Jump to content

Aryeh Goretsky

ESET Moderators
  • Posts

  • Joined

  • Last visited

  • Days Won



  1. Upvote
    Aryeh Goretsky gave kudos to Chaichana in Win64/CoinMiner.ZF   
    After I did manually updated and then reboot the machine. the problem is fixed.
  2. Upvote
    Aryeh Goretsky gave kudos to JamesR in Win64/CoinMiner.ZF   
    I agree with Marcos, this looks like a WMI persistent threat.  Manually telling ESET to update its detection engine, should correct the issue of the threat continually being detected.  Although, there is a good chance you may already have the update (ESET checks for these updates once per hour).
    If this does not fix the issue, definitely generate an Autoruns log.
    Lastly, its not uncommon for Servers to have been infected due to unexpected ports being exposed to the internet.  I highly recommend you audit your public IP Addresses with some simple nmap scans to verify what ports are exposed to the internet.
    nmap -sV -Pn -F %PublicIPAddress%
  3. Upvote
    Aryeh Goretsky gave kudos to RJanata in Dropbox can't establish secure internet connection   
    Same problem here (Dropbox v111 - the lastest stable to the date). On the second computer, no problem with Dropbox v112 (early updates enabled).
    It's apparently a problem on Dropbox side since they have release the version 112 fixing this issue:
    If you cannot update to Dropbox version 112, you can temporarily set Dropbox client to ignore in SSL/TLS filter.
  4. Upvote
    Aryeh Goretsky gave kudos to Marcos in Win64/CoinMiner.PO   
    This is a wrong assumption. We clean malware from the system completely, including unregistering possibly malicious tasks from the system, WMI or autostart locations.
  5. Upvote
    Aryeh Goretsky gave kudos to Marcos in Updated programs - Keep Rules   
    We are aware of the problem with Windows applications and the changing path with each update. There is a plan to come with up a solution to this in long term. Also I can assure you that we value any constructive feedback or suggestion and it's discussed with product managers and developers.
  6. Upvote
    Aryeh Goretsky gave kudos to itman in Eternal Blue checker help?   
    Here's a Microsoft article detailing Windows versions vulnerable to EternalBlue: https://support.microsoft.com/en-us/help/4023262/how-to-verify-that-ms17-010-is-installed
    Also I realized why srv.sys no longer exists on my device. Windows will auto remove SMBv1 10 days after installation if it is not used. Additionally if srv.sys exists on later Win 10 installations, you are not vulnerable since this driver has been patched against this exploit.
  7. Upvote
    Aryeh Goretsky gave kudos to Marcos in Your LiveGrid system needs tweaking   
    Reputation has no effect on protection and showing for instance Windows or other popular applications as red after an update would not be good.
  8. Upvote
    Aryeh Goretsky gave kudos to itman in Hoping ESET will work   
    Eset scans the boot sectors; e.g. MBR, for malware on BIOS based devices. It does not scan the BIOS since those settings are firmware related and are retained in chip memory on the motherboard. There is no way Eset can physically access that area.
    BIOS based malware is very rare and usually is a result of a hacked BIOS firmware update. If you have reason to believe you have BIOS based malware, you should download the latest BIOS firmware update from your device manufacturer's web site and re-flash the BIOS.
    Note that BIOS setting corruption is often caused by a dead battery attached physically to the motherboard. This battery supplies power to the chip memory when the device is A/C powered off to retain existing BIOS settings in the chip memory.
    UEFI based systems also deploy a BIOS like component but add an interface component to the OS stored in a hidden partition on the drive Windows is installed on. Ref.: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/configure-uefigpt-based-hard-drive-partitions . Eset scans this UEFI partition for malware. It again has no way to physically access settings stored in firmware.
    Also note that the source of the Lojax UEFI malware was a firmware setting built in by the device's manufacture. As far as the second known UEFI malware, it requires physical access to the device;
