Search the Community

Hi guys, On this occasion I would like you to clarify this case for me. We have a customer who has an Oracle Linux server and has a problem with this malware. We have performed the installation of ESET File Security and we have these results after the system scan: Here they are in text in case you want to copy it: 14 de octubre de 2021 10:02 file:///u01/Oracle/Middleware/Oracle_Home/coherence/plugins/maven/com/oracle/coherence/coherence-work/o84www Linux/CoinMiner.RT troyano Eliminado 0FE31D4AAA7C108C62532F68BC18DC8427F053A8 14 de octubre de 2021 10:00 file:///home/oracle/c3pool/xmrig Linux/CoinMiner.BK aplicación potencialmente no deseada Desinfectado por eliminación 04FCE56E89D790C3EDAA808E29BDDCE0147962D3 14 de octubre de 2021 10:00 file:///home/oracle/c3pool/config_background.json Win64/CoinMiner.RO aplicación potencialmente no deseada Desinfectado por eliminación 25135CEB79CA61F723029CFA430B3965B91FE1F4 14 de octubre de 2021 10:00 file:///home/oracle/c3pool/config.json Win64/CoinMiner.RO aplicación potencialmente no deseada Desinfectado por eliminación DDBDF28407927F39C16A4E0EB0F731E87C50A408 The problem is that the process that led us to discover that it is a CoinMiner does not disappear and if we stop it it reappears again. Here is a screenshot of the process: As you can see, the entire processor is consumed by this process. We suspect that they may be tasks left by the miner but we don't know how to identify and remove them from the system. Shouldn't the antivirus remove them? I attach the logs taken after the removal of the malware with the ESET File Security antivirus. (customer_info.zip) What should I do in this case? customer_info.zip

