, Jendislav said:
Hi, if I deleted this certificate and restarted PC it returned back to trusted CAs.
I was afraid of that. Appears the malware has installed a mechanism to recreate the bogus root CA store certificate. The most common way is to run certutil.exe, a legit Win system process, via some script type (PowerShell, wscript, cscript, or command) from one of the Windows startup directories or registry locations. Or, it created a scheduled task to do likewise at system startup time.
I would recommend you either contact your in-country Eset support office by phone or open up an Eset support ticket for assistance.
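A way to hunt for the re-adding mechanism described above, as an added example that is not part of the forum post: it searches the Run/RunOnce keys, both Startup folders and every scheduled task action for certutil -addstore (or the PowerShell equivalents), following any launched script into its contents. It assumes Windows 10 with PowerShell 5.1 and an elevated prompt; the Test-StoreWriter and Add-Hit helper names are this example's own.

```powershell
# Added example (not from the forum post). Assumes Windows 10 / PowerShell 5.1; run elevated.
$pattern  = 'certutil(\.exe)?[^\r\n]*-addstore|Import-Certificate|CertStoreLocation|X509Store'
$scriptRx = '([a-z]:\\[^"<>|]+?\.(ps1|vbs|js|wsf|bat|cmd))\b'

function Test-StoreWriter {
    # True when the command line, or a script file it launches, writes to a certificate store.
    param([string]$CommandLine)
    if ($CommandLine -match $pattern) { return $true }
    if ($CommandLine -match $scriptRx -and (Test-Path -LiteralPath $Matches[1])) {
        return ([string](Get-Content -LiteralPath $Matches[1] -Raw -ErrorAction SilentlyContinue)) -match $pattern
    }
    return $false
}

$hits = New-Object System.Collections.Generic.List[object]
function Add-Hit($Source, $Name, $Command) {
    $hits.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command })
}

# 1. Run / RunOnce values in the machine and current-user hives
$runKeys = foreach ($h in 'HKLM', 'HKCU') { "${h}:\Software\Microsoft\Windows\CurrentVersion\Run"; "${h}:\Software\Microsoft\Windows\CurrentVersion\RunOnce" }
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and (Test-StoreWriter $p.Value)) { Add-Hit $key $p.Name $p.Value }  # PS* = provider metadata
    }
}

# 2. Scripts dropped into the per-user or all-users Startup folder (path is quoted so spaces survive)
$startup = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
           "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
foreach ($f in Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue) {
    if (Test-StoreWriter "`"$($f.FullName)`"") { Add-Hit 'Startup folder' $f.FullName '' }
}

# 3. Scheduled task actions: certutil directly, or an interpreter handed a script
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if (Test-StoreWriter $cmd) { Add-Hit 'Scheduled task' "$($task.TaskPath)$($task.TaskName)" $cmd }
    }
}
$hits | Format-Table -AutoSize
```

An empty table means none of these three launch points references a store write; WMI subscriptions and services are not covered here.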
-
On 11/23/2018 at 12:32 PM, Jendislav said:
I found that there is weird certificate installed in trusted root certification authorities called computername security cert 2. When I tried to access any website with HTTPS certificates it showed that for example https://google.com is secure, certificate is trusted, but google certificate had been issued by this weird trusted CA which is installed on PC.
To begin with, I would open certmgr.msc and move this certificate from the Windows root CA certificate store to the Untrusted Publishers certificate store. This way if for some reason that certificate is needed, it can be reinserted into the Windows root CA certificate store. -EDIT- Also moving the certificate to the Untrusted Publishers certificate store might result in the concern not being able to connect to any HTTPS web site. In this case, your only alternative is to delete the certificate. You could export the certificate to a secure directory prior to deleting it.
Now verify if the site certificate for https://google.com is pinned to the correct root CA store certificate; i.e. Google Trust Services - Globalsign Root CA-R2. Note: This is the pinning relationship in IE11 and I assume Edge since both use the Windows root CA certificate store. As far as Chrome and Firefox browsers, who knows, since they use their own internal root CA certificate stores.
Assuming the concern can now connect to https://google.com securely, they also should be able to do so to their bank web site w/o issue.
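The two checks in the post above in script form, as an added example that is not part of the forum post: it lists self-signed certificates in both Windows root stores whose subject contains the machine name or "security cert", exports each one before any removal, and then reports which root the Windows chain engine actually builds for https://google.com. It assumes Windows 10 with PowerShell 5.1 and outbound access to google.com:443; the $suspect pattern and the backup folder name are this example's own.

```powershell
# Added example (not from the forum post). Assumes Windows 10 / PowerShell 5.1 and that
# google.com:443 is reachable. Nothing is deleted; hits are listed and exported first.
$suspect = 'security cert|' + [regex]::Escape($env:COMPUTERNAME)

# 1. List self-signed roots in both stores whose subject looks machine-generated.
$rogue = foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -eq $_.Issuer -and $_.Subject -match $suspect } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotBefore
}
$rogue | Format-Table -AutoSize

# 2. Export each hit to a .cer so it can be re-imported if it turns out to be needed;
#    the removal line is left commented out so the export can be checked first.
$backup = Join-Path $env:USERPROFILE 'rogue-root-backup'
New-Item -ItemType Directory -Path $backup -Force | Out-Null
foreach ($r in $rogue) {
    $cert = Get-Item -Path (Join-Path $r.Store $r.Thumbprint)
    Export-Certificate -Cert $cert -FilePath (Join-Path $backup "$($r.Thumbprint).cer") | Out-Null
    # Remove-Item -Path $cert.PSPath
}

# 3. Fetch google.com's leaf certificate and see which root Windows chains it to.
#    The validation callback returns $true only so the chain can be inspected; the
#    connection is closed right after the handshake and no application data is sent.
$tcp = New-Object System.Net.Sockets.TcpClient('google.com', 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient('google.com')
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.Build($leaf) | Out-Null
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
# The post above expects this to be GlobalSign Root CA - R2 for IE11/Edge.
"google.com chains to: $($root.Subject)"
if ($root.Subject -match $suspect) {
    "WARNING: google.com's TLS is being terminated by a locally installed root, not Google's CA."
}
```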
-
We need a screen shot of the Eset Computer Scan log for the last scan you ran. Open up that log file. It should show what files Eset detected threats in. The screen shot should show all the files where no cleaning was possible.
My best guess at this point is:
1. The files infected are system files. The OS has a lock on those files preventing Eset from cleaning them. -EDIT- Also, Eset's "cleaning" consists primarily of deleting and quarantining the file. It obviously won't do this for OS system files.
2. The malware installed or modified file permissions to System level which again would prevent Eset from accessing them.
Another thing you can try is to boot into Windows Safe mode and repeat the previous "Scan as Administrator" scan you performed. In Safe mode, fewer OS files are locked down and/or loaded.
-
13 hours ago, jasonmraz said:
do not have original registration address ESET was purchased/installed when hard drive was replaced by computer repair shop
You should contact the computer repair shop for the license key.
They at a minimum should have provided you with the license key since you stated they charged you for the license. If the repair shop is unwilling to provide the license key, you should suspect that what the repair shop is doing is not legit. As far as I am aware, Eset does not provide OEM bulk licensing where a vendor can install it on multiple devices.
-
Following up on @Marcos reply, open the Eset GUI. Click on "Advanced setup." Open the Malware scans section, then the THREATSENSE PARAMETERS section under Smart scan. Ensure that the Cleaning level option is set to "Normal cleaning" as shown in the below screen shot.
If it is not so set, change it to Normal cleaning. Click on the "OK" tab to save your settings. Finally, run another scan.
-
Also, I monitor all cmd.exe startup using a HIPS rule. If egui.exe was doing so, I would have received an alert from it which I never have received.
Eset programs are written in assembler; at least ekrn.exe is and I assume egui.exe is also. You can start a program directly from assembler code using the following I found on the web:
Quote: You can start a program with CreateProcessA and wait for its end with WaitForSingleObject. The GCC-linker (LD) also needs a suffix with the number of the pushed bytes (e.g. "@4", one dword = four bytes). That is one reason to use another linker.
The following code example is for cmd.exe but it could also be deployed for systemsettings.exe and accessing the Windows Update feature within:
Quote: Here's a simple example to start a shell (cmd.exe) with a "dir"-command:
exec_dir.asm:
STRUC _STARTUPINFO ; https://msdn.microsoft.com/library/windows/desktop/ms686331.aspx
    .cb:              resd 1
    .lpReserved:      resd 1
    .lpDesktop:       resd 1
    .lpTitle:         resd 1
    .dwX:             resd 1
    .dwY:             resd 1
    .dwXSize:         resd 1
    .dwYSize:         resd 1
    .dwXCountChars:   resd 1
    .dwYCountChars:   resd 1
    .dwFillAttribute: resd 1
    .dwFlags:         resd 1
    .wShowWindow:     resw 1
    .cbReserved2:     resw 1
    .lpReserved2:     resd 1
    .hStdInput:       resd 1
    .hStdOutput:      resd 1
    .hStdError:       resd 1
ENDSTRUC

STRUC _PROCESS_INFORMATION ; https://msdn.microsoft.com/library/windows/desktop/ms684873.aspx
    .hProcess:    resd 1
    .hThread:     resd 1
    .dwProcessId: resd 1
    .dwThreadId:  resd 1
ENDSTRUC

section .data
startupinfo:
    istruc _STARTUPINFO
        at _STARTUPINFO.cb, dd _STARTUPINFO_size ; cb must hold the structure size (68 bytes)
    iend
procinfo:
    istruc _PROCESS_INFORMATION
    iend
app_fullpath: db "C:\Windows\System32\cmd.exe", 0
; lpCommandLine is the complete command line, so its first token is argv[0]; cmd.exe skips it
params:       db "cmd.exe /c dir", 0
msg:          db `\n\nok.\n`, 0

global _main
EXTERN _ExitProcess@4, _CreateProcessA@40, _WaitForSingleObject@8
EXTERN _puts, _fflush

section .text
_main:
    ; CreateProcessA(app_fullpath, params, 0, 0, FALSE, 0, 0, 0, &startupinfo, &procinfo)
    ; stdcall: arguments are pushed right to left, the callee cleans the stack
    push procinfo      ; lpProcessInformation
    push startupinfo   ; lpStartupInfo
    push 0             ; lpCurrentDirectory
    push 0             ; lpEnvironment
    push 0             ; dwCreationFlags
    push 0             ; bInheritHandles
    push 0             ; lpThreadAttributes
    push 0             ; lpProcessAttributes
    push params        ; lpCommandLine
    push app_fullpath  ; lpApplicationName
    call _CreateProcessA@40 ; https://msdn.microsoft.com/library/windows/desktop/ms682425.aspx

    ; WaitForSingleObject(procinfo.hProcess, INFINITE)
    push -1            ; INFINITE
    push dword [procinfo + _PROCESS_INFORMATION.hProcess]
    call _WaitForSingleObject@8

    ; puts("ok."), then fflush(NULL) to flush the stdout buffer (cdecl: caller cleans the stack)
    push msg
    call _puts
    mov dword [esp], 0 ; reuse the pushed slot as fflush's argument
    call _fflush
    add esp, 4

    ; return 0
    push 0
    call _ExitProcess@4
-
1 hour ago, Tom L said:
I'm updating that while the antivirus notified me that my protection is lost, it kept on updating and working for a while, and now didn't start when my computer started and seems like it's not installed. I tried to download the installer, but when it starts it keeps on showing a similar message - that it doesn't find an internet connection.
It sounds like Eset is still installed but no longer active.
Try uninstalling it via the Windows Uninstall Program options. Reboot. Then try to install the version you downloaded.
If that doesn't work, try uninstalling Eset using the Eset Uninstaller Tool. Instructions on its use are here: https://support.eset.com/kb2289/?locale=en_US&viewlocale=en_US . When the tool completes, it will display if the uninstall was successful. Then boot into Windows normal mode and install the version you downloaded.
-
9 minutes ago, Rami said:
And that probably why I get an empty CMD admin window when I click it
No - I don't believe Eset is using cmd.exe for this. Programs can interact with the desktop. What I believe egui.exe is doing is internally running this: ms-settings:windowsupdate.
-
On 11/23/2018 at 9:45 PM, TomFace said:
The OP did not say it was an initial scan. If your scan is taking 2.4 hours for 380K items, that's too long. On my machine, a smart scan took 22.5 minutes to scan 247K items.
Refer to my posting again. It specifically refers to the initial scan.
As far as the OP's original posting, he didn't state the context of the scan. I assumed with the times referenced, it was the initial scan.
-
The initial Eset scan after installation takes a long time. Mine took 2 hours and 21 mins. for 380K items. Extrapolating that for 2.8 million objects would yield a time around 15 hours.
-
@Rami, I checked this out. I opened Process Explorer prior to accessing Win Update checking via Eset GUI check for Win Updates button in Win 10 Home x(64) 1803. I did not observe any startup of cmd.exe originating from ekrn.exe, egui.exe, or anything else for that matter. My best guess is Eset is executing "ms-settings:windowsupdate" via run command window equivalent.
-
3 minutes ago, anton83 said:
Did you enable pre-release update in Eset settings?
No. I believe HTTP/2 has worked with Eset in these two browsers for some time.
Note: the web site must also support HTTP/2; a number still do not.
-
3 hours ago, Abdul Jabbar Dumrai said:
No browser (Chrome, Firefox, etc.) is able to upgrade protocol from HTTP 1.1 to HTTP 2 because of this filtration.
HTTP/2 and Eset work fine together in IE11 or Edge.
-
In the forum Search window click on the magnifier glass symbol. Under Date Created section, select "Custom." Enter a "From" and "To" date for the search. I suspect by default, the search option only goes back a year since that is the earliest specific date option offered.
Missing Alerts on AMTSO Desktop Tests
in ESET Internet Security & ESET Smart Security Premium
Posted · Edited by itman