itman

Everything posted by itman

  1. This was discussed in another forum thread which I currently can't find. MBAM is now a full-fledged AV solution and as such now registers itself in Windows Security Center as Eset does. Windows 10/11 only allows one third-party AV to register itself as the active real-time AV solution. This is where the conflict is and the source of the Eset AMSI error. Why this just recently started with devices having both MBAM (real-time mode) and Eset installed, only Microsoft knows. The only solution is to disable MBAM real-time mode and run it as an on-demand second-opinion AV.
  2. The Eset recommended anti-ransomware rule for PowerShell child process startup is detecting it starting conhost.exe. You will have to create a HIPS allow rule for this activity. I did. Appears internal PowerShell maintenance scripts used by Windows perform this activity.
  3. What browser did you use to perform the AMTSO test? Eset detects it when using Firefox:
  4. I assume he's connecting to Zoom via Chrome browser; https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0060732#collapseWeb
  5. An earlier forum posting on this detection here: https://forum.eset.com/topic/36679-jschromexagentbz-help/ . To summarize, a malicious/corrupt Chrome extension kept loading at Chrome startup time due to the Sync feature being enabled. One poster in the thread stated in his case it was related to ChatGPT.
  6. Is this the NVR software you are using: https://www.acti.com/products/software-nvr ?
  7. Is the source or target IPv4 address a multicast one, i.e. 224.xxx.xxx.xxx?
  8. At this point, I am not sure the source is malware based; I just gave an example. Check the server's network adapter settings in Windows. Is IPv6 enabled?
  9. Refer to this posting in regards to how malware can install an IPv6 network interface: https://www.malwarebytes.com/blog/news/2021/03/perkiler-malware-turns-to-smb-brute-force-to-spread;
  10. FDE TPM settings here: https://help.eset.com/efde/en-US/req_and_supported.html?policy_encryption_options.html
  11. For the time being, I suspect that if you disable Safe Banking & Protection Secured browser memory protection prior to playing this game, it should allow these .dlls to establish a "hook" into the browser. Just make sure you re-enable the protection after done playing your game. Also now and in the future when this issue is fixed, you need to close the browser when done playing the game. This is to ensure these game .dll "hooks" have been cleared from browser memory space.
  12. The problem here is, by your previously posted admission, you have been infected for months with this malware. The longer the malware remains resident, the more system damage can be done, e.g. downloading of additional malware, etc. I recommend you ask for malware removal assistance at one of the like sites previously posted. These sites specialize in removing entrenched multiple malware.
  13. Post the Eset detection log entry for one of these detections. I have never seen Eset block use of a file under untrusted criteria.
  14. The domain is still blacklisted by Eset:

     Time;URL;Status;Detection;Application;User;IP address;Hash
     2/22/2024 9:37:44 AM;https://wenter.pl;Blocked;Internal blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;xxxxxxxx;195.78.67.36;48025B59ABE1DACBB8D4B5E3269302C6DC3B92E0
  15. Older posting for a like malware variant here: https://forum.eset.com/topic/28522-dotnet-msil-injectorvgr/ . In this case, malware was resident in: https://forum.eset.com/topic/28522-dotnet-msil-injectorvgr/?do=findComment&comment=134240
  16. Same here; no Eset detection for the posted domain. However, Sucuri rates the web site high risk due to outdated software: https://sitecheck.sucuri.net/results/www.grapevinemarketing.org .
  17. I received the Eset detection alert upon web site product selection box; e.g. https://aalvink.nl/product/varkensnek .
  18. Same here. Eset was running scheduled maintenance on its servers today. Eset status says all is operational now. Perhaps someone forgot to turn on update servers.
  19. After running the recommended reg key deletions, the only keys remaining on my Win 10 x64 Pro 22H2 build are those shown in the below screenshot. The only key related to Microsoft Defender is the one highlighted. The other two keys are for Eset.
  20. Worked for me. After deleting the reg keys @Marcos specified and performing a system restart, new Win Event log Security Center errors are not generated. I also checked WSC and everything is as it should be; Eset is registered as the active AV and firewall.
  21. The worst type of vulnerability is one in an AV product due to the elevated privileges it runs under. Now that this vulnerability has been publicly released, expect attackers to start actively exploiting it. Again, you have been advised. It's your decision if you choose to ignore it.
  22. For those running ver. 16 of Eset, you are advised to upgrade to ver. 17 ASAP: https://support.eset.com/en/ca8612-eset-customer-advisory-link-following-local-privilege-escalation-vulnerability-in-eset-products-for-windows-fixed .