
peteyt

Most Valued Members
Posts: 2,147; Days Won: 41

Kudos

  1. Upvote
    peteyt gave kudos to LesRMed in Forum Feedback   
    I sent @Marcos a pm on Friday about this.
  2. Upvote
    peteyt gave kudos to Peter Randziak in Forum Feedback   
    Hello @peteyt,
    thank you for the feedback provided.
    I passed it to the guy responsible and he is checking it.
    Peter
  3. Upvote
    peteyt gave kudos to itman in Stealers not detected   
    Kaspersky also has an article on this Super Mario game hack with protection recommendations I am repeating here. I have highlighted and underlined the most important ones;
    https://usa.kaspersky.com/blog/mario-forever-malware-too/28556/
    Also, Kaspersky has a separate article on the dangers of game mods.
  4. Upvote
    peteyt gave kudos to SeriousHoax in Stealers not detected   
    Yeah, they are now detected indeed. Thanks for helping in sending to the malware analysts.
    But just now I tested again and turns out, if I run the samples then they can still "Steal" the data anyway. There was no reaction from ESET. It's only detected if I scan the file instead of running it. So, the flaw of ESET not detecting these via real-time protection remains. Sooner or later after execution real-time protection needs to catch it.
    Can you test on your end? If you can reproduce, then report the issue to the responsible team. 
  5. Upvote
    peteyt gave kudos to itman in Stealers not detected   
    Today's discussion is why initial detection of infostealers, recent malware loaders I have analyzed, etc. is so difficult. For starters, they employ both sandbox and behavior evasion tactics.
    My analysis of the above yields the following activities;
    1. Spawning one or more identical child processes of itself.
    2. Malicious code injection into one of the child processes usually done remotely but not always, and execution of that code.
    Sandbox evasion occurs if the initially run .exe, usually a shell, detects it is being monitored; it simply creates a process that does not perform any of the above activities. Of note is there is nothing malicious about this payload (parent) process.
    Behavior evasion occurs by performing the above 1) and 2) activities. How?
    It deals with how most AV's do behavior monitoring. If the AV detects anything suspicious with the payload (parent) process, it will set a hook, usually a .dll, into that process to monitor activities. If the parent process spawns a child process/processes copy of itself, no monitoring hook is set in those processes.
    Since the child process is now running in an un-monitored AV state, malicious code injection into it can occur unimpeded.
    Next is many legit processes spawn copies of themselves; most notably browsers.
    There is a Sigma rule that detects parent child process cloning. Once triggered, process reputation evaluation needs to be performed.
    If the process reputation status is unknown or low, the parent process needs to be flagged as suspicious and blocked from executing. Alternatively, the AV needs to set its behavior monitoring hook into any spawned child process. The issue here is it appears these child processes are being created from the dropper shell and not the parent process. Therefore, shell processes need to be monitored for like behavior.
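The two-step logic itman describes (detect a parent spawning a copy of itself, then evaluate the image's reputation before deciding to block) as an added example, not itman's code or any ESET component. The event shape, the reputation table, the threshold and the sample events are all constructed for this illustration; the clone condition is the same one a Sigma "parent spawns itself" rule expresses.

```python
"""
Added example, not itman's code nor any ESET component: the detection logic
the post describes, run over constructed process-creation events.

Step 1 is the Sigma-style condition "parent spawns a copy of itself" (the
child's image path equals its parent's image path).
Step 2 is the reputation evaluation the post calls for: a self-clone whose
image is unknown to, or rated low by, the reputation source is flagged for
blocking; known-good cloners such as browsers are left alone.
Event fields, the reputation table and the threshold are all made up here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessCreate:
    """One process-creation event (shape loosely modelled on Sysmon event 1)."""
    pid: int
    ppid: int
    image: str         # full path of the newly created process
    parent_image: str  # full path of the creating process


# Constructed reputation table: score 0..100 per image path; absent = unknown.
REPUTATION = {
    r"c:\program files\mozilla firefox\firefox.exe": 98,
    r"c:\windows\system32\cmd.exe": 99,
    r"c:\users\alice\downloads\free-game-installer.exe": 12,
    # r"c:\users\alice\appdata\local\temp\stage2.exe" is deliberately absent
}
LOW_REPUTATION = 50  # constructed cut-off; a clone rated below this is suspicious


def is_self_clone(ev: ProcessCreate) -> bool:
    """Step 1: the child runs the same image as its parent (case-insensitive path match)."""
    return ev.image.lower() == ev.parent_image.lower()


def classify_clone(ev: ProcessCreate, reputation=REPUTATION, threshold=LOW_REPUTATION) -> str:
    """Step 2: reputation verdict for a self-clone, as the post proposes.

    Returns one of:
      "allow:known-good"         reputable image (e.g. a browser forking itself)
      "block:unknown-reputation" image not present in the reputation source
      "block:low-reputation"     image present but rated below the threshold
    """
    score = reputation.get(ev.image.lower())
    if score is None:
        return "block:unknown-reputation"
    if score < threshold:
        return "block:low-reputation"
    return "allow:known-good"


def scan(events) -> dict:
    """Apply both steps to a stream of events.

    Returns {parent_pid: verdict} for every parent that spawned a copy of
    itself; non-clone spawns (an installer launching cmd.exe, say) are not
    reported here. A blocked parent's already-created children are where the
    post's alternative remedy (attach the monitoring hook) would apply.
    """
    verdicts = {}
    for ev in events:
        if is_self_clone(ev):
            verdicts[ev.ppid] = classify_clone(ev)
    return verdicts


# Constructed sample: a browser forking itself, a low-reputation installer
# forking itself, an unknown binary in %TEMP% forking itself, and one non-clone spawn.
SAMPLE_EVENTS = [
    ProcessCreate(4100, 4000, r"C:\Program Files\Mozilla Firefox\firefox.exe",
                  r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    ProcessCreate(5100, 5000, r"C:\Users\alice\Downloads\free-game-installer.exe",
                  r"C:\Users\alice\Downloads\free-game-installer.exe"),
    ProcessCreate(6100, 6000, r"C:\Users\alice\AppData\Local\Temp\stage2.exe",
                  r"C:\Users\alice\AppData\Local\Temp\stage2.exe"),
    ProcessCreate(6200, 6000, r"C:\Windows\System32\cmd.exe",
                  r"C:\Users\alice\AppData\Local\Temp\stage2.exe"),
]

if __name__ == "__main__":
    for ppid, verdict in scan(SAMPLE_EVENTS).items():
        print(f"parent pid {ppid}: {verdict}")
```

Running it reports the browser clone as allowed and the two other self-clones as blocked, one for low and one for unknown reputation; the cmd.exe spawn is not a clone and so never reaches the reputation step, which is exactly the gap the post's last sentence (monitor the dropper shell too) points at.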
  6. Upvote
    peteyt gave kudos to psychopomp1 in Will the ESET icon spinning issue **EVER** get fixed?   
    Yes, I've used the Eset Uninstall tool and as a last resort, even installed EIS on a pc with freshly installed Windows (ie no previous version of EIS) and in both scenarios, I still get the spinning wheel at random boot ups.
  7. Upvote
    peteyt received kudos from itman in Will the ESET icon spinning issue **EVER** get fixed?   
    Might be worth backing up any custom settings etc. and using the eset uninstaller in safe mode https://support.eset.com/en/kb2289-uninstall-eset-manually-using-the-eset-uninstaller-tool
    Then install the pre release version from scratch. This will rule out this being caused by leftover files from a previous version

  8. Upvote
    peteyt gave kudos to stackz in PowerShell/TrojanDownloader.Agent.ETC on virustotal link   
    I can reproduce this. When you go to the VT page you are actually landing on the behavior page and ESET is picking up on some of the displayed Powershell script parts. See example pics below. So essentially there's no live malware to get infected from.
    At VT: [screenshot not preserved]
    In cache: [screenshot not preserved]
  9. Upvote
    peteyt gave kudos to Marcos in Is it possible to decrypt files for modified FONIX/RYUK?   
    Unfortunately files encrypted by Filecoder.RYUK cannot be decrypted. I've checked your logs and my findings are below:
    - ESET Server Security was installed today
    - LiveGrid Feedback system is disabled
    - detection of potentially unsafe applications is disabled
    - Network Level Authentication is disabled.
    Recommended action: Enable (Right click This PC (or Computer) -> Properties -> Remote settings, and check "Allow connections only from computers running Remote Desktop with Network Level Authentication".)
    The Security Event Logs cover only a small period of time (less than a day). The logs were either cleared by an attacker or the event log size is too small.
    Consider increasing the event log size (eventvwr.msc -> Windows Logs (left panel) -> Security -> Properties (right panel) -> Maximum log size (enter new value)). We recommend at least tripling your current Maximum log size.
    A brute-force attack from remote machine(s) was performed:
    - ARISTANGROUP\arez had 105 failed login attempts
    - Гость had 27 failed login attempts
    Detected unsuccessful logon attempts from 7 blacklisted IP addresses.
    - back up crucial data on a regular basis to prevent data loss
    - disable or secure RDP (use VPN and block RDP from outside, restrict access to specific IP addresses, etc.)
    - use a stronger password by users with RDP allowed
    - set a password to protect ESET settings and to prevent it from being disabled or uninstalled by unauthorized persons
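The three log checks Marcos reports (failed logons per account, failed logons from blocklisted addresses, and a Security log whose time span is too short to be trusted) as an added example, not Marcos's code nor any ESET tool. The records are constructed Windows Security log entries built inline; the account names, counts, addresses (RFC 5737 documentation ranges) and blocklist are made up for the illustration.

```python
"""
Added example, not Marcos's code nor any ESET tool: the three log checks the
post reports, run over constructed Windows Security log records.

  - failed logons per account (the "X had N failed login attempts" lines)
  - failed logons from addresses on a blocklist
  - the time span the Security log covers, flagged when under a day

Records are (timestamp, event id, account, source address) tuples built here
for illustration; addresses come from the RFC 5737 documentation ranges.
"""
from collections import Counter
from datetime import datetime, timedelta

EVENT_LOGON_FAILED = 4625   # Windows Security event id: an account failed to log on
EVENT_LOGON_SUCCESS = 4624  # Windows Security event id: an account was logged on


def failed_logons_per_account(records):
    """Count failed-logon records per account, most frequent first."""
    counts = Counter(acct for (_, eid, acct, _) in records if eid == EVENT_LOGON_FAILED)
    return dict(counts.most_common())


def blocklisted_sources(records, blocklist):
    """Source addresses of failed logons that appear on the blocklist."""
    return {src for (_, eid, _, src) in records
            if eid == EVENT_LOGON_FAILED and src in blocklist}


def log_coverage(records):
    """Time span between the oldest and newest record still present in the log."""
    stamps = [ts for (ts, *_) in records]
    return max(stamps) - min(stamps)


def assess(records, blocklist, min_coverage=timedelta(days=1)):
    """Summarise the findings the way the post lists them.

    A coverage shorter than min_coverage is reported as suspicious: either the
    log was cleared or the maximum log size is too small to retain history.
    """
    coverage = log_coverage(records)
    return {
        "failed_by_account": failed_logons_per_account(records),
        "blocklisted_sources": sorted(blocklisted_sources(records, blocklist)),
        "coverage": coverage,
        "coverage_too_short": coverage < min_coverage,
    }


def build_sample():
    """Constructed log: a short burst of failures against two accounts, then one success."""
    base = datetime(2023, 6, 20, 9, 0, 0)
    records = []
    for i in range(12):  # 12 failures for one domain account from a single address
        records.append((base + timedelta(minutes=i), EVENT_LOGON_FAILED,
                        r"EXAMPLE\arez", "203.0.113.7"))
    for i in range(4):   # 4 failures for the Guest account from a blocklisted address
        records.append((base + timedelta(minutes=30 + i), EVENT_LOGON_FAILED,
                        "Guest", "198.51.100.23"))
    records.append((base + timedelta(hours=5), EVENT_LOGON_SUCCESS,
                    r"EXAMPLE\alice", "192.0.2.10"))
    return records


SAMPLE_RECORDS = build_sample()
BLOCKLIST = {"198.51.100.23", "203.0.113.250"}  # constructed reputation blocklist

if __name__ == "__main__":
    findings = assess(SAMPLE_RECORDS, BLOCKLIST)
    for acct, n in findings["failed_by_account"].items():
        print(f"- {acct} had {n} failed login attempts")
    print(f"Failed logons from {len(findings['blocklisted_sources'])} blocklisted address(es)")
    print(f"Log covers {findings['coverage']}; too short: {findings['coverage_too_short']}")
```

The output mirrors the post's findings list: per-account failure counts, the number of blocklisted sources, and a warning that the five-hour window the sample log spans is less than the one-day minimum, which is the cue to raise the Maximum log size as the post recommends.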
  10. Upvote
    peteyt gave kudos to itman in ESET and malwarebazaar (abuse.ch)   
    Quite a few are fixated with VirusTotal as the "Holy Grail" reference when it comes to security software detection capability. It is very far from that status as noted in this article: https://www.virusbulletin.com/virusbulletin/2018/01/vb2017-paper-virustotal-tips-tricks-and-myths/
    Of note;
  11. Upvote
    peteyt gave kudos to itman in ESET and malwarebazaar (abuse.ch)   
    You really can't count on Eset detection on VT for new malware.
    The first thing Eset will do for new malware is create a LiveGrid blacklist detection for it while it analyzes the malware further. Those LiveGrid blacklist detections do not show in VT results.
    Remember that not all Eset detection and/or protection mechanisms are deployed on the copy deployed at VT.
  12. Upvote
    peteyt gave kudos to Marcos in Custom firewall rules and applications changing the path after update   
    Version 17 will address that. More information to come in the beta channel once the beta becomes available.
  13. Upvote
    peteyt received kudos from New_Style_xd in Nod32 antivirus verses On-line scanner   
    No I meant the next higher product level. 
    There was talk I believe to include this with nod32 but don't think it ever happened. But I may have misheard that anyways.
    I do think for this feature alone it is best to get the next level above nod32
  14. Upvote
    peteyt gave kudos to itman in Critical Firmware Vulnerability in Gigabyte Systems Exposes ~7 Million Devices   
    Based on a posting on wilderssecurity.com: https://www.wilderssecurity.com/threads/gigabyte-mobos-supply-chain-risk-from-gigabyte-app-center-backdoor.451620/#post-3149242, it appears Gigabyte has pushed a firmware update to address this issue. There is also the question if a firmware update will be pushed for motherboards no longer supported.
    It is uncharacteristic for Gigabyte to react this quickly to a vulnerability, so this must be a serious one.
    -EDIT- Gigabyte statement here: https://www.gigabyte.com/Press/News/2091
  15. Upvote
    peteyt gave kudos to itman in Critical Firmware Vulnerability in Gigabyte Systems Exposes ~7 Million Devices   
    https://thehackernews.com/2023/05/critical-firmware-vulnerability-in.html
    Mitigations
    https://eclypsium.com/blog/supply-chain-risk-from-gigabyte-app-center-backdoor/
    Affected Gigabyte motherboard firmware
    https://eclypsium.com/wp-content/uploads/Gigabyte-Affected-Models.pdf
  16. Upvote
    peteyt gave kudos to julen in s/spy.banker.iv false positive or true ?   
    Of course.

    Platform is Prestashop 1.7
    Files infected were:
    - classes/Product.php
    - classes/Store.php
    - classes/Dispatcher.php
    - classes/Hook.oho
    - classes/Tools.php
    - classes/controller/ModuleFrontController.php
    - classes/controller/Controller.php
    - classes/controller/FrontController.php
    - classes/shop/Shop.php
    Best way to clean infected files is to restore them from a backup.
    If that is not possible or you do not have a recent backup (!!!!!!), download Prestashop from the official site (same version) and overwrite infected files.
    I hope this can help other users, as Marcos says
  17. Upvote
    peteyt gave kudos to stackz in Eset's Password Manager issues   
  18. Upvote
    peteyt received kudos from ebill in ESET Internet Security subscription expiring, not sure how long to renew   
    I presume these are some of the newer security stuff with Windows. Each new version does have newer protection so comparing to older versions isn't really applicable. I'd also add people would be put off by an AV not signed properly as it could look dodgy and you need to be able to trust your AV
    You mention a Hotel Clerk using XP but surely any system a hotel would use would contain data, either just user data and/or card details.
    I think in these days it's bad advice/practice to advise people to use an OS no longer officially supported and officially patched
  19. Upvote
    peteyt gave kudos to Marcos in keys not work   
    If one buys programs second-hand on the Internet, you can't expect activation to work. It's like with Windows for instance; you can purchase it from an arbitrary person for a few bucks to save money but if the license leaked and the seller was selling it to numerous people while violating the EULA it's not the vendor's duty to support those who bought it.
    When it comes to the license 3A7-7DK-C3B, it is valid and can be used by the person who bought it, ie. the one with the email address cXXXXXXXX4@sXXXXXXh.com.
  20. Upvote
    peteyt gave kudos to TheNikita in Technology for rolling back malicious actions   
    Hello! I am interested in one question: Does ESET have a technology to rollback malicious actions of a program (similar to the one in Kaspersky Lab products) whose behavior was deemed as malicious by the deep behavioral check? For example, moving the files created by such a program to quarantine, deleting registry entries associated with it and those created by it, etc. And if there is no such feature, will it be added in the future? Thank you in advance!
  21. Upvote
    peteyt gave kudos to Marcos in Locked task manager, registry editor and so on.   
    Ok, you're right. We'll add support for cleaning it via a module update soon.
    I've tested it with eicar by replacing the default "explorer.exe" value and it was cleaned alright upon detection and cleaning of the eicar file.
  22. Upvote
    peteyt gave kudos to Marcos in for those who thinking Windows7 and Nod32 is safe   
    Let me sum it up:
    If you install a security system in your house and put the code in front of the house, don't blame the security system because the thief was able to disarm it and steal things from your house.
    I barely remember a case where the encryption was caused by ESET's fault. An unpatched system where the attacker was able to remote in and disable ESET prior to running ransomware.
    In order for ESET to protect users, the following conditions must be met:
    - using a fully supported operating system and applications with all available security updates installed
    - secured RDP allowing access only from the local network or from specific IP addresses
    - using a password to protect ESET settings when other users can access the machine
    - enabling detection of potentially unsafe applications to detect and block tools that might kill or remove the AV
    - practicing safe computing when it comes to passwords, permissions, applications that one installs and uses, etc.
    We recommend using a higher tier product than ESET NOD32 Antivirus, which provides only essential security and comes without network protection that is able to stop brute-force attacks.
    Having said that, we'll draw this topic to a close.
  23. Upvote
    peteyt received kudos from Peter Randziak in for those who thinking Windows7 and Nod32 is safe   
    While there are things I'd like to see added to eset which have been debated on and off for a while by others, part of the issue is a lot of the complaints of eset not protecting well are made by people who don't know the factors for the issue.
    As mentioned here, the requester has already confirmed they are using Windows 7, a version that is no longer supported and updated, so there will be vulnerabilities. Using an unsupported OS is like having a prison with a hole in the fence. It can have security but there's a gaping hole.
    The requester has also mentioned using remote access. This may have been using a weak or even a leaked password and might have not been set up to block things like certain IPs and also multiple unsuccessful login attempts.
    As mentioned, if Eset was not password protected, they could easily remote on, disable Eset protections that would have possibly blocked the ransomware and then clear any logs to hide what they had done.
    As mentioned they used Nod32 so no network protection or brute force protection, and there's no mention of the version of eset so it could have been an older version with less protection.
    The thing is Eset may or may not have blocked it if it was on a newer OS with the features mentioned enabled, but security starts with the user and you can't blame an AV when you're using old unsupported stuff with bad habits.
  24. Upvote
    peteyt gave kudos to Marcos in for those who thinking Windows7 and Nod32 is safe   
    Microsoft ended support for Windows 7 on Jan 14, 2020:
    https://support.microsoft.com/en-us/windows/windows-7-support-ended-on-january-14-2020-b75d4580-2cc7-895a-2c9c-1466d9a53962
    As of then the OS became vulnerable since no security updates were released. Also you have NOD32 Antivirus installed which provides basic protection, ie. network protection is missing as well as ESET LiveGuard (available in ESET Smart Security Premium) which performs analysis of suspicious downloaded files in a cloud sandbox before the files are allowed to run.
  25. Upvote
    peteyt gave kudos to Raf45 in Scheduled Scans   
    I would like to suggest a feature that would make management in ESET HOME easier. I mean the ability to order a scan via ESET HOME or view the post-scan logs when a threat is detected. This would make it easier to manage the home computers in the family, e.g. if we have several computers and laptops, it would be easier to issue a few commands in ESET HOME to run a scan on the computers of children or other family members. I miss the possibility of deeper installation management through the ESET HOME platform; maybe something like this could be introduced in a package for families?