
itman

Most Valued Members
  • Content Count: 3,604
  • Days Won: 122

Kudos

  1. Upvote
    itman gave kudos to AGH1965 in Idle Time Scanning Question?   
    According to ESET Online Help it will. Logging off can be used as a trigger for idle-state scanning.
  2. Upvote
    itman received kudos from Rami in Win64.Vools.L Can not be cleaned   
    Appears to me, the clients got nailed by a true 0-day malware. Also, it appears Eset created a new signature for this bugger, Win64/Vools.P.
    It is encouraging that Eset was still able to detect it via AMS using a prior variant DNA signature.
    BTW - what was the source of the svchost.exe injection?
  3. Upvote
    itman received kudos from Clark T in Has There Been A Change To Banking & Payment Protection?   
    Thanks for the feedback. Would suggest Eset post an announcement when a change to GUI-related components is made, especially in regards to B&PP, since many are sensitive to any changes in that area possibly due to the malware.
  4. Upvote
    itman received kudos from persian-boy in Has There Been A Change To Banking & Payment Protection?   
    The content isn't showing.
  5. Upvote
    itman received kudos from persian-boy in Installed poweriso and eset is blocking websites   
    My question is why is this type of software attempting to connect to the Internet with the activity you posted? It is basically just software to create a .iso file for the most part. At most, the only outbound connection it would need is to the vendor's server for software updates.
  6. Upvote
    itman received kudos from Hijin25 in EIS blocks toolslib.net   
    I just scanned toolslib.net using the Qualys SSL Server check and they gave the site an A+ rating: https://www.ssllabs.com/ssltest/analyze.html?d=toolslib.net&s=51.15.229.92&latest . All certs look OK except they are using a self-signed Let's Encrypt cert. Only thing Qualys noted was:
    OCSP STAPLING ERROR: OCSP response expired on Tue Mar 05 18:00:00 UTC 2019
  7. Upvote
    itman received kudos from Hijin25 in EIS blocks toolslib.net   
    You will have to be patient and let @Marcos get back to you with whatever issue Eset is detecting with the web site. If you immediately have to download AdwCleaner for some reason, you can do so via the bleepingcomputer.com link I posted previously.
  8. Upvote
    itman received kudos from Hijin25 in EIS blocks toolslib.net   
    Appears the issue has been resolved. I can download AdwCleaner from the Malwarebytes site w/o issue.
  9. Upvote
    itman received kudos from Debner in The Credentials used to access ESET LiveGrid servers are not correct.   
    Did you enter the new license key into the currently installed expired Eset version?
    I suspect any registration info on Eset servers got wiped/hosed after the currently installed Eset version expired.
    Suggest you perform the following:
    1. If you made any custom changes to NOD32, export your current settings.
    2. Uninstall your current Eset version using Windows Control Panel -> Programs -> Uninstall a program.
    3. Reboot your PC; Eset should instruct you to do so - if it doesn't, reboot anyway.
    4. Download current version of NOD32 here: https://support.eset.com/kb2885/?locale=en_US&viewlocale=en_US .
    5. Reinstall Eset and enter your new license key. Reboot your PC if Eset instructs you to do so to complete the installation.
    6. Import your old Eset settings if you previously exported them.
  10. Upvote
    itman received kudos from persian-boy in EFI/ COMPUTRACE   
    Do all the devices have UEFI? Older PCs don't and just have a BIOS.
  11. Upvote
    itman received kudos from persian-boy in Malware removal being extremely slow   
    I am "dying of anticipation." Has "block at first sight" LiveGrid cloud scanning been added?
  12. Upvote
    itman received kudos from Aryeh Goretsky in Firewall is not working partly. Is it a bug or a hack?   
    https://support.eset.com/kb3678/?segment=home  
  13. Upvote
    itman received kudos from Peter Randziak in ESET Smart Security Suite with other 3rd party malware scanners   
    FYI - MSRT is downloaded and run with each Win Update monthly cumulative update as noted in the link reference posted below. Therefore, there is no need to download it separately. It is also of dubious effectiveness:
    https://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx
    As far as Microsoft Safety Scanner, which is a bootable media installation, you can create a more effective similar solution using the Eset "SysRescue Live" option available in the Eset GUI Tools section.
    Bottom line - Eset provides you with all the system security you need.
  14. Upvote
    itman received kudos from bbenz in TCP SYN Flood Attack - Router IP   
    There are a lot of 207.69.0.0/16 subnet addresses in the log you posted. That IP address range is allocated to Earthlink.net. Is Earthlink your ISP? I would contact their tech support about all these TCP SYN ACK transmissions you are receiving and that are being blocked as a DoS attack by your router. You can refer them to your log upload link above. Also one specific IP address I checked, 207.69.195.84, has an imap. prefix for its associated domain name. This makes me think there might be an issue perhaps with their e-mail servers.
    Somewhat of a mystery is IP address, 23.34.140.54, which appears to be a legit Akamai address. Again, it appears the issue lies with the transmissions being forwarded by your ISP.
    Also your log shows WAN side router DoS attacks being detected and supposed to be dropped by the router there. As far as I am aware, Eset is unaware of this activity and is only monitoring LAN side router activity. It appears the router is "leaking" WAN side DoS activity to the LAN side and this is what Eset's IDS is detecting. You would have to discuss this with Netgear as to why this might be happening.
    One possibility is that the router has been compromised with malware. Another is the DoS attacks have overwhelmed the router's blocking capability; not a pleasant possibility. Or for some unknown reason, this is by design in regards to TCP SYN Flood attack detection. For the time being, you can modify Eset IDS behavior in regards to this detection not to constantly alert you but still block it and log it if so desired. Refer to this: https://support.eset.com/kb2939/?locale=en_US&viewlocale=en_US on how to do so. If Netgear later informs you this is desired behavior, you can change the Eset IDS actions for this activity for block, notify, and log to "No."
  15. Upvote
    itman received kudos from SCR in I can't see "Refer your friend" button!   
    I have a solution to this issue.
    Drop the GUI referral option altogether. Return to the prior e-mail based referral option as done in the past: https://www.dmnews.com/channel-marketing/social/news/13059759/eset-deploys-forwardtoafriend-emails-to-boost-sales-and-customer-acquisition which is less likely to be abused. Also, the forum won't be cluttered up with never ending postings about the issue.
  16. Upvote
    itman received kudos from Azure Phoenix in Eset taking up a lot of my CPU usage   
    Here's a recent posting on the Malwarebytes forum where an Avast user was having similar issues: https://forums.malwarebytes.com/topic/241898-avast-service-high-cpu-and-malwarebytes-web-protection/ . Appears they recently updated MBAM which appears to have resolved that issue. So you might want to try to do the same.
    The bottom line is MBAM 3.x is conflicting with a lot of other AV solutions. You should never be running more than one AV in realtime mode. It is recommended that MBAM realtime scanning be disabled and it only be used as a second-opinion on-demand scanner.
  17. Upvote
    itman received kudos from Peter Randziak in Ransomware or Exploits - Which Are More Likely To Attack You?   
    According to Fortinet which does annual threat landscape reporting, the "hands down winner" is exploits:
    https://www.fortinet.com/corporate/about-us/newsroom/press-releases/2017/fortinet-threat-landscape-report.html
    Therefore one's number one security priority should be ensuring all their devices have applied all available OS and app software patches as soon as they are available.
  18. Upvote
    itman received kudos from Moneesh in Frequently receiving notification of blocked website   
    Make sure you create an Eset firewall to block outbound C:\Windows\SysWOW64\dllhost.exe traffic as you did for the Win firewall. Set the logging level to warning. Then periodically monitor the Eset Networking log for any entries related to dllhost.exe. If no log entries appear after a few days, then we can safely assume the TinukeBot trojan has been removed.
    You need to create the Eset firewall rule since Eset disables the Win firewall.
  19. Upvote
    itman received kudos from Moneesh in Frequently receiving notification of blocked website   
    Possible but doubtful. I suspect the attacker switched to a URL not currently blacklisted by Eset.
    Modify the firewall rule you created to block inbound and outbound activity for C:\Windows\SysWOW64\dllhost.exe instead of the previous IP address. As far as I am aware, this process should never perform any Internet activity. Assuming you are using the Win firewall, check its firewall log for blocked dllhost.exe connections.
  20. Upvote
    itman received kudos from Moneesh in Frequently receiving notification of blocked website   
    As posted above, here's the download link: ftp://ftp.nod.sk/samples/svchecker/ESETSysVulnCheck.exe
    Right click on the downloaded file and run it as administrator. It will create a zipped file in your Downloads folder. Attach that to your reply.
    After seeing you are still vulnerable to the EternalBlue exploit, I am "bowing out" from any further replies.
  21. Upvote
    itman received kudos from Moneesh in Frequently receiving notification of blocked website   
    As far as the TinukeBot trojan, Symantec has a write-up on it dating to 2017. It is a backdoor and probably what is establishing the remote C&C connection. That variant was run via:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"" = "%AppData%\[RANDOM NUMBERS FOLDER NAME]\[RANDOM NUMBERS FILE NAME].exe"
    So it might be worth a look at the registry run keys; especially the HKEY_CURRENT_USER ones.
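As an added example (not code from the post, from ESET or from Symantec), here is a Python script that applies the Run-key check suggested above to a registry export rather than a live machine: it parses a constructed .reg fragment of the HKCU Run key and flags entries whose command matches the %AppData%\[random digits]\[random digits].exe pattern quoted from the write-up. The sample entries, the regexes and the function names are my own assumptions.

```python
import re

# Constructed sample in Windows .reg export format. The empty-name ("") entry mirrors the
# pattern quoted from the Symantec write-up; the other entries are benign autoruns for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
""="%AppData%\\5839204\\72093481.exe"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\91827364\\10293847.exe"
"Discord"="C:\\Users\\alice\\AppData\\Local\\Discord\\Update.exe --processStart Discord.exe"
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>"(?:[^"\\]|\\.)*"|[^"].*)$')
# Command data shaped like %AppData%\<digits>\<digits>.exe, whether the variable is left
# literal or already expanded to ...\AppData\Roaming\...
SUSPECT_RE = re.compile(r'(?:%AppData%|\\AppData\\Roaming)\\\d+\\\d+\.exe', re.IGNORECASE)


def unescape(s):
    """Strip the quotes around a .reg string and undo its \\\\ and \\" escapes."""
    if s.startswith('"') and s.endswith('"'):
        s = s[1:-1]
    return s.replace('\\\\', '\\').replace('\\"', '"')


def find_suspect_autoruns(reg_text):
    """Return (key, value name, command) for every Run-key entry matching SUSPECT_RE."""
    hits = []
    current_key = None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current_key = m.group('key')
            continue
        # Only values under a ...\CurrentVersion\Run key are of interest here.
        if current_key is None or not current_key.lower().endswith(r'\currentversion\run'):
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name = '(default)' if m.group('name') in ('@', '""') else unescape(m.group('name'))
        data = unescape(m.group('data'))
        if SUSPECT_RE.search(data):
            hits.append((current_key, name, data))
    return hits


if __name__ == '__main__':
    for key, name, data in find_suspect_autoruns(SAMPLE_REG):
        print(f'SUSPECT  {key}  {name!r} = {data}')
```

On a real machine the same function can be fed the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`; the HKLM Run and RunOnce keys are worth exporting and checking the same way.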
  22. Upvote
    itman received kudos from Moneesh in Frequently receiving notification of blocked website   
    Pretty sure this is the bugger: https://www.virusradar.com/en/Win32_Tinukebot.B/description since it's using dllhost.exe:
    And again, starts from:
  23. Upvote
    itman received kudos from fvmb in Ping ICMP Echo Reply Rule   
    Personally, I never was concerned about unsolicited incoming echo reply requests since my router's firewall blocks them by default.
    As far as Eset goes, I have it set to defaults in regards to Known Networks; i.e. use Windows Settings. The Win firewall is set to Public profile.
    Also for the record, the Eset default inbound firewall rule for ICMP IPv4 does not specify Trusted Networks in its Remote setting field. This would be the proper setting for the other ICMP protocol settings other than Echo Reply. Bottom line - you have a bug in that default ICMP rule. -EDIT- Actually, it doesn't matter if external incoming echo reply requests are allowed since Eset will only allow corresponding outgoing echo response requests from the Trusted Network. The only concern would be an ICMP flood attack which Eset's IDS will detect and alert.
  24. Upvote
    itman received kudos from fvmb in Ping ICMP Echo Reply Rule   
    Below is a screen shot of Eset default firewall rule for inbound IPv4 ICMP including echo reply:

    Assuming you want to block inbound IPv4 ICMP echo reply, you need to create a similar rule specifying only ICMP Type/code of "0" less the quote marks. Set the Name field to "Block incoming ICMP echo reply communication." Set Action field to Block. Set Protocol field to ICMP. Set Logging severity to "Warning" if you want the event to be logged. Checkmark the "Notify user" field if you want to be alerted to block activity occurring. Click on the OK button to create your rule.
    Your rule will now be positioned at the bottom of all prior existing rules. You now must position the rule using the arrow keys provided to immediately preceding the existing default incoming ICMP rule. Click on the OK tab and any subsequent shown one to save your changes. Finally, reenter the Firewall rules editor and validate your rule is positioned correctly.
    Note: Eset processes firewall rules in top-to-bottom order. Your created block inbound ICMP echo reply rule will always be executed prior to the existing allow one.
  25. Upvote
    itman received kudos from td1958 in Purchased ESET Internet Security 2019 - 3 PCs From NewEgg   
    It appears that Newegg.com is shipping a "boxed" version of Eset. The license key is contained within the box on a printed page.
    You can install EIS in trial version mode now. When you receive the boxed version of Eset, you can then upgrade Eset to a fully paid version by just entering the license key you received. You do so by opening the Eset GUI and proceeding to the "Help and Support" section. Click on the "Change License" button. Click on the "Use a purchased License Key" option and enter your license key contained within the Eset box you received from Newegg.com.