Jump to content

Aryeh Goretsky

ESET Moderators
  • Content Count

    750
  • Joined

  • Last visited

  • Days Won

    48

Kudos

  1. Upvote
    Aryeh Goretsky gave kudos to Marcos in Your LiveGrid system needs tweaking   
    Reputation has no effect on protection and showing for instance Windows or other popular applications as red after an update would not be good.
  2. Upvote
    Aryeh Goretsky gave kudos to itman in Hoping ESET will work   
    Eset scans the boot sectors; e.g. MBR, for malware on BIOS based devices. It does not scan the BIOS since those settings are firmware related and are retained in chip memory on the motherboard. There is no way Eset can physically access that area.
    BIOS based malware is very rare and usually is a result of a hacked BIOS firmware update. If you have reason to believe you have BIOS based malware, you should download the latest BIOS firmware update from your device manufacturer's web site and re-flash the BIOS.
    Note that BIOS setting corruption is often caused by a dead battery attached physically to the motherboard. This battery supplies power to the chip memory when the device is A/C powered off to retain existing BIOS settings in the chip memory.
    UEFI based systems also deploy a BIOS like component but add an interface component to the OS stored in a hidden partition on the drive Windows is installed on. Ref.: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/configure-uefigpt-based-hard-drive-partitions . Eset scans this UEFI partition for malware. It again has no way to physically access settings stored in firmware.
    Also note that the source of the Lojax UEFI malware was a firmware setting built in by the device's manufacture. As far as the second known UEFI malware, it requires physical access to the device;
    https://arstechnica.com/information-technology/2020/10/custom-made-uefi-bootkit-found-lurking-in-the-wild/
    Here's a good article on the difference between BIOS and UEFI based systems: https://www.howtogeek.com/56958/HTG-EXPLAINS-HOW-UEFI-WILL-REPLACE-THE-BIOS/
    Finally note that although Eset can detect known UEFI based malware, it cannot remove them. Again, the only way to do so is to re-flash the UEFI with the original or latest device manufacture's update. Ditto for BIOS based boot sector malware. The MBR needs to be restored with a backup of it. If no backup exists, then by rebuilding the individual boot sector components via Win 10 recovery environment.
  3. Upvote
    Aryeh Goretsky gave kudos to itman in Should I be concerned with newly jumpdrive from China?   
    If the Chinese wanted to embed something on the drive, they would do so in the drive firmware at manufacturing time. Ref.: https://lifehacker.com/how-to-check-your-usb-devices-for-unsafe-firmware-1841773522
    As a rule, I reformat new USB drives primarily to get rid of any crud utilities the manufacture's love to load on these drives. Also, to set the drive to NTFS format which is more secure than the default FAT32 format.
  4. Upvote
    Aryeh Goretsky gave kudos to itman in Method of detection   
    Eset scans files using normal and advanced heuristics at file creation time.
    However, some malware may have obfuscated or encrypted code that will not reveal itself until process execution time. As @Marcosnoted, Eset has additional mitigations to scan for malware after it has uncloaked in memory. However, these are post-execution mitigations. 
    Eset also has a subscription option named Dynamic Threat Defense: https://help.eset.com/edtd/en-US/overview.html that will perform a full cloud sandbox analysis on executable's prior to their actual execution. It can be optionally set to block process execution until full sandbox analysis verdict is rendered.
    It also needs to be explored in more detail just how this "solution" is creating these malware samples in this special folder. For example, what makes this folder/directory "special' from any other folder created on the device? If this folder is locked by the OS for some reason, Eset can't access what is being created in it.
  5. Upvote
    Aryeh Goretsky gave kudos to itman in The very nice folks at Eset have told me that my Win 7 32bit OS is out the window.   
    FYI
    https://www.reddit.com/r/msp/comments/b660m8/blue_screen_of_death/
    Also there have been reports that BSOD's were caused by existing driver issues after installing these updates. So all drivers; especially video drivers, should be updated to latest versions prior to installing these updates:
    https://answers.microsoft.com/en-us/windows/forum/all/security-update-2019-03-windows-7-causing-blue/6398adc5-d14f-4409-8277-6e8b46181fa2
    https://www.sevenforums.com/bsod-help-support/419195-i-need-help-bsod-start-up-unless-f8-last-known-good-configuration.html
    Again this is not an Eset issue. Eset is only responding to what Microsoft has dictated.
    Also anyone currently on Win 7 needs to upgrade their OS. Win 7 is no longer supported by Microsoft and even third party support of Win 7 is becoming non-existent.
     
