itman

Posts posted by itman

  1. Eset offers two versions of LiveGuard; one available in consumer products and one available for Eset commercial products. The version available for commercial products is titled LiveGuard Advanced and is a subscription service. LiveGuard Advanced offers features and protection not available on consumer product versions such as the ability to configure malware detection sensitivity level and detection response actions.

    Refer to this Eset article on LiveGuard Advanced: https://help.eset.com/elga/en-US/overview.html.

  2. Is this a Mac PC? Detection name is associated with Mac based adware.

    In any case, it's classified as adware;

    Quote

    Adware/Genieo!OSX is classified as a type of adware.

    Adware is any software package that automatically displays advertisements while the program is running. Adware is often not malicious, but unwanted, and a user is often unaware of its being installed on the local machine.

    The Fortinet Antivirus Analyst Team is constantly updating our descriptions. Please check the FortiGuard Encyclopedia regularly for updates.

    https://www.fortiguard.com/encyclopedia/virus/8057659

    If Eset is detecting it, there must be a malicious component to the adware.

    If the Eset alert occurs when a web site is accessed, assume the adware is being generated from the web site server which Eset doesn't have access to.

    On the other hand, this adware can be bundled with other downloaded software. In this case, assume it's been installed either stand-alone or within other legit software.

  3. 4 hours ago, IK4 said:

    /System/Library/PrivateFrameworks/CloudKitDaemon.framework/Support/cloudd

    It appears this is the source of the malicious script injection Eset is detecting. Since it's a system process, Eset can't access it to perform remediation;

    Quote

    What is Cloudd on Mac?

    Cloudd on Mac, like most processes ending with a d, is a daemon that runs in the background and handles system tasks. It is closely related to CloudKit, as the man page tells us. If you want to check the man page yourself, execute the following command in Terminal: man cloudd

    Cloudkit is Apple's framework that allows macOS and third-party apps to store data on iCloud for syncing to other devices. It can also be used to sync your Mac's desktop and documents to other devices. The Cloudd process works whenever an application syncs data to or from iCloud on your Mac. You can locate Cloudd by opening Finder, clicking Go > Go to Folder from the top, and entering /system/library/privateframeworks/cloudkitdaemon.framework/support/cloudd.

    https://iboysoft.com/wiki/cloudd.html

  4. On 2/6/2024 at 4:06 PM, amber438 said:

    That's strange because I've had mbam and eset together for years without issues.

    MBAM now registers itself in Microsoft Security Center as the active Win real-time solution just as Eset does. This is bound to lead to erratic and borked registration behavior as observed.

    This article: https://support.malwarebytes.com/hc/en-us/articles/360039024313-Register-Malwarebytes-for-Windows-v4-with-the-Windows-Security-Center shows how to disable MBAM Microsoft Security Center registration. This said, MBAM real-time scanning should be permanently disabled, which will do the same, as it's bound to conflict w/Eset real-time scanning in other ways.

  5. 1 hour ago, NewToThis said:

    Since none of the scans have actually found the xworm payload and have only found the initial .bat files from the archive, does that mean I should be in the clear?

    Did you actually extract the archive and run the .bat or any other executables in the extracted archive folder? If the answer is no, you are OK.

    The key item here is if the archive was extracted or not. If the archive has been extracted and you didn't do so manually, assume malware did so.

  6. 1 hour ago, Marcos said:

    That's expected cause we've blacklisted the site with the JS malware that was detected.

    The problem is I could fully access the web site w/o issue. No alert and no blocked access.

    1 hour ago, Marcos said:

    Now the new malware JS/Agent.RJZ trojan is detected on the main page as shown above.

    Correct. Alert now shown and web site access blocked.

  7. 10 minutes ago, Marcos said:

    You should be getting an alert like this:

    Strange. I am not getting any alert, but Eset Web Filtering is detecting and blocking it;

    Time;URL;Status;Detection;Application;User;IP address;Hash
    2/5/2024 9:22:22 AM;https://near.flyspecialline.com;Blocked;Internal blacklist;C:\Program Files\Mozilla Firefox\firefox.exe;xxxxxxxx;2606:4700:3033::6815:4c11;ACC1CEC6D99C83F3D99BC4D0FEFC058D349CA731

  8. 4 hours ago, Chawkes said:

    Also if I use the secure all browsers option (turn it ON), I start to experience random jumbled letters in what I type on screen

    The usual reason for this behavior is if additional anti-keylogger software such as KeyScrambler is installed on the device. This type of software will conflict with the anti-keylogger protection of the Secured browser feature.

  9. Since "unfortunate souls" keep posting in the forum about a way to decrypt their files w/o using Eset to prevent the ransomware in the first place, the following might be informative. Note that this tool applies to cryptors that perform partial file encryption and only for a limited number of file extension types;

    Quote

    CyberArk has created an online version of 'White Phoenix,' an open-source ransomware decryptor targeting operations using intermittent encryption.

    The company announced today that although the tool was already freely available through GitHub as a Python project, they felt an online version was needed for the less tech-savvy ransomware victims who don't know how to work with the code.

    Using the online White Phoenix is as simple as uploading files, hitting the "recover" button, and allowing the tool some time to restore whatever it can.

    Currently, the tool supports PDFs, Word and Excel document files, ZIPs, and PowerPoint. Also, the online version has a file size limit of 10MB, so if you're looking to decrypt larger files or virtual machines (VMs), the GitHub version is the only way to go.

    https://www.bleepingcomputer.com/news/security/online-ransomware-decryptor-helps-recover-partially-encrypted-files/

    Quote

    It was tested on BlackCat/ALPHV Ransomware, Play Ransomware, Qilin/Agenda Ransomware, BianLian Ransomware, and DarkBit.

    Intermittent encryption occurs when ransomware chooses not to encrypt every part of each file but instead encrypts sections, frequently in blocks of a set size or just the start of the targeted files.

    https://www.helpnetsecurity.com/2024/01/31/free-ransomware-recovery-tool-white-phoenix-web-version/

    White Phoenix web site here: https://getmyfileback.com/
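
    To illustrate the intermittent encryption described in the quotes above, and why a tool like White Phoenix can salvage part of a file, here is an added example (not White Phoenix's code and not from the original post) that flags high-entropy blocks as encrypted and reports the plaintext byte ranges that remain recoverable. The 1024-byte block size, the 7.0 bits/byte threshold, and the constructed sample file are assumptions made for the demonstration.

```python
import math
import random
BLOCK_SIZE = 1024  # assumed granularity of the intermittent encryption
THRESHOLD = 7.0    # bits/byte: ciphertext sits near 8.0, English text near 4-5

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify_blocks(data: bytes, block_size=BLOCK_SIZE, threshold=THRESHOLD):
    """Return (offset, length, looks_encrypted) for each fixed-size block."""
    out = []
    for off in range(0, len(data), block_size):
        chunk = data[off:off + block_size]
        out.append((off, len(chunk), shannon_entropy(chunk) >= threshold))
    return out

def recoverable_ranges(data: bytes, block_size=BLOCK_SIZE, threshold=THRESHOLD):
    """Merge adjacent plaintext blocks into [start, end) byte ranges."""
    ranges = []
    for off, length, encrypted in classify_blocks(data, block_size, threshold):
        if encrypted:
            continue
        if ranges and ranges[-1][1] == off:      # extends the previous range
            ranges[-1] = (ranges[-1][0], off + length)
        else:
            ranges.append((off, off + length))
    return ranges

def build_sample(blocks=8, encrypt_every=3, block_size=BLOCK_SIZE) -> bytes:
    """Constructed sample: readable text with every Nth block replaced by seeded
    pseudo-random bytes that stand in for ciphertext (nothing is encrypted)."""
    rng = random.Random(42)
    text = (b"The quick brown fox jumps over the lazy dog. " * 40)[:block_size]
    out = bytearray()
    for i in range(blocks):
        out += (bytes(rng.getrandbits(8) for _ in range(block_size))
                if i % encrypt_every == 0 else text)
    return bytes(out)

if __name__ == "__main__":
    sample = build_sample()
    print(classify_blocks(sample))
    print("recoverable:", recoverable_ranges(sample))
```

    On the constructed sample, blocks 0, 3 and 6 are flagged as encrypted and the three plaintext runs in between are reported as recoverable, which is the same per-file partial salvage that the White Phoenix write-ups describe for real intermittent encryption.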
