itman

Most Valued Members
  • Content count: 2,153
  • Joined
  • Last visited
  • Days Won: 84

Kudos

  1. itman liked a post in a topic by stackz in Update 11.1.42 Event error ScRegSetValueExW   
    Here is the HIPS record for the "error" that occurs during the boot process:
    C:\Windows\System32\services.exe;Modify registry;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ekrn\FailureActions;blocked;Self-Defense: Registry with full protection;  
  2. persian-boy liked a post in a topic by itman in HIPS and some problems.   
    The "unknown operation" alert was triggered when an "ask" rule was present to monitor all file operations.
    Could this be one of Eset's hidden HIPS rules that monitor ransomware activities being triggered perhaps?
  3. 0xDEADBEEF liked a post in a topic by itman in CAD Malware Scan Based On Extension?   
    This article might be of some help: http://www.afralisp.net/archive/lisp/custom.htm .
    As I interpret things, .mnl files are created on the fly based on AutoCAD usage. The default ones mentioned in the article are:
    acad.mnl
    mymenu.mnl
    acetmain.mnl
    Of note is for every .mnu file that exists, there must be a corresponding .mnl file.
  4. persian-boy liked a post in a topic by itman in Changed LiveGrid Behavior Under Ver. 11.1.42   
    I wouldn't be concerned about it. @Marcos explained in another thread Eset's pico updates are being streamed this way.
    Hopefully, this will eliminate past LiveGrid update "snafus."
  5. persian-boy liked a post in a topic by itman in Changed LiveGrid Behavior Under Ver. 11.1.42   
    Disabling OPP has no effect.
    Also, I was wrong about it being related to browser use. Connections are occurring long after the browser has been closed, as shown in the screenshot below. They are also quite frequent. If this is blacklist updating, it is occurring almost continuously:
  6. persian-boy liked a post in a topic by itman in Changed LiveGrid Behavior Under Ver. 11.1.42   
    Enabled LiveGrid logging and nothing shown in the Event log.
    Below is a TCPView screenshot of what I am observing. Also, the packet count, 6, and byte count, in the 3K range, are what I am observing. Will get the logs to you shortly.

  7. persian-boy liked a post in a topic by itman in Changed LiveGrid Behavior Under Ver. 11.1.42   
    To begin with, I have all LiveGrid upload settings disabled.
    What I am observing is LiveGrid upload/download activity upon close of a browser session to IP address 91.228.166.150, for example. If Eset is now scanning browser cache, temp file, etc. data in the cloud, that is fine. However, they should publicly state they are now doing so.
  8. Peter Randziak liked a post in a topic by itman in ESET blocks l2tp connections   
    Your VPN provider is not doing his job properly. He should have immediately recognized what the problem is.
    To use L2TP VPN, special firewall rules are required. If you have the Eset firewall set to default configuration, then it is also using the Win firewall inbound rules. Those rules need to be modified as noted in this article: https://www.magnumvpn.com/setup-windows-10-firewall-l2tp.html . Although the article is for Win 10, the firewall rules are applicable to Win 7.
    Possibly, Eset's firewall rules will also have to be modified with regard to UDP ports 50, 500, 4500 to allow unrestricted inbound access. Also, I don't know if Eset's firewall has the equivalent of the Win firewall IPsec authentication; I don't believe so.
  9. k.crabbe liked a post in a topic by itman in Event id 7006 scregvaluexw   
    Actually if you Google on ScRegSetValueExW, noted is that the Win event is logged for almost all AV products.
  10. 0xDEADBEEF liked a post in a topic by itman in VB100 RAP Test   
    Might also be informative to post what the RAP test is about. Also of note is that Kaspersky no longer participates; perhaps because System Watcher is not enabled by default:
    https://www.virusbulletin.com/testing/vb100/vb100-methodology/vb100-methodology-ver1/
  11. persian-boy liked a post in a topic by itman in Please read: Network threat blocked   
    Prior Huawei routers and modems have been riddled with vulnerabilities: http://www.securitynewspaper.com/2015/12/03/critical-vulnerabilities-3g4g-modems/ .
    I would advise doing a bit of research on your particular model and ensure it does not have any known security issues and if so, are patches available from the manufacturer.
  12. Peter Randziak liked a post in a topic by itman in Eset Server Users - You Need to Patch Now!   
    In light of these RDP attacks showing up in the Malware forum section, this is a must read.
    CredSSP Vulnerability Affects RDP and WinRM on All Windows Versions
    https://www.bleepingcomputer.com/news/security/credssp-vulnerability-affects-rdp-and-winrm-on-all-windows-versions/
  13. persian-boy liked a post in a topic by itman in Eset failed to stop ransomware   
    It has worm-like characteristics, hence the movement throughout the network. On the desktop that was attacked initially, did you verify that all Eset protections were enabled? That is, the firewall was not in a paused state, etc.?
    Also if you have RDP enabled on the workstations, you need to read this: https://forum.eset.com/topic/14929-eset-server-users-you-need-to-patch-now/
  14. persian-boy liked a post in a topic by itman in VB100 RAP Test   
    Malware will try to disable network connections if it can. This is especially true during its payload installation phase.
    Depending on the AV product used, the lack of Internet access could have a major impact on product effectiveness. Windows Defender, for example, is heavily dependent on cloud scanning for detection of recently deployed malware. Ditto for Panda, which is 100% cloud based. Even products such as Eset can be impacted. LiveGrid would not be available for reputational evaluation purposes. Note that LiveGrid is an integral part of Eset's ransomware protection. Eset's internally used blacklists could not be updated, etc.
    Products that employ behavioral analysis in addition to conventional AV malware detection methods such as signature analysis do well on this test. Hence the high scores given to Emsisoft and Bitdefender. The exception is Trustport, usually the highest scoring product in this test. It deploys an aggressive HIPS. As such, Trustport doesn't participate in other AV lab tests since its resultant high false positive (FP) detection as a result of the HIPS aggressiveness would place it in the bottom tier of test scores. BTW - the highest score ever given on the RAP test was by PCMatic, which scored 99.9% in both the proactive and reactive tests. The reason? PCMatic is a whitelist or anti-exec solution. Finally, note that the RAP tests do not factor in FP count. PCMatic's FP rate in these tests has been "in the stratosphere," although I notice it has improved considerably in the latest AV-Test lab test.
  15. persian-boy liked a post in a topic by itman in VB100 RAP Test   
    Good question. I have been wondering the same. Somewhat puzzling since Eset always had a respectable score on the test.
  16. itman liked a post in a topic by 0xDEADBEEF in VB100 RAP Test   
    Just out of curiosity... Is there a reason that ESET didn't participate in recent VB100's RAP test? The latest one for ESET was on 2017-04.
  18. persian-boy liked a post in a topic by itman in Different ESET Internet Security settings over different accounts   
    No need to do this. It is disabled by default on Win 10 and there is in reality, no way to enable it: http://you-cant-enable-guest-account-windows-10-stop-trying .
    In regards to the OP's original firewall concern, the firewall Interactive mode really only protects against already resident malware outbound connections. The firewall's primary objective is to prevent unwanted inbound malware traffic.
    Eset does have the capability to create specific rules to be applied using firewall profiles. You can read about that here: http://help.eset.com/eis/11/en-US/idh_config_epfw_profiles_group.html . This capability however is conditioned by network adapter use. One possibility is if the default limited Admin account uses an Ethernet connection and the router also has Wi-Fi capability, restrict the standard user account to using the Wi-Fi connection only. Then firewall rules could be created for a profile and that profile assigned to the Wi-Fi adapter.
  19. Lockbits liked a post in a topic by itman in PowerShell infection by Win64/Agent.IV trojan   
    Applying OS patches will only prevent any further exploiting activity. It will not help if you're currently infected.
    Besides malware using a WMI consumer event for persistence, which I am sure you are aware of, a few other possible areas used are:
    1. Registry associated Run keys and Win directories used for app startup at boot time.
    2. Scheduled tasks that run at boot time. These also can be timer triggered to startup after boot time.
    3. Installation of a malware service that starts at boot time. Service could be associated with a malicious driver.
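    Added example, not from the forum post above: a read-only PowerShell triage script that surveys the persistence locations the post lists (WMI permanent event consumers, Run keys and startup folders, scheduled tasks, auto-start services and drivers). It changes nothing on the host and only builds a table for review. The "binary outside the Windows directory" filter for services and drivers is a coarse triage heuristic assumed here, not a verdict; plenty of legitimate software lives outside that directory, and a malicious driver can sit inside it.

```powershell
# Constructed triage script (not ESET's or the forum author's code).
# Run from an elevated Windows PowerShell 5.1+ session on the suspect host.
# Everything below is read-only; review the resulting table by hand.

$report = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string]$Area, [string]$Name, [string]$Detail)
    $report.Add([pscustomobject]@{ Area = $Area; Name = $Name; Detail = $Detail })
}

# 1. Registry Run/RunOnce keys (machine-wide and current user) plus the
#    per-machine and per-user Startup folders.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider bookkeeping properties (PSPath, PSParentPath, ...).
        if ($p.Name -notmatch '^PS') { Add-Finding 'Run key' "$key\$($p.Name)" $p.Value }
    }
}
$startupDirs = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)
foreach ($dir in $startupDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -File -Force |
            ForEach-Object { Add-Finding 'Startup folder' $_.Name $_.FullName }
    }
}

# 2. Enabled scheduled tasks: record the trigger kinds (Boot, Logon, Time, ...)
#    next to each executable action so timer-triggered tasks stand out.
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task = $_
    $triggers = ($task.Triggers | ForEach-Object {
        $_.CimClass.CimClassName -replace '^MSFT_Task', ''
    }) -join ','
    foreach ($a in $task.Actions) {
        # COM-handler actions have no Execute property and are skipped here.
        if ($a.Execute) {
            Add-Finding 'Scheduled task' "$($task.TaskPath)$($task.TaskName)" "[$triggers] $($a.Execute) $($a.Arguments)"
        }
    }
}

# 3. Auto-start services and boot/system-start drivers whose image path is
#    outside %SystemRoot% (coarse heuristic; see lead-in).
$sysRoot = [regex]::Escape($env:SystemRoot)
Get-CimInstance Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -notmatch "^`"?$sysRoot" } |
    ForEach-Object { Add-Finding 'Service (non-Windows path)' $_.Name $_.PathName }
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.StartMode -in 'Boot', 'System', 'Auto' } |
    ForEach-Object {
        # Normalise kernel-style prefixes (\??\ and \SystemRoot) before comparing.
        $norm = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if ($norm -notmatch "^$sysRoot") { Add-Finding 'Driver (non-Windows path)' $_.Name $_.PathName }
    }

# 4. WMI permanent event subscriptions: filters (the WQL that fires them) and
#    consumers (what runs). Absence of the namespace yields nothing, not an error.
Get-CimInstance -Namespace root\subscription -ClassName __EventFilter -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'WMI filter' $_.Name $_.Query }
foreach ($class in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') {
    Get-CimInstance -Namespace root\subscription -ClassName $class -ErrorAction SilentlyContinue |
        ForEach-Object {
            $detail = if ($_.CommandLineTemplate) { $_.CommandLineTemplate } else { $_.ScriptText }
            Add-Finding 'WMI consumer' $_.Name $detail
        }
}

$report | Sort-Object Area, Name | Format-Table -AutoSize -Wrap
```

    Compare the output against a known-good machine of the same build where possible; on a clean host the WMI consumer section is usually empty, and unfamiliar entries in the Run key and scheduled task sections are the first things to check against the indicators ESET reported.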
  20. MasterTB liked a post in a topic by itman in Home Network Issues   
    Another possibility is this is the cable set top box your TV is connected to as I initially assumed. If you look at the screen shot you posted in regards to it, the URL shown is associated with your cable provider. It does not show up in your router's DHCP list because the device itself has no Internet connectivity.
    As far as telecom tech support capability in things like this, their technical knowledge in many cases leaves a lot to be desired. A lot of the support is off-shored to the cheapest provider they can find.
  21. jadinolf liked a post in a topic by itman in Firewall rules   
    Not quite by a long stretch. It's a simple two-way firewall designed to be an add-on to the Win firewall. It has no IDS protection. It has been and is buggier than hell: https://www.wilderssecurity.com/threads/gave-up-on-tinywall.396865/ .
  23. Azure Phoenix liked a post in a topic by itman in Firewall rules   
    The default svchost.exe firewall rules cover the basic services used in internal and external network communication. These are: DNS, DHCP, NTP, SSDP and ICSLAP (i.e. UPnP), RPC, RDP, Web Services Discovery, and PNRP. Also note that depending on the IDS options selected, these default rules can change.
    Additionally, the Eset firewall has an option to use Windows firewall inbound rules, which some find useful, especially in Win 10, since it includes default rules for Windows app processes.
    The primary purpose of the Eset firewall, and any firewall for that matter, is to block unsolicited inbound communication. As far as providing default outbound app and system process rules not directly related to basic network connectivity, that is impractical to do since each PC software configuration is different. The recommended procedure for creating such rules is to enable the firewall's training mode. In this mode all inbound and outbound traffic will be learned and corresponding rules created. After a few days, switch the firewall mode to interactive if you wish to monitor all outbound network traffic in the firewall. This learning procedure can be sped up by booting a few times, opening up all apps that require outbound network connections, running Win Updates, and similar activity.
    Another option is to open the Win firewall and manually duplicate all outbound rules there in the Eset firewall. Note that the Win firewall only includes rules for Win apps and system processes. You will still have to manually create rules for browsers, PDF readers, etc.
  24. TomFace liked a post in a topic by itman in Gave incorrect network access to app - how to change?   
    As a rule, the public network setting is the most secure firewall setting. And it's applicable whether one is using the default Windows firewall or a third-party solution. For example, when using the public firewall profile, all network file sharing to the device is automatically disabled.
  25. persian-boy liked a post in a topic by itman in Code Signed Encrypted Malware   
    Something Eset needs to look into: https://go.recordedfuture.com/hubfs/reports/cta-2018-0222.pdf