  6. Upvote
    Aryeh Goretsky gave kudos to Marcos in ESET For iOS   
    They don't have real-time protection nor on-demand scanner as far as I can see.
  7. Upvote
    Aryeh Goretsky gave kudos to Marcos in Mac OS 11 Big Sur **BETA IS LIVE**   
    Unfortunately even our developers have not received a final version of Big Sur yet so we can't have a version fully compatible with it. It would be great if we got RTM versions of Mac OS in advance which is unfortunately not the case.
  8. Upvote
    Aryeh Goretsky gave kudos to Marcos in Router affected?   
    ESET will not affect your router in any way. While you can check the router for weaknesses via the Connected home feature, ESET will protect only the machine where it is installed.
  9. Upvote
    Aryeh Goretsky gave kudos to Marcos in blitzhandel24.pt - Caution!!!   
    Please contact ESET Portugal: https://www.eset.com/pt/. They should be able to tell if it's an authorized reseller or not.
    As for the licenses that don't work, please provide the public license IDs.
  10. Upvote
    Aryeh Goretsky gave kudos to WhiteHat_PT in blitzhandel24.pt - Caution!!!   
    Hi Jorge Melo. Thanks for your feedback and contacting us at ESET Portugal, Unfortunately we have in fact identified similar situations from other purchases of ESET licenses sold by Blitzhandel24 e-commerce sites.
    The situation is under investigation and we advise our customers and potential customers to buy only from ESET official websites or official e-stores - in Portugal that will be https://www.eset.com/pt, as Marcos wrote.
    It's likely that one can find other e-commerce websites in Portugal selling ESET solutions (home products) but please be aware if the seller is registered in Portugal and not only using a .PT domain (while having commercial registration in any other country).
    * Customer advisory *
    Please consider that buying a cheaper ESET license from anywhere else from official websites or partners can result on:
    Product activation failure; Lack of official customer support; Unnecessary additional cyber-security risk; Be safe and protected!
  11. Upvote
    Aryeh Goretsky gave kudos to Marcos in Firewall Rules to allow Windows Update   
    Firewalls in general work with IP addresses, not with hostnames. Since IP addresses may change in time, I would not recommend creating firewall rules to restrict communication of the OS with Microsoft's servers.
  12. Upvote
    Aryeh Goretsky gave kudos to Marcos in Microsoft Teams issues   
    The firewall logic has not changed over years. We assume that Teams has been updated and now works in the way that a connection is initialized by the server. In automatic mode, all outbound communication is allowed and all non-initiated inbound communication blocked, hence a rule for Teams may need to be created. It is beyond us to have a list of all 3rd party applications where the communication is initiated from outside and maintain the rules for them.
     