    Here's a good article on the difference between BIOS and UEFI based systems: https://www.howtogeek.com/56958/HTG-EXPLAINS-HOW-UEFI-WILL-REPLACE-THE-BIOS/
    Finally note that although Eset can detect known UEFI based malware, it cannot remove them. Again, the only way to do so is to re-flash the UEFI with the original or latest device manufacture's update. Ditto for BIOS based boot sector malware. The MBR needs to be restored with a backup of it. If no backup exists, then by rebuilding the individual boot sector components via Win 10 recovery environment.
  9. Upvote
    Aryeh Goretsky gave kudos to itman in Should I be concerned with newly jumpdrive from China?   
    If the Chinese wanted to embed something on the drive, they would do so in the drive firmware at manufacturing time. Ref.: https://lifehacker.com/how-to-check-your-usb-devices-for-unsafe-firmware-1841773522
    As a rule, I reformat new USB drives primarily to get rid of any crud utilities the manufacture's love to load on these drives. Also, to set the drive to NTFS format which is more secure than the default FAT32 format.
  10. Upvote
    Aryeh Goretsky gave kudos to itman in Method of detection   
    Eset scans files using normal and advanced heuristics at file creation time.
    However, some malware may have obfuscated or encrypted code that will not reveal itself until process execution time. As @Marcosnoted, Eset has additional mitigations to scan for malware after it has uncloaked in memory. However, these are post-execution mitigations. 
    Eset also has a subscription option named Dynamic Threat Defense: https://help.eset.com/edtd/en-US/overview.html that will perform a full cloud sandbox analysis on executable's prior to their actual execution. It can be optionally set to block process execution until full sandbox analysis verdict is rendered.
    It also needs to be explored in more detail just how this "solution" is creating these malware samples in this special folder. For example, what makes this folder/directory "special' from any other folder created on the device? If this folder is locked by the OS for some reason, Eset can't access what is being created in it.
  11. Upvote
    Aryeh Goretsky gave kudos to itman in The very nice folks at Eset have told me that my Win 7 32bit OS is out the window.   
    Also there have been reports that BSOD's were caused by existing driver issues after installing these updates. So all drivers; especially video drivers, should be updated to latest versions prior to installing these updates:
    Again this is not an Eset issue. Eset is only responding to what Microsoft has dictated.
    Also anyone currently on Win 7 needs to upgrade their OS. Win 7 is no longer supported by Microsoft and even third party support of Win 7 is becoming non-existent.
  12. Upvote
    Aryeh Goretsky gave kudos to Marcos in ESET For iOS   
    They don't have real-time protection nor on-demand scanner as far as I can see.
  13. Upvote
    Aryeh Goretsky gave kudos to Marcos in Mac OS 11 Big Sur **BETA IS LIVE**   
    Unfortunately even our developers have not received a final version of Big Sur yet so we can't have a version fully compatible with it. It would be great if we got RTM versions of Mac OS in advance which is unfortunately not the case.
  14. Upvote
    Aryeh Goretsky gave kudos to Marcos in Router affected?   
    ESET will not affect your router in any way. While you can check the router for weaknesses via the Connected home feature, ESET will protect only the machine where it is installed.
  15. Upvote
    Aryeh Goretsky gave kudos to Marcos in blitzhandel24.pt - Caution!!!   
    Please contact ESET Portugal: https://www.eset.com/pt/. They should be able to tell if it's an authorized reseller or not.
    As for the licenses that don't work, please provide the public license IDs.
  16. Upvote
    Aryeh Goretsky gave kudos to WhiteHat_PT in blitzhandel24.pt - Caution!!!   
    Hi Jorge Melo. Thanks for your feedback and contacting us at ESET Portugal, Unfortunately we have in fact identified similar situations from other purchases of ESET licenses sold by Blitzhandel24 e-commerce sites.
    The situation is under investigation and we advise our customers and potential customers to buy only from ESET official websites or official e-stores - in Portugal that will be https://www.eset.com/pt, as Marcos wrote.
