Jean93, posted November 17, 2020:

I'm using SMC and ESET Endpoint Antivirus Version: 7.3.2044.0 on my clients. I have been receiving constant Potentially Unwanted Application notifications on a specific client, notifying me that the HTTP filter scanner terminated a connection. It's always three notifications in a row, every day for the past few weeks. I've run Scan With Cleaning on that specific client twice now and the scan did not pick up any infected file. However, the next day I again receive the same notifications as above.

I finally decided to download Malwarebytes and run a scan on the problematic client. After the scan, Malwarebytes found 104 infected files, which I then paid for a license to have quarantined, and afterwards deleted the files.

Please advise why ESET is unable to find the infected files, yet it can notify me that it is blocking traffic? I'm using ESET as protection on over 50 clients. This is a real concern to my company if ESET is unable to deliver the level of protection we expect.

Marcos (Administrators), posted November 17, 2020:

You may need to disable extension syncing as per https://support.eset.com/en/kb6551.

Jean93 (author), posted November 17, 2020:

Marcos, I will try disabling the extension sync if I receive the notifications again. However, this does not explain why ESET did not detect the infected files that Malwarebytes did. Can you give some clarity on this?

itman, posted November 17, 2020 (edited November 17, 2020 by itman):

1 hour ago, Jean93 said:
> However this does not explain why ESET did not detect the infected files that Malwarebytes did - can you give some clarity on this?

Make sure you have Potentially Unsafe Applications set to at least Balanced level, per the screenshot below. By default, those settings are set to Off. Potentially Unwanted Applications should be set to the default Aggressive setting.

Also, on your client devices, ensure that browsers are not configured to automatically allow extensions/add-ons to be added.

Marcos (Administrators), posted November 17, 2020:

JS/Mindspark is a potentially unwanted application and since it was detected, detection of PUA should be enabled on the machine. MBAM often detects even benign registry values created by malware or PUAs. In order to tell if the objects detected by MBAM are actually subject to detection, please supply the content of MBAM's quarantine (C:\ProgramData\Malwarebytes\MBAMService\Quarantine) to samples[at]eset.com along with a link to this topic.

itman, posted November 17, 2020 (edited November 17, 2020 by itman):

Actually, the Eset KB article referenced sums it up nicely:

Quote
> Details
> ESET will clean the detected extension, however when Chrome is re-opened the PUA threat alert will return. This happens when the user is logged into Chrome and Chrome attempts to sync the extensions over and over again after ESET deletes it.

In other words, Eset is "cleaning" the malware from the extension when the extension loads. It however is not removing the extension. This must be done manually by the user.

MBAM on the other hand does have the capability of removing the extension. Based on this posting: https://forums.malwarebytes.com/topic/243104-pupoptionmindspark-blocking-andor-removal/ , it appears this is not the case; the recommendation given was to permanently disable Chrome's syncing of extensions.

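
Added example (not part of the original thread, and not ESET, Malwarebytes or Chrome code): the posts above turn on a detected Chrome extension coming back through sync after it has been removed, so this Python script inventories the extensions under a Chrome "User Data" directory and reports entries that appear between two inventories. The on-disk layout `<profile>/Extensions/<id>/<version>/manifest.json` is an assumption, and the profile, extension ID and name used in `demo()` are constructed.

```python
import json
import tempfile
from pathlib import Path

def _load(path):
    """Read a JSON file; tolerate a BOM, a missing file or damaged JSON."""
    try:
        return json.loads(Path(path).read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return {}

def _display_name(version_dir, manifest):
    """Resolve a localized "__MSG_key__" name via _locales/<default_locale>."""
    name = manifest.get("name", "")
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    locale = manifest.get("default_locale", "en")
    messages = _load(version_dir / "_locales" / locale / "messages.json")
    by_key = {k.lower(): v for k, v in messages.items()}  # keys are case-insensitive
    return by_key.get(name[6:-2].lower(), {}).get("message", name)

def list_extensions(user_data_dir):
    """Map (profile, ID) -> details; assumes <profile>/Extensions/<id>/<version>/."""
    found = {}
    for mf in sorted(Path(user_data_dir).glob("*/Extensions/*/*/manifest.json")):
        manifest = _load(mf)
        found[(mf.parents[3].name, mf.parents[1].name)] = {
            "name": _display_name(mf.parent, manifest),
            "version": manifest.get("version", "?"),
            "permissions": manifest.get("permissions", []),
        }
    return found

def restored_by_sync(before, after):
    """Entries absent right after cleanup but present once Chrome was reopened."""
    return sorted(set(after) - set(before))

def demo():
    """Constructed data: a fake profile before and after an extension returns."""
    with tempfile.TemporaryDirectory() as root:
        before = list_extensions(root)
        ext = Path(root, "Default", "Extensions", "a" * 32, "1.0.0_0")
        (ext / "_locales" / "en").mkdir(parents=True)
        (ext / "manifest.json").write_text(json.dumps({"name": "__MSG_appName__",
            "version": "1.0.0", "default_locale": "en", "permissions": ["tabs"]}))
        (ext / "_locales" / "en" / "messages.json").write_text(
            json.dumps({"appname": {"message": "Example Toolbar"}}))
        after = list_extensions(root)
        return [(key, after[key]["name"]) for key in restored_by_sync(before, after)]
```

On a Windows client the directory is normally `%LOCALAPPDATA%\Google\Chrome\User Data`; take one inventory after the extension has been removed and a second after Chrome has been reopened, and compare them with `restored_by_sync`.
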
Jean93 (author), posted November 18, 2020:

12 hours ago, itman said:
> Make sure you have Potentially Unsafe Applications set to at least Balanced level, per the screenshot below. By default, those settings are set to Off. Potentially Unwanted Applications should be set to the default Aggressive setting.
>
> Also, on your client devices, ensure that browsers are not configured to automatically allow extensions/add-ons to be added.

Hi itman, Potentially Unsafe Applications was set to Balanced level. I have now edited the policy to Aggressive level on all counts for the Detection Engine on all my clients using SMC. See below.

Jean93 (author), posted November 18, 2020:

12 hours ago, Marcos said:
> JS/Mindspark is a potentially unwanted application and since it was detected, detection of PUA should be enabled on the machine. MBAM often detects even benign registry values created by malware or PUAs. In order to tell if the objects detected by MBAM are actually subject to detection, please supply the content of MBAM's quarantine (C:\ProgramData\Malwarebytes\MBAMService\Quarantine) to samples[at]eset.com along with a link to this topic.

Hi Marcos, I've removed all extensions in Chrome on the client and cleared the cache as per the article you sent yesterday; so far no notification after opening Chrome. If the notification comes back I will proceed with the second part of the article by disabling the extension sync option.

I have already uninstalled MBAM on the client and deleted the infected files from Quarantine.