itman

Posts posted by itman

  1. One final comment about this Search Service.exe sample that most might not have noticed.

    CrowdStrike Falcon at VT detected it as 100% malicious. I assume the Falcon sandbox is not deployed at VT and only machine learning heuristics were deployed. However, the analysis at Hybrid-Analysis does deploy the Falcon sandbox, allowing for a more thorough process analysis. That analysis yielded an 89% malicious confidence rating.

    Now let's factor in the other known variables involved. This does not imply that there are other unknown ones involved:

    1. An unknown and unsigned process created in a Windows directory.

    2. A Windows autorun mechanism created to run the process at system startup time.

    I really believe that at a minimum, Eset should have thrown a suspicious alert on this one.

  2. 1 hour ago, Marcos said:

    1. Update at logon has always been disabled by default:

    I still believe there is a bug in NOD32. Notice in the screen shot you posted, the dial-up option is enabled instead. Virtually no one uses a dial-up connection these days.

  3. There are at least 42 variants of Gen:Variant.Mikey.24795 going back to 2015: https://totalhash.cymru.com/search/?av:Gen*Variant.Mikey.24795 . Average VT AV vendor detection is around 50% for these.

    Below are some of the variants that Eset detected in the past. I did not check all of the 42 variants for Eset detection:

    https://totalhash.cymru.com/analysis/?5485d4ada205b0feddf559da044d41f048dbe177

    https://totalhash.cymru.com/analysis/?6c63f84bb0363fa01a70d580b8c122e743eaa36d

    https://totalhash.cymru.com/analysis/?3371cb7e337bf3da285e851026dbcd37f7382913

  4. As far as this goes:

    Quote

    Why "update at logon" is disabled by default???

    It is enabled by default in Internet Security. It might not be for NOD32. So I would create a support request and report it as a bug to Eset.

    Also, for Internet Security, when the update at logon occurs the Eset GUI startup screen does show that the update occurred; i.e., "Last Update xx minutes ago", if within the current hour.

  5. 5 hours ago, Johnny Wan said:

    outlook.office35.com

    I analyzed outlook.office365.com at Qualys: https://www.ssllabs.com/ssltest/analyze.html?d=outlook.office365.com . The certificate and chaining path are fine. See the screen shot below.

    I suspect this alert is happening in Firefox due to either Eset SSL proxying activities, i.e., the Eset root CA cert. being used, or there is a certificate issue within Firefox since they use their own root CA certificate store.

    [Screenshot: Outlook_Cert_2.png]

  6. 26 minutes ago, sypticle said:

    I have 1 more question: so if I use Wireshark, and put the filter as "dns", would I be able to get the person's IP and block it in the firewall?

    Per the Hybrid-Analysis, this isn't necessary:

    Quote

    Network Analysis

    This report was generated with enabled TOR analysis

    DNS Requests

    No relevant DNS requests were made.

    Contacted Hosts

    No relevant hosts were contacted.

    HTTP Traffic

    No relevant HTTP requests were made.

  7. 2 minutes ago, sypticle said:

    Okay, so when I downloaded the RAT, the person disabled my "Administrator Permissions". I'm not really sure how.

    In all likelihood, the perpetrator ran one of the Win utility processes that are increasingly being abused. A number of those can be run hidden and silently elevate to admin level.

    Tip - if you run as a limited admin and don't have UAC set to the maximum level, you need to do so. Most of these bypasses can be detected when UAC is set to max. Yes, you will receive additional UAC alerts, but the increased security factor is worth the minor annoyance.

  8. 8 minutes ago, sypticle said:

    With a behavior analysis score of 89/100 which is one point below the high confidence level, I would say this bugger is malicious. Especially so using the MITRE indicators noted.

    Did AdwCleaner get rid of the Search Service.exe in the C:\Windows directory?

  9. 2 hours ago, 0x55 said:

    I did notice that Eset had changed the sites' favicons in Chrome, but that has reverted back in the past few days. I can manually open the secure browser, and that seems fine.

    The sites are definitely set to use secure browser in Advanced Setup. I've also tried variants like adding www or the index.html landing page, with no success.

    Also, as discussed in a recent thread on this subject, Eset doesn't support HTTPS/2 yet. So any such web site will not cause the BP&P secure browser to open, regardless of the source browser used.

  10. 1 hour ago, pronto said:

    The actual question is whether it is enough to set up the directories in the 'Detection Engine - Exclusions' dialog to exclude them both in the Real Time Scan

    As far as I am aware of, process and file exclusions entered for the detection engine apply to any Eset options subordinate to it. This would include any of the manual or scheduled malware scanning options.

  11. Another suggestion is to submit Search Service.exe for a scan on the Hybrid Analysis web site here: https://www.hybrid-analysis.com/ . As best as I can determine, the file hash you submitted to Virus Total has not been previously scanned at Hybrid Analysis. If you do this, copy the link for the scan and post it. I will take a look at the sandbox analysis performed.

  12. 41 minutes ago, Bordonbert said:

    Can anyone envisage a way it is possible for an email to create a brand new folder in this way? 

    I use ThunderBird and have the latest version 63 installed.

    I just opened it up and have no "Black Friday" folder being shown. I also have no Thunderbird spam settings enabled other than the default ones.

    I would direct your concerns to the Mozilla Thunderbird forum.

  13. 11 hours ago, sypticle said:

    Do you know if it's supposed to open on startup?
    edit: I just checked and my version of searchservice.exe has a space..

    What I do know is this.

    Many of the detections for it on VT were for Gen:Variant.Mikey.24795. Gen:Variant.Mikey is a generic detection for adware/browser hijacker/etc.

    Malwaretips.com has a few cleaning guides for earlier versions of it. Here's one: https://malwaretips.com/blogs/gen-variant-adware-mikey-10000-removal/ . Since AdwCleaner was recommended for removal of it, I would give it a shot on getting rid of this variant. You can download it here: https://www.bleepingcomputer.com/download/adwcleaner/ .

    What I will say about Search Service.exe is that it is located in the Windows directory. As far as I am aware of, this is not a Windows system process or utility and has no business being in that directory. Additionally, the fact that it is located in a Windows directory significantly ups the probability that the process is dangerous.

  14. Below are link references to the "This App Can't Run On Your PC" alert. There are many more on the web.

    https://www.ghacks.net/2017/10/30/fix-this-app-cant-run-on-your-pc-on-windows/

    https://www.easeus.com/todo-backup-resource/this-app-cant-run-on-your-pc-in-windows-10.html

    The fact that the alert window is being displayed in red leads me to suspect that Win 10 native SmartScreen is the source of the alert. You can try to temporarily disable it by setting it to "Off" as shown in the screen shot below. If the problem goes away with SmartScreen disabled, you have found the source of the issue.

    Also, corrupted files can cause this alert in regards to the software publisher: https://www.overclockers.com/forums/showthread.php/722938-Corrupted-files-are-the-cause-of-Windows-8-quot-This-app-can-t-run-on-your-PC-quot-error

    [Screenshot: Eset_SmartScreen.png]

  15. I use T-Bird e-mail on version 12.0.27 to access my AOL e-mail which is in essence now Yahoo e-mail. I don't have any issues. However, I don't use the POP/S protocol but the IMAP/S protocol.

    For starters, you should verify that Eset's Windows root CA store certificate is installed in T-Bird's root CA certificate store. If it is installed, then you might as a test try switching to the IMAP/S protocol in T-Bird and see if e-mail can be retrieved. Note: Yahoo might use a different URL for their IMAP/S servers.


  16. I am not so sure that the search service.exe is a benign process. Here is a write up on the legit version: https://www.file.net/process/searchservice.exe.html .

    The important point to note is the legit version is named searchservice.exe. Note there is no space between "search" and "service" in the process name. If the process running doesn't point back to this directory, C:\Program Files\Ticno\, I would be doubly suspicious.
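As an added example (not from the thread, and not ESET's or itman's code), here is a read-only PowerShell audit of the Run/RunOnce autorun keys that reports the two signals itman raises above and in his earlier post on Search Service.exe: a target executable living under the Windows directory, and a missing or failing Authenticode signature. It assumes Windows PowerShell 5.1 or later; the registry paths are the standard autorun keys, and the Get-AutorunTarget helper is defined inside the block, not a built-in.

```powershell
# Added example (not from the forum thread or from ESET). Read-only audit of the
# Run/RunOnce autorun keys: flags targets under the Windows directory and targets
# whose Authenticode signature is missing or fails. Assumes Windows PowerShell 5.1+.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$winDir = [Environment]::GetFolderPath('Windows')
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Extract the executable from a Run-key command line, e.g.
#   "C:\Windows\Search Service.exe" /silent  ->  C:\Windows\Search Service.exe
function Get-AutorunTarget([string]$CommandLine) {
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $first = ($cmd -split '\s+')[0]
    # Bare names such as rundll32.exe are resolved through PATH, as the loader would
    if ($first -and -not [IO.Path]::IsPathRooted($first)) {
        $resolved = Get-Command $first -ErrorAction SilentlyContinue
        if ($resolved) { return $resolved.Source }
    }
    return $first
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $entries = (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notin $providerProps }
    foreach ($entry in $entries) {
        $target = Get-AutorunTarget ([string]$entry.Value)
        $flags = @()
        if ($target.StartsWith($winDir, [StringComparison]::OrdinalIgnoreCase)) {
            $flags += 'lives under Windows directory'
        }
        if ($target -and (Test-Path -LiteralPath $target)) {
            $sig = Get-AuthenticodeSignature -FilePath $target
            if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
        } else {
            $flags += 'target not found on disk'
        }
        # Empty Flags means neither signal applies; anything else deserves a look.
        [PSCustomObject]@{ Key = $key; Name = $entry.Name; Target = $target; Flags = ($flags -join '; ') }
    }
}
```

An entry such as C:\Windows\Search Service.exe that is unsigned would show both flags; a legitimately signed vendor binary outside the Windows directory shows none.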

  17. 10 hours ago, Veremo said:

    VT says 1fa45104b40630d08b83513cd2424ab72d79b0e1 was signed by Dexon Software.
    Additionally this file contains a timestamp countersignature which proves it is not "recent"

    Date signed
    11:53 PM 11/30/2005

    I figured we would get around to this.

    Here is an AV vendor that found it to be "clean": https://www.reasoncoresecurity.com/agent.exe-0eced01089ae9cba59f2e6b94173cd7dd495b9c8.aspx . Well, sort of. It did find two variants that it classified as PUAs. For the heck of it, I submitted the following "clean" variant to VT:

    Agent.exe  5,1,3,648  06db69c21a367a7df46f24d70a8cf7734306b904

    Interestingly, Microsoft indicated this one was clean although many other vendors did not including Eset. Do note that VT does indicate that its code signing cert. has expired.

    Which gets us to just what the hell is this bugger? Well, it turns out it is part of a legit trusted installer software. You can read about it here: https://www.neuber.com/taskmanager/process/agent.exe.html . This makes its use an ideal target for malware, adware, you name it to abuse.

    The bottom line is that this bugger does not "mysteriously" appear on your PC. It relies on some user unwittingly installing it via what appears to be a legit software installation.

    So for those Eset users that insist on overriding Eset's PUA alert and installing some software that they "know" to be safe, you have been warned.