    It's likely that one can find other e-commerce websites in Portugal selling ESET solutions (home products) but please be aware if the seller is registered in Portugal and not only using a .PT domain (while having commercial registration in any other country).
    * Customer advisory *
    Please consider that buying a cheaper ESET license from anywhere else from official websites or partners can result on:
    Product activation failure; Lack of official customer support; Unnecessary additional cyber-security risk; Be safe and protected!
  17. Upvote
    Aryeh Goretsky gave kudos to Marcos in Firewall Rules to allow Windows Update   
    Firewalls in general work with IP addresses, not with hostnames. Since IP addresses may change in time, I would not recommend creating firewall rules to restrict communication of the OS with Microsoft's servers.
  18. Upvote
    Aryeh Goretsky gave kudos to Marcos in Microsoft Teams issues   
    The firewall logic has not changed over years. We assume that Teams has been updated and now works in the way that a connection is initialized by the server. In automatic mode, all outbound communication is allowed and all non-initiated inbound communication blocked, hence a rule for Teams may need to be created. It is beyond us to have a list of all 3rd party applications where the communication is initiated from outside and maintain the rules for them.
  19. Upvote
    Aryeh Goretsky gave kudos to SteveSi in Sysrescue Boot to USB Problem   
    Did your Yoga come with Windows 10 32-bit or Windows 10 64-bit?
    To UEFI-boot, the USB drive needs to have a FAT32 partition with a \EFI\BOOT folder on it containing one or more .EFI boot files.
    For systems with a UEFI 64-bit BIOS - you need \EFI\BOOT\BOOTX64.efi
    For systems with a 32-bit UEFI BIOS - you need \EFI\BOOT\BOOTIA32.EFI
    If your system came with 64-bit Windows installed then it needs to boot from the BOOTX64.EFI file.
    If your system came with 32-bit Windows, it probably has a 32-bit UEFI BIOS and so needs to boot from BOOTIA32.EFI.
    Many ISOs are 64-bit UEFI only...
  20. Upvote
    Aryeh Goretsky gave kudos to Marcos in Activation failed - Leaked license   
    The license indeed leaked. We do not sell on ebay. The license was issued in the US to Otto B. and has been used for activation almost 3,500 times.
    Please ask for a refund and purchase a license via www.eset.com or through any of our authorized sellers.
  21. Upvote
    Aryeh Goretsky gave kudos to itman in Blocking IP address Something to do with WPAD   
    This is related to WPAD DNS activity:
    Appears WPAD has a number of security risks with the recommendation it be permanently disabled if not using IE11 or Edge as your browser: https://auth0.com/blog/heads-up-https-is-not-enough-when-using-wpad/
  22. Upvote
    Aryeh Goretsky gave kudos to TomPark in Blocking IP address Something to do with WPAD   
    Hi All,
    Thank you for the information, like has already been said I think the notification from ESET is a side affect of something else that is changing the domain suffix when connect to the VPN.
    Something that might be of consideration is disabling the 'Auto-Detect' proxy configuration in Chrome / IE which will then stop the browser from looking for these configurations as 'wpad.domain.com' is the default search browser use if this setting is enabled and the information is not provided via DHCP. This should fix the issue for anyone that is still seeing this on their machine. Please note to disable the setting a browser restart will be required.
    As @Marcos said the IP will be unblocked, if anyone is able to test the solution above that would be appreciated. 
  23. Upvote
    Aryeh Goretsky gave kudos to TomPark in Blocking IP address Something to do with WPAD   
    Hi Guys, 
    A quick question are all of these machines that are affected domain joined machines?
    Also is anyone using wpad to configure a proxy on the machines connecting to the VPN?
  24. Upvote
    Aryeh Goretsky gave kudos to itman in Best Business VPN for Remote Connection   
  25. Upvote
    Aryeh Goretsky gave kudos to Marcos in Problem updating audio drivers and HIPS   
    Please carry on as follows:
    - enable logging of blocked operations in the advanced HIPS setup
    - reproduce the issue
    - disable logging
    - collect logs with ESET Log Collector and upload the generated archive here.
  • Create New...