
stop sharing folder


Ahmed Fathi


We have a licence for 120 users for my network. I am using ESET File Security 5 on Windows Server 2008 R2 servers.
When I want to upgrade to ESET 7, I uninstall ESET 5 and install 7. After restarting my server I can't access my shared folder on the server.

I downgraded to ESET 5 and I got the same problem.

 

please help 

 

2008 Sharing Error.jpg

DC Access Sharing Error .jpg


  • Administrators

Do you have ESET Endpoint Antivirus or ESET Endpoint Security installed? If the latter, make sure that the subnet 192.168.11.0/24 is in the Trusted zone. By default, sharing is allowed only in the Trusted zone.


I have ESET Endpoint Security 5.0 for the clients and ESET File Security 4.5 for the servers.

The problem comes after I uninstall the previous version 4.5 FS and install ESET FS 7 on the domain controller (with Active Directory and DNS) and on the ERP server as well.

The DC server and all servers cannot access their own shared folders through the IP address, but it works when I use the host name.

The ping command works for the whole network.

I can't access it even with the server firewall on or off.

I tried to uninstall ESET FS 7 and I am facing the same issue.

I tried to install the old version 4.5 FS and I restored all quarantined files, and I still have the same issue.

Please advise.

Thanks

 

error accessing ip address.jpg

server 1 Quarantine.jpg

server 2 Quarantine.jpg


Based on what I am seeing in your file servers' quarantine screenshots, you have never patched them against the Equation Editor vulnerability:

Quote

The patch for the CVE-2018-0802 exploit permanently “fixes” the vulnerability by eliminating the Equation Editor altogether.

https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/


I made a backup of the ERP server and installed it on a new server in the domain, without ESET AV.
It is working properly and local users can access the system.

When trying to join the new computer to the domain, I got "The network path was not found".

On the DC server the DNS is working correctly: when I use the nslookup command I can get the IP and the host.

Note:

I used ESET version 4.5 about 3 years ago and I had no problem. I think that uninstalling or installing ESET FS:

1. Blocks the port
2. Stops the service
3. Deletes or changes the registry
4. Changes the authentication
5. Deletes or changes the group dash

Please help, because I have been trying for two weeks to fix this problem.

Thanks.

join domain.jpg


  • Administrators

If uninstalling ESET doesn't resolve the issue, it's very unlikely that ESET would be the culprit. I see that you had the server infected with the Vools virus; it could be that some system files got corrupted and non-functional.


I am almost sure that I have a virus in the network.
But I am diligently trying to find out the damage it caused so that I can fix it, and after that I will seek a radical solution.
Note that the company has been suspended because of this issue for several days.
Please strive to reach a solution.

thanks ..


Per this Sophos article: https://community.sophos.com/kb/en-us/132107, you may also be infected with EternalBlue. Did you ever apply the patch for that?

Quote

If you see any of the detection names listed below, there are high chances that either the host itself is vulnerable or there's another infected vulnerable host on the network which is infecting other machines including this one:

PUA detected: 'Equation Group' at 'C:\Windows\System32\tpmagentservice.dll'
Malware detected: 'Troj/Equatio-Q' at 'C:\Windows\SecureBootThemes\Microsoft\tibe-1.dll'
Malware detected: 'Troj/Equation-G' at 'C:\Windows\SecureBootThemes\Microsoft\spoolsv.exe'
Malware detected: 'Troj/Eqdrug-AC' at 'C:\Windows\SecureBootThemes\Microsoft\adfw-2.dll'
Malware detected: 'Troj/Eternal-A' at 'C:\Windows\SecureBootThemes\Microsoft\svchost.exe'

 

Edited by itman

  • Administrators

Unlike EFSW 4.5, EFSW v7 can protect from exploitation of vulnerabilities in network protocols, such as the infamous EternalBlue. Moreover, v4.5 has already reached EOL and was not even suitable for modern server operating systems, where it could cause various issues.


The URL https://community.sophos.com/kb/en-us/132107 returns:

  403 Forbidden

I didn't patch EternalBlue before; how can I do it?

I want to know whether there is any option to cancel the protection or
unblock network discovery for a while to back up the server,
in EFSW 7 or 4.5, or even without AV.

 


12 hours ago, Ahmed Fathi said:

This link works OK for me.

12 hours ago, Ahmed Fathi said:

i didn't patch EternalBlue before , how can i do it ?

First, Eset has a tool and recommended mitigation procedures here: https://support.eset.com/en/eset-stops-wannacryptor-wannacry-and-eternalblue-use-our-free-tool-to-make-sure-those-windows-vulnerabilities-are-patched

Below are additional alternative verification and mitigation sources:

-EDIT- Microsoft created a patch for all vulnerable OS versions regardless of whether they were in end-of-life support status.

Verify that it is not installed on all vulnerable devices on your network: https://support.microsoft.com/en-us/help/4023262/how-to-verify-that-ms17-010-is-installed .

If not installed, patches for vulnerable OS versions can be downloaded from the Microsoft Update Catalog: https://www.catalog.update.microsoft.com/Home.aspx . Enter "MS17-010" (without the quote marks) in the search box. The patches available for all vulnerable OS versions will be displayed.

Also, the Sophos linked article notes how the same vulnerability checking can be done via a PowerShell script:

Quote

What To Do

Verify_MS17-010.ZIP

  1. This Powershell script has to be run as an Administrator. Rename the file to .PS1 and Right Click > Run with Powershell:
  2. Run this script as an Administrator:

On a Vulnerable machine the output would be something like this:

Vulnerable4.png

On a non-vulnerable machine, the output should look something like this:

PatchedEBlue.png

NOTE: By default you may not have the ability to execute Powershell scripts. You can change the execution policy by running this command on an Administrative Powershell window:

Set-ExecutionPolicy <parameter>

The parameters can be any of the following: Unrestricted, RemoteSigned, AllSigned, Restricted, Default, Bypass, Undefined

You can selectively bypass the ExecutionPolicy for a single script using this command - 

powershell.exe -ExecutionPolicy ByPass -File Verify_MS17-010.ps1

Note that all vulnerable network devices must be patched to be fully protected from the EternalBlue exploit.

Edited by itman
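The thread points to the Sophos Verify_MS17-010 script and ESET's checker but never shows what such a verification actually inspects. The following PowerShell is an added example (not the Sophos script, not ESET's tool, and not code from any poster) that checks a host the way Microsoft's own verification article describes: by the srv.sys file version and by the presence of one of the March 2017 MS17-010 KB packages, plus whether SMBv1 is still enabled. It also looks for the EternalBlue drop paths quoted from the Sophos article earlier in this thread. Assumptions: the KB numbers and minimum srv.sys versions in the tables are reproduced from memory of KB4023262 and bulletin MS17-010 and must be confirmed against those pages; later cumulative updates supersede the listed KBs, so the srv.sys version is the stronger of the two signals.

```powershell
# Added example for this thread (not ESET, Sophos or any poster's code).
# Defender-side MS17-010 check using Microsoft's documented indicators.
# ASSUMPTION: KB numbers and minimum srv.sys versions below are from memory of
# KB4023262 / MS17-010; confirm them against those pages before acting on them.

# Minimum srv.sys version carrying the MS17-010 fix, keyed by OS build number.
$PatchedSrvVersions = @{
    '6002'  = [version]'6.0.6002.19743'    # Vista SP2 / Server 2008 SP2
    '7601'  = [version]'6.1.7601.23689'    # Windows 7 SP1 / Server 2008 R2 SP1
    '9200'  = [version]'6.2.9200.22099'    # Windows 8 / Server 2012
    '9600'  = [version]'6.3.9600.18604'    # Windows 8.1 / Server 2012 R2
    '10240' = [version]'10.0.10240.17319'  # Windows 10 1507
    '10586' = [version]'10.0.10586.839'    # Windows 10 1511
    '14393' = [version]'10.0.14393.953'    # Windows 10 1607 / Server 2016
}

# KB packages that delivered the fix (security-only and monthly rollup per OS).
# Later cumulative updates supersede them, so a missing KB alone proves nothing.
$Ms17010Kbs = @('KB4012598','KB4012212','KB4012215','KB4012214','KB4012217',
                'KB4012213','KB4012216','KB4012606','KB4013198','KB4013429')

function Test-Ms17010 {
    param([string]$SrvSysPath = (Join-Path $env:SystemRoot 'System32\drivers\srv.sys'))

    # Win32_OperatingSystem reports the real build; works on PowerShell 2.0 (2008 R2).
    $build = (Get-WmiObject Win32_OperatingSystem).BuildNumber

    # Build a comparable [version] from the four numeric parts of the file version.
    $srvVersion = $null
    if (Test-Path $SrvSysPath) {
        $vi = (Get-Item $SrvSysPath).VersionInfo
        $srvVersion = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                                     $vi.FileBuildPart, $vi.FilePrivatePart)
    }

    # $null when the build is not in the table, $true/$false otherwise.
    $srvPatched = $null
    if ($srvVersion -and $PatchedSrvVersions.ContainsKey($build)) {
        $srvPatched = ($srvVersion -ge $PatchedSrvVersions[$build])
    }

    # -contains instead of -in so the function also runs on PowerShell 2.0.
    $kbs = @(Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
             ForEach-Object { $_.HotFixID })

    # SMB1 stays enabled unless LanmanServer\Parameters\SMB1 is explicitly 0.
    $smb1 = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                -Name SMB1 -ErrorAction SilentlyContinue
    $smb1Enabled = -not ($smb1 -and $smb1.SMB1 -eq 0)

    # An old srv.sys outranks an installed KB (e.g. reboot still pending).
    $verdict = if ($srvPatched -eq $false) { 'VULNERABLE: srv.sys older than the MS17-010 build' }
               elseif ($srvPatched -eq $true -or $kbs.Count -gt 0) { 'PATCHED' }
               else { 'UNKNOWN: build not in table, compare srv.sys version with KB4023262' }

    New-Object PSObject -Property @{
        ComputerName  = $env:COMPUTERNAME
        OSBuild       = $build
        SrvSysVersion = $srvVersion
        Ms17010Kbs    = ($kbs -join ',')
        Smb1Enabled   = $smb1Enabled
        Verdict       = $verdict
    }
}

# Second check: the drop locations the Sophos article quoted earlier in this
# thread associates with EternalBlue / Equation Group tooling. Any hit is a
# reason to isolate the host and investigate; no hit is not a clean bill.
function Test-EternalBlueDropPaths {
    $paths = @(
        (Join-Path $env:SystemRoot 'System32\tpmagentservice.dll'),
        (Join-Path $env:SystemRoot 'SecureBootThemes\Microsoft\tibe-1.dll'),
        (Join-Path $env:SystemRoot 'SecureBootThemes\Microsoft\spoolsv.exe'),
        (Join-Path $env:SystemRoot 'SecureBootThemes\Microsoft\adfw-2.dll'),
        (Join-Path $env:SystemRoot 'SecureBootThemes\Microsoft\svchost.exe')
    )
    $paths | Where-Object { Test-Path $_ }   # emits only the paths that exist
}

Test-Ms17010 | Format-List
$found = @(Test-EternalBlueDropPaths)
if ($found.Count -gt 0) {
    Write-Warning ('Known EternalBlue drop files present: ' + ($found -join '; '))
} else {
    Write-Output 'None of the quoted EternalBlue drop paths are present.'
}
```

Save it as a .ps1 and run it from an elevated PowerShell window on every server and workstation, in the same way the quoted Sophos instructions describe (including the execution-policy note). The srv.sys comparison is the part to trust: a host that has received a newer cumulative rollup will carry none of the listed KB IDs yet still report a patched driver version, which is exactly the case the verdict logic handles.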

Also, Eset's repeated detection of Vools malware is another strong indication that your network is being attacked through the EternalBlue exploit:

Quote

The security firm noted how those responsible for this campaign perpetuate their malicious activity by using a package of tools owned by the Equation Group and subsequently leaked online by the Shadow Brokers. For instance, researchers came across a variant of Vools, a backdoor that leverages the EternalBlue exploit to deliver cryptocurrency miners, ransomware and other typical malware samples.

https://securityintelligence.com/news/threat-actors-use-targeted-attack-tools-to-distribute-cryptocurrency-miners-ransomware/


A few other additional comments.

You need to determine the source of the EternalBlue attack against your file servers. Primarily, whether the attack is external against the file servers only or internal, from another device on the network. Note that EternalBlue is a worm. As such, it has the capability of spreading additional malware to one or all devices on your network. Allowing file sharing in the current situation is equivalent to performing network suicide.

If the EternalBlue attack is external against the file servers only, there is the possibility that your network has not been infected further. I state this because it appears Eset is detecting the attack on the servers and removing the malicious components. In this case, you need to secure and lock down external access to your servers, primarily RDP access to those servers. And most importantly, patch those servers against the EternalBlue exploit.

If the EternalBlue attack against the file servers is originating from an internal network device, assume all devices on your network have possibly been infected. As such, all devices need to be immediately patched against the EternalBlue exploit.

 

Edited by itman

Since @Marcos mentioned Eset's BlueKeep vulnerability checker, here's Eset's article with details on this RDP vulnerability, against which your servers and other vulnerable devices should also be immediately patched: https://www.eset.com/int/about/newsroom/press-releases/research/eset-releases-tool-to-check-whether-your-windows-is-safe-against-bluekeep/

Additional Eset article on how to secure RDP: https://www.welivesecurity.com/2019/12/17/bluekeep-time-disconnect-rdp-internet/

Here's Microsoft's article along with links to applicable Bluekeep patches: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

Edited by itman
