Aryeh Goretsky gave kudos to JamesR in Win64/CoinMiner.ZF
I agree with Marcos, this looks like a WMI persistent threat. Manually telling ESET to update its detection engine, should correct the issue of the threat continually being detected. Although, there is a good chance you may already have the update (ESET checks for these updates once per hour).
If this does not fix the issue, definitely generate an Autoruns log.
Lastly, its not uncommon for Servers to have been infected due to unexpected ports being exposed to the internet. I highly recommend you audit your public IP Addresses with some simple nmap scans to verify what ports are exposed to the internet.
nmap -sV -Pn -F %PublicIPAddress%
Aryeh Goretsky gave kudos to RJanata in Dropbox can't establish secure internet connection
Same problem here (Dropbox v111 - the lastest stable to the date). On the second computer, no problem with Dropbox v112 (early updates enabled).
It's apparently a problem on Dropbox side since they have release the version 112 fixing this issue:
If you cannot update to Dropbox version 112, you can temporarily set Dropbox client to ignore in SSL/TLS filter.
Aryeh Goretsky gave kudos to Marcos in Updated programs - Keep Rules
We are aware of the problem with Windows applications and the changing path with each update. There is a plan to come with up a solution to this in long term. Also I can assure you that we value any constructive feedback or suggestion and it's discussed with product managers and developers.
Aryeh Goretsky gave kudos to itman in Eternal Blue checker help?
Here's a Microsoft article detailing Windows versions vulnerable to EternalBlue: https://support.microsoft.com/en-us/help/4023262/how-to-verify-that-ms17-010-is-installed
Also I realized why srv.sys no longer exists on my device. Windows will auto remove SMBv1 10 days after installation if it is not used. Additionally if srv.sys exists on later Win 10 installations, you are not vulnerable since this driver has been patched against this exploit.
Aryeh Goretsky gave kudos to itman in Hoping ESET will work
Eset scans the boot sectors; e.g. MBR, for malware on BIOS based devices. It does not scan the BIOS since those settings are firmware related and are retained in chip memory on the motherboard. There is no way Eset can physically access that area.
BIOS based malware is very rare and usually is a result of a hacked BIOS firmware update. If you have reason to believe you have BIOS based malware, you should download the latest BIOS firmware update from your device manufacturer's web site and re-flash the BIOS.
Note that BIOS setting corruption is often caused by a dead battery attached physically to the motherboard. This battery supplies power to the chip memory when the device is A/C powered off to retain existing BIOS settings in the chip memory.
UEFI based systems also deploy a BIOS like component but add an interface component to the OS stored in a hidden partition on the drive Windows is installed on. Ref.: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/configure-uefigpt-based-hard-drive-partitions . Eset scans this UEFI partition for malware. It again has no way to physically access settings stored in firmware.
Also note that the source of the Lojax UEFI malware was a firmware setting built in by the device's manufacture. As far as the second known UEFI malware, it requires physical access to the device;
Here's a good article on the difference between BIOS and UEFI based systems: https://www.howtogeek.com/56958/HTG-EXPLAINS-HOW-UEFI-WILL-REPLACE-THE-BIOS/
Finally note that although Eset can detect known UEFI based malware, it cannot remove them. Again, the only way to do so is to re-flash the UEFI with the original or latest device manufacture's update. Ditto for BIOS based boot sector malware. The MBR needs to be restored with a backup of it. If no backup exists, then by rebuilding the individual boot sector components via Win 10 recovery environment.
Aryeh Goretsky gave kudos to itman in Should I be concerned with newly jumpdrive from China?
If the Chinese wanted to embed something on the drive, they would do so in the drive firmware at manufacturing time. Ref.: https://lifehacker.com/how-to-check-your-usb-devices-for-unsafe-firmware-1841773522
As a rule, I reformat new USB drives primarily to get rid of any crud utilities the manufacture's love to load on these drives. Also, to set the drive to NTFS format which is more secure than the default FAT32 format.
Aryeh Goretsky gave kudos to itman in Method of detection
Eset scans files using normal and advanced heuristics at file creation time.
However, some malware may have obfuscated or encrypted code that will not reveal itself until process execution time. As @Marcosnoted, Eset has additional mitigations to scan for malware after it has uncloaked in memory. However, these are post-execution mitigations.
Eset also has a subscription option named Dynamic Threat Defense: https://help.eset.com/edtd/en-US/overview.html that will perform a full cloud sandbox analysis on executable's prior to their actual execution. It can be optionally set to block process execution until full sandbox analysis verdict is rendered.
