itman

Most Valued Members
Posts: 12,102
Days Won: 319

Kudos

  1. Upvote
    itman gave kudos to Gregecslo in Malicious file PHP/TrojanDownloader.Agent.CZ was detected   
    Yes you did I also found it.
    URLSCAN.IO shows multiple scans for this domain with different Webshells hosted on it.
    @FTL
    We also got this detection, but it's OK because at least for us, webserver returned 404 or 500 when POST request was made (we do not host wordpress at all). So basically this is automated script, that tries to exploit some wordpress vulnerability and if successful, curl downloads webshell.
    Example:
    95.214.27.5 - - [23/Oct/2023:05:39:30 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 1713 "-" mjdomain.com "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0" APACHELOG
    And yes, detection occurred on: file:///tmp/phpMjc32fg which is normal, because PHP processed this POST request.
    So in my opinion nothing happened with your server, but check where that post request was made and make sure WP and plugins are up to date.
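    Written here as an added example (not code from the thread or from ESET), a small Python triage script for the kind of Apache log line quoted above: it parses lines in that vhost-extended combined format, keeps only POSTs to /wp-admin/admin-ajax.php, and separates probes the server refused (404/5xx, as in the post) from ones it answered with 200, which are the ones worth checking on a host that should not be running WordPress. The sample log lines, IPs and hostname are constructed.

```python
import re
from collections import Counter

# Combined log format with the extra vhost token seen in the quoted line
# (referer, then vhost, then user-agent); vhost is optional so plain
# combined-format lines parse too.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)")?(?: (?P<vhost>[^" ]+))?(?: "(?P<ua>[^"]*)")?'
)
WP_PROBE_PATH = "/wp-admin/admin-ajax.php"

# Constructed sample lines (TEST-NET addresses, placeholder hostname).
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Oct/2023:05:39:30 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 1713 "-" example.invalid "Mozilla/5.0"',
    '203.0.113.5 - - [23/Oct/2023:05:39:31 +0200] "POST /wp-admin/admin-ajax.php?action=x HTTP/1.1" 404 196 "-" example.invalid "Mozilla/5.0"',
    '198.51.100.7 - - [23/Oct/2023:05:40:02 +0200] "GET /index.html HTTP/1.1" 200 512 "-" example.invalid "Mozilla/5.0"',
    '198.51.100.7 - - [23/Oct/2023:05:41:10 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "-" "curl/8.0"',
]

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def classify(entry):
    """Verdict for one entry: None (not a WP probe), 'refused' (404/5xx,
    nothing ran, as in the post) or 'investigate' (endpoint answered 200)."""
    if entry["method"] != "POST" or not entry["path"].startswith(WP_PROBE_PATH):
        return None
    return "investigate" if entry["status"] == 200 else "refused"

def summarize(lines):
    """Count verdicts and probing source IPs over an iterable of log lines."""
    verdicts, by_ip = Counter(), Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict:
            verdicts[verdict] += 1
            by_ip[entry["ip"]] += 1
    return verdicts, by_ip
```

    Run summarize() over your own access log lines; any "investigate" hit on a server that does not host WordPress means the request was actually served and deserves a look at what answered it.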
  2. Upvote
    itman received kudos from DanielJUK in ESET Internet Security 17... when will it be out?   
    Version 17 is projected to be released in November;

  3. Upvote
    itman received kudos from constexpr in Disturbing B&PP Behavior   
    You "beat me to the posting punch." I was just going to post that this is exactly what I was going to do in Firefox settings for isolated browser mode.
  4. Upvote
    itman received kudos from micasayyo in Disturbing B&PP Behavior   
    A bit more research yields the following.
    Both in normal and B&PP Firefox mode, five add-on exceptions existed. They all appear to be Mozilla related with two of them for Private mode. I certainly didn't create these exceptions. I deleted all these exceptions and doing so doesn't appear to impact FF. Also, the exceptions have not reappeared.
  5. Upvote
    itman received kudos from peteyt in Can I disable the admin password for firewall alerts?   
    Using a password to access Eset GUI settings is an optional setting and is not enabled by default. Therefore it is assumed you manually set password use.
    Using a password to access Eset GUI settings makes the product cumbersome to use where a feature such as Interactive firewall requires frequent access to the GUI. It is your choice here as to whether password use should be disabled or not.
  6. Upvote
    itman received kudos from micasayyo in Potential unsafe application   
    It appears the Eset scan cache was not cleared when the second on-demand scan was run. This resulted in results from the first scan influencing the detections from the second scan. Running back to back full on-demand scans is not expected normal scan behavior.
    This option detects exactly as stated. These apps are not malware per se, but exhibit undesirable behavior such as scams to purchase unneeded services and the like. Due to the fact users might be using such apps as you are, the option is not enabled by default at installation time.
  7. Upvote
    itman received kudos from LesRMed in A Workaround Solution For Azure Code Signing Requirement For Windows OS End-of-Life Versions   
    Further analysis yields there is a way to provide ACS support for Win 10 1903+ versions. Microsoft has removed all ACS support KBs for Win 10 versions prior to 1903 from the Win Catalog other than LTSB versions.
    If you refer to Microsoft's article on ACS support: https://support.microsoft.com/en-au/topic/kb5022661-windows-support-for-the-azure-code-signing-program-4b505a31-fa1e-4ea6-85dd-6630229e8ef4 , you will note there is no KB listed for Win 10 1903. Likewise if you try to install the KB listed for Win 10 1909, that won't work either because it is for LTSB version only.
    However if you access KB5005611 which is the ACS support KB listed for Win 10 2004, 20H2, and 21H1, it states the update applies to all Win 10 versions 1903 and later;

    Select the version 21H1 update applicable to your OS version.
    For additional reference you can refer to the Sophos ACS article: https://support.sophos.com/support/s/article/KB-000045019?language=en_US
    Finally and important, you need to verify that this certificate, Microsoft Identity Verification Root Certificate Authority 2020, exists in your Win root CA store using certmgr.exe. If it does not, you will need to download and install the certificate manually. Refer to the above linked Microsoft ACS article on how to do that.
  8. Upvote
    itman received kudos from LesRMed in Install Failing on 2008R2 Servers with ACS Support   
    The anomaly here is on Win 10, these KB updates won't even start installing. Therefore, the HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Info\ACSSupport key never gets created. I attribute this to the age of Win Server 2008 R2 and that Win Updating was in a developing state then. Also and very much evident is Eset never tested that these Microsoft KBs actually worked on EOL and EOS OS versions.
    Same here. I am "throwing in the towel" on the ACS support baloney since there is no way to implement it on EOL and EOS OS versions w/o ESU.
  9. Upvote
    itman gave kudos to Marcos in How to deal with the procexp152.sys detection   
    Please use the latest version of Process Explorer from the Microsoft website.
  10. Upvote
    itman gave kudos to Marcos in How to deal with the procexp152.sys detection   
    The latest version does not contain a vulnerable driver.
  11. Upvote
    itman received kudos from LesRMed in Azure Code Signing Requirement Clarification   
    Eset needs to modify its posting: https://support-eol.eset.com/en/trending_weol2023_10_2022.html to note the following.
    In regards to reference to required KB updates to support Azure Code Signing: https://support.microsoft.com/en-us/topic/kb5022661-windows-support-for-the-azure-code-signing-program-4b505a31-fa1e-4ea6-85dd-6630229e8ef4 , these updates can only be applied;
    1. If the OS version is not end-of-life status.
    2. If OS version is end-of-life status, it has extended support status.
    In all other cases, these KB updates will fail. In this instance, the only alternative available is to upgrade the OS to a supported version if end-of-service status; purchase extended support if that option is still available; or purchase a new OS license for a supported version.
  12. Upvote
    itman gave kudos to LesRMed in no support for Azure Code Signing - Eset Node 32   
    I had the same issue on two of my computers that were on 1909. I was able to resolve it by using the media creation tool here: https://www.microsoft.com/en-us/software-download/windows10. Click the Download Now and do the upgrade (you don't actually have to create the media).
  13. Upvote
    itman received kudos from murko in Address has been blocked   
    Another posting about this bugger on Reddit;
    https://www.reddit.com/r/techsupport/comments/zaqigb/is_this_a_maleware/
    The interesting part is most of its binaries are Microsoft signed. It also appears the payload is embedded within conhost.exe. Based on what was recently posted in this thread, it appears cmd.exe was started or conhost.exe standalone; most likely in suspended mode, then process hollowing and/or command line modification was done on conhost.exe, and conhost.exe was started.
    Perhaps it's time Eset start setting deep behavior inspection hooks into conhost.exe as it does for cmd.exe.
  14. Upvote
    itman gave kudos to LesRMed in Install Failing on 2008R2 Servers with ACS Support   
    There is no policy that disables the notification. I had the warnings showing before I started all of this, and I still have two laptops that are showing the warnings (that I haven't tackled yet).
  15. Upvote
    itman received kudos from offbyone in ESET Endpoint products compatibility issue with Azure Code Signing (ACS) program   
    I will also add that people "better get cracking" on applying these KB updates. Based on this recent posting: https://forum.eset.com/topic/38212-install-failing-on-2008r2-servers-with-acs-support/ , updating is far from smooth.
  16. Upvote
    itman received kudos from offbyone in ESET Endpoint products compatibility issue with Azure Code Signing (ACS) program   
    Obviously, you will be able to apply the applicable KB for the referenced OS version.
    The problem is there is no reference to Win 10 1903 in https://support.microsoft.com/en-au/topic/kb5022661-windows-support-for-the-azure-code-signing-program-4b505a31-fa1e-4ea6-85dd-6630229e8ef4 . As such, it can be assumed it can't be updated via KB method.
  17. Upvote
    itman received kudos from Baldrick in ESET Internet Security 17... when will it be out?   
    https://www.eset.com/us/beta/
    Open Eset GUI. Select Settings -> Advanced setup -> Update.
    Select Profiles. Under My Profiles, select Updates. Change Update type to Pre-release update. Save your change.
    At this point, Eset will download the latest available pre-release update and will continue to download any new pre-release update until Update type is changed back to regular updates.
  18. Upvote
    itman received kudos from micasayyo in ESET Internet Security 17... when will it be out?   
    https://www.eset.com/us/beta/
    Open Eset GUI. Select Settings -> Advanced setup -> Update.
    Select Profiles. Under My Profiles, select Updates. Change Update type to Pre-release update. Save your change.
    At this point, Eset will download the latest available pre-release update and will continue to download any new pre-release update until Update type is changed back to regular updates.
  19. Upvote
    itman gave kudos to Nightowl in Threat: HTML/ScrInject.B trojan false-positive website   
    Clicking "Go Home" would trigger
    hxxps://watchseries.id/home;HTML/ScrInject.B trojan
  20. Upvote
    itman received kudos from micasayyo in ESET Internet Security 17... when will it be out?   
    No. Only users enrolled in Eset Beta Tester program are allowed access to Beta versions.
    You will have to wait until it's released to the pre-release channel.
  21. Upvote
    itman received kudos from micasayyo in ESET Internet Security 17... when will it be out?   
    Version 17 is projected to be released in November;

  22. Upvote
    itman received kudos from nabeelmansoor in ESET Internet Security 17... when will it be out?   
    No. Only users enrolled in Eset Beta Tester program are allowed access to Beta versions.
    You will have to wait until it's released to the pre-release channel.
  23. Upvote
    itman received kudos from LesRMed in Allow Disabling of Status - Missing Support for Azure Code Signing   
    You've asked this question no less than 14 times in this thread.
    You're fortunate that the Eset forum is tolerant of such activity. You would have been banned long ago on most security forums.
  24. Upvote
    itman received kudos from Joe S in Interactive Firewall useless since 16.2   
    I will also add that as I have posted in other forum replies, it is virtually impossible to block nVidia telemetry via a firewall;
    https://www.ghacks.net/2016/11/07/nvidia-telemetry-tracking/
    As deleting this .dll can cause other issues, the only effective way to block the telemetry is via IP address blocking.
  25. Upvote
    itman received kudos from New_Style_xd in We want to hear your Intel Threat Detection Technology experience!   
    My own opinion here is Eset should commission SE Labs to perform ransomware testing as CrowdStrike did: https://selabs.uk/reports/enterprise-advanced-security-ransomware-crowdstrike-2022-oct/ .