itman

Most Valued Members
  • Posts: 12,836
  • Days Won: 337

Posts posted by itman

  1. I will also add that since it appears you are a firewall expert, you should most certainly know what exclusions they would require.

    Just don't expect Eset to be the least bit "accommodating" when it comes to conflicts with an obsolete and unsupported circa 2013 firewall.

  2. Confirmed this was a "glitch" in the Security Report. Resetting it did the trick and all incoming e-mails are correctly identified, count-wise, in the report. Well, inbox-wise they are.

    It appears that anything dumped into the Bulk e-mail, etc. folders in Thunderbird is not reflected in the report counts, but I am not sure those are actually physically downloaded to my device.

  3. According to this: https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-00 , TLS 1.0 has already been deprecated. However, Microsoft previously has stated that it will be supported in IE11 until 2020. Maybe something has changed in that regard? Note that some app software like Salesforce has already disabled use of TLS 1.0 in IE11.

  4. One final comment about this attack for anyone reviewing this posting for future reference.

    This attack although similar to that described in this posting: https://forum.eset.com/topic/13651-powershell-script-possible-malicious-attack/ was different. In that posting, the attacker was using WMI to maintain persistence of the malicious WMI command event. The referenced WMILister_30.vbs script developed by Eset was coded to not only remove the WMI command event, but also its persistent recreation capability via WMI.

    In this posting's attack, it appears PowerShell was run via an autorun capability, e.g., a registry Run key or the Windows Startup directory, that re-created the malicious WMI consumer event at system boot time to maintain its persistence. Hence the recurrence of the WMI command event after the WMILister_30.vbs script was deployed.

    This is a great example of how malware authors are constantly evolving their tactics to avoid mitigation methods.
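    As an added example (not code from the thread or from Eset), the audit script below reads the two persistence layers the post describes: the permanent WMI event subscription in root\subscription, and the autorun locations (Run/RunOnce keys and Startup folders) that could re-create it at boot. It assumes an elevated Windows PowerShell prompt and only reads; it removes nothing.

```powershell
# Added example: enumerate WMI permanent subscriptions and autorun entries,
# then flag those that launch PowerShell. Read-only; run elevated.

function Get-WmiSubscriptions {
    $ns = 'root\subscription'
    $consumers = Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
        # Reference properties arrive as CIM instances (key Name populated) or,
        # with older cmdlets, as object-path strings; handle both.
        $fName = if ($b.Filter   -is [string]) { $b.Filter }   else { $b.Filter.Name }
        $cName = if ($b.Consumer -is [string]) { $b.Consumer } else { $b.Consumer.Name }
        $f = $filters   | Where-Object Name -eq $fName
        $c = $consumers | Where-Object Name -eq $cName
        [pscustomobject]@{
            Type     = 'WmiSubscription'
            Location = "$fName -> $cName"
            Command  = $c.CommandLineTemplate   # what the consumer executes
            Trigger  = $f.Query                 # WQL event that fires it
        }
    }
}

function Get-AutorunEntries {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $key = Get-Item -Path $k
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Type = 'RunKey'; Location = "$k\$name"
                               Command = $key.GetValue($name); Trigger = 'logon' }
        }
    }
    # Per-user and all-users Startup folders
    foreach ($dir in @([Environment]::GetFolderPath('Startup'),
                       [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Type = 'StartupFolder'; Location = $_.FullName
                               Command = $_.Name; Trigger = 'logon' }
        }
    }
}

# Any entry in either layer that launches PowerShell deserves a closer look;
# a Run key that recreates a WMI subscription shows up here as a pair.
$findings = @(Get-WmiSubscriptions) + @(Get-AutorunEntries) |
    Where-Object { $_.Command -match 'powershell|pwsh' }
$findings | Format-Table -AutoSize
```

    Compare the output against a known-good baseline of the same host; legitimate software also registers Run keys, so a match is a lead, not a verdict.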

  5. I was also going to recommend the Eset Network wizard to create the rule.

    I suspect something is wrong with his existing firewall rules. If I recollect, Eset firewall Interactive mode adds a "global" block? rule for outbound connections at the bottom of the existing rules set. I have had issues with that rule in prior Interactive mode use. I believe I had to change that rule to "ask" to receive alerts. Also, I had to always ensure the rule was at the end of the existing rule set.

    -EDIT- I also noticed Adobe Reader on Win 10 1809, for example, is now dynamically creating Win firewall rules each time a .pdf is accessed. Only God knows why they are doing such nonsense. This app is also Adobe-based and might also be doing such nonsense.

  6. 10 hours ago, Sejjeto said:

    they cannot get to websites that show to have outdated TLS

    Perhaps they have disabled TLS 1.0 in IE11? Maybe something to do with their Group Policy settings?

    I use IE11 as my primary browser and have never experienced any profound performance issues with Eset installed.

  7. 13 hours ago, novice said:

    PC Tools Firewall Plus

    The firewall is obsolete and hasn't been supported since mid-2013.

    You're better advised to stick with the Win 7 firewall. If you want something to monitor outbound connections, check out the third party Win 7 firewall extensions such as Windows Firewall Control: https://www.binisoft.org/wfc.php or the like. Better yet, update to Win 10 with a better built-in firewall since Win 7 end-of-life is next year. Or even more advisable, just upgrade to Eset Internet Security which also provides IDS protection.

  8. 13 minutes ago, novice said:

    I have a firewall which I want to run it with NOD32 Antivirus (let's name it generic "Firewall"

    Normally, you would not have to add exclusions for a basic third party firewall in NOD32. You only need to add exclusions when another security product that performs realtime scanning is employed. Which BTW is not recommended.

    Are you referring to Comodo perhaps?

  9. 51 minutes ago, Marcos said:

    It may not be a legit Flashplayer but malware disguised under that name :)

    Ah, yes. I didn't expand the screenshot enough; Adobe Flash Player.exe? I believe the legit version is Flash Player.exe.

    Doesn't an AMS-based log entry show the executable path information?

  10. After opening my e-mail client, Thunderbird, I decided to check recently scanned e-mail counts in the security report. It only showed a count of 10 which appear to be the e-mails I physically opened and read versus the dozens of unread e-mails that were actually downloaded.

    I hope that this is just a bug in the security report and not that Eset is no longer scanning all e-mails upon download as was the case in prior versions?

  11. As @Marcos previously requested, you need to access Eset's Detection log and find the recent entry associated with this malware detection. You then need to post what is shown there in English.

    To accomplish this, right click on the log entry and select "Copy." Open your browser and enter this URL: https://translate.google.com/ . Make sure English is selected in the "Translation" section. Paste what you previously copied into the "Detect Language" section. After the translation section is complete, copy what is shown there in English to your forum posting.

  12. Open the Eset GUI. Using Advanced Setup, click on "Web and Email." Click on "Email client protection." Refer to the below screenshot. Uncheck "Enable email protection by client plug-ins." Save your changes. This should eliminate the Eset add-on for Outlook.

    Note doing this will reduce Eset's e-mail protection and e-mail will only be scanned upon arrival.

    [Screenshot: Eset_Outlook.png]