It also needs to be explored in more detail just how this "solution" is creating these malware samples in this special folder. For example, what makes this folder/directory "special' from any other folder created on the device? If this folder is locked by the OS for some reason, Eset can't access what is being created in it.
Aryeh Goretsky gave kudos to itman in The very nice folks at Eset have told me that my Win 7 32bit OS is out the window.
Also there have been reports that BSOD's were caused by existing driver issues after installing these updates. So all drivers; especially video drivers, should be updated to latest versions prior to installing these updates:
Again this is not an Eset issue. Eset is only responding to what Microsoft has dictated.
Also anyone currently on Win 7 needs to upgrade their OS. Win 7 is no longer supported by Microsoft and even third party support of Win 7 is becoming non-existent.
Aryeh Goretsky gave kudos to Marcos in Mac OS 11 Big Sur **BETA IS LIVE**
Unfortunately even our developers have not received a final version of Big Sur yet so we can't have a version fully compatible with it. It would be great if we got RTM versions of Mac OS in advance which is unfortunately not the case.
Aryeh Goretsky gave kudos to WhiteHat_PT in blitzhandel24.pt - Caution!!!
Hi Jorge Melo. Thanks for your feedback and contacting us at ESET Portugal, Unfortunately we have in fact identified similar situations from other purchases of ESET licenses sold by Blitzhandel24 e-commerce sites.
The situation is under investigation and we advise our customers and potential customers to buy only from ESET official websites or official e-stores - in Portugal that will be https://www.eset.com/pt, as Marcos wrote.
It's likely that one can find other e-commerce websites in Portugal selling ESET solutions (home products) but please be aware if the seller is registered in Portugal and not only using a .PT domain (while having commercial registration in any other country).
* Customer advisory *
Please consider that buying a cheaper ESET license from anywhere else from official websites or partners can result on:
Product activation failure; Lack of official customer support; Unnecessary additional cyber-security risk; Be safe and protected!
Aryeh Goretsky gave kudos to Marcos in Microsoft Teams issues
The firewall logic has not changed over years. We assume that Teams has been updated and now works in the way that a connection is initialized by the server. In automatic mode, all outbound communication is allowed and all non-initiated inbound communication blocked, hence a rule for Teams may need to be created. It is beyond us to have a list of all 3rd party applications where the communication is initiated from outside and maintain the rules for them.
Aryeh Goretsky gave kudos to SteveSi in Sysrescue Boot to USB Problem
Did your Yoga come with Windows 10 32-bit or Windows 10 64-bit?
To UEFI-boot, the USB drive needs to have a FAT32 partition with a \EFI\BOOT folder on it containing one or more .EFI boot files.
For systems with a UEFI 64-bit BIOS - you need \EFI\BOOT\BOOTX64.efi
For systems with a 32-bit UEFI BIOS - you need \EFI\BOOT\BOOTIA32.EFI
If your system came with 64-bit Windows installed then it needs to boot from the BOOTX64.EFI file.
If your system came with 32-bit Windows, it probably has a 32-bit UEFI BIOS and so needs to boot from BOOTIA32.EFI.
Many ISOs are 64-bit UEFI only...
Aryeh Goretsky gave kudos to Marcos in Activation failed - Leaked license
The license indeed leaked. We do not sell on ebay. The license was issued in the US to Otto B. and has been used for activation almost 3,500 times.
Please ask for a refund and purchase a license via www.eset.com or through any of our authorized sellers.
Aryeh Goretsky gave kudos to itman in Blocking IP address 126.96.36.199. Something to do with WPAD
This is related to WPAD DNS activity:
Appears WPAD has a number of security risks with the recommendation it be permanently disabled if not using IE11 or Edge as your browser: https://auth0.com/blog/heads-up-https-is-not-enough-when-using-wpad/
Aryeh Goretsky gave kudos to TomPark in Blocking IP address 188.8.131.52. Something to do with WPAD
Thank you for the information, like has already been said I think the notification from ESET is a side affect of something else that is changing the domain suffix when connect to the VPN.
Something that might be of consideration is disabling the 'Auto-Detect' proxy configuration in Chrome / IE which will then stop the browser from looking for these configurations as 'wpad.domain.com' is the default search browser use if this setting is enabled and the information is not provided via DHCP. This should fix the issue for anyone that is still seeing this on their machine. Please note to disable the setting a browser restart will be required.
As @Marcos said the IP will be unblocked, if anyone is able to test the solution above that would be appreciated.
Aryeh Goretsky gave kudos to TomPark in Blocking IP address 184.108.40.206. Something to do with WPAD
A quick question are all of these machines that are affected domain joined machines?
Also is anyone using wpad to configure a proxy on the machines connecting to the VPN?