Posts posted by sdnian

  1. I'd like to block https://www.youtube.com/. In URL ADDRESS MANAGEMENT, I added a record *.youtube.com. I've tried IE/Firefox/Vivaldi, and https://www.youtube.com/ is blocked. But if I use Chrome to browse https://www.youtube.com/, EEA doesn't block it.

    If I block other domains, for example *.facebook.com, then https://www.facebook.com/ is blocked in IE/Firefox/Vivaldi/Chrome.

    EEA version: 7.2.2055

    How can I block YouTube from Chrome?

  2. 8 minutes ago, rudyooms said:

    Really soon? :) about 9 hours ago... Please finish the fix for the other 6.5 versions..

    About 7 hours ago, a new version of the fixing tool was released. It works for these versions now:

    6.5.2094.0
    6.5.2094.1
    6.5.2107.0
    6.5.2107.1
    6.5.2118.0
    6.5.2118.1
    6.5.2118.2
    6.5.2118.3
    6.5.2118.4
    6.5.2123.5
    6.5.2123.7
    6.5.2123.8
    6.5.2128.0
    6.5.2132.1
    6.5.2132.2

    Read this: https://support.eset.com/en/alert7396-legacy-products-startup-issue

  3. Since yesterday, the MirrorTool (Windows version) has failed to update with error code 4100. I checked several ESMC servers and all showed the same error. Is something wrong? How can I fix this situation?

    PS: The Linux version of Mirrortool still works.

    Mirror Tool, Copyright (c) ESET, spol. s r.o. 1992-2018. All rights reserved.
    
    Creating mirror for product: ep7.
    
    Mirror type changed to regular
    Initialization
    Initialization finished
    Perform full mirror started
    
    Update status for product 'ep7' changed to: Preparing structures and analyzing
    
    Update status for product 'ep7' changed to: Finished
    
    Perform full mirror finished
    Uninitialization
    Uninitialization finished
    
    Error: Perform full mirror failed with error: Error extracting file. Error code
    is: 4100
    Error occured.
  4. 3 hours ago, Marcos said:

    Probably you have insufficient free memory or the available memory is too fragmented. Please collect logs with ESET Log Collector and upload the generated archive. Try rebooting the server.

    You are right. It can be updated successfully after a reboot. I will consider how to avoid memory problems. Thank you for your help.

  5. Product activation failed.

    Two days ago, I installed a new server, ESMC 7.0.577; the client is EEA 7.1.2045. I tried to activate the product many times, but it never works. I entered the license key directly in the client and got error code ECP.20006.

    On the ESMC, I used Wireshark and found the red line below; it always gets a 404 Not Found error. The full content can be found in the attachment. Please help me resolve this problem, thanks!

    Screenshot_2019-06-13_12-44-48.thumb.png.f09d0cb9e4e0bf7814b203bd512a93f8.png

    activation.zip

  6. 37 minutes ago, Marcos said:

    Please provide the dump for analysis so that we can determine the cause of the crash. Although it seems to have been caused by the firewall, there's a chance it was caused by stack exhaustion because of another driver.

    PM sent, please check it.

  7. Hello,

    I have a Windows Server 2012 R2 that had a BSOD. Could someone help take a look at whether it is caused by EFSW? Thanks!

    Microsoft (R) Windows Debugger Version 10.0.17763.132 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\Users\Administrator\Desktop\MEMORY.DMP]
    Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.


    ************* Path validation summary **************
    Response                         Time (ms)     Location
    Deferred                                       SRV* C:\Symbols *hxxp://msdl.microsoft.com/download/symbols
    Symbol search path is: SRV* C:\Symbols *hxxp://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows 8.1 Kernel Version 9600 MP (24 procs) Free x64
    Product: Server, suite: TerminalServer SingleUserTS
    Built by: 9600.19228.amd64fre.winblue_ltsb.181208-0600
    Machine Name:
    Kernel base = 0xfffff800`ee20c000 PsLoadedModuleList = 0xfffff800`ee4d05f0
    Debug session time: Wed Mar  6 04:50:55.765 2019 (UTC + 8:00)
    System Uptime: 12 days 2:08:33.568
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ...............
    Loading User Symbols
    PEB is paged out (Peb.Ldr = 00007ff6`eea09018).  Type ".hh dbgerr001" for details
    Loading unloaded module list
    .........
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 133, {0, 501, 500, 0}

    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for em008k_64.dll - 
    *** ERROR: Module load completed but symbols could not be loaded for epfw.sys
    *** ERROR: Module load completed but symbols could not be loaded for epfwwfp.sys
    *** ERROR: Module load completed but symbols could not be loaded for b57nd60a.sys
    Page ffe3b7 not present in the dump file. Type ".hh dbgerr004" for details
    Probably caused by : em008k_64.dll ( em008k_64!module_init_entry+25858 )

    Followup:     MachineOwner
    ---------

    14: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    DPC_WATCHDOG_VIOLATION (133)
    The DPC watchdog detected a prolonged run time at an IRQL of DISPATCH_LEVEL
    or above.
    Arguments:
    Arg1: 0000000000000000, A single DPC or ISR exceeded its time allotment. The offending
        component can usually be identified with a stack trace.
    Arg2: 0000000000000501, The DPC time count (in ticks).
    Arg3: 0000000000000500, The DPC time allotment (in ticks).
    Arg4: 0000000000000000, cast to nt!DPC_WATCHDOG_GLOBAL_TRIAGE_BLOCK, which contains
        additional information regarding this single DPC timeout

    Debugging Details:
    ------------------


    KEY_VALUES_STRING: 1


    STACKHASH_ANALYSIS: 1

    TIMELINE_ANALYSIS: 1


    DUMP_CLASS: 1

    DUMP_QUALIFIER: 401

    BUILD_VERSION_STRING:  9600.19228.amd64fre.winblue_ltsb.181208-0600

    SYSTEM_MANUFACTURER:  Dell Inc.

    SYSTEM_PRODUCT_NAME:  PowerEdge R620

    SYSTEM_SKU:  SKU=NotProvided;ModelName=PowerEdge R620

    BIOS_VENDOR:  Dell Inc.

    BIOS_VERSION:  2.5.4

    BIOS_DATE:  01/22/2016

    BASEBOARD_MANUFACTURER:  Dell Inc.

    BASEBOARD_PRODUCT:  0PXXHP

    BASEBOARD_VERSION:  A03

    DUMP_TYPE:  1

    BUGCHECK_P1: 0

    BUGCHECK_P2: 501

    BUGCHECK_P3: 500

    BUGCHECK_P4: 0

    DPC_TIMEOUT_TYPE:  SINGLE_DPC_TIMEOUT_EXCEEDED

    CPU_COUNT: 18

    CPU_MHZ: 7d0

    CPU_VENDOR:  GenuineIntel

    CPU_FAMILY: 6

    CPU_MODEL: 2d

    CPU_STEPPING: 7

    DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

    BUGCHECK_STR:  0x133

    PROCESS_NAME:  wermgr.exe

    CURRENT_IRQL:  d

    ANALYSIS_SESSION_HOST:  ESMC

    ANALYSIS_SESSION_TIME:  03-06-2019 18:29:20.0409

    ANALYSIS_VERSION: 10.0.17763.132 amd64fre

    LAST_CONTROL_TRANSFER:  from fffff800ee368e96 to fffff800ee34c1a0

    STACK_TEXT:  
    ffffd000`20b94c88 fffff800`ee368e96 : 00000000`00000133 00000000`00000000 00000000`00000501 00000000`00000500 : nt!KeBugCheckEx
    ffffd000`20b94c90 fffff800`ee249311 : 00000000`00000000 00000000`03fc0864 00000000`00000001 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x7fa6
    ffffd000`20b94d20 fffff800`ee992ac5 : ffffd000`215cf7a0 00000000`00000001 ffffe001`e359e660 ffffd000`20b55180 : nt!KeClockInterruptNotify+0x91
    ffffd000`20b94f40 fffff800`ee2be713 : fffffb90`54a625a8 fffff800`ee2de201 00000000`00000000 ffffd000`20b8ac60 : hal!HalpTimerClockIpiRoutine+0x15
    ffffd000`20b94f70 fffff800`ee34d6aa : ffffe001`e2607bc0 ffffd000`2604c918 ffffd000`20b8acd8 ffffd000`20b8ac60 : nt!KiCallInterruptServiceRoutine+0xa3
    ffffd000`20b94fb0 fffff800`ee34db57 : ffffe002`0f456d38 00000000`00000001 ffffe001`e359e260 fffff801`68736154 : nt!KiInterruptSubDispatchNoLockNoEtw+0xea
    ffffd000`2604c4e0 fffff800`ee28b54f : 00000000`00000000 ffffaaf6`9894f0ac ffffaaf6`9894f0cc 00000000`00000005 : nt!KiInterruptDispatchNoLockNoEtw+0x37
    ffffd000`2604c670 fffff801`6872aa08 : 00000000`014db5d8 00000000`00000002 ffffc000`27bcf010 fffff801`67bd7737 : nt!KxWaitForLockOwnerShip+0x27
    ffffd000`2604c6a0 fffff801`68729e0b : ffffc000`27bcf010 ffffd000`0000005c ffffd000`28e70ed8 00000000`00000000 : em008k_64!module_init_entry+0x25858
    ffffd000`2604c9a0 fffff801`6873c1a7 : ffffd000`20b8a960 00000000`00000000 00000000`00000000 00000000`00400000 : em008k_64!module_init_entry+0x24c5b
    ffffd000`2604ced0 fffff801`6873c0db : ffffd000`20b8a870 00000000`00000040 ffffe801`dc33a880 ffffd000`20b8a740 : em008k_64!module_init_entry+0x36ff7
    ffffd000`2604cf40 fffff800`ee34fc87 : ffffd000`266173f0 00000038`b0cddf20 00000000`40000000 00000000`00000000 : em008k_64!module_init_entry+0x36f2b
    ffffd000`2604cf80 fffff800`ee34fc4d : ffffd000`20b8a902 ffffd000`2604d000 ffffe801`dc33a880 fffff800`ee25670a : nt!KxSwitchKernelStackCallout+0x27
    ffffd000`20b8a740 fffff800`ee25670a : 00000000`00000002 ffffd000`20b80001 fffff6e8`00130230 ffffd000`20b8ab70 : nt!KiSwitchKernelStackContinue
    ffffd000`20b8a760 fffff801`6873c185 : fffff801`6873c0b0 ffffd000`20b8a870 00000000`00000000 fffff801`00000004 : nt!KeExpandKernelStackAndCalloutInternal+0x4ba
    ffffd000`20b8a840 fffff801`6873c335 : ffffd000`20b8a928 ffffd000`20b8ab20 ffffe001`e3386340 ffffe001`e3386340 : em008k_64!module_init_entry+0x36fd5
    ffffd000`20b8a8b0 fffff801`68705144 : ffffd000`20b8aa70 fffff800`ee277c4e ffffffff`00000000 fffff800`ee353945 : em008k_64!module_init_entry+0x37185
    ffffd000`20b8a8f0 fffff801`686f0aea : 00000000`00002711 ffffd000`20b8ac60 00000000`00000040 ffffd000`20b8acd8 : em008k_64+0x3144
    ffffd000`20b8a920 fffff801`686f154f : ffffe001`e33864f0 ffffd000`20b8ac60 00000000`00000040 ffffd000`20b8acd8 : epfw+0x1aea
    ffffd000`20b8a9b0 fffff801`686f1973 : ffffd000`20b8ab70 fffff801`686f1930 ffffd000`20b8ab90 00000000`00000011 : epfw+0x254f
    ffffd000`20b8aa40 fffff801`67807239 : ffffd000`20b8ab90 00000000`00000002 ffffd000`20b8aba0 ffffe001`e305b4b0 : epfw+0x2973
    ffffd000`20b8aaa0 fffff801`6780753e : 00000011`00000000 00000000`00000000 ffffd000`20b8ac60 fffffb00`000012ff : epfwwfp+0x7239
    ffffd000`20b8ab50 fffff801`6780ea0a : ffffe001`e45e542a 00000000`00000004 00000000`00000021 00000000`00000000 : epfwwfp+0x753e
    ffffd000`20b8ac10 fffff801`6780eb16 : ffffe002`1f3cc770 ffffe002`1f3cc610 00000000`00000000 00000000`00000000 : epfwwfp+0xea0a
    ffffd000`20b8acc0 fffff801`6780b556 : ffffd000`20b8b0f8 ffffd000`20b8ad90 ffffe001`e3944f50 ffffe801`dab05a68 : epfwwfp+0xeb16
    ffffd000`20b8ad10 fffff801`6780b5d2 : ffffe001`e2dd9b40 00000000`00000000 ffffe002`1f3cc610 ffffd000`20b8b6b0 : epfwwfp+0xb556
    ffffd000`20b8adc0 fffff801`6773d902 : ffffe001`e2dd9b40 ffffd000`20b8af10 ffffd000`20b8b2d0 ffffd000`20b8b1d0 : epfwwfp+0xb5d2
    ffffd000`20b8ae10 fffff801`67724549 : ffffe002`1f3c0018 ffffd000`20b8b698 ffffe801`b0e80860 ffffe002`1f3cc610 : NETIO!ProcessCallout+0x8b2
    ffffd000`20b8af80 fffff801`67723250 : 00000000`00000000 ffffd000`20b8b698 00000000`00000000 ffffd000`20b8b3f0 : NETIO!ArbitrateAndEnforce+0x2c9
    ffffd000`20b8b180 fffff801`67fd3c81 : ffffd000`00000001 00000000`00000000 ffffe002`1f3cc610 00000000`00000001 : NETIO!KfdClassify+0x831
    ffffd000`20b8b640 fffff801`67f4c834 : 00000000`00000000 ffffe801`d2c24a00 00000000`00000001 00000000`00000000 : tcpip!WFPDatagramDataShimV4+0x44d
    ffffd000`20b8ba40 fffff801`67f0943b : 00000000`00001500 ffffd000`20b8be70 00000000`00000000 00000000`00000000 : tcpip!ProcessALEForTransportPacket+0x49e24
    ffffd000`20b8bd20 fffff801`67f06cb9 : 00000000`00000000 ffffd000`20b8c4f8 00000000`0000004c ffffd000`20b8c508 : tcpip!WfpProcessInTransportStackIndication+0xd9b
    ffffd000`20b8c180 fffff801`67f05dcf : 00000000`00000000 ffffe801`dad158c0 ffffd000`20b8c3b0 ffffe001`e33773c0 : tcpip!InetInspectReceiveDatagram+0x269
    ffffd000`20b8c2b0 fffff801`67f06945 : ffffd000`20b8c550 ffffd000`20b8c550 ffffe801`b0df9140 ffffe801`dad158c0 : tcpip!UdpBeginMessageIndication+0x7f
    ffffd000`20b8c450 fffff801`67f06fe8 : 00000000`0000eb00 ffffe801`dad158c0 ffffe001`00000018 ffffd000`20b8c668 : tcpip!UdpDeliverDatagrams+0x3f5
    ffffd000`20b8c600 fffff801`67f0797d : 00000000`00000000 00000000`00000000 ffffe001`e324e0b0 00000000`00000000 : tcpip!UdpReceiveDatagrams+0x298
    ffffd000`20b8c840 fffff801`67f0364b : ffff4f03`12d8ad1f ffffd000`20b8d208 ffffe801`b0e83cd0 00000000`00000003 : tcpip!IppDeliverListToProtocol+0x5d
    ffffd000`20b8c900 fffff801`67f01aa2 : 00000000`00000000 ffffd000`20b8ca19 00000000`00000011 ffffe001`e47ff3f0 : tcpip!IppProcessDeliverList+0x6b
    ffffd000`20b8c960 fffff801`67effe80 : 00000000`fc0000e0 ffffe001`e3c2bae0 ffffe001`e331c000 ffffe001`e331c000 : tcpip!IppReceiveHeaderBatch+0x232
    ffffd000`20b8ca80 fffff801`67efeba2 : ffffe001`e6472370 00000000`00000000 ffffd000`20b8ce01 00000000`00000000 : tcpip!IppFlcReceivePacketsCore+0x680
    ffffd000`20b8ce00 fffff801`67eff5c5 : ffffe001`e64b0002 00000000`00000000 fffff801`67eff610 ffffd000`00000101 : tcpip!FlpReceiveNonPreValidatedNetBufferListChain+0x318
    ffffd000`20b8cee0 fffff800`ee256529 : ffffd000`20b8d028 ffffe001`e32ae9c0 ffffe001`e33bec12 ffffe801`dc33a880 : tcpip!FlReceiveNetBufferListChainCalloutRoutine+0x155
    ffffd000`20b8d010 fffff801`67eff7b6 : fffff801`67eff470 ffffd000`20b8d120 00000000`00000000 ffffe001`00000000 : nt!KeExpandKernelStackAndCalloutInternal+0x2d9
    ffffd000`20b8d0f0 fffff801`6760ba53 : 00000000`00000000 ffffd000`20b8d1d1 00000000`00000004 fffff801`6761b2e5 : tcpip!FlReceiveNetBufferListChain+0xb6
    ffffd000`20b8d170 fffff801`6760be7f : ffffe001`e644a601 ffffd000`20b80008 00000000`00000000 ffffe001`00000004 : NDIS!ndisMIndicateNetBufferListsToOpen+0x123
    ffffd000`20b8d230 fffff801`6760c6b2 : ffffe001`e4ffe1a0 ffffe001`e43fa501 fffff801`67618560 00000000`00000000 : NDIS!ndisMTopReceiveNetBufferLists+0x22f
    ffffd000`20b8d2c0 fffff801`68c0f814 : ffffd000`20b8d610 ffffe001`e4feb510 ffffe001`e43fa590 ffffe001`e4fb9460 : NDIS!NdisMIndicateReceiveNetBufferLists+0x732
    ffffd000`20b8d4b0 fffff801`68c0f23e : ffffe001`e4ff01f0 ffffe001`e4fec000 00000000`00000001 ffffe001`00000004 : NdisImPlatform!implatTryToIndicateReceiveNBLs+0x1e8
    ffffd000`20b8d520 fffff801`6760ba53 : 00000000`0001ff00 00000000`00000000 ffffd000`20b8d601 ffffd000`00000004 : NdisImPlatform!implatReceiveNetBufferLists+0x1a2
    ffffd000`20b8d5a0 fffff801`6760bf19 : ffffd000`20b8d6e0 fffff801`67ec4071 ffffe001`00000000 ffffe002`00000004 : NDIS!ndisMIndicateNetBufferListsToOpen+0x123
    ffffd000`20b8d660 fffff801`6760c6b2 : ffffe801`b0c451a0 00000000`00000001 fffff801`67618560 fffff801`67ec43b2 : NDIS!ndisMTopReceiveNetBufferLists+0x2c9
    ffffd000`20b8d6f0 fffff801`68ab67f4 : 00000000`00000000 ffffd000`20b55180 ffffd000`20b8d978 fffff801`68a8c0de : NDIS!NdisMIndicateReceiveNetBufferLists+0x732
    ffffd000`20b8d8e0 fffff801`68ab6108 : ffffe001`e411d000 ffffd000`20b8d9b9 00000000`00000004 00000000`00000001 : b57nd60a+0x497f4
    ffffd000`20b8d930 fffff801`68a79553 : 00000000`00000004 ffffe001`e411d001 00000000`00000000 fffff800`00000000 : b57nd60a+0x49108
    ffffd000`20b8da20 fffff801`68a701ac : ffffe001`e411d000 00000000`0000000e 00000000`00000003 00000000`00000004 : b57nd60a+0xc553
    ffffd000`20b8da60 fffff801`68a70b8c : 000cc49c`d9773b6f ffffe001`e411d000 ffffd000`20b8db79 00000000`00000000 : b57nd60a+0x31ac
    ffffd000`20b8dab0 fffff801`6760de12 : ffffe801`b0c451a0 ffffd000`20b8db79 00000000`00000000 00000000`0000ffff : b57nd60a+0x3b8c
    ffffd000`20b8db00 fffff800`ee24b5f0 : 00000000`0000ffff 00000000`00000000 ffffd000`20b8de90 ffffd000`20b5ae68 : NDIS!ndisInterruptDpc+0x1a3
    ffffd000`20b8dbe0 fffff800`ee24a937 : ffffd000`20b8de80 00000000`0000000e 00000000`00000000 ffffd000`20b55180 : nt!KiExecuteAllDpcs+0x1b0
    ffffd000`20b8dd30 fffff800`ee34f285 : 00000000`00000000 ffffd000`20b55180 00000000`00000000 ffffe001`e359e210 : nt!KiRetireDpcList+0xd7
    ffffd000`20b8dfb0 fffff800`ee34f089 : fffff800`ee229470 ffffc000`227ab000 ffffc000`2ccbf1d2 fffff801`6794c0f8 : nt!KxRetireDpcList+0x5
    ffffd000`2caf2bf0 fffff800`ee351963 : ffffb001`3f140040 ffffb001`3f1400a8 fffff43a`0cb79c55 ffffb001`3f140178 : nt!KiDispatchInterruptContinue
    ffffd000`2caf2c20 fffff800`ee26ca97 : ffffffff`ffffffd2 fffff801`6874a855 00000000`00000010 00000000`00000286 : nt!KiDpcInterrupt+0x2a3
    ffffd000`2caf2db0 fffff801`6874a96a : ffffe001`e359e210 00000000`00000000 ffffe801`b1f5ae01 00000000`000019cc : nt!KeReleaseInStackQueuedSpinLock+0x67
    ffffd000`2caf2de0 fffff801`6872803c : ffffffff`ffffffff 00000000`00000001 ffffd000`2caf2e73 ffffd000`2caf2f40 : em008k_64!module_init_entry+0x457ba
    ffffd000`2caf2e40 fffff801`687295ab : ffffd000`2caf3301 00000000`00000015 ffffe001`e359de80 00000000`00000000 : em008k_64!module_init_entry+0x22e8c
    ffffd000`2caf3060 fffff801`6873c1a7 : ffffd000`2caf3838 fffff801`69596bc0 00000000`00000000 00000000`00000000 : em008k_64!module_init_entry+0x243fb
    ffffd000`2caf3590 fffff801`6873c0db : ffffd000`2caf3750 00000000`00000015 ffffe801`dc33a880 00000000`00000000 : em008k_64!module_init_entry+0x36ff7
    ffffd000`2caf3600 fffff800`ee256529 : 00000000`00000001 00000000`00000000 fffff800`ee4e7b78 ffffe002`15d018b8 : em008k_64!module_init_entry+0x36f2b
    ffffd000`2caf3640 fffff801`6873c185 : fffff801`6873c0b0 ffffd000`2caf3750 00000000`00000000 00000000`00000000 : nt!KeExpandKernelStackAndCalloutInternal+0x2d9
    ffffd000`2caf3720 fffff801`6873c335 : ffffd000`2caf3808 fffff800`ee4e7b88 ffffd000`2caf38e8 ffffe001`e3386340 : em008k_64!module_init_entry+0x36fd5
    ffffd000`2caf3790 fffff801`68705144 : 00000000`00000000 fffff960`0022aa6c 00000000`00000001 00000000`00000000 : em008k_64!module_init_entry+0x37185
    ffffd000`2caf37d0 fffff801`686f0949 : ffffe801`00002711 ffffd000`2caf38a0 00000000`00000015 00000000`00000000 : em008k_64+0x3144
    ffffd000`2caf3800 fffff801`686f1b0a : ffffe801`dad80900 00000000`00000001 ffffe801`dc33a880 00000000`00000001 : epfw+0x1949
    ffffd000`2caf3870 fffff800`ee5bb8d4 : ffffe801`dad80900 ffffe801`dad80900 00000000`00000001 ffffe801`dad80900 : epfw+0x2b0a
    ffffd000`2caf38d0 fffff800`ee5bbe73 : 00007ff6`eea0e000 ffffd000`2caf3980 00000000`00000000 ffffe001`e8d40590 : nt!PspExitProcess+0x150
    ffffd000`2caf3920 fffff800`ee80950f : 00000000`00000000 00000000`00000000 ffffe801`dad80900 ffffe801`dc33a880 : nt!PspExitThread+0x52f
    ffffd000`2caf3a30 fffff800`ee35c0a3 : 00000000`00000011 00007ffb`7ac10000 ffffe801`dc33a880 00007ffb`7ac35710 : nt!NtTerminateProcess+0x32f
    ffffd000`2caf3b00 00007ffb`7d9f0a1a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
    000000e8`dbc0fac8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffb`7d9f0a1a


    THREAD_SHA1_HASH_MOD_FUNC:  156cff2b8f7a4e711db6b634c9a7eb045f38fc3e

    THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  ca2d548a0be612ce6402f432eb4a41723267d3a2

    THREAD_SHA1_HASH_MOD:  dd27c095ddeb040031c7bf0c5597932106e7f4de

    FOLLOWUP_IP: 
    em008k_64!module_init_entry+25858
    fffff801`6872aa08 498b8590960000  mov     rax,qword ptr [r13+9690h]

    FAULT_INSTR_CODE:  90858b49

    SYMBOL_STACK_INDEX:  8

    SYMBOL_NAME:  em008k_64!module_init_entry+25858

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: em008k_64

    IMAGE_NAME:  em008k_64.dll

    DEBUG_FLR_IMAGE_TIMESTAMP:  5c17b304

    IMAGE_VERSION:  0.0.1523.0

    STACK_COMMAND:  .thread ; .cxr ; kb

    BUCKET_ID_FUNC_OFFSET:  25858

    FAILURE_BUCKET_ID:  0x133_DPC_em008k_64!module_init_entry

    BUCKET_ID:  0x133_DPC_em008k_64!module_init_entry

    PRIMARY_PROBLEM_CLASS:  0x133_DPC_em008k_64!module_init_entry

    TARGET_TIME:  2019-03-05T20:50:55.000Z

    OSBUILD:  9600

    OSSERVICEPACK:  0

    SERVICEPACK_NUMBER: 0

    OS_REVISION: 0

    SUITE_MASK:  272

    PRODUCT_TYPE:  3

    OSPLATFORM_TYPE:  x64

    OSNAME:  Windows 8.1

    OSEDITION:  Windows 8.1 Server TerminalServer SingleUserTS

    OS_LOCALE:  

    USER_LCID:  0

    OSBUILD_TIMESTAMP:  2018-12-09 01:18:05

    BUILDDATESTAMP_STR:  181208-0600

    BUILDLAB_STR:  winblue_ltsb

    BUILDOSVER_STR:  6.3.9600.19228.amd64fre.winblue_ltsb.181208-0600

    ANALYSIS_SESSION_ELAPSED_TIME:  4416

    ANALYSIS_SOURCE:  KM

    FAILURE_ID_HASH_STRING:  km:0x133_dpc_em008k_64!module_init_entry

    FAILURE_ID_HASH:  {0237b88b-a781-f28c-ed3a-0dfc36284ef7}

    Followup:     MachineOwner
    ---------

    windbg> .hh dbgerr001
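As an added example (not part of the post above, and not ESET's or Microsoft's code), here is a small Python triage script for a `!analyze -v` listing like the one in this post. It decodes the DPC_WATCHDOG_VIOLATION (0x133) arguments, walks STACK_TEXT to list the modules in the order they appear on the stack, flags the ones that are not in-box Windows components, and records which modules loaded with export-only or no symbols. The embedded excerpt is a constructed subset of the lines posted above (BugCheck line, symbol-loading errors, a handful of frames); the `WINDOWS_INBOX` set is an assumption made for this example and would need extending for other dumps.

```python
import os
import re
from collections import OrderedDict

# Constructed excerpt of the !analyze -v output posted above: the BugCheck
# line, the symbol-loading errors and a subset of the STACK_TEXT frames.
SAMPLE = """\
BugCheck 133, {0, 501, 500, 0}
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for em008k_64.dll
*** ERROR: Module load completed but symbols could not be loaded for epfw.sys
*** ERROR: Module load completed but symbols could not be loaded for epfwwfp.sys
*** ERROR: Module load completed but symbols could not be loaded for b57nd60a.sys
STACK_TEXT:
ffffd000`20b94c88 fffff800`ee368e96 : 00000000`00000133 00000000`00000000 00000000`00000501 00000000`00000500 : nt!KeBugCheckEx
ffffd000`20b94f40 fffff800`ee2be713 : fffffb90`54a625a8 fffff800`ee2de201 00000000`00000000 ffffd000`20b8ac60 : hal!HalpTimerClockIpiRoutine+0x15
ffffd000`2604c6a0 fffff801`68729e0b : ffffc000`27bcf010 ffffd000`0000005c ffffd000`28e70ed8 00000000`00000000 : em008k_64!module_init_entry+0x25858
ffffd000`20b8a920 fffff801`686f154f : ffffe001`e33864f0 ffffd000`20b8ac60 00000000`00000040 ffffd000`20b8acd8 : epfw+0x1aea
ffffd000`20b8aaa0 fffff801`6780753e : 00000011`00000000 00000000`00000000 ffffd000`20b8ac60 fffffb00`000012ff : epfwwfp+0x7239
ffffd000`20b8ae10 fffff801`67724549 : ffffe002`1f3c0018 ffffd000`20b8b698 ffffe801`b0e80860 ffffe002`1f3cc610 : NETIO!ProcessCallout+0x8b2
ffffd000`20b8d8e0 fffff801`68ab6108 : ffffe001`e411d000 ffffd000`20b8d9b9 00000000`00000004 00000000`00000001 : b57nd60a+0x497f4
ffffd000`20b8db00 fffff800`ee24b5f0 : 00000000`0000ffff 00000000`00000000 ffffd000`20b8de90 ffffd000`20b5ae68 : NDIS!ndisInterruptDpc+0x1a3
000000e8`dbc0fac8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffb`7d9f0a1a
"""

# A 64-bit WinDbg value: eight hex digits, a backtick, eight hex digits.
HEX = r"[0-9a-f]{8}`[0-9a-f]{8}"
# One STACK_TEXT row: child-SP, return address, four argument slots, symbol.
FRAME_RE = re.compile(rf"^{HEX} {HEX} : (?:{HEX} ){{4}}: (?P<symbol>.+)$")
# module!function+0xoff, module!function, module+0xoff (no symbols), or nothing.
SYMBOL_RE = re.compile(r"^(?P<module>\w+)(?:!(?P<func>.+?))?(?:\+0x(?P<off>[0-9a-f]+))?$")
EXPORT_RE = re.compile(r"Defaulted to export symbols for (\S+)")
NOSYM_RE = re.compile(r"symbols could not be loaded for (\S+)")

# Assumption for this example: modules that ship with Windows itself. Anything
# else on the stack is a candidate for further questions.
WINDOWS_INBOX = {"nt", "hal", "NETIO", "tcpip", "NDIS", "NdisImPlatform"}


def parse_bugcheck(text):
    """Return (code, [arg1..arg4]) from the 'BugCheck 133, {0, 501, 500, 0}' line."""
    m = re.search(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text)
    if not m:
        return None
    return int(m.group(1), 16), [int(a, 16) for a in m.group(2).split(",")]


def decode_dpc_watchdog(code, args):
    """Explain the 0x133 parameters; only the single-DPC layout (Arg1 == 0) is decoded."""
    if code != 0x133:
        raise ValueError("not a DPC_WATCHDOG_VIOLATION bugcheck")
    kinds = {0: "single DPC/ISR exceeded its time allotment",
             1: "cumulative time at DISPATCH_LEVEL or above exceeded the watchdog period"}
    info = {"kind_code": args[0], "kind": kinds.get(args[0], "unknown")}
    if args[0] == 0:
        info.update(ticks=args[1], allotment=args[2], exceeded=args[1] > args[2])
    return info


def parse_stack(text):
    """Turn STACK_TEXT rows into dicts; frames with a bare address get module None."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        symbol = m.group("symbol").strip()
        s = SYMBOL_RE.match(symbol)
        if s is None:
            frames.append({"module": None, "function": None, "offset": None, "symbol": symbol})
            continue
        frames.append({"module": s.group("module"), "function": s.group("func"),
                       "offset": int(s.group("off"), 16) if s.group("off") else 0,
                       "symbol": symbol})
    return frames


def modules_in_order(frames):
    """Unique module names, in the order they first appear from the top of the stack."""
    seen = OrderedDict((f["module"], None) for f in frames if f["module"])
    return list(seen)


def suspects(frames, inbox=WINDOWS_INBOX):
    """Modules on the stack that are not in-box Windows components."""
    return [m for m in modules_in_order(frames) if m not in inbox]


def first_foreign_frame(frames, inbox=WINDOWS_INBOX):
    """The top-most frame owned by a non in-box module, or None."""
    return next((f for f in frames if f["module"] and f["module"] not in inbox), None)


def symbol_quality(text):
    """Map module name -> 'export-only' or 'none' from the symbol loader's error lines."""
    quality = {}
    for name in EXPORT_RE.findall(text):
        quality[os.path.splitext(name)[0]] = "export-only"
    for name in NOSYM_RE.findall(text):
        quality[os.path.splitext(name)[0]] = "none"
    return quality


if __name__ == "__main__":
    code, args = parse_bugcheck(SAMPLE)
    print(f"BugCheck 0x{code:X}: {decode_dpc_watchdog(code, args)}")
    frames = parse_stack(SAMPLE)
    print("modules on the stack:", modules_in_order(frames))
    print("non in-box modules:", suspects(frames))
    print("top-most foreign frame:", first_foreign_frame(frames)["symbol"])
    print("symbol quality:", symbol_quality(SAMPLE))
```

Two things this makes explicit that the raw listing does not. First, Arg2 (0x501 ticks) against Arg3 (0x500 ticks) shows the single DPC overran its allotment by one tick, so the run time was borderline rather than wildly excessive. Second, `em008k_64` loaded with export symbols only: a frame such as `em008k_64!module_init_entry+0x25858` names the nearest export, and an offset that large means the real function is elsewhere in the module, so the module, not the function name, is the finding, and the symbol quality table is what tells you how much weight "Probably caused by" can carry.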

  8. Here is another example where ESET can't stop ransomware.

    There are three key points:

    1. These two ransomware viruses are already detectable by ESET.
    2. ESET does not block it when it starts up.
    3. After startup, ESET can detect it, but it cannot terminate it. In the end, all files were encrypted.

