MHRSFI
About MHRSFI
- Rank: Newbie
- Location: USA
- MHRSFI reacted to a post in a topic: ESET Protect migration from 11.0 to 11.1+ ( CentOS -> Rocky) failed
- MHRSFI reacted to a post in a topic: EDR Purchase Without Security Team
- MHRSFI reacted to a post in a topic: ESET Home fails ransomware test
- How can I prevent a Linux user in the sudoers group from uninstalling ESET?
- MHRSFI reacted to a post in a topic: URL/Urlik.AAR Object - pastebin - virus?
-
URL/Urlik.AAR Object - pastebin - virus?
MHRSFI replied to Nataniell's topic in Malware Finding and Cleaning
I don't see anything wrong with the log in your picture. Could you try adding another rule similar to the previous one? For step 5, instead of adding cmd.exe, select All applications. On the next page, enable All application operations. Then, click Add and enter C:\Windows\System32\cmd.exe. If you find these rules unhelpful, you should remove them.
-
URL/Urlik.AAR Object - pastebin - virus?
MHRSFI replied to Nataniell's topic in Malware Finding and Cleaning
I believe we can use HIPS rules to identify which file is executing the command to connect to pastebin.com. Here's how you can do it:
1. Navigate to Settings > HIPS > Rules
2. Click Add
3. Enter a name for the rule
4. For the action, select Block
5. Enable the Application toggle, the Enable toggle, and the Notify user toggle
6. Set the logging severity to Warning
7. In the Source applications window, click Add and enter C:\Windows\System32\cmd.exe
8. On the next page, enable the Start new application toggle
9. Select All applications from the drop-down menu and click Finish
After this, you will be able to see in the HIPS logs which application is executing cmd.exe.
-
For inbound connections, specifying source IPs can significantly reduce the attack surface without the same performance concerns. For example, if only one IP address needs to connect to RDP on a server, the firewall should ideally restrict the rule to only allow that IP. This practice enhances security by ensuring only authorized sources can initiate connections to critical services.
-
When I enable learning mode in the firewall, it primarily adds a rule with the application selected and often sets other parameters to "any". Occasionally, it will select a specific destination port if it's a single port rather than multiple ports. This raises the question: why doesn't the firewall also select the source IP to minimize the attack surface? For instance, if only one IP address is meant to connect to RDP on a server, why doesn't the firewall restrict the rule to only allow that specific IP? This approach would significantly enhance security by limiting access to only known and trusted IP addresses.
-
I am experiencing a problem with the learning mode on my firewall. I have the latest version of Server Security (11.0.12012.0) installed, and the policy for firewall learning mode is set to force. When it tries to create firewall rules, it fails and gives an error.
-
Is it possible to support other mail servers such as MDaemon, SmarterMail, and KerioConnect?
-
Activate Workstations Without Internet
MHRSFI replied to MHRSFI's topic in ESET PROTECT On-prem (Remote Management)
It is worth pointing out that I just enabled the use of a proxy server on the client policy and enabled the proxy on the server (Rocky appliance) without installing a bridge application or configuring a bridge policy. Is this correct?
-
I don't disagree with you about how bad Psiphon is as a product. However, all I'm saying is that Psiphon does what it claims to do. Similarly, Internet Explorer has numerous problems such as performance issues, security vulnerabilities, infrequent updates, and more. While these issues are significant, they aren't enough to classify IE as a PUA; they are simply reasons why no one should use it.
-
Activate Workstations Without Internet
MHRSFI replied to MHRSFI's topic in ESET PROTECT On-prem (Remote Management)
I've enabled "Use proxy server" in the policy for the clients and entered the server address, but it didn't work. Did I miss something?
-
I don't want to defend Psiphon, but I don't think bad performance alone makes it a PUA. If the application does what it claims, it shouldn't be labeled as such. It's like listing all the cons of Internet Explorer and flagging it as a PUA because of that.