ESET I.S. Agressively blocking URL, can't find app

[Namoh 0]

Probably a very stupid question...………..but where do I find the Eset Filtered Website Log?

How to enable it?

I'm running ESET Smart Security Premium 13.1.21.0

Btw, thanks for your help

[itman 1,659]

1 minute ago, Namoh said:

Probably a very stupid question...………..but where do I find the Eset Filtered Website Log?

Right mouse click on Eset desktop toolbar icon and select "Log files." Then select Filtered website log.

[Namoh 0]

Well, I don't have an eset icon on my desktop.

And when I right mouse click on eset in the start menu or the toolbar there's no "Log Files" option.

I've attached screenshots to show what I get. Probably doing something wrong.

I'm on a paid license btw.

[itman 1,659]

19 minutes ago, Namoh said:

Well, I don't have an eset icon on my desktop.

Open Eset GUI. Mouse click on Tools -> More Tools -> Log Files.

[Namoh 0]

Found it!! I think.

There's 3 that have a huge amount of blocked numbers behind them.

svchost.exe     572x

unknown device 192...….    282x

unknown device fe80...…    280x

 

[itman 1,659]

@Marcos , Eset needs to contact Cloudfare and tell them this IP needs to be shutdown;

104.18.32.75:8880

The attack is being launched from their backend servers.

[Namoh 0]

and found this via your path.

[Namoh 0]

Looks like the pop-ups has been stopped……...

Is this because of you..??

[itman 1,659]

22 minutes ago, Namoh said:

Is this because of you..??

No. But maybe Eset finally contacted Cloudflare about the issue and they shut down the source on their servers.

The problem is you still have this JavaScript malware on your device. Run a full Eset scan as Administrator per the below screen shot:

[itman 1,659]

The problem for Cloudflare is determine who is the real "culprit:"

Edited June 2, 2020 by itman

[Namoh 0]

27 minutes ago, itman said:

No. But maybe Eset finally contacted Cloudflare about the issue and they shut down the source on their servers.

The problem is you still have this JavaScript malware on your device. Run a full Eset scan as Administrator per the below screen shot:

Already did this and it came up with no hits / results 😕

[Namoh 0]

Did it again.

[itman 1,659]

2 hours ago, Namoh said:

Already did this and it came up with no hits / results 😕

Open Eset GUI. Select Setup -> Computer protection -> Click on the gear symbol for HIPS. Scroll down to the "Rules" setting and mouse click on "Edit."

Create a new HIPS rule as follows:

1.  Click on the Add tab.

2. On the first screen display, enter the following;

Rule name - User rule: block wscript.exe startup

Action - Block

Operations affecting: Applications - enable the setting

Logging severity - Warning

Click on the Next tab

3. On the Source Applications screen, select "All Applications" from the drop down box. Click on the Next tab.

4. On the Application operation screen, enable the "Start new application"setting. Click on the Next tab.

5. On the Applications screen, click on the Add tab. Enter each of the following clicking on the OK tab after each entry;

C:\Windows\System32\wscript.exe

C:\Windows\SysWOW64\wscript.exe

Note: the above assumes you installed Windows on the C drive.

6. Click on the Finish tab to create the HIPS rule.

7. Click on any subsequently displayed OK tab to save your settings.

From this point on, monitor your Eset HIPS log for entries related to the above rule.  What is needed is to determine what Application is attempting to start wscript.exe.

[itman 1,659]

Per Hybrid-Analysis, appears one of the URLs shown is most likely the "culprit:"

[itman 1,659]

There is also something of a puzzle about this malware. As shown by the below Hybrid-Analysis screen shot, this malware first drops a script in the C:\ root directory. It then runs that script (method unknown) to run two PowerShell scripts to copy the script and corresponding .lnk version to Startup directory and %AppData directory:

The problem here is you can't drop a .js file or any other file for that matter into the C:\ root directory in Win 10:

So either the payload delivery is different in Win 10 or the malware is performing other activities such as privilege escalation prior to dropping the payload into the C:\ root directory.

So it appears there is more to this malware than just JavaScript execution. 

Edited June 2, 2020 by itman

[Namoh 0]

11 hours ago, itman said:

Open Eset GUI. Select Setup -> Computer protection -> Click on the gear symbol for HIPS. Scroll down to the "Rules" setting and mouse click on "Edit."

