Sysinspector.esil

Dear colleagues,

Is there a detailed description of the functions of the ESET SysInspector version for working with the new SysInspector.esil log format?

Were the functions of creating and executing a script to clean up the system preserved?


  • Administrators

ESI v2 doesn't support service scripts. It basically allows only collecting and viewing logs with advanced filtering options not present in ESI v1.


Will a separate v2 utility be released to work with the esil format? Or will v1 continue to be updated and developed?


  • Administrators

ESIL logs can be opened with ESI2. No other tool to work with ESIL logs is planned.


The first impression is that working with the new version is unusual, but due to its speed and advanced search it compares favorably with version 1. I would very much like the mechanism for creating a script to be revised and added to the new version in the future so that it works with the new format.


ESI v1 will gradually go away, as more and more users switch to new versions of products, and then ESI v2 will become the main utility.


  • 2 weeks later...
Posted (edited)

Hi,

Question: Why are processes marked with state 6 if all loaded modules are clean and have state 1? :)

cmd.exe, 3180, COMP-BDA\Дмитрий, , Windows Command Processor, Microsoft Corporation, "C:\Windows\system32\cmd.exe"

dllhost.exe, 3492, COMP-BDA\Дмитрий, , COM Surrogate, Microsoft Corporation, "C:\Windows\system32\dllhost.exe"

SysInspector.esil.log

Edited by safety

  • Administrators

From the look of it I assume the log was generated during installation of particular software and two dlls in the temp folder were already removed when ESI attempted to gather details about them. Try to generate another log when not installing software.



You may be right, because the antivirus deletes the dll all the time.

03.08.2022 16:21:50    Advanced memory scanner    file    Operating memory » C:\Users\Дмитрий\AppData\Local\Temp\28e86510.dll    a variant of Win32/Spy.Agent.QGW trojan    cleaned by deleting            E270A42E0B87887376DE25E48312CFF2571DB9A3   

But it is restored again.

08/03/2022 04:21:55 PM Advanced memory scanner file Operating memory » C:\Users\Dmitry\AppData\Local\Temp\28e86510.dll a variant of Win32/Spy.Agent.QGW trojan cleaned by deleting 5F66A0781CDCECDF6C65F348E189362EF587274F

Here, either the image of the executable file is being replaced, or threads are being injected into these processes.

The initiator here is, oddly enough, a clean file. I can send you the log.


eis_logs.zip

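The two detections quoted in this post hit the same Temp path five seconds apart with different SHA-1 hashes, which is the pattern of a component that re-creates the DLL after every clean. As an added example (not from the thread and not ESET's code), here is a small Python parser for tab-separated ESET detection-log exports that groups detections by file path and flags paths that were cleaned repeatedly with changing hashes inside a short window. The column layout is an assumption about the export format, and the sample lines are constructed from the two detections above (with the same user path in both so they group together).

```python
"""Flag files that ESET keeps cleaning under the same path with changing hashes.

Example code added to this thread, not ESET's. The column layout of the
tab-separated detection-log export is an assumption; adjust COLUMNS to match
your own export.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: the two detections quoted in the thread, re-typed as
# tab-separated export lines with the same user path in both.
SAMPLE_LOG = (
    "03.08.2022 16:21:50\tAdvanced memory scanner\tfile\t"
    "Operating memory » C:\\Users\\Дмитрий\\AppData\\Local\\Temp\\28e86510.dll\t"
    "a variant of Win32/Spy.Agent.QGW trojan\tcleaned by deleting\t\t\t"
    "E270A42E0B87887376DE25E48312CFF2571DB9A3\n"
    "08/03/2022 04:21:55 PM\tAdvanced memory scanner\tfile\t"
    "Operating memory » C:\\Users\\Дмитрий\\AppData\\Local\\Temp\\28e86510.dll\t"
    "a variant of Win32/Spy.Agent.QGW trojan\tcleaned by deleting\t\t\t"
    "5F66A0781CDCECDF6C65F348E189362EF587274F\n"
)

# Assumed column order of the export.
COLUMNS = ["time", "scanner", "object_type", "object",
           "threat", "action", "user", "info", "hash"]

# Both timestamp styles that appear in the thread (Russian and US locale exports).
TIME_FORMATS = ("%d.%m.%Y %H:%M:%S", "%m/%d/%Y %I:%M:%S %p")


def parse_time(text):
    """Accept either locale's timestamp; raise on anything else."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")


def parse_log(text):
    """Turn export lines into dicts keyed by COLUMNS plus a normalised 'path'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        fields += [""] * (len(COLUMNS) - len(fields))   # pad short rows
        event = dict(zip(COLUMNS, fields))
        event["time"] = parse_time(event["time"])
        event["hash"] = event["hash"].strip().upper()
        # "Operating memory » <path>": the file path follows the last separator.
        event["path"] = event["object"].rsplit("»", 1)[-1].strip()
        events.append(event)
    return events


def find_redrops(events, window_seconds=300):
    """Return paths cleaned more than once with differing hashes inside the
    window: the file is being re-created with a new hash after each clean."""
    by_path = defaultdict(list)
    for event in events:
        by_path[event["path"].lower()].append(event)

    findings = []
    for path, group in by_path.items():
        group.sort(key=lambda e: e["time"])
        hashes = sorted({e["hash"] for e in group if e["hash"]})
        span = (group[-1]["time"] - group[0]["time"]).total_seconds()
        if len(group) > 1 and len(hashes) > 1 and span <= window_seconds:
            findings.append({"path": path, "count": len(group),
                             "hashes": hashes, "span_seconds": span})
    return findings


if __name__ == "__main__":
    for finding in find_redrops(parse_log(SAMPLE_LOG)):
        print(f"{finding['path']}: cleaned {finding['count']} times in "
              f"{finding['span_seconds']:.0f}s with {len(finding['hashes'])} hashes")
```

A module caught twice within seconds under the same path but with different hashes is not a stale detection; something is writing it back. The useful next step is therefore to find the process or scheduled task that writes to that Temp path, rather than to submit the DLL itself again.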

The problem is most likely related to this task:

c:\windows\system32\tasks\java

c:\users\Dmitry\appdata\roaming\java.exe /pj=9757386 /zgvlo=92 /nbw /mkj=13105, ,

I have quarantined files that I assume are related to running the task.

ZOO_2022-08-04_12-31-02.rar

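The suspected persistence here is a scheduled task whose action runs a java.exe out of the user's roaming profile with unusual arguments. As an added example (not from the thread, ESET or Microsoft), the Python below reads Task Scheduler XML definitions, pulls out every Exec action, and flags those whose command sits under a user-writable location such as AppData or Temp, since a binary there can be swapped or re-dropped without administrative rights. The task XML samples are constructed: the first reuses the task path, command and arguments quoted in the post, the second is a made-up benign control; the namespace is the one Task Scheduler uses in its task files.

```python
"""Triage Scheduled Task definitions whose action runs from a user-writable path.

Example code added to this thread, not ESET's or Microsoft's. Real task files
live under C:\\Windows\\System32\\Tasks as UTF-16 XML; parse them with
ET.parse(path) (bytes input) instead of the inline strings used here.
"""
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a standard user can write to. A binary here can be swapped or
# re-dropped without admin rights, so tasks launching from here get reviewed.
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\",
    "%appdata%", "%localappdata%", "%temp%", "%tmp%", "%public%",
)

# Constructed task definitions. The first reuses the task path, command and
# arguments quoted in the thread; the second is a made-up benign control.
SAMPLE_TASKS = {
    r"c:\windows\system32\tasks\java": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>c:\users\Dmitry\appdata\roaming\java.exe</Command>
      <Arguments>/pj=9757386 /zgvlo=92 /nbw /mkj=13105</Arguments>
    </Exec>
  </Actions>
</Task>""",
    r"c:\windows\system32\tasks\ExampleControl": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\example_control.exe</Command>
      <Arguments>/quiet</Arguments>
    </Exec>
  </Actions>
</Task>""",
}


def extract_exec_actions(task_xml):
    """Return (command, arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml.strip())
    actions = []
    for exec_el in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = exec_el.findtext("t:Command", default="", namespaces=TASK_NS)
        arguments = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS)
        actions.append((command.strip().strip('"'), arguments.strip()))
    return actions


def is_user_writable(command):
    """True when the command path sits under a user-writable location."""
    lowered = command.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def triage_tasks(tasks):
    """Flag tasks whose Exec command lives in a user-writable directory.

    A valid signature on the binary does not by itself explain why a task
    launches it from a roaming profile with these arguments, so each hit is a
    review item, not a verdict.
    """
    findings = []
    for task_path, xml_text in tasks.items():
        for command, arguments in extract_exec_actions(xml_text):
            if is_user_writable(command):
                findings.append({"task": task_path, "command": command,
                                 "arguments": arguments})
    return findings


if __name__ == "__main__":
    for hit in triage_tasks(SAMPLE_TASKS):
        print(f"{hit['task']}: {hit['command']} {hit['arguments']}")
```

Run against a directory of real task files, the same loop would feed each file's bytes to `ET.parse` and report the task name alongside command and arguments, which is exactly the pairing (trusted binary, odd launch context) that the rest of this thread discusses.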

  • Administrators
1 hour ago, safety said:

c:\users\Dmitry\appdata\roaming\java.exe /pj=9757386 /zgvlo=92 /nbw /mkj=13105, ,

It's a legitimate java.exe file, digitally signed and popular.

Please provide a Procmon boot log. After a reboot, stop logging after the threat has been detected. Then compress the log and provide it along with fresh ELC logs.


Posted (edited)

Dear Marcos,

Unfortunately, in this case this is no longer possible. The system was cleaned and the detection stopped. The launch chain of the malicious dll could not be determined.

Quote

It's a legitimate java.exe file, digitally signed and popular.

Microsoft Defender (MpCmdRun.exe) is also legitimate, but sometimes it loads malicious modules.


Edited by safety