  13. Upvote
    Aryeh Goretsky gave kudos to SteveSi in Sysrescue Boot to USB Problem   
    Did your Yoga come with Windows 10 32-bit or Windows 10 64-bit?
    To UEFI-boot, the USB drive needs to have a FAT32 partition with a \EFI\BOOT folder on it containing one or more .EFI boot files.
    For systems with a UEFI 64-bit BIOS - you need \EFI\BOOT\BOOTX64.efi
    For systems with a 32-bit UEFI BIOS - you need \EFI\BOOT\BOOTIA32.EFI
    If your system came with 64-bit Windows installed then it needs to boot from the BOOTX64.EFI file.
    If your system came with 32-bit Windows, it probably has a 32-bit UEFI BIOS and so needs to boot from BOOTIA32.EFI.
    Many ISOs are 64-bit UEFI only...
  14. Upvote
    Aryeh Goretsky gave kudos to Marcos in Activation failed - Leaked license   
    The license indeed leaked. We do not sell on ebay. The license was issued in the US to Otto B. and has been used for activation almost 3,500 times.
    Please ask for a refund and purchase a license via www.eset.com or through any of our authorized sellers.
  15. Upvote
    Aryeh Goretsky gave kudos to itman in Blocking IP address 34.102.136.180. Something to do with WPAD   
    This is related to WPAD DNS activity:
    https://findproxyforurl.com/wpad-introduction/
    Appears WPAD has a number of security risks with the recommendation it be permanently disabled if not using IE11 or Edge as your browser: https://auth0.com/blog/heads-up-https-is-not-enough-when-using-wpad/
  16. Upvote
    Aryeh Goretsky gave kudos to TomPark in Blocking IP address 34.102.136.180. Something to do with WPAD   
    Hi All,
    Thank you for the information, like has already been said I think the notification from ESET is a side affect of something else that is changing the domain suffix when connect to the VPN.
    Something that might be of consideration is disabling the 'Auto-Detect' proxy configuration in Chrome / IE which will then stop the browser from looking for these configurations as 'wpad.domain.com' is the default search browser use if this setting is enabled and the information is not provided via DHCP. This should fix the issue for anyone that is still seeing this on their machine. Please note to disable the setting a browser restart will be required.
    As @Marcos said the IP will be unblocked, if anyone is able to test the solution above that would be appreciated. 
    Regards,
  17. Upvote
    Aryeh Goretsky gave kudos to TomPark in Blocking IP address 34.102.136.180. Something to do with WPAD   
    Hi Guys, 
    A quick question are all of these machines that are affected domain joined machines?
    Also is anyone using wpad to configure a proxy on the machines connecting to the VPN?
    Regards,
  18. Upvote
    Aryeh Goretsky gave kudos to itman in Best Business VPN for Remote Connection   
    https://www.comparitech.com/blog/vpn-privacy/remote-access-vpn/
  19. Upvote
    Aryeh Goretsky gave kudos to Marcos in Problem updating audio drivers and HIPS   
    Please carry on as follows:
    - enable logging of blocked operations in the advanced HIPS setup
    - reproduce the issue
    - disable logging
    - collect logs with ESET Log Collector and upload the generated archive here.
  20. Upvote
    Aryeh Goretsky gave kudos to abshakya in Sites block   
    I will contact the conjars.org. Thank you for support.
  21. Upvote
    Aryeh Goretsky gave kudos to jaftwo in Win10 Defender   
    Thanks. I spend too much time juggling backups, changing passwords, updating drivers, and security -- didn't want more things.
  22. Upvote
    Aryeh Goretsky gave kudos to Marcos in Win10 Defender   
    There will be no effect on 3rd party AVs. As long as another AV is registered in the system, Defender will stay disabled.
  23. Upvote
    Aryeh Goretsky gave kudos to Marcos in Stagefreight Not Detected   
    Applications on Android are quite limited in terms of functionality. Antivirus can detect malicious applications and files but it cannot access SMS/MMS or check network communication for instance. These are limitations of the operating system.
    As Wiki says: Stagefright is the name given to a group of software bugs that affect versions 2.2 "Froyo" of the Android operating system. It's hard to believe that you would have such an old version of Android. It's not even supported by ESET so you would not install EMS on it either.
  24. Upvote
    Aryeh Goretsky gave kudos to Marcos in Too many notifications   
    Please check the Detections logs which should provide more information about the email which was detected. There should be the time of receipt, subject and both the recipient and sender logged. If you receive email through IMAP(S) and the detection was called HTML/Fraud.something, it's most likely a known issue which will be addressed via an automatic module update soon. If you have a chance to log in via a web interface to the mail server and remove the troublesome email, please do so.
  25. Upvote
    Aryeh Goretsky gave kudos to peteyt in ESET Internet Security uses almost 1GB of RAM. What's going on?   
    Also does version 13 have the same issues?
×
×
  • Create New...