
Aryeh Goretsky

ESET Moderators
Posts: 874
Days Won: 66

Everything posted by Aryeh Goretsky

  1. Hello, Just saw the mention. I will admit my PowerShell skills are pretty amateur, but since you are instantiating it from ESET PROTECT, I'm wondering if the "-command" argument is still needed. You might want to check with business support on this and see what they advise. Regards, Aryeh Goretsky
  2. Hello, Did you post a message in ESET's forum by mistake? We make security software, not ERP software. Try visiting https://community.cdata.com/ for assistance with Snowflake, since that's the developer's support forum. Regards, Aryeh Goretsky
  3. Hello, The holiday season is upon us, and 2024 is almost here. Before we step away from our desks to spend time with our friends and families, I wanted to wish every one of you a joyous holiday season and forthcoming new year. I think it is fair to say that in 2023, the world has faced some unparalleled computer security threats, and ESET has worked diligently to protect you from them. Whether you have used our software for decades, or are new to ESET, thank you for trusting us to protect you throughout 2023 and we look forward to providing you with the very best security into 2024 and beyond. Best wishes for the season, Aryeh Goretsky
  4. Hello, Since the Lenovo forum thread specifies fully-qualified domain names, perhaps you could just add the following entries to your hosts file:

      0.0.0.0 download.lenovo.com
      0.0.0.0 filedownload.lenovo.com
      0.0.0.0 cms.csw.lenovo.com
      0.0.0.0 laapi.csw.lenovo.com
      0.0.0.0 vantage.csw.lenovo.com

     I will point out this would block all access to these domains on the computer, not just for the Lenovo Commercial Vantage app. Regards, Aryeh Goretsky
  5. Hello, By any chance do your own smartphones have a MAC address randomization feature turned on? Regards, Aryeh Goretsky
  6. Hello, From looking at the image at https://www.eset.com/fileadmin/ESET/INT/Banners/Home/header1.jpg, it appears to be an artistic rendition of the layers of protection provided by the software. You would probably need to contact the marketing department for a more thorough answer, though. Regards, Aryeh Goretsky
  7. Hello, I do not have any information about EOL dates to share (that sort of information can be found on the https://support-eol.eset.com/ web site), but I did want to share a resource with you. About five years ago I wrote a paper on how to securely maintain computers running Microsoft Windows XP after Microsoft had ended support for it. You can find the blog post about it here (the paper itself is linked to at the end of the second paragraph). While the paper itself focuses on securing Windows XP, a lot of the advice, concepts, suggestions, and recommendations are applicable to other obsolete operating systems like Windows Vista, Windows 7, and so forth. It has been five years since Microsoft ended support for the latter, and hardware manufacturers have not been making compatible devices for a while, etc. I would presume at some point Microsoft's activation servers will go offline as well. The paper outlines some strategies about maintaining parts surpluses, rotating working hardware, and maintaining proper network segmentation, all of which can help ensure that old computers remain running until they can be replaced by modern hardware and operating systems. As someone who personally loves playing with all sorts of vintage and retro computers and archaic operating systems, writing it was a way for me to help out other hobbyists with similar interests. Regards, Aryeh Goretsky
  8. Hello, Please see https://forum.eset.com/topic/38251-sysrescue-do-not-update-their-database-anymore/#comment-173468 Regards, Aryeh Goretsky
  9. Hello, Consumer versions of ESET's software are offered to small businesses with low seat counts because it is unlikely a business with 1-10 PCs has a full-time IT staff to manage an ESET PROTECT server. For that matter, they may not even have an Active Directory/Entra domain and WSUS servers; the entire network may consist of just a workgroup of PCs running Home or Pro editions of Windows, with one PC or a NAS providing file and print services. In this type of small office/home office environment where there is no dedicated information technology (or information security) staff, the operating system updates are handled by Microsoft. Handing control of this over to Microsoft ensures those PCs are running supported versions of Windows with the latest security patches. In other words, security is managed in the same way as for home users. Larger organizations have full-time staff to manage PCs, and also make decisions about which versions of Windows at what patch level, and when those machines will receive updates. The editions of Windows they run are for the enterprise, and the organization has a robust management infrastructure in place to support that. In other words, they are making very careful decisions about risk, and managing their security to mitigate risk based on those decisions. That's the environment for which ESET's endpoint programs are intended. From the program code perspective, there's nothing that technically prevents a consumer version of ESET's software from running in a business environment or a business version of ESET's software from running in a home environment. Now, there may be licensing requirements that differ, but that is because programs are intended for use in the appropriate market segment. Enterprise management features are not going to be roadmapped to be added to consumer versions.
Now that your comment in the Future Changes to NOD32 thread has been answered, and your reply here in this thread has been replied to, I am going to redirect you back to your own thread on the matter. Any further discussion of this matter in this thread will be removed. Regards, Aryeh Goretsky
  10. Hello, As I believe my colleague Marcos noted, this is already available in the business versions of the software. If you need that functionality for your organization, I would suggest reaching out to your local ESET office, distributor, or VAR, and see if you can migrate from a home to a business version. Regards, Aryeh Goretsky
  11. Hello, Just to add to my colleague @Marcos's reply, the detection technology that ESET provides to VirusTotal is not exactly the same as what is generally available to customers. While I am unable to go into specifics because they get into some confidential discussions as well as details of our proprietary technologies, I will point out that ESET has partnered with VirusTotal for many years, dating back to when our NOD32 engine was often more recognized than our company name of ESET. That probably has more to do with why VirusTotal's reports say "ESET NOD32" in them for our detections. That was many years ago, and since then ESET is a lot more well-known and has added many products to its portfolio, such as ESET Smart Security Premium, ESET Endpoint Security, ESET LiveGuard, ESET Inspector, ESET PROTECT, and so forth. I can definitely reach out to ESET's marketing and public relations people to see about the possibility of getting the name changed to something else for branding reasons. Regards, Aryeh Goretsky
  12. Hello, Deleting the data in the partition table about the size and locations of the drives, and/or formatting those drives will remove anything that was stored in them. However… the master boot record (also known as a disk boot record, partition boot record, etc.) contains a few hundred bytes of program code before the partition table begins. That may or may not be cleared or overwritten when you delete all of the partitions on a drive. As such, I always recommend wiping the first sectors at the beginning of a drive prior to installing an operating system in order to erase any code that might be present at the beginning of the drive. Here are some instructions on how to do this from a Windows installation USB/DVD/CD:

      How to wipe a drive using Windows installation media

      Formatting and even repartitioning a drive under Windows does not erase its MBR (Master Boot Record), which can be infected and replaced by bootkits. Here are instructions to erase a drive, step-by-step, so that it can be re-used.

      1. Create a new Windows Installation DVD/USB flash drive on a known-good system.
      2. Go to the problematic computer, power it up, configure it to boot first from its DVD or USB in its BIOS/UEFI firmware, and then turn it off.
      3. If the computer has multiple drives inside of it, and you only wish to erase one of them, open the computer up and disconnect the power or data cables from the other drives (you do not need to disconnect both, although you can if you want to).
      4. Plug the USB flash drive into the computer and power up to have it boot directly from the USB flash drive (or insert the DVD and let the computer boot from it).
      5. Once the computer finishes booting, it should be at a Windows installation screen. Do not agree to any prompts, copyright licenses, or click on any buttons.
      6. Press the Shift + F10 keys together to open a Command Prompt.
      7. Run DISKPART to start DiskPart, the command-line disk partitioning utility. The command line prompt will change from a drive letter to DISKPART>.
      8. At the DISKPART> prompt, type LIST DISK to get the numbers of all drives in the system. Make a note of the number assigned to the infected drive.
      9. At the DISKPART> prompt, type SEL DISK n where n is the number of the infected drive--it is usually 0 or 1 but it could be something else.
      10. At the DISKPART> prompt, type CLEAN and this will erase the MBR code from the beginning of the drive.

      *WARNING:* After performing the clean operation, the drive will now be blank/erased, and everything on it will be gone (all files, etc.). It may still be recoverable by specialist data recovery services, though. If you are planning on selling the drive and do not want the data to be recoverable, issue a CLEAN ALL command instead. Note that you should ONLY DO THIS IF YOU DO NOT WANT TO BE ABLE TO RECOVER ANY DATA. If you are just reinstalling (regardless of whether you're dealing with malware) then just use CLEAN; if you are selling or donating the drive and do not want the data to be recoverable, use CLEAN ALL.

      The drive is now clean. You can now exit the DiskPart program and continue with your Windows installation.

      Source: instructions I wrote for the r/24hoursupport wiki on Reddit at https://old.reddit.com/r/24hoursupport/wiki/index#wiki_how_to_wipe_a_drive_using_windows_installation_media

     Now admittedly, malware such as computer viruses and bootkits that infect an MBR are extraordinarily rare these days: malware authors usually do not have to dig so deeply into a drive's internal structure to accomplish what they want. However, since this process takes less than a minute with practice, it is an easy step to add to any reinstallation of the operating system. Regards, Aryeh Goretsky
  13. Hello, Please share the log file entries. Open the ESET user interface and select Tools → Log files to view the detection entries. Then right-click on each one and select Copy from the context menu that pops up. You can then paste these into your reply to this message. Regards, Aryeh Goretsky
  14. Hello, In addition to what my colleague @Marcos noted, you may also want to review ESET Knowledgebase Article # 2882, How to configure ESET Windows home products to automatically scan removable media devices. Regards, Aryeh Goretsky
  15. Hello, I would not say your Windows password is irrelevant. If you are logging in to a domain-joined machine, or using your Microsoft account (email) to log in, then an attacker being able to obtain your password could lead to the account being compromised, theft of your data, theft from other accounts, and so forth. As far as MAC addresses go, they are pretty useless to an attacker in most scenarios, as it is not going to give them any information they can use for user-centric attacks. It may be more useful for some kinds of network attack planning. In any case, MAC addresses are not usually available to other devices outside of your local network, so someone who is halfway around the world having it, or even just across town, is not going to be able to do too much with it. Regards, Aryeh Goretsky
  16. Hello, I have just heard that it has been fixed. Regards, Aryeh Goretsky
  17. Hello, ESET will notify Dr. Web, but it is going to be up to them to implement a fix in their detection logic. Regards, Aryeh Goretsky
  18. Hello, Just saw this. Enabling the options there will cause those objects to be scanned when they are accessed. So, it would not be a continuous scan, but rather a scan upon any attempt to access the Boot Sector or UEFI, or upon accessing a file that has been runtime-packed. Regards, Aryeh Goretsky
  19. Hello, It is my understanding that this is a regional promotion offered by ESET's North American office for its Canadian and United States-based customers. There are some U.S.-based retailers that are participating, too: Micro Center and Newegg. ESET's various offices and distributors around the world perform promotions specific to their regions all the time for various holidays. You can always ask your local office or distributor when they perform theirs, or if they can match the promo from another region (this does not mean that they will automatically do this, just that it doesn't hurt to ask). Regards, Aryeh Goretsky
  20. Hello, The only version of ESET SysRescue Live available for download is v1.2.22.0. Here are the direct download links for that version:

      ISO for burning to a CD/DVD: https://download.eset.com/com/eset/tools/recovery/rescue_cd/latest/eset_sysrescue_live_enu.iso
      IMG for writing to a USB flash drive: https://download.eset.com/com/eset/tools/recovery/rescue_cd/latest/eset_sysrescue_live_enu.img

     Either image can be written to the appropriate media using standard tools. Regards, Aryeh Goretsky
  21. [Although my colleague @Marcos has locked the thread, I am unlocking it just to add this reply because I didn't see the reply notifications. Then locking it back up. ^AG] Hello, I just saw and read through the new posts since my last reply, and having read through everything at once I wanted to clarify something I observed. It seems the terms "scanning," "accessing," and "detecting threats" were being used by multiple forum members, all of whom are from different parts of the world and may all speak English a little differently from each other. From ESET's point of view, if you can access something, it can be scanned. If something can be scanned, then ESET's software will detect threats in it. Some people may view this as a chain of separate steps, but other people may view these terms as all meaning the same thing (access = scan = threat detection). I think it is because there was some confusion in how the English language was being used by different forum members that this thread seemed to be going in circles: some people thought they were asking separate questions, other people thought they were asking the same question. So, in helping draw this to a close, I will note (as I did earlier) that ESET's software is able to access, scan and detect threats in Master Boot Records (both legacy MBR and GPT-partitioned), boot records ("classic" boot sectors like you see on floppies and modern Volume Boot Records), and firmware (both the classic BIOS and modern UEFI types). Regards, Aryeh Goretsky
  22. Hello, Quick update: I spoke with one of the researchers involved with ESP (EFI System Partition) malware analysis, and he recommended removal and replacement of the entire partition to ensure the integrity of the computer. Regards, Aryeh Goretsky
  23. Hello, In response to your questions: Yes. I can't find any great mentions of BIOS-based malware, but this blog post on WeLiveSecurity from the end of 2011 mentions Mebromi, a BIOS-based rootkit. ESET was the first to discover UEFI-based malware in the wild. You can read more about that discovery in this blog post. Yes. It is not something commonly seen today, but discussions about various forms of bootloader malware can be found here, here, and here on WeLiveSecurity, ESET's searchable blog that provides news, commentary and the occasional opinion on security. From a scanning point of view, GPT (GUID Partition Table) is a kind of extension of the MBR specification, and is scanned, cleaned and protected the same way. Yes. ESET's programs provide advanced threat protection that can scan (access) these areas of the computer (MBR/GPT, boot sector/VBR, BIOS/UEFI firmware, the EFI system partition). Threats in them can be detected and removed (this may require reflashing firmware or deleting and recreating the ESP). Threats targeting all of these can be prevented by ESET's software while it is running. For example, a computer running Microsoft Windows and ESET Smart Security Premium would detect malware that intended to rewrite the boot code or the firmware, and warn you about it. For more information about the types of protective systems that are built into ESET's software, please see this page about ESET's technology: English | Turkish Regards, Aryeh Goretsky
  24. Hello, Let me see if I can provide some clarification here: Since the DOS-era, ESET's software has detected and removed threats from the Master Boot Record (MBR), which is the first sector on a hard disk drive (or SSD, these days) that contains some bootstrapping code, plus the partition table of data that tells the computer how the hard disk is formatted. This works for both older MBR and newer GPT partitioned disks. ESET's software also detects and removes threats from the boot sector (volume boot record) of each partition on a drive. Coincidentally, the very first computer virus I ever dealt with on my very first day in the antivirus industry back in 1989 was a boot sector infector. You can read about how I nearly bungled that here. ESET does detect threats in firmware. The two types of firmware encountered are BIOS (Basic Input Output System) firmware, introduced with the IBM PC's Industry Standard Architecture in 1982, and UEFI (Universal Extensible Firmware Interface), which was introduced in 2005 by Intel to replace the older standard. Removing a threat from firmware requires rewriting it. In the case of BIOS-based firmware, that is usually going to require going to the computer or systemboard manufacturer, getting a clean copy of the BIOS firmware image, and reflashing the BIOS. For UEFI firmware, the process would be similar. A UEFI-based system often has an ESP (EFI System Partition) associated with it, sometimes just referred to as a system partition. The ESP is a special partition that can contain boot loaders (handy if you have a drive partitioned to multiboot different operating systems) as well as additional device drivers needed by the firmware to initialize the computer's hardware that are too big to reside in the firmware itself. As far as removing a threat from the ESP goes, that is a little harder to say because we have seen so few of these types of malware. 
Depending upon the infection we may be able to remove it, but it could require working with one of our specialists. It might be quicker to delete the EFI System Partition and replace it with a new, uninfected one. As far as preventing threats to these areas of the system goes, ESET can indeed block them. The proviso here is that the operating system would already need to be loaded and ESET's software running when the attack occurred. The scenario for this kind of attack would be a dropper trying to write to the MBR, VBR or ESP, or trying to flash the BIOS or UEFI firmware with its malicious payload. For more information about these types of threats and how ESET combats them, I would suggest becoming a regular reader of our blog, WeLiveSecurity. Regards, Aryeh Goretsky
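The MBR layout described in reply 24 (bootstrap code followed by the partition table) and the "wipe the first sectors" advice in reply 12, as an added illustration that is not part of Aryeh's posts or ESET's code: a parser for a constructed 512-byte MBR, plus two stand-in functions that model a quick format and a first-sector wipe, showing that only the wipe clears the boot code. The sample MBR bytes and the filler "user data" are constructed here, and the two modelling functions approximate the described effects rather than DiskPart's actual implementation.

```python
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
ENTRY_LEN = 16
SIGNATURE = b"\x55\xAA"      # bytes 510..511 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Decode sector 0: boot-code presence, partition entries and signature."""
    if len(sector) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * ENTRY_LEN
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:          # empty entry
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": count})
    return {
        "valid_signature": sector[510:512] == SIGNATURE,
        "has_boot_code": any(sector[:BOOT_CODE_LEN]),   # any non-zero byte before the table
        "protective_gpt": any(p["type"] == 0xEE for p in parts),  # GPT disks carry a protective MBR
        "partitions": parts,
    }


def build_sample_mbr() -> bytes:
    """Constructed sample, not taken from a real disk: stand-in boot code, one bootable
    NTFS-type (0x07) partition at LBA 2048, three empty entries, then the signature."""
    boot_code = bytes([0xEB, 0x3C, 0x90]) + b"\x90" * (BOOT_CODE_LEN - 3)
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return boot_code + entry + b"\x00" * (ENTRY_LEN * 3) + SIGNATURE


def format_partition(disk: bytes, lba_start: int, sectors: int) -> bytes:
    """Model of a quick format: clears the partition's own sectors, leaves sector 0 alone."""
    start = lba_start * SECTOR
    end = min((lba_start + sectors) * SECTOR, len(disk))
    if start >= end:
        return disk
    return disk[:start] + b"\x00" * (end - start) + disk[end:]


def wipe_first_sectors(disk: bytes, count: int = 2048) -> bytes:
    """Model of the 'wipe the first sectors' step: zero-fill the start of the disk.
    A stand-in for the effect described in the post, not DiskPart's exact behaviour."""
    n = min(len(disk), count * SECTOR)
    return b"\x00" * n + disk[n:]


if __name__ == "__main__":
    # Constructed disk image: sample MBR followed by four sectors of filler "user data".
    disk = build_sample_mbr() + b"\xAA" * (SECTOR * 4)
    print("fresh:    ", parse_mbr(disk[:SECTOR]))
    print("formatted:", parse_mbr(format_partition(disk, 1, 2)[:SECTOR])["has_boot_code"])
    print("wiped:    ", parse_mbr(wipe_first_sectors(disk, count=1)[:SECTOR])["has_boot_code"])
```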