Namoh, Posted June 2, 2020:

Probably a very stupid question... but where do I find the Eset Filtered Website Log? How do I enable it? I'm running ESET Smart Security Premium 13.1.21.0. Btw, thanks for your help.
itman, Posted June 2, 2020:

1 minute ago, Namoh said: Probably a very stupid question... but where do I find the Eset Filtered Website Log?

Right mouse click on the Eset desktop toolbar icon and select "Log files." Then select Filtered website log.
Namoh, Posted June 2, 2020:

Well, I don't have an Eset icon on my desktop. And when I right mouse click on Eset in the start menu or the toolbar there's no "Log Files" option. I've attached screenshots to show what I get. Probably doing something wrong. I'm on a paid license btw.
itman, Posted June 2, 2020:

19 minutes ago, Namoh said: Well, I don't have an Eset icon on my desktop.

Open the Eset GUI. Mouse click on Tools -> More Tools -> Log Files.
Namoh, Posted June 2, 2020:

Found it!! I think. There are 3 that have a huge number of blocked entries behind them:

svchost.exe 572x
unknown device 192... 282x
unknown device fe80... 280x
itman, Posted June 2, 2020:

@Marcos, Eset needs to contact Cloudflare and tell them this IP needs to be shut down: 104.18.32.75:8880. The attack is being launched from their backend servers.
Namoh, Posted June 2, 2020:

And found this via your path.
Namoh, Posted June 2, 2020:

Looks like the pop-ups have stopped... Is this because of you..??
itman, Posted June 2, 2020:

22 minutes ago, Namoh said: Is this because of you..??

No. But maybe Eset finally contacted Cloudflare about the issue and they shut down the source on their servers. The problem is you still have this JavaScript malware on your device. Run a full Eset scan as Administrator per the below screen shot:
itman, Posted June 2, 2020 (edited):

The problem for Cloudflare is determining who the real "culprit" is:

(Edited June 2, 2020 by itman)
Namoh, Posted June 2, 2020:

27 minutes ago, itman said: No. But maybe Eset finally contacted Cloudflare about the issue and they shut down the source on their servers. The problem is you still have this JavaScript malware on your device. Run a full Eset scan as Administrator per the below screen shot:

Already did this and it came up with no hits / results 😕
Namoh, Posted June 2, 2020:

Did it again.
itman, Posted June 2, 2020:

2 hours ago, Namoh said: Already did this and it came up with no hits / results 😕

Open the Eset GUI. Select Setup -> Computer protection -> Click on the gear symbol for HIPS. Scroll down to the "Rules" setting and mouse click on "Edit." Create a new HIPS rule as follows:

1. Click on the Add tab.
2. On the first screen display, enter the following:
   Rule name - User rule: block wscript.exe startup
   Action - Block
   Operations affecting: Applications - enable the setting
   Logging severity - Warning
   Click on the Next tab.
3. On the Source Applications screen, select "All Applications" from the drop down box. Click on the Next tab.
4. On the Application operation screen, enable the "Start new application" setting. Click on the Next tab.
5. On the Applications screen, click on the Add tab. Enter each of the following, clicking on the OK tab after each entry:
   C:\Windows\System32\wscript.exe
   C:\Windows\SysWOW64\wscript.exe
   Note: the above assumes you installed Windows on the C drive.
6. Click on the Finish tab to create the HIPS rule.
7. Click on any subsequently displayed OK tab to save your settings.

From this point on, monitor your Eset HIPS log for entries related to the above rule. What is needed is to determine what Application is attempting to start wscript.exe.
itman, Posted June 2, 2020:

Per Hybrid-Analysis, it appears one of the URLs shown is most likely the "culprit":
itman, Posted June 2, 2020 (edited):

There is also something of a puzzle about this malware. As shown by the below Hybrid-Analysis screen shot, this malware first drops a script in the C:\ root directory. It then runs that script (method unknown) to run two PowerShell scripts to copy the script and the corresponding .lnk version to the Startup directory and the %AppData% directory:

The problem here is you can't drop a .js file, or any other file for that matter, into the C:\ root directory in Win 10:

So either the payload delivery is different in Win 10, or the malware is performing other activities such as privilege escalation prior to dropping the payload into the C:\ root directory. So it appears there is more to this malware than just JavaScript execution.

(Edited June 2, 2020 by itman)
Namoh, Posted June 3, 2020 (edited):

11 hours ago, itman said: Open Eset GUI. Select Setup -> Computer protection -> Click on the gear symbol for HIPS. Scroll down to the "Rules" setting and mouse click on "Edit." Create a new HIPS rule as follows: [...] From this point on, monitor your Eset HIPS log for entries related to the above rule. What is needed is to determine what Application is attempting to start wscript.exe.

Did all the above, hopefully correctly. About your other posts... way above my IT knowledge.

(Edited June 3, 2020 by Namoh)
itman, Posted June 3, 2020:

7 hours ago, Namoh said: Did all the above, hopefully correctly.

Now you have to regularly monitor the Eset HIPS log for entries related to this rule. What you need to look for is what application is attempting to start wscript.exe. Copy those log entries and post a reply with those shown.

Note that this HIPS rule could block legit wscript.exe use. This is most applicable if one has coded custom JavaScript, VB scripts, etc. I doubt this applies to you.
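The HIPS rule above only tells you something once ESET logs a hit. Windows itself can answer the same question (which application starts wscript.exe) through process-creation auditing. The following is an added example, not ESET's tooling and not code from anyone in this thread: it enables Security event 4688 with command-line capture, then lists every wscript.exe/cscript.exe start with its parent process. It assumes Windows 10 with the default registry layout and must be run from an elevated PowerShell. The `auditpol` subcategory name is locale dependent; on a non-English Windows, run `auditpol /list /subcategory:*` to find the local name for "Process Creation".

```powershell
# Added example (not ESET's, not a forum poster's): find which application launches
# wscript.exe via Windows process-creation auditing (Security event 4688).
# Run in an elevated PowerShell on Windows 10. Assumptions: default registry paths,
# English subcategory name for auditpol (see the lead-in for other locales).

# Step 1: enable event 4688 and make it include the full command line.
auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# Step 2: after the next pop-up, list every script-host start together with its parent.
function Get-WshLaunch {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        if ($data['NewProcessName'] -match '\\(wscript|cscript)\.exe$') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Parent      = $data['ParentProcessName']   # the application that started the script host
                User        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                CommandLine = $data['CommandLine']         # names the .js/.vbs file that was run
            }
        }
    }
}

Get-WshLaunch -Hours 24 | Sort-Object Time | Format-Table -AutoSize -Wrap
```

The Parent column is the answer the HIPS rule is meant to produce; the CommandLine column additionally gives the path of the script being run, which is what you want to submit for analysis. Auditing stays enabled after the script finishes; reverse it with `auditpol /set /subcategory:"Process Creation" /success:disable /failure:disable` once the device is clean.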
Namoh, Posted June 3, 2020:

I did all of the above, the messages keep popping up, but I don't see any hits when I scan my pc with Administrator rights. I don't see anything in the HIPS log, but I do see a lot of hits in the Network security log (Netwerkbeveiliging).
Namoh, Posted June 3, 2020:

I've scanned svchost.exe separately, still nothing (didn't expect anything but just to be sure). What to do?
itman, Posted June 3, 2020 (edited):

6 hours ago, Namoh said: I don't see anything in the HIPS log, but I do see a lot of hits in the Network security log (Netwerkbeveiliging).

I should have paid more attention to the Eset Filtered website log entries you posted previously: https://forum.eset.com/topic/23573-eset-is-agressively-blocking-url-cant-find-app/?do=findComment&comment=115004 . Various previous sandbox analyses of the malware do show it modifies network settings, among other things.

Something is running that is using wscript.exe to connect to the botnet. One possibility is the malware has created a backdoor on your device. It is then connecting to its remote C&C server via this backdoor. From this remote server, the attacker is running wscript.exe remotely to execute the malicious script. As such, the created Eset HIPS rule is not detecting the startup of wscript.exe since it can only detect local device initiated startups.

First, let's verify you created the HIPS rule correctly. Navigate to the HIPS rule you created. Mouse click on the rule to highlight it. Then mouse click on the Edit tab. This will display the first screen used in a multi-display sequence. For each screen displayed, do the following:

1. Take a screen shot of the display screen. Save the screen shot.
2. Click on the Next tab.

Note: do not change anything on any displayed screen.

When the screen is displayed with the Finish tab on it, take that screen shot. Then mouse click on the Cancel tab. This will cancel any changes made to the rule and return you to the HIPS screen showing all existing rules. You can now exit the Eset GUI at this point.

Finally, post all saved HIPS rule screen shots in the order they were saved in your next reply.

(Edited June 3, 2020 by itman)
Namoh, Posted June 4, 2020 (edited):

I've done all of the above, see below screenshots. Hope I've added the rule correctly.

Just to give all info, I've deleted a file from the folder: C:\Users\sande\AppData\Roaming

Every time I'm starting up my pc it now gives a Windows Script Host message. I've attached this as well. These messages started after I installed a program related to this file, that's why I deleted it (finger was quicker than my brain). Don't know if it's related to this issue but thought it was worth mentioning.

(Edited June 4, 2020 by Namoh: screenshots were taking up lots of space)
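The sandbox write-up earlier in the thread describes the persistence shape (a script in C:\, a copy plus a .lnk in the Startup folder and in %AppData%), and the Windows Script Host error that now appears at every logon is the typical symptom of a launch point that still references a script file after the file was deleted. The following is an added example, not part of the thread and not ESET's code, that enumerates those launch points together with the Run/RunOnce keys and scheduled tasks, and reports whether each referenced script still exists. It assumes Windows on C: with the default folder layout; run it elevated to read the HKLM keys and all tasks.

```powershell
# Added example (not the thread's or ESET's code): enumerate Windows Script Host launch points
# and flag entries whose script file is missing (the cause of a WSH error at logon).
# Assumptions: Windows on C:, default folder layout, elevated PowerShell for HKLM and all tasks.

$ScriptExt = '\.(js|jse|vbs|vbe|wsf)$'
$ScriptRef = '(wscript|cscript)\.exe|\.(js|jse|vbs|vbe|wsf)\b'

function Get-ScriptPath([string]$Command) {
    # First absolute path ending in a script extension inside a command line, or $null.
    if ($Command -match '([A-Za-z]:\\[^"<>|]*?\.(js|jse|vbs|vbe|wsf))') { return $Matches[1] }
    return $null
}

function New-Finding([string]$Source, [string]$Entry, [string]$Target) {
    $path = Get-ScriptPath $Target
    [pscustomobject]@{
        Source       = $Source
        Entry        = $Entry
        Target       = $Target
        # $null when no script path could be parsed, otherwise whether the file still exists.
        ScriptExists = $(if ($path) { Test-Path -LiteralPath $path } else { $null })
    }
}

function Get-WshPersistence {
    $shell = New-Object -ComObject WScript.Shell
    $dirs = @('C:\', $env:APPDATA,
              [Environment]::GetFolderPath('Startup'),
              [Environment]::GetFolderPath('CommonStartup'))

    # Loose script files and shortcuts in the dropped-file locations.
    foreach ($dir in $dirs) {
        foreach ($f in Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue) {
            if ($f.Extension -match $ScriptExt) {
                New-Finding $dir $f.FullName $f.FullName
            } elseif ($f.Extension -ieq '.lnk') {
                # Resolve the shortcut; a dropped .lnk usually runs "wscript.exe <script>".
                $lnk = $shell.CreateShortcut($f.FullName)
                $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
                if ($cmd -match $ScriptRef) { New-Finding $dir $f.FullName $cmd }
            }
        }
    }

    # Run / RunOnce keys for the current user and the machine.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own provider metadata
            if ("$($p.Value)" -match $ScriptRef) { New-Finding $key $p.Name "$($p.Value)" }
        }
    }

    # Scheduled task actions that invoke a script host or a script file.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match $ScriptRef) { New-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmd }
        }
    }
}

Get-WshPersistence | Format-Table -AutoSize -Wrap
```

An entry with ScriptExists = False is the one producing the logon error and can be removed; an entry with ScriptExists = True pointing at a script you did not create is a live persistence mechanism and is the file to submit for analysis before deleting it. Legitimate software occasionally uses a Startup shortcut to a script, so review each hit rather than removing all of them blindly.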
Marcos (Administrator), Posted June 4, 2020:

You could create a Procmon boot log for perusal as per https://support.eset.com/en/kb6308-using-process-monitor-to-create-log-files. Create it without filters and save it in the native pml format. When done, compress the log, upload it to a safe location and provide a download link.
Namoh, Posted June 4, 2020:

Hope I did the right thing.
Marcos (Administrator), Posted June 4, 2020:

The Procmon log is not from a boot. Make sure to enable Options -> Boot logging, reboot the machine, wait until the threat is detected, launch Procmon, save the log, compress it and upload it again. Since it may be too big to upload here, consider uploading it elsewhere and providing a download link.
Namoh, Posted June 4, 2020:

The weird part is, yesterday it went crazy again with all the pop-ups. Today... so far nothing!! I've changed to Boot Logging, will restart the pc, and see if anything happens.