itman

Most Valued Members
  • Content Count: 5,353
  • Days Won: 158

Kudos

  1. Upvote
    itman received kudos from Rami in Antivirus vendors push fixes for EFS ransomware attack method   
    https://www.zdnet.com/article/antivirus-vendors-scramble-to-fix-new-efs-ransomware-attack/
    Ref.: https://support.eset.com/en/ransomware-shield-bypass-mitigations
  2. Upvote
    itman received kudos from Rami in CVE-2020-0601: Windows CryptoAPI Spoofing Vulnerability   
    This is only the latest among numerous other ways to employ Win OS "living off the land" legit executables to perform hidden escalation to admin privileges. Thankfully, most, but not all, can be thwarted by setting UAC to its maximum setting. The issue is how many have UAC set to that level? Many don't care for its alerts at the default setting and will certainly object to more alerts at the maximum level. -EDIT- Then there is the real question of how many have the technical skills to effectively respond to an unexpected UAC alert.
    Finally, there is Microsoft's atypical statement that "UAC is not a security boundary."
    BTW - logging on under a standard user account will also prevent most of these hidden escalation attempts. 
  3. Upvote
    itman received kudos from User21000 in Need help understanding Botnet.CnC.Generic detection event   
    Eset does use a blacklist of known botnet C&C servers. Only they know what it contains.
    However, Eset also uses this Botnet detection for inbound brute force attacks. Another thread on the same alert here: https://forum.eset.com/topic/21967-increasing-botnetcncgeneric-detections/
  4. Upvote
    itman received kudos from hoopsdavis in CVE-2020-0601: Windows CryptoAPI Spoofing Vulnerability   
    The patch was included in the Jan. cumulative update for Win 10 released last Tues.
    For Win Server 2016 and 2019 which are also vulnerable, one will have to check with Microsoft on how the patch is being delivered or download the patch from the Win Catalog web site.
  5. Upvote
    itman gave kudos to Marcos in Multiple Notifications of exact same type   
    Site blocking is often interconnected with malware being active on a machine. E.g. if there's an undetected downloader running on a machine that continually attempts to download payload from a url that is blocked by Web access protection, alerts about blocked urls give the user an indication that something bad is going on there which should be looked at.
  6. Upvote
    itman received kudos from peteyt in Did You Recently Update to FireFox ver. 72?   
    Make sure you check for updates again:
    https://www.ghacks.net/2020/01/08/firefox-72-0-1-fixes-a-security-vulnerability-that-is-actively-exploited/
  7. Upvote
    itman received kudos from SeriousHoax in Files encrypted by ransomware   
    Since regasm.exe was used in this Nemty ransomware sample, I will point out that there are more stealthy methods to deploy it for malicious purposes as noted here: https://securelist.com/using-legitimate-tools-to-hide-malicious-code/83074/. One would be advised to monitor its execution per Mitre's recommendation: https://attack.mitre.org/techniques/T1121/ or, at least minimally, monitor via firewall rules any outbound communication from it.
  8. Upvote
    itman received kudos from peteyt in 9anime blocked bcz of HTML/scrlnjet.B trojan   
    Here is Quttera's detailed report on 9anime.to: https://quttera.com/detailed_report/9anime.to
    It found 23 malicious JavaScript files on the web site. All appear to be hosted at defpush.com.
  9. Upvote
    itman received kudos from Mekail wardak in 9anime blocked bcz of HTML/scrlnjet.B trojan   
    You shouldn't do it since the site is being detected as hosting malware.
  10. Upvote
    itman received kudos from Aryeh Goretsky in Again & again coming message window   
    It is unclear what you want to do.
    Refer to this Eset knowledgebase article for options available when the potentially unwanted application alert appears: https://support.eset.com/en/what-is-a-potentially-unwanted-application-or-potentially-unwanted-content
  11. Upvote
    itman received kudos from shapoor.hesami in VIRUS UPDATE   
    A 130 MB download would indicate this is an Eset software update: most likely a version upgrade.
    Stated ISP rated connection speed is grossly overstated in most cases. Your actual download speed is probably half of advertised speed at best.
  12. Upvote
    itman received kudos from mohammad51 in ESET System Cleaner not working   
    A sure fire way to get banned from this forum is to keep posting the same topic repeatedly. @Marcos has responded to your previous posting.
  13. Upvote
    itman received kudos from Aryeh Goretsky in Important question regarding ESET at a startup.   
    In Win 10, Eset uses the Early Launch Anti-Malware, i.e. ELAM, driver to load its kernel process drivers prior to any other non-device drivers. You can read about ELAM here: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/early-launch-antimalware
  14. Upvote
    itman received kudos from pps in Snatch ransomware reboots PCs in Windows Safe Mode to bypass antivirus   
