Ahmed Fathi, posted January 24, 2020:
We have a licence for 120 users on my network. I am using ESET File Security 5 for servers running Windows 2008 R2. When I wanted to upgrade to ESET 7, I uninstalled ESET 5 and installed 7. After restarting my server, I can't access my shared folder on the server. I downgraded to ESET 5 and got the same problem. Please help.
Marcos (Administrator), posted January 24, 2020:
Do you have ESET Endpoint Antivirus or ESET Endpoint Security installed? If the latter, make sure that the subnet 192.168.11.0/24 is in the Trusted zone. By default, sharing is allowed only in the Trusted zone.
Ahmed Fathi, posted January 24, 2020:
I have ESET Endpoint Security 5.0 for the clients and ESET File Security 4.5 for the server. The problem appeared after I uninstalled the previous version (4.5 FS) and installed ESET FS 7 on the domain controller (with Active Directory and DNS) and on the ERP server as well. The DC and all the servers cannot access their own shared folders via IP address, but it works when I use the hostname. The ping command works for the whole network. I can't access the shares whether the server firewall is on or off. I tried uninstalling ESET FS 7 and faced the same issue. I tried installing the old version 4.5 FS and restored all the quarantined files, and it is still the same issue. Please advise. Thanks.
itman, posted January 24, 2020:
Based on what I am seeing in your file servers' quarantine screenshots, you have never patched them against the Equation Editor vulnerability:
Quote: "The patch for the CVE-2018-0802 exploit permanently 'fixes' the vulnerability by eliminating the Equation Editor altogether."
https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/
Ahmed Fathi, posted January 24, 2020:
I backed up the ERP server and installed it on a new server in the domain, without the ESET AV. It works properly and local users can access the system. When trying to join the new computer to the domain, I got "The network path was not found". On the DC server, DNS is working correctly: when I use the nslookup command I get the IP and the host.
Note: I used ESET version 4.5 for about 3 years and had no problem. I think that uninstalling or installing ESET FS:
1. Blocks the port
2. Stops the service
3. Deletes or changes the registry
4. Changes the authentication
5. Deletes or changes the group dash
Please help, because I have been trying for two weeks to fix this problem. Thanks.
Marcos (Administrator), posted January 24, 2020:
If uninstalling ESET doesn't resolve the issue, it's very unlikely that ESET is the culprit. I see that you had the server infected with the Vools virus; it could be that some system files got corrupted and are non-functional.
Ahmed Fathi, posted January 24, 2020:
I am almost sure that I have a virus in the network, but I am working diligently to find out the damage it caused so I can fix it, and after that I will seek a radical solution. Note that the company has been at a standstill because of this issue for several days. Please strive to reach a solution. Thanks.
itman, posted January 24, 2020:
Per this Sophos article: https://community.sophos.com/kb/en-us/132107 , you may also be infected with EternalBlue. Did you ever apply the patch for that?
Quote: "If you see any of the detection names listed below, there are high chances that either the host itself is vulnerable or there's another infected vulnerable host on the network which is infecting other machines including this one:
PUA detected: 'Equation Group' at 'C:\Windows\System32\tpmagentservice.dll'
Malware detected: 'Troj/Equatio-Q' at 'C:\Windows\SecureBootThemes\Microsoft\tibe-1.dll'
Malware detected: 'Troj/Equation-G' at 'C:\Windows\SecureBootThemes\Microsoft\spoolsv.exe'
Malware detected: 'Troj/Eqdrug-AC' at 'C:\Windows\SecureBootThemes\Microsoft\adfw-2.dll'
Malware detected: 'Troj/Eternal-A' at 'C:\Windows\SecureBootThemes\Microsoft\svchost.exe'"
Marcos (Administrator), posted January 25, 2020:
Unlike v4.5, EFSW v7 can protect against exploitation of vulnerabilities in network protocols, such as the infamous EternalBlue; EFSW 4.5 cannot. Moreover, v4.5 has already reached EOL and is not even suitable for modern server operating systems, where it could cause various issues.
Ahmed Fathi, posted January 25, 2020:
The URL https://community.sophos.com/kb/en-us/132107 returns 403 Forbidden. I didn't patch EternalBlue before; how can I do it? I want to know whether there is any option to disable the protection or unblock network discovery for a while in order to back up the server, in EFSW 7 or 4.5, or even without AV.
Ahmed Fathi, posted January 25, 2020:
Please find attached Sysinspector.rar, with SysInspector logs for ESET FS 7 and 4.5. Please tell me if you find any error related to my problem. Thanks.
Attachment: Sysinspector.rar
itman, posted January 25, 2020:
Quoting Ahmed Fathi: "the URL https://community.sophos.com/kb/en-us/132107"
This link works OK for me.
Quoting Ahmed Fathi: "i didn't patch EternalBlue before , how can i do it ?"
First, ESET has a tool and recommended mitigation procedures here: https://support.eset.com/en/eset-stops-wannacryptor-wannacry-and-eternalblue-use-our-free-tool-to-make-sure-those-windows-vulnerabilities-are-patched
Below are additional alternative verification and mitigation sources:
Microsoft created a patch for all vulnerable OS versions, regardless of whether they were in end-of-life support status. Verify that it is not installed on all vulnerable devices on your network: https://support.microsoft.com/en-us/help/4023262/how-to-verify-that-ms17-010-is-installed . If not installed, patches for vulnerable OS versions can be downloaded from the Microsoft Update Catalog: https://www.catalog.update.microsoft.com/Home.aspx . Enter "MS17-010" (without the quote marks) in the search box. Displayed will be the patches available for all vulnerable OS versions.
Also, the linked Sophos article notes how the same vulnerability check can be done via a PowerShell script:
Quote: "What To Do
Verify_MS17-010.ZIP
This PowerShell script has to be run as an Administrator. Rename the file to .PS1 and Right Click > Run with PowerShell.
Run this script as an Administrator. On a vulnerable machine the output would be something like this: [screenshot not reproduced]
On a non-vulnerable machine, the output should look something like this: [screenshot not reproduced]
NOTE: By default you may not have the ability to execute PowerShell scripts. You can change the execution policy by running this command in an administrative PowerShell window: Set-ExecutionPolicy <parameter>
The parameters can be any of the following: Unrestricted, RemoteSigned, AllSigned, Restricted, Default, Bypass, Undefined
You can selectively bypass the ExecutionPolicy for a single script using this command: powershell.exe -ExecutionPolicy ByPass -File Verify_MS17-010.ps1"
Note that all vulnerable network devices must be patched to be fully protected from the EternalBlue exploit.
Marcos (Administrator), posted January 25, 2020:
You can use these tools by ESET:
https://help.eset.com/eset_tools/ESETEternalBlueChecker.exe
https://download.eset.com/com/eset/tools/diagnosis/bluekeep_checker/latest/esetbluekeepchecker.exe
itman, posted January 25, 2020:
Also, ESET's repeated detection of Vools malware is another strong indication that your network is being attacked through the EternalBlue exploit:
Quote: "The security firm noted how those responsible for this campaign perpetuate their malicious activity by using a package of tools owned by the Equation Group and subsequently leaked online by the Shadow Brokers. For instance, researchers came across a variant of Vools, a backdoor that leverages the EternalBlue exploit to deliver cryptocurrency miners, ransomware and other typical malware samples."
https://securityintelligence.com/news/threat-actors-use-targeted-attack-tools-to-distribute-cryptocurrency-miners-ransomware/
itman, posted January 26, 2020:
A few additional comments. You need to determine the source of the EternalBlue attack against your file servers: primarily, whether the attack is external against the file servers only, or internal from another device on the network. Note that EternalBlue is a worm. As such, it has the capability of spreading additional malware to one or all devices on your network. Allowing file sharing in the current situation is equivalent to committing network suicide.
If the EternalBlue attack is external against the file servers only, there is the possibility that your network has not been infected further. I say this because it appears ESET is detecting the attack on the servers and removing the malicious components. In this case, you need to secure and lock down external access to your servers, primarily RDP access to those servers. And most importantly, patch those servers against the EternalBlue exploit.
If the EternalBlue attack against the file servers is originating from an internal network device, assume all devices on your network may have been infected. As such, all devices need to be patched immediately against the EternalBlue exploit.
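The two checks itman describes above, verifying that MS17-010 is applied on a Windows Server 2008 R2 host (the KB4023262 method of comparing the srv.sys file version) and working out whether SMB traffic is arriving from an internal machine or from outside, can be combined into one script. What follows is an added example written for this page; it is not the Sophos Verify_MS17-010 script, not an ESET tool, and not code from anyone in the thread. The srv.sys version threshold (6.1.7601.23689) and the KB identifiers (KB4012212, KB4012215) are the values I believe Microsoft documents for Windows 7 SP1 / Server 2008 R2; treat them as assumptions and confirm them against KB4023262 before relying on the result. The SMBv1 registry switch is the documented one for that OS.

```powershell
# Added example (not from the thread): MS17-010 / SMBv1 / SMB-peer check for Windows Server 2008 R2.
# Run from an elevated prompt:  powershell.exe -ExecutionPolicy Bypass -File Check-MS17010.ps1
# Assumptions to verify against Microsoft KB4023262:
#   - srv.sys 6.1.7601.23689 or later carries the MS17-010 fix on Win7 SP1 / Server 2008 R2.
#   - KB4012212 (security-only) and KB4012215 (monthly rollup) are the original March 2017
#     MS17-010 packages for this OS. Later rollups supersede them, so the file version is
#     the reliable test and the hotfix list is only informational.

$fixedSrv   = [version]'6.1.7601.23689'
$ms17010Kbs = 'KB4012212', 'KB4012215'

function Get-SrvVersion {
    # Build a comparable [version] from the driver's numeric version parts (the FileVersion
    # string carries a build tag and does not compare cleanly).
    $fi = (Get-Item "$env:SystemRoot\System32\drivers\srv.sys").VersionInfo
    New-Object Version($fi.FileMajorPart, $fi.FileMinorPart, $fi.FileBuildPart, $fi.FilePrivatePart)
}

$os = Get-WmiObject Win32_OperatingSystem
Write-Host "Host: $env:COMPUTERNAME  OS: $($os.Caption)  build $($os.Version)"

# 1. SMB server driver version: the authoritative MS17-010 check.
$srv = Get-SrvVersion
if ($srv -ge $fixedSrv) {
    Write-Host "[OK]   srv.sys $srv is at or above the MS17-010 level ($fixedSrv)"
} else {
    Write-Host "[VULN] srv.sys $srv is older than $fixedSrv : MS17-010 is NOT applied"
}

# 2. Installed hotfix list (informational; superseding rollups will not show these IDs).
$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) { Write-Host "[INFO] MS17-010 package present: $($installed.HotFixID -join ', ')" }
else            { Write-Host "[INFO] Original MS17-010 KBs not listed; a later rollup may supersede them" }

# 3. SMBv1 server state. EternalBlue targets SMBv1. On 2008 R2 it is disabled through the
#    registry (LanmanServer\Parameters\SMB1 = 0); a missing value means enabled (the default).
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1 = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
if ($null -eq $smb1 -or $smb1 -ne 0) {
    Write-Host "[WARN] SMBv1 server is enabled. To disable it (reboot required):"
    Write-Host "       Set-ItemProperty -Path '$params' -Name SMB1 -Type DWORD -Value 0 -Force"
} else {
    Write-Host "[OK]   SMBv1 server is disabled"
}

# 4. Who is talking SMB to this host right now? Established TCP/445 peers show whether an
#    EternalBlue attempt comes from another LAN host or from outside. netstat is used
#    because Get-NetTCPConnection is not available on Server 2008 R2.
$peers = netstat -ano -p TCP | ForEach-Object {
    if ($_ -match '^\s*TCP\s+\S+:445\s+(\S+):\d+\s+ESTABLISHED') { $Matches[1] }
} | Sort-Object -Unique
if ($peers) {
    Write-Host "[INFO] Established SMB (445) peers: $($peers -join ', ')"
    Write-Host "       Addresses inside your LAN range (the thread mentions 192.168.11.0/24) point to"
    Write-Host "       an infected internal host; anything else means 445 is reachable from outside."
} else {
    Write-Host "[INFO] No established SMB sessions at the moment"
}
```

Run it on every server and, because EternalBlue spreads laterally, on the workstations as well; a single unpatched host that still answers on 445 is enough to keep reinfecting the servers that ESET is cleaning.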
itman, posted January 26, 2020:
Since @Marcos mentioned ESET's BlueKeep vulnerability checker, here is ESET's article with details on this RDP vulnerability, against which your servers and other vulnerable devices should also be patched immediately: https://www.eset.com/int/about/newsroom/press-releases/research/eset-releases-tool-to-check-whether-your-windows-is-safe-against-bluekeep/
Additional ESET article on how to secure RDP: https://www.welivesecurity.com/2019/12/17/bluekeep-time-disconnect-rdp-internet/
Here is Microsoft's advisory, with links to the applicable BlueKeep patches: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708