Kulibali (0) Posted April 9, 2019

Hello, I noticed that after installing ESET Internet Security, AtBroker.exe starts running at PC startup. Has anyone noticed the same? I have never seen this file running before.
itman (1,602) Posted April 9, 2019

ESET has no use for that process, but malware can be deployed via it: https://lolbas-project.github.io/lolbas/Binaries/Atbroker/

You might want to use SysInternals Autoruns and see if you can find any reference to AtBroker.exe in any of the Windows startup locations, e.g. registry keys, startup directories, etc.

Is your copy of ESET legit and downloaded from the ESET web site?
Kulibali (0) Posted April 9, 2019 (Author, edited)

> 8 minutes ago, itman said:
> ESET has no use for that process, but malware can be deployed via it: https://lolbas-project.github.io/lolbas/Binaries/Atbroker/
> You might want to use SysInternals Autoruns and see if you can find any reference to AtBroker.exe in any of the Windows startup locations, e.g. registry keys, startup directories, etc.
> Is your copy of ESET legit and downloaded from the ESET web site?

Yes, I downloaded ESET from the official site, eset.com. This file appears at startup just after installing ESET, when I reboot my PC, and it always starts. Very weird.

Edited April 9, 2019 by Kulibali
itman (1,602) Posted April 9, 2019

Use of Windows "Assistive Technologies" such as Magnifier, On-Screen Keyboard, etc. is most likely the reason for AtBroker.exe to load at boot time. Are you using any of those features?
Kulibali (0) Posted April 9, 2019 (Author, edited)

> 1 hour ago, itman said:
> Use of Windows "Assistive Technologies" such as Magnifier, On-Screen Keyboard, etc. is most likely the reason for AtBroker.exe to load at boot time. Are you using any of those features?

No, I have never used those features.

Edited April 9, 2019 by Kulibali
itman (1,602) Posted April 9, 2019 (edited)

If you don't want to use Autoruns to determine what is starting AtBroker.exe at boot time, do the following.

Create, on a test basis, an ESET HIPS rule to allow the startup of AtBroker.exe. Make sure you enable logging for the rule and set its severity level to "Warning." After you boot, check the ESET HIPS log for any log entries from this rule. Those entries will inform you what process is starting AtBroker.exe. You can now delete the HIPS rule for AtBroker.exe.

If ekrn.exe is not starting AtBroker.exe, then ESET is not the source of the activity.

Edited April 9, 2019 by itman
Kulibali (0) Posted April 9, 2019 (Author)

> 2 hours ago, itman said:
> If you don't want to use Autoruns to determine what is starting AtBroker.exe at boot time, do the following.
> Create, on a test basis, an ESET HIPS rule to allow the startup of AtBroker.exe. Make sure you enable logging for the rule and set its severity level to "Warning." After you boot, check the ESET HIPS log for any log entries from this rule. Those entries will inform you what process is starting AtBroker.exe. You can now delete the HIPS rule for AtBroker.exe.
> If ekrn.exe is not starting AtBroker.exe, then ESET is not the source of the activity.

I used Autoruns and I didn't notice anything related to atbroker.exe. I will try the second method next.
Kulibali (0) Posted April 10, 2019 (Author)

> 19 hours ago, itman said:
> If you don't want to use Autoruns to determine what is starting AtBroker.exe at boot time, do the following.
> Create, on a test basis, an ESET HIPS rule to allow the startup of AtBroker.exe. Make sure you enable logging for the rule and set its severity level to "Warning." After you boot, check the ESET HIPS log for any log entries from this rule. Those entries will inform you what process is starting AtBroker.exe. You can now delete the HIPS rule for AtBroker.exe.
> If ekrn.exe is not starting AtBroker.exe, then ESET is not the source of the activity.

I added both atbroker.exe files from Windows System32 and SysWOW64 to the ESET HIPS rule and there is nothing in the logs, 0. Maybe I did it wrong?
itman (1,602) Posted April 10, 2019 (edited)

In regards to the HIPS rule, it should begin with "User rule:" followed by some descriptive text. For example: User rule: allow atbroker.exe startup

As far as the first rule screen goes:
- Action = Allow
- Operations affecting - checkmark "Applications"
- Enabled - checkmark
- Logging severity - Warning
- Click on the "Next" tab

The next screen shown is titled "Source Applications":
- In the drop down box select "All Applications"
- Click on the "Next" tab

The next screen shown is titled "Application Operations":
- Check mark "Start New Application"
- Click on the "Next" tab

The next screen shown is titled "Applications":
- Click on the "Add" tab
- Enter both atbroker.exe files from the Windows System32 and SysWOW64 directories
- Click on the "Finish" button
- Click on any subsequently displayed "OK" button to save your newly created rule.

Verify your newly created HIPS rule conforms to the above settings by reopening the HIPS rule you just created.

Edited April 12, 2019 by itman
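The thread suggests two ways to find out what launches AtBroker.exe at boot: Autoruns over the startup locations, and an ESET HIPS rule that logs the parent process. The script below is an added example, not code from the thread or from ESET, that does the same triage from an elevated PowerShell prompt on Windows 10: it checks that both AtBroker.exe copies carry a valid Microsoft signature, lists the registered Assistive Technologies (the registry keys the LOLBAS entry abuses, where a StartExe/ATExe pointing outside System32 is the tell), greps the Run keys and Startup folders, and resolves the parent of any AtBroker.exe currently running. The HKCU "Configuration" value and the exact 4688 message field names are assumptions and are marked as such; the 4688 step only returns anything if process-creation auditing is enabled.

```powershell
# Added example (not from the thread or ESET): triage AtBroker.exe on Windows 10.
# Run elevated. Registry value names marked ASSUMED are not documented by Microsoft here.

$targets = @("$env:SystemRoot\System32\AtBroker.exe",
             "$env:SystemRoot\SysWOW64\AtBroker.exe")

# 1. Genuine binary? Authenticode signer/status plus SHA-256 of both copies.
foreach ($path in $targets) {
    if (Test-Path $path) {
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        "{0}`n  signer: {1}`n  status: {2}`n  sha256: {3}" -f `
            $path, $sig.SignerCertificate.Subject, $sig.Status, $hash
    }
}

# 2. Registered Assistive Technologies. "AtBroker.exe /start <name>" launches the
#    StartExe/ATExe under these subkeys, so an unexpected name or a path outside
#    System32 is what matters (the LOLBAS technique registers a rogue AT here).
$atKeys = @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs',
            'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs')
foreach ($key in $atKeys) {
    if (Test-Path $key) {
        Get-ChildItem $key | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{ Key = $_.PSChildName; StartExe = $p.StartExe
                               ATExe = $p.ATExe;     StartParams = $p.StartParams }
        }
    }
}

# 3. ATs configured to start at logon (ASSUMED: comma-separated "Configuration" value).
$cfg = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility'
(Get-ItemProperty -Path $cfg -ErrorAction SilentlyContinue).Configuration

# 4. Any reference to atbroker in the common Run/RunOnce keys and Startup folders.
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce')
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty $key).PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -match 'atbroker' } |
            ForEach-Object { "{0}\{1} = {2}" -f $key, $_.Name, $_.Value }
    }
}
$startupDirs = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
Get-ChildItem $startupDirs -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match 'atbroker' }

# 5. Who started the AtBroker.exe running right now? Resolve the parent PID.
Get-CimInstance Win32_Process -Filter "Name = 'AtBroker.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    [pscustomobject]@{
        Pid = $_.ProcessId; ParentPid = $_.ParentProcessId
        Parent = if ($parent) { $parent.Name } else { '<exited>' }
        CommandLine = $_.CommandLine
    }
}

# 6. If process-creation auditing is on, event 4688 keeps the creator even after it
#    exits. Field names below (ASSUMED) follow the Windows 10 message layout.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'AtBroker\.exe' } |
    Select-Object -First 10 TimeCreated, @{ n = 'Detail'; e = {
        (($_.Message -split "`r?`n") -match 'Process Name|Creator Process|Process Command Line') -join '; '
    } }
```

Step 5 is the quick answer to the thread's question: on a clean machine the parent is winlogon.exe (AtBroker is started for the logon desktop switch) or has already exited, and an ESET component as parent would show ekrn.exe. Steps 2 and 3 are what Autoruns does not always surface, because a rogue AT registration is not a Run key. If step 1 reports anything other than a Valid signature from Microsoft Windows, stop and treat the file as the finding.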
Kulibali (0) Posted April 13, 2019 (Author)

> On 4/11/2019 at 1:08 AM, itman said:
> In regards to the HIPS rule, it should begin with "User rule:" followed by some descriptive text. For example: User rule: allow atbroker.exe startup
> As far as the first rule screen goes: Action = Allow; Operations affecting - checkmark "Applications"; Enabled - checkmark; Logging severity - Warning; click on the "Next" tab.
> The next screen shown is titled "Source Applications": in the drop down box select "All Applications"; click on the "Next" tab.
> The next screen shown is titled "Application Operations": check mark "Start New Application"; click on the "Next" tab.
> The next screen shown is titled "Applications": click on the "Add" tab; enter both atbroker.exe files from the Windows System32 and SysWOW64 directories; click on the "Finish" button; click on any subsequently displayed "OK" button to save your newly created rule.
> Verify your newly created HIPS rule conforms to the above settings by reopening the HIPS rule you just created.

I did the test and uninstalled ESET, and atbroker.exe stopped running at boot, so ESET was causing this.
itman (1,602) Posted April 13, 2019

> 2 hours ago, Kulibali said:
> I did the test and uninstalled ESET, and atbroker.exe stopped running at boot, so ESET was causing this.

ESET is not causing atbroker.exe to run at boot time; that I know as a fact. I have spent enough time on this thread.