Marcos (Administrator), posted May 15, 2022

1 hour ago, oscarr said:
> Interesting! Don't know if it's of any use, but this was the PowerShell script I found in that pNYnr7eT1 directory. Like I said, I think it's just a thing to help hide the execution of something from the user. Since I don't get a nervous ESET anymore, I think renaming the directory this thing was in helped. Or something else got changed.

This is a slightly modified standard system file SyncAppvPublishingServer.vbs. It's not subject to detection.
itman, posted May 15, 2022

2 hours ago, Marcos said:
> This is a slightly modified standard system file SyncAppvPublishingServer.vbs. It's not subject to detection.

And I have a problem with this. The only app that uses the script is MS Access 2010, which isn't supported anymore: https://www.exefiles.com/en/vbs/syncappvpublishingserver-vbs/
Marcos (Administrator), posted May 15, 2022

C:\Windows\System32\SyncAppvPublishingServer.vbs is a standard part of Windows. It's found even on the latest Windows 11.
itman, posted May 15, 2022

4 minutes ago, Marcos said:
> C:\Windows\System32\SyncAppvPublishingServer.vbs is a standard part of Windows. It's found even on the latest Windows 11.

It falls into the category that Microsoft refers to as "deprecated" software. It goes without saying that a large chunk of known Win LOL binary attacks deploy deprecated MS software.
itman, posted May 15, 2022

Here's a list of Win LOL binaries that Microsoft itself recommends be blocked from execution: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
oscarr, posted May 16, 2022

@Marcos Using Win 11 with all the latest updates here as well; I have them as well.

@itman That's quite a list. I googled how to exclude the programs on that list from execution but already got tired of all the steps. Is there an easy way as well? For now I just rely on NOD32; it has never let me down.
Marcos (Administrator), posted May 16, 2022

1 minute ago, oscarr said:
> @itman That's quite a list. I googled how to exclude the programs on that list from execution but already got tired of all the steps. Is there an easy way as well? For now I just rely on NOD32; it has never let me down.

System files are not subject to detection, so excluding them should not be needed. Exclusions could even be dangerous in case they are not bound to a SHA1; if the system files got infected with a file infector, they would run undetected. Likewise, excluding them as processes would be dangerous, since it would allow any scripts to run undetected.
itman, posted May 16, 2022

1 hour ago, oscarr said:
> @itman That's quite a list. I googled how to exclude the programs on that list from execution but already got tired of all the steps. Is there an easy way as well? For now I just rely on NOD32; it has never let me down.

First, the Microsoft article is addressed to users of Windows Defender Application Control in regard to blocking undesirable system processes. I only posted it as an example of system processes Microsoft itself recommends be blocked.

For the average user concerned about malware-based attacks misusing Win system binaries and other such misuses, I recommend OSArmor: https://www.osarmor.com/ . I use it myself. Out of the box, using its default rules, it will protect you against all known Win-based living-off-the-land attacks. Additionally, one can create their own custom rules using features I have asked ESET for since I started using it in 2014, namely global wildcard support and the like for the HIPS. Additionally, the developer constantly updates the product when a newly discovered attack is found. Unfortunately, a free version of the product no longer exists. I have a lifetime 50%-off purchase price license, which makes its cost a bit more acceptable.

Finally, note that OSA works like ESET's HIPS in block mode. When a detection is triggered, the activity is first blocked. You are then offered an Exclude option which, if selected, will auto-create an exclusion rule. This will allow you to rerun the previously blocked process without issue thereafter.
sharif, posted May 21, 2022

On 5/12/2022 at 8:33 PM, JamesR said:
> I would not recommend deleting PowerShell and replacing it. PowerShell is not infected, it is just being misused. As it has been about a week, can you generate a new ESET Log Collector to provide here? When running ESET Log Collector, please ensure to select the profile "All" before clicking the "Collect" button. This will ensure we get as many logs as possible for this.

Hi, I attached the latest logs. But the schedule that was under Microsoft was deleted, while the one under Windows was not found.

Attachment: eis_logs.zip
Marcos (Administrator), posted May 21, 2022

Please run Windows Scheduler and delete the task Microsoft\Windows\7pggoez.
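For readers who want to check their own machine for tasks like the one Marcos names above, and to tie any script such a task runs to a SHA1 (the property Marcos says an exclusion should be bound to), here is an added PowerShell example. It is not code from this thread, from ESET or from Microsoft. It assumes the built-in ScheduledTasks module (Windows 8 / Server 2012 and later) and an elevated prompt; the task name 7pggoez and the task path Microsoft\Windows come from the thread, while the function names and the list of script hosts are my own choices.

```powershell
# Added example (not from the forum thread): audit scheduled tasks whose
# actions launch a script host or reference SyncAppvPublishingServer.vbs,
# hash any script file they point at with SHA1, and remove one task by path.
# Assumption: ScheduledTasks module present (Windows 8+/Server 2012+),
# running as administrator.

# Script hosts commonly used to run a script from a task (heuristic list, my own).
$ScriptHosts = @('wscript.exe', 'cscript.exe', 'powershell.exe', 'pwsh.exe', 'mshta.exe')

function Get-SuspiciousScheduledTask {
    [CmdletBinding()]
    param()
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $exe = $action.Execute
            if (-not $exe) { continue }   # COM-handler actions have no executable
            $exeName   = [System.IO.Path]::GetFileName($exe.Trim('"')).ToLower()
            $argString = [string]$action.Arguments
            $hitsHost  = $ScriptHosts -contains $exeName
            $hitsVbs   = $argString -match '\.vbs\b|SyncAppvPublishingServer'
            # Flags that hide a window or pass an encoded command are worth a look.
            $hitsHide  = $argString -match '-(w|windowstyle)\s+hidden|-enc\w*\b|-nop\w*\b'
            if ($hitsHost -or $hitsVbs -or $hitsHide) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    State     = $task.State
                    RunAs     = $task.Principal.UserId
                    Author    = $task.Author
                    Execute   = $exe
                    Arguments = $argString
                }
            }
        }
    }
}

function Get-ReferencedScriptHash {
    # SHA1 of every script file named in a task's argument string, so that a
    # deliberate exclusion can be bound to the file's hash rather than its path.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Arguments)
    $paths = [regex]::Matches($Arguments, '"?([A-Za-z]:\\[^"\s]+?\.(vbs|ps1|js|bat|cmd))"?') |
             ForEach-Object { $_.Groups[1].Value }
    foreach ($p in ($paths | Select-Object -Unique)) {
        $expanded = [Environment]::ExpandEnvironmentVariables($p)
        if (Test-Path -LiteralPath $expanded) {
            Get-FileHash -LiteralPath $expanded -Algorithm SHA1 | Select-Object Path, Hash
        } else {
            [pscustomobject]@{ Path = $expanded; Hash = '(file not found)' }
        }
    }
}

function Remove-TaskByPath {
    # Export the task definition first so the incident notes keep what it ran.
    param(
        [Parameter(Mandatory)][string]$TaskPath,   # e.g. '\Microsoft\Windows\'
        [Parameter(Mandatory)][string]$TaskName    # e.g. '7pggoez' (named in the thread)
    )
    $t = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction SilentlyContinue
    if (-not $t) { Write-Warning "Task $TaskPath$TaskName not found"; return }
    $t | Export-ScheduledTask | Out-File -FilePath "$env:TEMP\$TaskName.task.xml" -Encoding utf8
    Unregister-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -Confirm:$false
}

# Usage: review the candidates, hash what they run, then remove a confirmed task.
Get-SuspiciousScheduledTask | Format-Table -AutoSize
Get-SuspiciousScheduledTask | ForEach-Object { Get-ReferencedScriptHash -Arguments $_.Arguments }
# Remove-TaskByPath -TaskPath '\Microsoft\Windows\' -TaskName '7pggoez'
```

The audit deliberately over-reports: legitimate Windows tasks also launch powershell.exe, so the list is a starting point for review, not a verdict. Removal is left commented out so the task is only unregistered once its action has been inspected and its definition saved.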
sharif, posted May 27, 2022

I can confirm that the issue was finally solved. Thank you all.