safety (July 20, 2022):
Dear colleagues, is there a detailed description of the functions of the ESET SysInspector version for working with the new SysInspector.esil log format? Were the functions for creating and executing a script to clean up the system preserved?
Marcos (Administrator, July 20, 2022):
ESI v2 doesn't support service scripts. It basically allows only collecting and viewing logs with advanced filtering options not present in ESI v1.
safety (July 20, 2022):
Will a separate v2 utility be released to work with the esil format? Or will v1 continue to be updated and developed?
Marcos (Administrator, July 20, 2022):
ESIL logs can be opened with ESI2. No other tool to work with ESIL logs is planned.
safety (July 20, 2022):
The first impression is that the new version is unusual to work with, but due to its speed and advanced search it compares favorably with version 1. I would very much like the mechanism for creating a script to be revised and added to the new version in the future, so that it works with the new format.
safety (July 20, 2022):
ESI v1 will gradually go away as more and more users switch to new versions of the products, and then ESI v2 will become the main utility.
safety (August 4, 2022, edited):
Hi, question: why are processes marked with state 6 if all loaded modules are clean and have state 1?
cmd.exe, 3180, COMP-BDA\Дмитрий, , Windows Command Processor, Microsoft Corporation, "C:\Windows\system32\cmd.exe"
dllhost.exe, 3492, COMP-BDA\Дмитрий, , COM Surrogate, Microsoft Corporation, "C:\Windows\system32\dllhost.exe"
Attachment: SysInspector.esil.log
Edited August 4, 2022 by safety
Marcos (Administrator, August 4, 2022):
From the look of it I assume the log was generated during installation of a particular software and two dlls in the temp folder were already removed when ESI attempted to gather details about them. Try to generate another log when not installing software.
safety (August 4, 2022):
You may be right, because the antivirus deletes the dll all the time:
03.08.2022 16:21:50 Advanced memory scanner file Operating memory » C:\Users\Дмитрий\AppData\Local\Temp\28e86510.dll a variant of Win32/Spy.Agent.QGW trojan cleaned by deleting E270A42E0B87887376DE25E48312CFF2571DB9A3
But it comes back again:
08/03/2022 04:21:55 PM Advanced memory scanner file Operating memory » C:\Users\Dmitry\AppData\Local\Temp\28e86510.dll a variant of Win32/Spy.Agent.QGW trojan cleaned by deleting 5F66A0781CDCECDF6C65F348E189362EF587274F
Here, either the image of the executable file is being replaced, or threads are injected into these processes. The initiator here is, oddly enough, a clean file. I can send you the log.
Attachment: eis_logs.zip
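The pattern in the post above (the same dll cleaned twice within seconds, each time with a different hash) is easier to see when the detection log is parsed rather than read by eye. The following is an added example, not code from the thread or from ESET: a small Python parser for detection lines in the format quoted above that groups cleanups by path and reports files that keep being rebuilt with a new hash. The line format and the optional "Operating memory »" prefix are assumptions derived from the two quoted lines; the sample log is constructed (user name replaced by a placeholder, third and fourth records and their hashes invented as placeholders), and the two real hashes are the ones quoted in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# One detection record as it appears in the Detections log export (format assumed
# from the two lines quoted in the thread).  Both timestamp styles seen there,
# "03.08.2022 16:21:50" and "08/03/2022 04:21:55 PM", are accepted.  The
# "Operating memory » path" prefix is optional so on-disk detections parse too.
RECORD = re.compile(
    r"^(?P<ts>\d{2}[./]\d{2}[./]\d{4} \d{2}:\d{2}:\d{2}(?: [AP]M)?) "
    r"(?P<scanner>.+?) file (?:(?P<object>.+?) » )?(?P<path>.+?) "
    r"(?P<threat>.+?) (?P<action>cleaned by deleting|cleaned|deleted|quarantined) "
    r"(?P<sha1>[0-9A-Fa-f]{40})$"
)

TIME_FORMATS = ("%d.%m.%Y %H:%M:%S", "%m/%d/%Y %I:%M:%S %p")

# Constructed sample log: the thread's two memory-scanner hits (user name replaced
# by the placeholder <user>), one more re-drop of the same file, and one unrelated
# one-off detection.  The third and fourth hashes are placeholders, not real samples.
SAMPLE_LOG = r"""
Time Scanner Object type Object Detection Action Hash
03.08.2022 16:21:50 Advanced memory scanner file Operating memory » C:\Users\<user>\AppData\Local\Temp\28e86510.dll a variant of Win32/Spy.Agent.QGW trojan cleaned by deleting E270A42E0B87887376DE25E48312CFF2571DB9A3
08/03/2022 04:21:55 PM Advanced memory scanner file Operating memory » C:\Users\<user>\AppData\Local\Temp\28e86510.dll a variant of Win32/Spy.Agent.QGW trojan cleaned by deleting 5F66A0781CDCECDF6C65F348E189362EF587274F
03.08.2022 16:24:10 Advanced memory scanner file Operating memory » C:\Users\<user>\AppData\Local\Temp\28e86510.dll a variant of Win32/Spy.Agent.QGW trojan cleaned by deleting 0123456789ABCDEF0123456789ABCDEF01234567
03.08.2022 16:30:00 On-demand scanner file C:\Users\<user>\Downloads\eicar.com Eicar test file cleaned by deleting FEDCBA9876543210FEDCBA9876543210FEDCBA98
"""


def parse_timestamp(text: str) -> datetime:
    """Accept either of the two locale formats seen in the thread."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")


def parse_log(text: str) -> list:
    """Return one dict per detection line; header and unrelated lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["time"] = parse_timestamp(rec.pop("ts"))
            rec["sha1"] = rec["sha1"].upper()
            records.append(rec)
    return records


def find_redropped(records, min_hits: int = 2) -> dict:
    """Group detections by path (case-insensitive, as NTFS is) and keep the paths
    that were cleaned repeatedly with differing hashes: the file is being rebuilt
    by something else, so deleting it is not the fix and the dropper must be found."""
    by_path = defaultdict(list)
    for rec in records:
        by_path[rec["path"].lower()].append(rec)
    result = {}
    for path, hits in by_path.items():
        hashes = sorted({h["sha1"] for h in hits})
        if len(hits) >= min_hits and len(hashes) > 1:
            times = [h["time"] for h in hits]
            result[path] = {"count": len(hits), "hashes": hashes,
                            "first": min(times), "last": max(times)}
    return result


if __name__ == "__main__":
    for path, info in find_redropped(parse_log(SAMPLE_LOG)).items():
        span = (info["last"] - info["first"]).total_seconds()
        print(f"{path}: cleaned {info['count']}x within {span:.0f}s, "
              f"{len(info['hashes'])} distinct hashes")
```

Feed it the exported Detections log instead of SAMPLE_LOG; any path that appears in the result with several hashes is a symptom, and the process or scheduled task that recreates it is the thing to hunt in the Procmon or ESI log.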
safety (August 4, 2022):
The problem is most likely related to this task:
c:\windows\system32\tasks\java
c:\users\Dmitry\appdata\roaming\java.exe /pj=9757386 /zgvlo=92 /nbw /mkj=13105, ,
I have quarantined files that I assume are related to running the task.
Attachment: ZOO_2022-08-04_12-31-02.rar
Marcos (Administrator, August 4, 2022):
Quote (safety, 1 hour ago):
c:\users\Dmitry\appdata\roaming\java.exe /pj=9757386 /zgvlo=92 /nbw /mkj=13105, ,
It's a legitimate java.exe file, digitally signed and popular. Please provide a Procmon boot log. After a reboot, stop logging after the threat has been detected. Then compress the log and provide it along with fresh ELC logs.
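The two posts above illustrate a common defender's dilemma: the task's binary is a genuinely signed java.exe, yet it is launched from a roaming profile directory with switches the Java launcher does not use. The following is an added example, not code from the thread or from ESET: a Python checker that takes scheduled-task actions (task path plus command line, as they would be read from the task XML or from the ESI log) and flags the combination of user-writable location, well-known binary name outside its normal home, and non-Java arguments. The directory patterns, the list of well-known binary names and the sample task list are assumptions; the suspicious command line is the one quoted above with the user name replaced by a placeholder, and the benign tasks are constructed.

```python
import re
from dataclasses import dataclass, field

# Locations a standard user can write to.  A task whose binary sits here persists
# without ever needing admin rights or a protected install directory.
USER_WRITABLE = re.compile(r"\\(appdata\\(roaming|local)|users\\public|programdata)\\", re.I)

# Normal homes for OS and vendor binaries (drive letter deliberately left open).
TRUSTED_ROOT = re.compile(r"^[a-z]:\\(windows|program files( \(x86\))?)\\", re.I)

# Binaries whose only legitimate home is Windows or a vendor install directory.  A
# valid signature on a copy elsewhere says who built the file, not that it belongs there.
WELL_KNOWN = {"java.exe", "javaw.exe", "powershell.exe", "wscript.exe",
              "cscript.exe", "rundll32.exe", "mshta.exe"}

# Constructed sample: the task from the thread (user name replaced by <user>) and two
# benign tasks invented for contrast.
SAMPLE_TASKS = [
    (r"c:\windows\system32\tasks\java",
     r"c:\users\<user>\appdata\roaming\java.exe /pj=9757386 /zgvlo=92 /nbw /mkj=13105"),
    (r"c:\windows\system32\tasks\Vendor\AppUpdate",
     r'"C:\Program Files\Java\jre\bin\java.exe" -jar "C:\Program Files\Vendor\app.jar"'),
    (r"c:\windows\system32\tasks\Microsoft\Windows\Example\Cleanup",
     r"C:\Windows\System32\cmd.exe /c del /q C:\Windows\Temp\*.log"),
]


@dataclass
class TaskFinding:
    task: str
    exe: str
    args: str
    reasons: list = field(default_factory=list)


def split_command(command: str):
    """Split a task action into (executable path, argument string).
    A quoted path ("C:\\Program Files\\x.exe" args) is honoured; otherwise the
    executable ends at the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end == -1:
            raise ValueError("unterminated quote in task action")
        return command[1:end], command[end + 1:].strip()
    exe, _, args = command.partition(" ")
    return exe, args.strip()


def assess_task(task: str, command: str) -> TaskFinding:
    exe, args = split_command(command)
    name = exe.rsplit("\\", 1)[-1].lower()
    finding = TaskFinding(task, exe, args)
    if USER_WRITABLE.search(exe):
        finding.reasons.append("executable is in a user-writable directory")
    if name in WELL_KNOWN and not TRUSTED_ROOT.match(exe):
        finding.reasons.append(f"{name} launched from outside Windows/Program Files")
    if name in ("java.exe", "javaw.exe") and re.search(r"(^|\s)/\w", args):
        # The Java launcher takes dash-style options (-jar, -cp, ...); slash switches
        # are not launcher options, so a task that runs with them is worth checking
        # for modules loaded from next to the binary rather than the binary itself.
        finding.reasons.append("arguments are not Java launcher options")
    return finding


def suspicious_tasks(tasks) -> list:
    """Return findings for every task that raised at least one reason."""
    return [f for f in (assess_task(t, c) for t, c in tasks) if f.reasons]


if __name__ == "__main__":
    for f in suspicious_tasks(SAMPLE_TASKS):
        print(f.task)
        for reason in f.reasons:
            print("  -", reason)
```

Each reason on its own is weak (Java legitimately installs per-user in some setups), so the value is in the combination: a task that hits all three is the one to pull into Procmon, which is exactly the boot log requested above.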
safety (August 5, 2022, edited):
Dear Marcos, unfortunately, in this case this is no longer possible. The system was cleaned and the detection stopped. The launch chain of the malicious dll could not be determined.
Quote (Marcos):
It's a legitimate java.exe file, digitally signed and popular.
Microsoft Defender (MpCmdRun.exe) is also legitimate, but sometimes it loads malicious modules.
Edited August 5, 2022 by safety