itman (Most Valued Members): Content Count 5,871; Days Won 167

Kudos

  1. Upvote
    itman received kudos from peteyt in Latest update BSOD.   
    FYI in regards to anyone using Win 10 Insider builds:
    https://www.onmsft.com/news/kaspersky-declines-support-windows-insider-builds-windows-10
    To the above, I add that just because Eset runs w/o issue on a Win 10 Insider build does not imply it is working properly. In other words, it is "user beware" in this regard.
  2. Upvote
  3. Upvote
    itman received kudos from Momber in Blue Screen after uninstalling Nod32   
    @Marcos post the regsvr32.exe command to unregister the service associated with edevmon.sys; believe that is edevmon. Then OP can run this from the command line option in Win 7 recovery environment.
    Hopefully Eset self-protections will not be in effect in recovery mode?
  4. Upvote
    itman received kudos from Momber in Blue Screen after uninstalling Nod32   
    Wishful thinking on my part as far as the above is concerned.
    Regedit is all that can be used in Win 7 recovery environment and the applicable registry hive must be loaded. Then service settings modified accordingly. Procedure is detailed here: https://support.microsoft.com/en-us/help/927525/after-you-install-a-device-or-update-a-driver-for-a-device-windows-vis
  5. Upvote
    itman received kudos from Momber in Blue Screen after uninstalling Nod32   
    Seems to me this still could be useful.
    Load the HKLM registry hive and navigate to the Services key per the Microsoft linked article. Open it up and determine if the following Eset services entries exist:
    eamonm, ehdrv, ekbddflt, ekrn, ekrnEpfw, epfw, epfwwfp, epfwlwf. Then run cd C:\Windows\System32\drivers and then dir.
    Next for all the above Eset services present in the Services key, verify that a corresponding .sys file exists in C:\Windows\System32\drivers.
    At least this will show what Eset driver is missing from C:\Windows\System32\drivers if that is indeed the issue.
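    A scripted version of the same cross-check, added here as an example and not part of the original post or of ESET's tooling: it loads an offline SYSTEM hive, reads the Services key of the control set the offline system boots with, and for each of the ESET service names listed above reports whether the entry exists and whether a driver's .sys file is actually present under System32\drivers. The offline volume path (D:\Windows) and the hive mount name (HKLM\OfflineSys) are assumptions.

    ```powershell
    # Added example (not from the forum post or ESET): cross-check the ESET
    # service entries listed above against System32\drivers using an offline
    # SYSTEM hive, e.g. from a second Windows install or a PE with PowerShell.
    # Assumptions: the non-booting Windows volume is reachable as D:\ and
    # HKLM\OfflineSys is a free hive mount name; run from an elevated prompt.
    param(
        [string]$WindowsRoot = 'D:\Windows',
        [string]$MountName   = 'OfflineSys'
    )

    # Service names from the post; ekrn is a user-mode service, the rest are drivers.
    $esetServices = 'eamonm','ehdrv','ekbddflt','ekrn','ekrnEpfw','epfw','epfwwfp','epfwlwf'
    $driversDir   = Join-Path $WindowsRoot 'System32\drivers'

    # Mount the offline SYSTEM hive under HKLM so the registry provider can read it.
    reg.exe load "HKLM\$MountName" (Join-Path $WindowsRoot 'System32\config\SYSTEM') | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $WindowsRoot" }

    try {
        $hive = "Registry::HKEY_LOCAL_MACHINE\$MountName"
        # The Select key says which ControlSet the offline system boots with.
        $current     = (Get-ItemProperty -Path "$hive\Select").Current
        $servicesKey = '{0}\ControlSet{1:D3}\Services' -f $hive, $current

        foreach ($svc in $esetServices) {
            $key = "$servicesKey\$svc"
            if (-not (Test-Path -Path $key)) {
                '{0,-10} no Services entry' -f $svc
                continue
            }
            $props = Get-ItemProperty -Path $key
            $image = [string]$props.ImagePath            # e.g. system32\DRIVERS\ehdrv.sys
            $leaf  = if ($image) { Split-Path -Path $image -Leaf } else { '' }

            if ($leaf -like '*.sys') {
                # A registered boot/system-start driver whose file is missing is a classic BSOD cause.
                $exists = Test-Path -Path (Join-Path $driversDir $leaf)
                '{0,-10} Start={1} Image={2} FileInDrivers={3}' -f $svc, $props.Start, $image, $exists
            } else {
                '{0,-10} Start={1} Image={2} (not a .sys driver; check the path manually)' -f $svc, $props.Start, $image
            }
        }
    }
    finally {
        # Always unload so the hive file is not left locked.
        reg.exe unload "HKLM\$MountName" | Out-Null
    }
    ```

    The mismatch the post is looking for is a line with Start=0 or Start=1 (boot or system start) and FileInDrivers=False: the registry still tells the kernel to load a driver whose file is gone. Note that the Win 7 recovery environment itself only offers a command prompt and regedit, so this script is for use from another Windows installation or a PE image that includes PowerShell; in plain WinRE the manual regedit procedure in the post applies.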
  6. Upvote
    itman received kudos from Momber in Blue Screen after uninstalling Nod32   
    @Marcos if the problem is in the Registry as you seem to be indicating, how about restoring the registry from its backup?
    This article is for Win 10 but the author indicates it should work for Win 7: https://pureinfotech.com/restore-registry-backup-windows-10/
    Further confirmed in this Microsoft TechNet discussion:
    -EDIT and Important- Ignore the Repair option given below. Repair on Win 7 is anything but straightforward as I recollect. The installation media version must match what ver. of Win 7 you have installed; e.g. SP2 media if Win 7 SP2 is installed.
    https://social.technet.microsoft.com/Forums/windows/en-US/50c51ee9-f25a-4286-9c8c-657b1c6f9868/recovering-windows-7-registry-hivesfiles
  7. Upvote
    itman received kudos from Momber in Blue Screen after uninstalling Nod32   
    Since you haven't been able to successfully boot that device, did you try the "Last known good configuration" option?
    Ref.: https://www.sevenforums.com/tutorials/666-advanced-boot-options.html
    If that doesn't work, did you try the "System Restore" option from the Win 7 Repair screen?
  8. Upvote
    itman received kudos from SeriousHoax in Windows Registry Helps Find Malicious Docs Behind Infections   
    This is a great article on how to perform security forensics after a malware attack to determine the source MS Office entity responsible:
    https://www.bleepingcomputer.com/news/security/windows-registry-helps-find-malicious-docs-behind-infections/
  9. Upvote
    itman received kudos from Momber in Blue Screen after uninstalling Nod32   
    Have you tried to perform a Win 7 Start Up Repair?
    Ref: https://www.technorms.com/33940/startup-repair-windows-7
  10. Upvote
  11. Upvote
    itman received kudos from Carl S in PowerShell/Runner.G   
    Just be careful about deleting stuff from the registry. Either back it up first, or export any keys being modified/deleted prior to any registry cleaning exercise.
  12. Upvote
    itman received kudos from Carl S in PowerShell/Runner.G   
    I suspect what the malware did was a registry Import or equivalent to get around Eset's detection of the malicious code.
  13. Upvote
    itman received kudos from Carl S in PowerShell/Runner.G   
    Also check out this reg key: HKCU:\Software\AppDataLow\Software\Microsoft\D4062752-23C4-26DB-4D48-07BAD1FC2B8E . This is what the PowerShell script was using.
    Have a feeling the "D4062752-23C4-26DB-4D48-07BAD1FC2B8E" sub-key has to go along with possibly the actual D4062752-23C4-26DB-4D48-07BAD1FC2B8E key itself.
  14. Upvote
    itman received kudos from SeriousHoax in Hips Configuration   
    Actually, there are better ways to deliver script based malware. That is, convert the script to a .exe.
    Here's an article on how to do so for a PowerShell script: https://www.ilovefreesoftware.com/19/windows/powershell-to-exe-converter.html . This will also allow me to password protect my script code so Eset can't scan it via heuristics. I then phish the target into entering the password via e-mail etc.
    Here's one for .bat scripts: https://www.addictivetips.com/windows-tips/convert-a-bat-script-to-an-exe-on-windows-10/ . Note this runs hidden.
    One for .vbs scripts: https://www.snapfiles.com/get/vbstoexe.html
    Finally and my favorite, one for Python scripts: https://ourcodeworld.com/articles/read/273/how-to-create-an-executable-exe-from-a-python-script-in-windows-using-pyinstaller . Note that Win AMSI does not scan Python scripts.
  15. Upvote
    itman received kudos from SeriousHoax in Hips Configuration   
    One other important point in regards to ransomware protection and any other malware that deploys scripts.
    Eset firewall rules need to be created to monitor outbound network traffic done by scripts and other commonly abused processes used by malware developers. Additionally, these firewall rules will serve as a backup mechanism to any like HIPS created rules in the event malware was able to bypass those. A very common technique employed by malware developers is to use scripts to connect to their remote C&C servers for the purpose of downloading their malicious payload executable or to stage a remote execution attack. How to create these firewall rules is given here: https://support.eset.com/en/kb6132-configure-firewall-rules-for-eset-endpoint-security-to-protect-against-ransomware .
    Finally, Eset best practices recommendations should be reviewed for additional ways to mitigate ransomware: https://support.eset.com/en/kb3433-best-practices-to-protect-against-filecoder-ransomware-malware .
  16. Upvote
    itman received kudos from Parsh in HIPS Ask rules auto-allowing actions after timeout   
    Pre-defined rules override any like user rules in regards to a specific action. With advanced HIPS logging enabled, one will observe wording in regards to user rules such as "partially allowed/blocked." This would be indicative of an Eset pre-defined rule taking precedence.
    Bottom line - one really does not know if a user HIPS rule is fully working as intended.
  17. Upvote
    itman received kudos from TheDeeGee in Problems excluding files from detection.   
    I personally believe that a global exclusion for AutoIt is a bad idea since it is bundled with a lot of installers. But "each to their own" on this subject.
  18. Upvote
    itman received kudos from BeanSlappers in Site being incorrectly blocked with parental control.   
    Appears to me, Eset needs to do some serious QC in regards to their tech support infrastructure. I have seen previous moderators comments that in-country tech support is supposed to escalate the issue to Eset corp. tech support if the issue can't be resolved locally. Based on forum postings where local tech support was contacted, it appears this escalation is not being performed. 
  19. Upvote
    itman received kudos from BeanSlappers in Very Strange Eset Behavior   
    Yesterday I was doing some system testing that caused hundreds of Eset desktop notifications. In my haste to stop those, I inadvertently and mistakenly turned off desktop notifications. No problem. Went into Eset GUI and re-enabled it.
    Now here is where it gets very strange. Afterwards all my Eset HIPS ask rules were suddenly auto allowing the activity. Additionally, I was no longer receiving any Eset confirmation for GUI setting changes.
    A system reboot returned everything back to normal. However, this behavior was a bit disturbing. 
  20. Upvote
    itman received kudos from BeanSlappers in Site being incorrectly blocked with parental control.   
    I am interpreting this to be if DNS over HTTPS is implemented in the browser, Parental Control won't work?
  21. Upvote
    itman received kudos from BeanSlappers in Eset Alert Bug - Google Search List   
    Actually, you should be receiving a PUA alert if not using Google Search. When using Google Search, there is no alert, but access is silently blocked and a PUA log entry created.
    In any case, you should not be allowed access to the pcrisk web site unimpeded.
  22. Upvote
    itman received kudos from Nightowl in hshipmenttracker.co/   
    A few final comments:
    1. Never ever install a browser extension/add-on from a web site request. Always install the extension from the Store associated with that particular browser.
    2. Never ever absolutely assume that a browser Store extension/add-on is 100% safe. Google notoriously, and Firefox to a lesser extent, do not test their Store extensions for malware prior to being placed in the Store. Apps are usually removed only after someone has discovered one to be malicious or of potentially unwanted status.
    3. Configure your browser such that extensions/add-on's are not automatically added. In other words, you must manually allow the request.
    4. AV solutions are, as a rule, quite poor in detecting browser extension/add-on malware. This is because the app is not a stand-alone executable but running as a processing extension to the browser.
  23. Upvote
    itman received kudos from Mirek S. in This really shouldn't be difficult, but it is   
    Where the confusion kicks in on Eset licensing options is they offer a multi-device license option: https://www.eset.com/us/home/multi-device-security/ . This license allows you to install Eset on any device where a supported product version exists.
    To add to the confusion depending on where you reside, Eset marketing in that country might offer a multiple pack option; usually up to 5 devices. So the result is a multi-device and multi-license subscription which allows any Eset product to be installed on up to 5 supported devices. The key to keeping all this straight is that Eset products have built-in restrictions; e.g. NOD32 has an option for Windows and Linux. The other Eset desktop products only support Windows. And obviously, the Eset mobile version is for Smart phones. 
  24. Upvote
    itman received kudos from Scotch in This really shouldn't be difficult, but it is   
  25. Upvote
    itman received kudos from Agathon in hshipmenttracker.co/   
    I will also add this situation needs to be addressed immediately since this "puppy" is not serving up adware and the like. But rather ransomware. Also based on the Joe Sandbox analysis screen shots, the web site involved is phishing the user into thinking he is actually uninstalling a browser extension whereas the reverse is actually happening.
    Refer to this article I posted a while back: https://forum.eset.com/topic/22398-pirated-software-is-all-fun-and-games-until-your-data’s-stolen/ .