Kudos
itman gave kudos to Gregecslo in Malicious file PHP/TrojanDownloader.Agent.CZ was detected
Yes you did, I also found it.
URLSCAN.IO shows multiple scans for this domain with different Webshells hosted on it.
@FTL
We also got this detection, but it's OK because, at least for us, the web server returned 404 or 500 when the POST request was made (we do not host WordPress at all). So basically this is an automated script that tries to exploit some WordPress vulnerability and, if successful, curl downloads a webshell.
Example:
95.214.27.5 - - [23/Oct/2023:05:39:30 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 1713 "-" mjdomain.com "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0"
And yes, detection occurred on: file:///tmp/phpMjc32fg which is normal, because PHP processed this POST request.
So in my opinion nothing happened with your server, but check where that POST request was made and make sure WP and plugins are up to date.
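The check the post above recommends, written out as an added example that is not from the post, the forum or ESET: parse Apache access-log lines, pick out POSTs to the WordPress endpoint the exploit script targets, and separate the ones the server rejected (4xx/5xx, as in the quoted line) from the ones it actually processed (2xx), which are the only ones worth digging into for a dropped webshell. The regex, the watched-path list and all sample lines other than the one quoted in the post are assumptions constructed for the example.

```python
import re
from collections import Counter

# Apache "combined"-style access log. The optional vhost token between referer and
# user agent matches the custom LogFormat of the line quoted in the post above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" '
    r'(?:(?P<vhost>\S+) )?"(?P<ua>[^"]*)"'
)

# Endpoint the automated exploit attempts in the post are aimed at (assumption:
# extend this set with whatever WordPress entry points you actually expose).
WATCHED_PATHS = {"/wp-admin/admin-ajax.php"}

# Constructed sample: the first line is the one quoted in the post; the rest are
# made up to exercise each verdict, plus one unparseable line.
SAMPLE_LOG = [
    '95.214.27.5 - - [23/Oct/2023:05:39:30 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 1713 "-" mjdomain.com "Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0"',
    '203.0.113.7 - - [23/Oct/2023:05:40:01 +0200] "POST /wp-admin/admin-ajax.php?action=upload HTTP/1.1" 200 512 "-" mjdomain.com "curl/8.0.1"',
    '203.0.113.7 - - [23/Oct/2023:05:40:02 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" mjdomain.com "curl/8.0.1"',
    '198.51.100.9 - - [23/Oct/2023:05:41:15 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def classify(rec):
    """Verdict for a parsed record; only POSTs to watched WordPress endpoints matter."""
    if rec["method"] != "POST" or rec["path"] not in WATCHED_PATHS:
        return None
    if 200 <= rec["status"] < 300:
        return "investigate"     # request was processed: look for a dropped webshell
    if 300 <= rec["status"] < 400:
        return "review"          # redirected (e.g. to a login page): usually benign
    return "failed-attempt"      # 4xx/5xx: the attempt was not served, as in the post


def triage(lines):
    """Return (ip, timestamp, status, verdict) for every line that deserves attention."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict is not None:
            findings.append((rec["ip"], rec["time"], rec["status"], verdict))
    return findings


def attempts_per_ip(lines):
    """Count watched-endpoint POSTs per source IP: a quick view of who is scanning you."""
    return Counter(f[0] for f in triage(lines))


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
    print(attempts_per_ip(SAMPLE_LOG))
```

Feed your real access log in place of SAMPLE_LOG (for example `triage(open("/var/log/apache2/access.log"))`); a "failed-attempt" verdict matches the situation the post describes, while any "investigate" hit is where to start looking for a file written under the web root or the PHP temp directory.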
-
itman received kudos from DanielJUK in ESET Internet Security 17... when will it be out?
Version 17 is projected to be released in November.
-
itman received kudos from constexpr in Disturbing B&PP Behavior
You "beat me to the posting punch." I was just going to post this is exactly what I was going to do in Firefox settings for isolated browser mode.
-
itman received kudos from micasayyo in Disturbing B&PP Behavior
A bit more research yields the following.
Both in normal and B&PP Firefox mode, five add-on exceptions existed. They all appear to be Mozilla related with two of them for Private mode. I certainly didn't create these exceptions. I deleted all these exceptions and doing so doesn't appear to impact FF. Also, the exceptions have not reappeared.
-
itman received kudos from peteyt in Can I disable the admin password for firewall alerts?
Using a password to access Eset GUI settings is an optional setting and is not enabled by default. Therefore it is assumed you manually set password use.
Using a password to access Eset GUI settings makes the product cumbersome to use where a feature such as Interactive firewall requires frequent access to the GUI. It is your choice here as to whether password use should be disabled or not.
-
itman received kudos from micasayyo in Potential unsafe application
It appears the Eset scan cache was not cleared when the second on-demand scan was run. This resulted in results from the first scan influencing the detections from the second scan. Running back-to-back full on-demand scans is not expected normal scan behavior.
This option detects exactly as stated. These apps are not malware per se, but exhibit undesirable behavior such as scams to purchase unneeded services and the like. Due to the fact users might be using such apps as you are, the option is not enabled by default at installation time.
-
itman received kudos from LesRMed in A Workaround Solution For Azure Code Signing Requirement For Windows OS End-of-Life Versions
Further analysis yields there is a way to provide ACS support for Win 10 1903+ versions. Microsoft has removed all ACS support KBs for Win 10 versions prior to 1903 from the Win Catalog other than LTSB versions.
If you refer to Microsoft's article on ACS support: https://support.microsoft.com/en-au/topic/kb5022661-windows-support-for-the-azure-code-signing-program-4b505a31-fa1e-4ea6-85dd-6630229e8ef4 , you will note there is no KB listed for Win 10 1903. Likewise, if you try to install the KB listed for Win 10 1909, that won't work either because it is for the LTSB version only.
However, if you access KB5005611, which is the ACS support KB listed for Win 10 2004, 20H2, and 21H1, it states the update applies to all Win 10 versions 1903 and later.
Select the version 21H1 update applicable to your OS version.
For additional reference you can refer to the Sophos ACS article: https://support.sophos.com/support/s/article/KB-000045019?language=en_US
Finally and importantly, you need to verify that this certificate, Microsoft Identity Verification Root Certificate Authority 2020, exists in your Win root CA store using certmgr.exe. If it does not, you will need to download and install the certificate manually. Refer to the above linked Microsoft ACS article on how to do that.
-
itman received kudos from LesRMed in Install Failing on 2008R2 Servers with ACS Support
The anomaly here is on Win 10, these KB updates won't even start installing. Therefore, the HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Info\ACSSupport key never gets created. I attribute this to the age of Win Server 2008 R2 and that Win Updating was in a developing state then. Also, and very much evident, is that Eset never tested that these Microsoft KBs actually worked on EOL and EOS OS versions.
Same here. I am "throwing in the towel" on the ACS support baloney since there is no way to implement it on EOL and EOS OS versions w/o ESU.
-
itman gave kudos to Marcos in How to deal with the procexp152.sys detection
Please use the latest version of Process Explorer from the Microsoft website.
-
itman gave kudos to Marcos in How to deal with the procexp152.sys detection
The latest version does not contain a vulnerable driver.
-
itman received kudos from LesRMed in Azure Code Signing Requirement Clarification
Eset needs to modify its posting: https://support-eol.eset.com/en/trending_weol2023_10_2022.html to note the following.
In regards to the reference to required KB updates to support Azure Code Signing: https://support.microsoft.com/en-us/topic/kb5022661-windows-support-for-the-azure-code-signing-program-4b505a31-fa1e-4ea6-85dd-6630229e8ef4 , these updates can only be applied:
1. If the OS version is not end-of-life status.
2. If the OS version is end-of-life status, it has extended support status.
In all other cases, these KB updates will fail. In this instance, the only alternative available is to upgrade the OS to a supported version if end-of-service status; purchase extended support if that option is still available; or purchase a new OS license for a supported version.
-
itman gave kudos to LesRMed in no support for Azure Code Signing - Eset Node 32
I had the same issue on two of my computers that were on 1909. I was able to resolve it by using the media creation tool here: https://www.microsoft.com/en-us/software-download/windows10. Click the Download Now and do the upgrade (you don't actually have to create the media).
-
itman received kudos from murko in Address has been blocked
Another posting about this bugger on Reddit:
https://www.reddit.com/r/techsupport/comments/zaqigb/is_this_a_maleware/
The interesting part is most of its binaries are Microsoft signed. It also appears the payload is embedded within conhost.exe. Based on what was recently posted in this thread, it appears cmd.exe was started or conhost.exe standalone; most likely in suspended mode, then process hollowing and/or command line modification was done on conhost.exe, and conhost.exe was started.
Perhaps it's time Eset started setting deep behavior inspection hooks into conhost.exe as it does for cmd.exe.
-
itman gave kudos to LesRMed in Install Failing on 2008R2 Servers with ACS Support
There is no policy that disables the notification. I had the warnings showing before I started all of this, and I still have two laptops that are showing the warnings (that I haven't tackled yet).
-
itman received kudos from offbyone in ESET Endpoint products compatibility issue with Azure Code Signing (ACS) program
I will also add that people "better get cracking" on applying these KB updates. Based on this recent posting: https://forum.eset.com/topic/38212-install-failing-on-2008r2-servers-with-acs-support/ , updating is far from smooth.
-
itman received kudos from offbyone in ESET Endpoint products compatibility issue with Azure Code Signing (ACS) program
Obviously, you will be able to apply the applicable KB for the referenced OS version.
The problem is there is no reference to Win 10 1903 in https://support.microsoft.com/en-au/topic/kb5022661-windows-support-for-the-azure-code-signing-program-4b505a31-fa1e-4ea6-85dd-6630229e8ef4 . As such, it can be assumed it can't be updated via the KB method.
-
itman received kudos from Baldrick in ESET Internet Security 17... when will it be out?
https://www.eset.com/us/beta/
Open Eset GUI. Select Settings -> Advanced setup -> Update.
Select Profiles. Under My Profiles, select Updates. Change Update type to Pre-release update. Save your change.
At this point, Eset will download the latest available pre-release update and will continue to download any new pre-release update until Update type is changed back to regular updates.
-
itman received kudos from micasayyo in ESET Internet Security 17... when will it be out?
https://www.eset.com/us/beta/
Open Eset GUI. Select Settings -> Advanced setup -> Update.
Select Profiles. Under My Profiles, select Updates. Change Update type to Pre-release update. Save your change.
At this point, Eset will download the latest available pre-release update and will continue to download any new pre-release update until Update type is changed back to regular updates.
-
itman gave kudos to Nightowl in Threat: HTML/ScrInject.B trojan false-positive website
Clicking "Go Home" would trigger
hxxps://watchseries.id/home;HTML/ScrInject.B trojan
-
itman received kudos from micasayyo in ESET Internet Security 17... when will it be out?
No. Only users enrolled in Eset Beta Tester program are allowed access to Beta versions.
You will have to wait until it's released to the pre-release channel.
-
itman received kudos from micasayyo in ESET Internet Security 17... when will it be out?
Version 17 is projected to be released in November.
-
itman received kudos from nabeelmansoor in ESET Internet Security 17... when will it be out?
No. Only users enrolled in Eset Beta Tester program are allowed access to Beta versions.
You will have to wait until it's released to the pre-release channel.
-
itman received kudos from LesRMed in Allow Disabling of Status - Missing Support for Azure Code Signing
You've asked this question no less than 14 times in this thread.
You're fortunate that the Eset forum is tolerant of such activity. You would have been banned long ago on most security forums.
-
itman received kudos from Joe S in Interactive Firewall useless since 16.2
I will also add that, as I have posted in other forum replies, it is virtually impossible to block nVidia telemetry via a firewall:
https://www.ghacks.net/2016/11/07/nvidia-telemetry-tracking/
As deleting this .dll can cause other issues, the only effective way to block the telemetry is via IP address blocking.
-
itman received kudos from New_Style_xd in We want to hear your Intel Threat Detection Technology experience!
My own opinion here is Eset should commission SE Labs to perform ransomware testing as CrowdStrike did: https://selabs.uk/reports/enterprise-advanced-security-ransomware-crowdstrike-2022-oct/ .