I had some issues configuring Active Directory integration (Kerberos etc.) with ESMC so I decided to do a write-up on what I did to get it working. This is for Ubuntu Server 18.04 but it should be applicable to other Debian based distros, adjust where required. Let's assume we have the following environment: ESMC Linux Distribution: Ubuntu Server 18.04 ESMC Hostname: esmc ESMC FQDN: esmc.test.local ESMC IP Address: 10.123.1.2 Active Directory Domain: test.local NetBIOS Domain: TEST Domain Controller: dc.test.local (10.123.1.1) ESET ESMC AD User Account: eset.esmc@test.local (eset.esmc) Ensure the required Server prerequisites (v7.2) are installed. sudo apt-get install krb5-user ldap-utils libsasl2-modules-gssapi-mit samba Configure Samba at /etc/samba/smb.conf Ensure you change workgroup to the NetBIOS Domain, netbios name to the ESMC Hostname and realm to the Active Directory Domain. The following configuration is based on one found in ESMC VA v7.2 [global] workgroup = TEST netbios name = esmc server string = Samba Server Version %v security = ads realm = test.local domain master = no local master = no preferred master = no socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072 use sendfile = true idmap config * : backend = tdb idmap config * : range = 100000-299999 idmap config TEST : backend = rid idmap config TEST : range = 10000-99999 winbind separator = + winbind enum users = yes winbind enum groups = yes winbind use default domain = yes winbind nested groups = yes winbind refresh tickets = yes template homedir = /home/%D/%U template shell = /bin/bash client max protocol = SMB3 client use spnego = yes client ntlmv2 auth = yes encrypt passwords = yes restrict anonymous = 2 log file = /var/log/samba/log.%m max log size = 50 load printers = no printing = bsd printcap name = /dev/null disable spoolss = yes client ipc signing = auto Configure Kerberos at /etc/krb5.conf Ensure you change default_realm to Active Directory Domain (Must be capitalised) and the realm definition Active Directory Domain (Must be capitalised). Ensure you specify your Domain Controller as a kdc under the realm definition for your Active Directory Domain, if you have multiple Domain Controllers, specify multiple kdc's. Ensure you map Active Directory Domain (prefixed with ".") to the realm name (Your Active Directory Domain but capitalised) under domain_realm. The following configuration is based on one found in ESMC VA v7.2 [libdefaults] default_realm = TEST.LOCAL ticket_lifetime = 24h forwardable = true [realms] TEST.LOCAL = { kdc = dc.test.local } [domain_realm] .test.local = TEST.LOCAL Configure DNS Resolution. systemd-resolved can cause issues with Kerberos, it can probably be worked around but disabling it as follows also works. sudo systemctl disable systemd-resolved.service sudo systemctl stop systemd-resolved Configure /etc/resolv.conf Specify your Domain Controller as a nameserver, create additional nameserver definitions for each Domain Controller. Specify Active Directory Domain for search nameserver 10.123.1.1 search test.local Ensure Hostname is set correctly If you need to change your hostname, you can use: sudo hostnamectl set-hostname esmc.test.local Configure /etc/hosts Add your ESMC and your Domain Controllers to the hosts file. Take note of the ordering of FQDN and aliases after the IP Address as net join will use the first defined alias for your host as SPNs etc. when joining the system to the domain. All values are tab separated. 127.0.0.1 localhost 10.123.1.2 esmc.test.local esmc 10.123.1.1 dc.test.local dc Configure Time Synchronisation By default, the maximum tolerance for computer clock synchronization for Active Directory Kerberos participants is 5 minutes from a Kerberos Key Distribution Center (KDC; in our case, the Domain Controller) to operate correctly. If ESMC is in a VM, you may already be using a Hypervisor with some VM Agent that handles this but, if not, then systemd-timesyncd should suffice or you can use ntpd. Let's assume you use systemd-timesyncd: Configure /etc/systemd/timesyncd.conf NTP Server addresses are separated by spaces. specify each of your Domain Controllers [Time] NTP=10.123.1.1 Ensure systemd-timesyncd is set to sync and force it to resync. You should see a log entry that it "Sychronized to time server 10.123.1.123" as per your configuration. sudo timedatectl set-ntp on sudo timedatectl status sudo systemctl restart systemd-timesyncd.service systemctl status systemd-timesyncd.service Join System to Domain If you have Webmin you can use Rejoin Domain (VA v7.2) but it more or less just runs the following command (Replace Administrator with an authorised AD User that can join systems to the domain): sudo net join ads join -U Administrator This relies on a correctly configured /etc/smb.conf You will probably want to move the resulting Computer object this creates in your domain from the default Computers OU to a more relevant OU given your OU hierarchy design in your domain. Setup Mapped Domain Security Groups under Access Rights in ESMC Configure Active Directory under Advanced Settings in Server Settings (v7.2) Map Domain Security Groups and assign Permission Setting Map Domain Security Group users (v7.2) Setup a Static Group Synchronization Server Task in ESMC Synchronization mode - Active Directory / Open Directory / LDAP (v7.2) Setup a User Synchronization Server Task in ESMC User Synchronization (v7.2) Troubleshooting The following can be used to test Kerberos login and LDAP GSSAPI whilst showing debug information, useful for troubleshooting. It destroys and existing Kerberos tickets for your user, obtains a Kerberos ticket for the specified AD user, lists obtained Kerberos tickets then performs LDAP Search by authenticating with GSSAPI. When troubleshooting Kerberos, you should always check the system time with the relevant Domain Controller (KDC) to ensure they are within 5 minutes of each other (by default). Replace eset.esmc with the AD User Account that ESET ESMC will connect under. Replace dc.test.local with your Domain Controller. Replace DC=test,DC=local with the Distinguished Name (DN) of the Base OU in your Domain where you want to list all child Computer objects of. kdestroy KRB5_TRACE=/dev/stdout kinit eset.esmc klist -f KRB5_TRACE=/dev/stdout ldapsearch -LLL -Y GSSAPI -h dc.test.local -b 'DC=test,DC=local' '(&(objectCategory=computer))' 'distinguishedName' 'dNSHostName' @tomasS @Peter Randziak

Hello, When I scan a 3.5Go+ zip file with the CLI scan tool (esets_scan) it crash with Trap/Breakpoint trap (Core dumped) error. My PC have enough RAM as the crash occured at ~40% RAM used. I succesfully scanned the same file throught the GUI witch in-depth profile. I succesfully scanned the same file with the option --max-arch-level=3 (3 is the max, 4 crash the scan). I succesfully scanned the same file but unziped before runing the scan. The zip contains multiple file : jar, msi installer, and more. esets_scan version : 4.0.93 System : Ubuntu 18.04.2 Tried with disable apparmor. Tried to copy the "in-depth" profile from the GUI with the command line tool. The used command line : /opt/eset/esets/sbin/esets_scan --aind --clean-mode="none" --no-quarantine --log-all --max-arch-level=10 --preserve-time "FILE" I would really appreciate some insight on this as it may be a bug in the CLI tool itself.

Hello guys, We've a customer that needs to scan his server using ESET SysRescue tool because the server has an active ransomware inside so it's unsafe to run a scan within Windows because more files can be encrypted. The problem is that the Linux doesn't recognize the hard drives. We think that the cause is that server is using a RAID. Is there any way we can scan such a type of units? Is it necessary to load some driver for Linux? Thank you.