Create a new HIPS rule as follows:

1.  Click on the Add tab.

2. On the first screen display, enter the following;

Rule name - User rule: block wscript.exe startup

Action - Block

Operations affecting: Applications - enable the setting

Logging severity - Warning

Click on the Next tab

3. On the Source Applications screen, select "All Applications" from the drop down box. Click on the Next tab.

4. On the Application operation screen, enable the "Start new application"setting. Click on the Next tab.

5. On the Applications screen, click on the Add tab. Enter each of the following clicking on the OK tab after each entry;

C:\Windows\System32\wscript.exe

C:\Windows\SysWOW64\wscript.exe

Note: the above assumes you installed Windows on the C drive.

6. Click on the Finish tab to create the HIPS rule.

7. Click on any subsequently displayed OK tab to save your settings.

From this point on, monitor your Eset HIPS log for entries related to the above rule.  What is needed is to determine what Application is attempting to start wscript.exe.

Did all above, hopefully correct.

 

About your other posts………..way above my IT knowledge.

Edited June 3, 2020 by Namoh

[itman 1,659]

7 hours ago, Namoh said:

Did all above, hopefully correct.

Now you have to regularly monitor the Eset HIPS log for entries related to this rule. What you need to look for is what application is attempted to start wscript.exe. Copy those log entries and post a reply with those shown.

Note that this HIPS rule could block legit wscript.exe use. This is most applicable if one has coded custom JavaScript, VB scripts, etc.. I doubt this applies to you.

[Namoh 0]

I did all of the above, the messages keep popping up, but I don't see any hits when I scan my pc with Administrator rights.

I don't see anything in the HIPS log, but I do see a lot of hits in the Network security log (Netwerkbeveiliging).

 

[Namoh 0]

I've scanned svchost.exe separately, still nothing (didn't expect anything but just to be sure).

What to do?

 

[itman 1,659]

6 hours ago, Namoh said:

I don't see anything in the HIPS log, but I do see a lot of hits in the Network security log (Netwerkbeveiliging).

I should have paid more attention to your Eset Filtered website log entries you posted previously: https://forum.eset.com/topic/23573-eset-is-agressively-blocking-url-cant-find-app/?do=findComment&comment=115004 .

Previous various sandbox analysis of the malware does show it modifies network settings among other things. Something is running that is using wscript.exe to connect to the botnet. One possibility is the malware has created a backdoor on your device. It is then connecting to its remote C&C server via this backdoor. From this remote server, the attacker is running wscript.exe remotely to execute the malicious script. As such the created Eset HIPS rule is not detecting the startup of wscript.exe since it can only detect local device initiated startups.

First, let's verify you created the HIPS rule correctly. Navigate to the HIPS rule you created. Mouse click on the rule to highlight it. Then mouse click on the Edit tab. This will display the first screen used in a multi-display sequence.

For each screen displayed, do the following:

1. Take a screen shot of the display screen. Save the screen shot.

2. Click on the Next tab.

Note: do not change anything on any displayed screen.

When the screen is displayed with the Finish tab on it, take that screen shot. Then mouse click on the Cancel tab. This will cancel any changes made to the rule and return you to the HIPS screen showing all existing rules. You can now exit the Eset GUI at this point.

Finally, post all saved HIPS rule screen shots in the order they were saved in your next reply.

Edited June 3, 2020 by itman

[Namoh 0]

I've done all of the above, see below screenshots.

Hope I've added the rule correctly.

Just to give all info, I've deleted a file from the folder: C:\Users\sande\AppData\Roaming

Everytime I'm starting up my pc it now gives an Windows Script Host message.

I've attached this as well.

These messages started after I installed a program related to this file, that's why I deleted it (finger was quicker than my brain).

Don't know if it's related to this issue but thought it was worth mentioning.

 

 

 

 

 

Edited June 4, 2020 by Namoh
Screenshots where taking up lots of space

[Marcos 5,074]

You could create a Procmon boot log for perusal as per https://support.eset.com/en/kb6308-using-process-monitor-to-create-log-files. Create it without filters and save it in the native pml format. When done, compress the log, upload it to a safe location and provide a download link.

[Namoh 0]

Hope I did the right thing.

 

[Marcos 5,074]

The Procmon log is not from a boot. Make sure to enable Options->Boot logging, reboot the machine, wait until the threat is detected, launch Procmon, save the log, compress it and upload it again. Since it may be too big to upload here, consider uploading it elsewhere and provide a download link.

[Namoh 0]

The weird part is, yesterday it went crazy again with all the pop-ups.

Today………………….so far nothing!!

I've changed to Boot Logging, will restart pc, and see if anything happens.