Everything posted by itman
Multiples detections JS/Packed.Agent.H
itman replied to Andres96's topic in Malware Finding and Cleaning
Refer to this thread: https://forum.eset.com/topic/29087-club-pogo-and-selective-games-blocked-by-eset/ . Appears to be related to games with Pogo being the main culprit.

Malware Detected on website JS/Agent.RMN
itman replied to PMEDIA's topic in Malware Finding and Cleaning
Malware still on web site. Refer to this Sucuri report: https://sitecheck.sucuri.net/results/spzoz-warka.pl .

Have you tried Win10Pcap: https://www.win10pcap.org/ ?

I can access the web site w/o any Eset alert.

The point of Andy Ful's test is Eset should be VBS protecting its critical drivers. The problem is many older PCs don't meet the minimum requirements for VBS protection: https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs However, the main protection mechanism of VBS is HVCI - Memory Integrity, which my ancient PC supports.

I am also wondering if we are looking at exploitation of a new IPv6 DoH DNS rebind vulnerability similar to the IPv4 one noted here. Now my ISP uses 6rd tunneling on its network. This is the reverse of the above in that all IPv6 traffic is tunneled through an IPv4 connection via use of a tunnel broker ISP.

Let's again review what happens when a connection is made to https://crackingpatching.com/2017/03/avast-pro-antivirus-internet-security-premier-17-2-3419-0-keys.html with DoH enabled in Firefox. Eset Filtered Web Site log shows it blocked access:

Time;URL;Status;Detection;Application;User;IP address;Hash
3/9/2024 11:43:27 AM;https://crackingpatching.com;Blocked;Internal blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;xxxxx;104.21.43.46;F736FE1F2C3ACB8E53F9E22EFE632D18B65DECCB

Time;URL;Status;Detection;Application;User;IP address;Hash
3/9/2024 11:43:28 AM;https://accounts.google.com/o/oauth2/postmessageRelay?parent=https://crackingpatching.com&jsh=m;/_/scs/abc-static/_/js/k=gapi.lb.en.8uXxGUoumbY.O/d=1/rs=AHpOoo96qx3mL4tzGUOa-0q0udyPRqEAoA/m=__features__;Blocked;Internal blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;xxxxx;2607:f8b0:4023:140d::54;F736FE1F2C3ACB8E53F9E22EFE632D18B65DECCB

Notice that two connections are made, with the first connection in IPv4 to the TLD. Eset doesn't alert or block the connection in this instance.

However, with DoH disabled in Firefox, only one connection is being made/logged. It is to the TLD. Most important, it is via IPv6. Eset alerts and blocks this connection:

Time;URL;Status;Detection;Application;User;IP address;Hash
3/11/2024 11:25:41 AM;https://crackingpatching.com;Blocked;Internal blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;xxxxxxxx;2606:4700:3034::6815:2b2e;F736FE1F2C3ACB8E53F9E22EFE632D18B65DECCB

Also significant is that the URL shown on the Eset block alert is the sub-domain: https://crackingpatching.com/2017/03/avast-pro-antivirus-internet-security-premier-17-2-3419-0-keys.html

I have seen enough that I am keeping DoH permanently disabled.

Turned off all license notifications and they keep coming
itman replied to Jedis's topic in General Discussion
Based on this forum posting: https://forum.eset.com/topic/25526-expired-license-how-to-disable-popup/ and others like it, there is no way to stop the license expiration popup alert other than by uninstalling Eset.

Another observation. With DoH disabled in Firefox, attempted access to https://crackingpatching.com/2017/03/avast-pro-antivirus-internet-security-premier-17-2-3419-0-keys.html results in blocking at the TLD as should be:

Time;URL;Status;Detection;Application;User;IP address;Hash
3/10/2024 10:09:53 AM;https://crackingpatching.com;Blocked;Internal blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;xxxxxxxx;2606:4700:3034::6815:2b2e;F736FE1F2C3ACB8E53F9E22EFE632D18B65DECCB

Did more testing with the TLD https://crackingpatching.com/ . The problem is with DoH enabled in Firefox. With DoH disabled, Eset will alert and block access every time. When any of the DoH settings are enabled, Eset might block it once after the setting change but not thereafter. Doesn't matter what DoH option is selected or DoH provider selected. I am keeping DoH disabled until this is resolved. Glad you found this problem.

Found the problem, I believe. Eset Filtered Web Site log shows it blocked access:

Time;URL;Status;Detection;Application;User;IP address;Hash
3/9/2024 11:43:27 AM;https://crackingpatching.com;Blocked;Internal blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;xxxxx;104.21.43.46;F736FE1F2C3ACB8E53F9E22EFE632D18B65DECCB

Time;URL;Status;Detection;Application;User;IP address;Hash
3/9/2024 11:43:28 AM;https://accounts.google.com/o/oauth2/postmessageRelay?parent=https://crackingpatching.com&jsh=m;/_/scs/abc-static/_/js/k=gapi.lb.en.8uXxGUoumbY.O/d=1/rs=AHpOoo96qx3mL4tzGUOa-0q0udyPRqEAoA/m=__features__;Blocked;Internal blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;xxxxx;2607:f8b0:4023:140d::54;F736FE1F2C3ACB8E53F9E22EFE632D18B65DECCB

But web site access is not blocked. Notice the redirect to Google. Looks like someone has figured out how to bypass Eset Web Filtering on Firefox.
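The log excerpts pasted in the DoH posts above are semicolon-separated, and the second record shows the trap in reading them: the URL column can itself contain a ';', so splitting naively on ';' yields the wrong columns. As an added example (not itman's code and not an ESET tool), here is a small parser that splits the fixed trailing columns from the right, records whether each hit was IPv4 or IPv6, and tallies blocks per host so the IPv4-vs-IPv6 pattern discussed in the thread can be checked across a whole export. It assumes the eight-column layout shown in the posts; the sample lines are constructed with placeholder domains, user and hash.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample mirroring the Filtered Websites layout quoted in the
# thread (header repeated because two exports were pasted together).
# Domains, user and hash are placeholders, not values from the posts.
SAMPLE_LOG = """\
Time;URL;Status;Detection;Application;User;IP address;Hash
3/9/2024 11:43:27 AM;https://blocked.example;Blocked;Internal blacklist;C:\\Program Files\\Mozilla Firefox\\firefox.exe;user;192.0.2.10;PLACEHOLDERHASH
Time;URL;Status;Detection;Application;User;IP address;Hash
3/9/2024 11:43:28 AM;https://relay.example/cb?parent=https://blocked.example&jsh=m;/_/x/y;Blocked;Internal blacklist;C:\\Program Files\\Mozilla Firefox\\firefox.exe;user;2001:db8::54;PLACEHOLDERHASH
3/11/2024 11:25:41 AM;https://blocked.example;Blocked;Internal blacklist;C:\\Program Files\\Mozilla Firefox\\firefox.exe;user;2001:db8:1::2b2e;PLACEHOLDERHASH
"""

HEADER = "Time;URL;Status;Detection;Application;User;IP address;Hash"
TRAILING_FIELDS = 6  # Status, Detection, Application, User, IP address, Hash


def parse_line(line):
    """Split one record. The URL may contain ';' (the relay URL above does),
    so peel the six fixed trailing columns off the right and treat everything
    between the timestamp and them as the URL."""
    head, *tail = line.split(";")
    if len(tail) < TRAILING_FIELDS + 1:
        raise ValueError("too few fields: " + line)
    url = ";".join(tail[:-TRAILING_FIELDS])
    status, detection, app, user, ip, digest = tail[-TRAILING_FIELDS:]
    addr = ipaddress.ip_address(ip)  # raises on a malformed address column
    return {
        "time": head, "url": url, "host": urlsplit(url).hostname,
        "status": status, "detection": detection, "application": app,
        "user": user, "ip": ip, "ip_version": addr.version, "hash": digest,
    }


def parse_log(text):
    """Parse an export, skipping blank lines and any repeated header lines."""
    return [parse_line(l) for l in text.splitlines() if l and l != HEADER]


def summarize(records):
    """Per connected host: the IP versions seen and how many hits were Blocked.
    A host that only appears inside another URL's query string is not counted
    as a direct connection to it."""
    out = {}
    for r in records:
        entry = out.setdefault(r["host"], {"versions": set(), "blocked": 0})
        entry["versions"].add(r["ip_version"])
        if r["status"] == "Blocked":
            entry["blocked"] += 1
    return out
```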