    Off the top of my head, the best way to prevent this is to create a HIPS rule to monitor the running of shutdown.exe. Note that malware since the XP days has used this to force a reboot to run their nasty at boot time. As such, it would not surprise me that Eset already has a built-in HIPS rule to monitor the startup of shutdown.exe.
  15. Upvote
    itman received kudos from SeriousHoax in Files encrypted by ransomware   
    I have long argued that what is needed is a "professional" version of Eset consumer products. For example, the above mentioned EES 7.2 aggressive option could be one feature provided. Another I would like to see is more aggressive reputational scanning options such as the ability to alert/block unknown non-system processes and the like. Etc., etc.
    To date, this has fallen on "deaf" Eset ears.
  16. Upvote
    itman received kudos from Norm@Home in Security Camera / EIS says it's sending malicous content?   
    Review this: https://support.eset.com/en/identical-ip-addresses-detected-in-network.
    My best guess is the network adapter installed in this notebook is not assigning a unique IP address to the web camera for some reason.
    I suspect this Eset alert is an IDS one. You might have to create an IDS exception in Eset for this.
  17. Upvote
    itman received kudos from BALTAGY in Files encrypted by ransomware   
    I have long argued that what is needed is a "professional" version of Eset consumer products. For example, the above mentioned EES 7.2 aggressive option could be one feature provided. Another I would like to see is more aggressive reputational scanning options such as the ability to alert/block unknown non-system processes and the like. Etc., etc.
    To date, this has fallen on "deaf" Eset ears.
  18. Upvote
    itman received kudos from Rami in disable EIS and have windows defender running instead   
    Seems to be effective. I haven't seen a published bypass of it to date.
  19. Upvote
    itman received kudos from pps in HIPS Problem   
    I suspect your problem is how you coded your HIPS rule for the Brave browser. You coded "C:\Users\\AppData ............... Wildcards of any type are not supported in file path names other than at the end of the path name; e.g. .......\* or ........\*.*.
    Add the missing user name; e.g. "C:\Users\xxxxxx\AppData .........", and retest.
  20. Upvote
    itman received kudos from BeanSlappers in The PC Security Channel [TPSC] vs Eset 2020   
    Yes.
    99.33% on Proactive Detection and 100% on Clean system. I consider this quite a good score given the PC Security Channel's testing methods.
    So I guess we have the first ad hoc of Augur's advanced machine learning capability.
  21. Upvote
    itman received kudos from Mirek S. in User Interface will not display   
    Refer to the screenshot you posted. A Start Mode of Minimal will only allow notifications to be displayed.
    Appears the Manual setting is what you desire:
    https://download.eset.com/com/eset/apps/business/ees/windows/latest/eset_ees_7_userguide_enu.pdf
  22. Upvote
    itman received kudos from peteyt in is Teamviewer Secure? on my server.   
    https://www.howtogeek.com/257376/how-to-lock-down-teamviewer-for-more-secure-remote-access/
  23. Upvote
    itman received kudos from Azure Phoenix in Future changes to ESET Internet Security and ESET Smart Security Premium   
    Microsoft added Tamper Protection in Win 10 1903. Oddly, it has to be manually enabled.
    I keep looking for a published bypass of it, but so far so good for Microsoft. It also appears to "have held its own" against the latest and greatest version of Trickbot which tried its darnedest to disable it:
    https://www.bleepingcomputer.com/news/security/new-trickbot-version-focuses-on-microsofts-windows-defender/
    Such cannot be said for MalwareBytes or Sophos.
  24. Upvote
    itman received kudos from persian-boy in Future changes to ESET Internet Security and ESET Smart Security Premium   
    Add option to the real-time scanner to block obfuscated PowerShell scripts. Option would be dependent upon the Win 10 AMSI option being enabled in the Eset GUI.
    Justification
    Microsoft added a like mitigation in the form of a Windows Defender Exploit Guard ASR mitigation effective with Win 10 1709. ASR mitigations are only effective if Windows Defender is enabled as the realtime scan engine.
    Further justification is Eset's failure to detect malware in highly obfuscated PowerShell scripts in a Malware Research Group ad hoc test: https://www.mrg-effitas.com/research/current-state-of-malicious-powershell-script-blocking/
  25. Upvote
    itman received kudos from Azure Phoenix in Future changes to ESET Internet Security and ESET Smart Security Premium   
    Add option to the real-time scanner to block obfuscated PowerShell scripts. Option would be dependent upon the Win 10 AMSI option being enabled in the Eset GUI.
    Justification
    Microsoft added a like mitigation in the form of a Windows Defender Exploit Guard ASR mitigation effective with Win 10 1709. ASR mitigations are only effective if Windows Defender is enabled as the realtime scan engine.
    Further justification is Eset's failure to detect malware in highly obfuscated PowerShell scripts in a Malware Research Group ad hoc test: https://www.mrg-effitas.com/research/current-state-of-malicious-powershell-script-blocking/