
itman

Most Valued Members
  • Content Count: 3,284
  • Joined
  • Last visited
  • Days Won: 115

Kudos

  1. Upvote
    itman received kudos from BALTAGY in MalwareTips   
    Proofpoint published an article titled, LCG Kit: Sophisticated builder for Malicious Microsoft Office Documents, which highlights two main points:
    1. MS Office malware attacks are becoming increasingly sophisticated.
    2. These attacks are now being sold on the dark web as kits, enabling those without advanced programming skills to create advanced malware attacks that are difficult to detect.
     
    https://www.proofpoint.com/us/threat-insight/post/lcg-kit-sophisticated-builder-malicious-microsoft-office-documents
    It is therefore imperative that organizations employ mitigations to defeat the above attack methods. I posted previously about OLE mitigations. JavaScript should be disabled via the in-product Adobe Reader setting, and RTF objects should likewise be blocked via MS Office in-product settings. Etc., etc.
     
  2. Upvote
    itman received kudos from BALTAGY in MalwareTips   
    As far as the GrandCrab 5.0.4 ransomware, what was submitted to Hybrid-Analysis was a binary file, 05bfd83bb0d4e7d27bbfc2c057b2b692612de808cc4bca73d9e0ae1d9d479623.js.bin. This leads me to believe the original source of the ransomware was a MS Office Word .doc file employing this for example: https://cloudblogs.microsoft.com/microsoftsecure/2016/06/14/wheres-the-macro-malware-author-are-now-using-ole-embedding-to-deliver-malicious-files/ . So blocking all script child process startup including PowerShell from MS Office executables would have prevented the ransomware from running. Also do note the Microsoft recommended mitigation to block OLE automation in MS Office. 
  3. Upvote
    itman gave kudos to Tornado in MalwareTips   
    Downloaded the first sample with very few detections on VT and ESET picked it up as JS/TrojanDropper.Agent.NQS and the second link shows that ESET already detects it. Don't forget that ESET Advanced Memory Scanner would likely detect it as soon as it decloaked in memory.
  4. Upvote
    itman received kudos from BALTAGY in MalwareTips   
    Let me begin by saying it is almost impossible to stop malicious use of PowerShell by a determined attacker. One might think that creating a HIPS ask rule to monitor the startup of C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe and C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe will detect all PowerShell execution. It won't.
    Past examples of malicious use of PowerShell include, to name a few:
    1. The attacker downloading the old version of PowerShell, ver. 2.0, used in Win 7 and running it. This version for example, will run fine on Win 10 as long as .Net 2.0 or 3.5 is installed.
    2. Downloading the current ver. of PowerShell to any directory, possibly renamed but not necessary to do so, and running it from that location.
    3. Executing .Net subassemblies associated with PowerShell via C#, C, etc. program means.
    The only way to completely stop PowerShell execution would be to employ a security product that can block execution by hash value and then create ask/block rules for hash values associated with every known version of PowerShell. Also, setting PowerShell to Constrained Language mode or using AppContainer which does the same.
    Eset has a few knowledgebase articles on PowerShell and other script use mitigations:
    1. Firewall rules: https://support.eset.com/kb6132/
    2. HIPS rules: https://support.eset.com/kb6119/
    These will prevent the most prevalent malicious use of PowerShell. They will not prevent all malicious use of PowerShell.
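The two posts above (the Office-to-script-host child process chain, and PowerShell copied elsewhere or renamed so that a path-based HIPS rule never fires) can both be expressed as checks over process-creation telemetry. The following is an added example written for this page, not code from the posts, from ESET, or from Sysmon: it takes events in a simplified Sysmon Event ID 1 shape (Image, ParentImage, OriginalFileName, SHA256) that is constructed here, assumes the PE OriginalFileName of Windows PowerShell is PowerShell.EXE, and uses a constructed placeholder value for the hash allow-list.

```python
"""Flag two PowerShell abuse patterns in process-creation events:
  1. an Office application spawning a script host (the GandCrab delivery chain
     described above);
  2. a PowerShell binary running renamed, from an unexpected directory, or with
     a hash not on the approved list (the cases a path-based HIPS rule misses).
The event records below are constructed for this example; they are not real
telemetry, and the field layout is a simplified Sysmon Event ID 1 shape."""

from pathlib import PureWindowsPath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "cmd.exe", "mshta.exe"}
# The two install locations named in the post above.
EXPECTED_POWERSHELL_DIRS = {
    r"c:\windows\system32\windowspowershell\v1.0",
    r"c:\windows\syswow64\windowspowershell\v1.0",
}
# Hash allow-list of approved PowerShell builds. The single entry is a
# constructed placeholder; a real deployment fills this from its own inventory.
KNOWN_POWERSHELL_HASHES = {"a" * 64}
# PE OriginalFileName values that identify a PowerShell host regardless of the
# on-disk name (assumption: PowerShell.EXE for Windows PowerShell, pwsh.dll for
# PowerShell 7, which is what the binary's version resource carries).
POWERSHELL_ORIGINAL_NAMES = {"powershell.exe", "pwsh.dll", "pwsh.exe"}


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def classify(event: dict) -> list:
    """Return the list of findings for one process-creation event."""
    findings = []
    image, parent = event["Image"], event["ParentImage"]

    # Pattern 1: Office parent starting any script host.
    if _name(parent) in OFFICE_PARENTS and _name(image) in SCRIPT_HOSTS:
        findings.append("office-spawned-script-host")

    # Pattern 2: something that *is* PowerShell (by OriginalFileName) but does
    # not look like the expected, approved binary.
    if event.get("OriginalFileName", "").lower() in POWERSHELL_ORIGINAL_NAMES:
        if _name(image) not in {"powershell.exe", "pwsh.exe"}:
            findings.append("renamed-powershell")
        if _dir(image) not in EXPECTED_POWERSHELL_DIRS:
            findings.append("powershell-unexpected-path")
        if event.get("SHA256", "").lower() not in KNOWN_POWERSHELL_HASHES:
            findings.append("powershell-unknown-hash")
    return findings


def scan(events: list) -> list:
    """Return (Image, findings) for every event that produced a finding."""
    return [(e["Image"], f) for e in events if (f := classify(e))]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "OriginalFileName": "PowerShell.EXE", "SHA256": "a" * 64},
    {"Image": r"C:\Users\Public\ps.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "PowerShell.EXE", "SHA256": "b" * 64},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "PowerShell.EXE", "SHA256": "a" * 64},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "OriginalFileName": "wscript.exe", "SHA256": "c" * 64},
]

if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(findings)}")
```

The third sample event (the approved binary, from its normal directory, started by Explorer) produces no finding, which is the point of keying the second check on OriginalFileName rather than on the path: the renamed copy in C:\Users\Public is still recognised as PowerShell, and the hash check is what the post says is needed to close the remaining gap.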
  5. Upvote
    itman gave kudos to puff-m-d in Eset Internet Security 12.0.31.0 Network Connections Viewer Bug   
    Hello @cutting_edgetech,
    While you are on the "Network connections" tab in the ESET GUI, right click in the "Network connections" pane and uncheck "Show only TCP connections". UDP connections should now show along with the TCP connections.
    I hope this helps...
  6. Upvote
    itman received kudos from notimportant in Very poor test result   
    That said, I see a few "irregularities."
    TPSC has affiliations with Bitdefender, Kaspersky, and Sophos. Next, as shown in the screenshot below, Kaspersky scored only 80.46% versus Eset's 95.6% in Phase 1 testing but passed overall testing? It appears that because Eset failed the Python ransomware test, that was justification for the overall failure rating. Is this a standard AV lab testing methodology? Or is what we have here a polished presentation using a pre-evaluated ransomware sample that my sponsor's product detected but its major competitor did not?

     
  7. Upvote
    itman received kudos from katycomputersystems in EICAR for web protection   
    Run through the tests on this web site: https://www.amtso.org/feature-settings-check-for-desktop-solutions/
  8. Upvote
    itman gave kudos to Marcos in Very poor test result   
    In order for us to provide an official response on the test, we would need the following:

    Obviously the following concerns were not addressed since the "tester" didn't download files from actual URLs serving the payload, i.e. real-world conditions were not fulfilled and one of the important protection layers was bypassed:
    Without logs, samples or hashes, and possibly further metadata, everything said in this topic is just speculation. Respected testers would allow vendors of tested AVs to review the results, provide the necessary material for verification and give room for disputes with vendors. This was not the case. Having said that, we'll draw this topic to a close.
  9. Upvote
    itman received kudos from ECELeader in Very poor test result   
    Doubt this is the case.
    From what I can determine, PC Security Channel is not an AMTSO member: https://www.amtso.org/members/
    This test falls into the category of all ad hoc Internet tests whose results cannot be verified and therefore should be ignored. The only exception I can think of would be Rubenking's PC Magazine tests employing the Core Impact tools. He has been doing those for years and is very upfront on how and what he tests for.
  10. Upvote
    itman received kudos from Moriseif in I can't see "Refer your friend" button!   
    Now this is strange.
    I reinstalled IS 12.0.27 yesterday from a download from the Eset U.S. web site. Prior to this, I had 12.0.27 installed via the in-program upgrade feature from the latest ver. 11. The upgraded 12.0.27 ver. did show the Eset GUI Refer Friend option. This latest direct download install of 12.0.27 does not. Me thinks that the problem lies in the direct download from Eset.
  11. Upvote
    itman received kudos from soda_za36 in Untrusted Certificate Popup on several machines   
    Per Robtex:
    Per Wikipedia:
    https://en.wikipedia.org/wiki/Webtrekk
    Appears your web traffic is being tracked.
  12. Upvote
    itman received kudos from heyyahblah in Banking Protection Just Stopped ...   
    Don't know what you mean by "IB Pages?" None of the links you posted will cause Eset BP&P to launch or prompt to launch on my PC either.
    Also, like the OP stated, both Bank of America and Wells Fargo do launch Eset BP&P.
  13. Upvote
    itman received kudos from heyyahblah in Banking Protection Just Stopped ...   
    I tried a few. None of the below prompted to open in the secure browser in IS 12.0.27 on IE11:
    https://www.scotiabank.com/ca/en/0,,2,00.html
    https://www.bmo.com/main/personal
    https://www.rbcroyalbank.com/personal.html
     
  14. Upvote
    itman received kudos from Danutak in Malicious trafic   
    I suspect what the OP has installed is just a cable modem. Example here: https://www.hitron-americas.com/wp-content/uploads/2016/09/CDA3-35-datasheet1.pdf .
    In this setup, all devices must be connected via coaxial cable to the modem. Most cable modems do not have the advanced security features routers provide, such as an SPI firewall, NAT, etc.
  15. Upvote
    itman received kudos from Danutak in Malicious trafic   
    If your ISP provided your router, you can contact their tech support for assistance.
    Also, if your ISP is a cable provider, they might have only installed a cable modem. Modems have none of the security features a router provides, such as a stateful firewall, NAT, etc.
    My best guess based on what you posted would be that the firewall, if provided, would be in the DOCSIS WAN section. Again, if you don't know what you are doing, I strongly recommend you contact your ISP for assistance.
    Here's an example of a cable modem/router combo whose security protection specifically notes it has a SPI firewall w/NAT and denial of service protection: https://www.netgear.com/home/products/networking/cable-modems-routers/C7000.aspx#tabs-Security
  16. Upvote
    itman received kudos from galaxy in NOD32 update   
    You're welcome. 
  17. Upvote
    itman received kudos from SreneityBish in Automatic creation of folder by email in mail client   
    I use ThunderBird and have the latest version 63 installed.
    I just opened it up and have no "Black Friday" folder being shown. I also have no Thunderbird spam settings enabled other than the default ones.
    I would direct your concerns to the Mozilla Thunderbird forum.
  18. Upvote
    itman received kudos from Leonardo in Virus Dexon Agent.exe no detectado por el antivirus ESET Endpoint (Dexon Agent.exe virus not detected by ESET)   
    A bit more detail on this.
    Per Trend Micro, Eset did detect an earlier version as Win32/Dexon.A as a PUA: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/pua_dexon .
    So a couple of possibilities as to this infection:
    1. This is a new undetected variant.
    2. Eset PUA protection was not enabled on the endpoint devices.
    3. The delivery payload was a worm. It infected the server and spread Dexon via SMB. Likewise, it could have been PUA software installed on an endpoint and spread via SMB.
    My money is on number 3.
    Based on the modifications this malware makes to Win system directories and registry, extensive cleaning will be required to remove it. 
  19. Upvote
    itman received kudos from Azure Phoenix in Future changes to ESET Internet Security and ESET Smart Security Premium   
    Add option to realtime scanner to block obfuscated Powershell scripts. Option would be dependent upon Win 10 AMSI option enabled in the Eset GUI.
    Justification
    Microsoft added a like mitigation in the form of a Windows Defender Exploit Guard ASR mitigation effective with Win 10 1709. ASR mitigations are only effective if Windows Defender is enabled as the realtime scan engine.
    Further justification is Eset's failure to detect malware in highly obfuscated PowerShell script in a Malware Research Group ad hoc test: https://www.mrg-effitas.com/research/current-state-of-malicious-powershell-script-blocking/
  20. Upvote
    itman received kudos from Azure Phoenix in Future changes to ESET Internet Security and ESET Smart Security Premium   
    Add option to realtime scanner to block obfuscated Powershell scripts. Option would be dependent upon Win 10 AMSI option enabled in the Eset GUI.
    Justification
    Microsoft added a like mitigation in the form of a Windows Defender Exploit Guard ASR mitigation effective with Win 10 1709. ASR mitigations are only effective if Windows Defender is enabled as the realtime scan engine.
    Further justification is Eset's failure to detect malware in highly obfuscated PowerShell script in a Malware Research Group ad hoc test: https://www.mrg-effitas.com/research/current-state-of-malicious-powershell-script-blocking/
  21. Upvote
    itman received kudos from persian-boy in Future changes to ESET Internet Security and ESET Smart Security Premium   
    Add a column showing PID number in the following logs after the noted existing log column headings:
    1. HIPS - Application
    2. Network - Source
    This is necessary to properly identify the origin for multiple same process occurrences such as svchost.exe. 
  22. Upvote
    itman received kudos from persian-boy in Future changes to ESET Internet Security and ESET Smart Security Premium   
    It actually used to do this prior to ver. 11. I believe this has something to do with Microsoft's decree to AV vendors that they can't interfere with the boot process in Win 10 ver. 1709. I am actually surprised that Eset even processes an Ask HIPS rule in ver. 11 and instead just auto allows it. I know it is doing so because it will slightly delay your boot time; something I thought wasn't supposed to happen on Win 10 ver. 1709.
    Again it is a bit peculiar that the HIPS default action is allow. However, it always has been this way. To be honest, I seriously doubt Eset will change it to block mode.
    A proper frame of reference for you is that Eset first and foremost created the HIPS for its own internal use. As such, it really isn't designed to be user configurable other than to create a few exception rules. This is more evident in the retail vers. of Eset. For example, Eset added file wildcard capability a while back for the Endpoint vers. but refuses to do so for the retail vers.
  23. Upvote
    itman received kudos from persian-boy in Future changes to ESET Internet Security and ESET Smart Security Premium   
    I explained this once to you. Eset has internal default rules and those rules take precedence over any user-created rules.
    Also if an alert response is not received within a short period of time, Eset will auto allow the action. This comes into play for example with any ask rule that might be triggered during the boot process. Those will be allowed by the time the PC initializes, the desktop appears, and finally the Eset GUI is started. 
  24. Upvote
    itman received kudos from persian-boy in Future changes to ESET Internet Security and ESET Smart Security Premium   
    Nvidia in their "infinite security wisdom" created two .bat scripts they dumped in C:\Windows directory. Their startup service can run these .bat scripts if errors are encountered in their software as recovery procedures. So basically, you have to allow svchost.exe to run cmd.exe. Not the most secure thing to do if malware creates a malicious service. Hence my recommendation that file wildcard support is needed.
    There is also the issue of why the HIPS hasn't been updated to reflect Win 10's current ability to uniquely identify an individual svchost.exe service by process id. 
  25. Upvote
    itman received kudos from persian-boy in Future changes to ESET Internet Security and ESET Smart Security Premium   
    Yeah, I know about this.
    Just be careful with GitHub software. Being open source, it can be hacked. One of the major sources of nasty backdoors has been GitHub software.