
Eset VS Miner



Hello!
I demonstrated and tested ESET.

The first thing:

1) Eset does not know how to install on the system when the miner is running on a charged machine.
2) The DisallowRun registry branch blocks Eset.
3) It does not know how to unlock folder permissions.
4) It can't install if the Eset antivirus is blocking the miner.
5) Eset setup cannot generate a random name, i.e. Eset cannot install names because of the miner.


Eset does not provide complete protection against the Miner; the Miner is stronger than Eset.

Unfortunately, Eset remains a problematic installer, because there is no generated filename, that is, one bypassing restrictions.


  • Administrators

1, If malware is already running it could prevent any antivirus or program from running so it may be necessary to clean the machine first. However, honestly I haven't heard about any such real case for a long time, if ever.

2, I don't think malware could misuse DisallowRun to block the crucial process ekrn.exe, especially not if ESET is installed and protecting the machine. More info would be needed on if and how you managed to block ekrn, if at all.

3, An antivirus is not supposed to modify permissions on existing files or folders.

4, See point 1. In certain cases it may be necessary to clean malware first, e.g. by running an online scanner or an offline scan after booting from a clean disk.

5, See point 4 and 1.

6, What Miner are you referring to? Any hash, sample or a link to VirusTotal? Without more information, we can't tell if it's really: a) subject to detection, b) undetected by ESET even upon execution and with PUA/PUsA enabled.


Hello Marcos!

I regret that Eset is not qualified enough.
The problem: the Miner knows how to disable any Eset installer.
Group policy is banned because of the Miner's action in DisallowRun, where Explorer is spelled out.
Eset does not generate files bypassing the Eset installer.
The reason: the Miner kills the Eset install and disables the process for the active one. Eset will not be able to execute in safe mode.
This scanner function is very old, as safe startup does not work. This vulnerable Eset without a GUI interface will not work in safe mode; another failure.


14 hours ago, Malware Hunter said:

I, demonstrated and tested ESET.

We need a proof of concept write up here.

1. Current device configuration; OS and version installed; any other security software installed other than Microsoft Defender, etc..

2. Proof a coin miner is installed and running prior to attempted Eset installation. As noted previously, we need specifically to identify what coin miner is installed.

3. Proof coin miner is what prevented Eset from being installed.


HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Ограничение <==== ВНИМАНИЕ
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Ограничение <==== ВНИМАНИЕ
HKLM\SOFTWARE\Policies\Microsoft\MRT: Ограничение <==== ВНИМАНИЕ
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center: Ограничение <==== ВНИМАНИЕ
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center: Ограничение <==== ВНИМАНИЕ
GroupPolicy: Ограничение ? <==== ВНИМАНИЕ
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun Ограничение <==== ВНИМАНИЕ
Policies: C:\ProgramData\NTUSER.pol: Ограничение <==== ВНИМАНИЕ
Policies: D:\ProgramData\NTUSER.pol: Ограничение <==== ВНИМАНИЕ
Policies: F:\ProgramData\NTUSER.pol: Ограничение <==== ВНИМАНИЕ
Policies: %ProgramData%\NTUSER.pol: Ограничение <==== ВНИМАНИЕ
IFEO\CompatTelRunner.exe: [Debugger] C:\Windows\system32\systray.exe
C:\ProgramData\Windows Tasks Service\winserv.exe
C:\Windows\SysWow64\unsecapp.exe
C:\ProgramData\ReaItekHD\taskhost.exe
C:\ProgramData\ReaItekHD\taskhostw.exe
C:\ProgramData\WindowsTask\MicrosoftHost.exe
C:\ProgramData\WindowsTask\audiodg.exe
C:\ProgramData\WindowsTask\AppModule.exe
C:\ProgramData\WindowsTask\AMD.exe
C:\Program Files\RDP Wrapper
The folders that block and disable the install:

It is a list of the miner's blocks on the Eset install and more.

Run them on Windows Hyper-V.
1) Install Eset without database updates.
2) Run the Malware Miner.
3) Run base updates; most likely the malware will not allow Eset and will disable ekrn and Eset.
4) Observe it.

Unfortunately your Eset won't be able to handle it.


  • Administrators

No antivirus program can clean a machine before it's actually run or installed. Moreover, I hardly remember a real case when there was a problem installing ESET on an already infected machine. I recollect there were some cases in the past when activation was prevented by malware, however, the user must clean the machine first in such case.

Still, we'd be interested in getting a hash or the sample of the miner which prevented installation of ESET.


Is AMD.exe your coin miner: https://www.greatis.com/appdata/d/_/_common appdata__windowstask_amd.exe.htm ?

As far as RDP Wrapper use goes: https://www.ncomputing.com/blog-post/rdp-wrapper-safe . 

-EDIT- Use of RDP Wrapper also "doesn't play nicely" with Windows Update. Assume the same is true for AV installer update processing. Uninstall it since its use is illegal anyway. Then retest.

Edited by itman

18 hours ago, Malware Hunter said:

Install Eset - without database updates.

No.

You install Eset as designed. Part of the installation process is to immediately run a full system scan. Did Eset detect your coin miner during the scan processing?

Edited by itman

5 hours ago, itman said:

You install Eset as designed.

Let's elaborate a bit.

You shouldn't use an AV web-based installer on a PC with known malware. Instead, use the Eset offline installer to install the product of your choice: https://support.eset.com/en/kb2885-download-and-install-eset-offline-or-install-older-versions-of-eset-products . Prior to saving the installer to your PC, name the installer download something else.

Better yet, do the above download on a PC known to be malware free. Copy the download to external media. On the infected PC, copy the download saved on the external media to the infected PC and run it.

On 7/5/2023 at 3:01 PM, Malware Hunter said:

Run Malware Miner.

Err ........ You don't manually start a coin miner. Most run at system startup time via registry run key option or via a scheduled task. Therefore, this coin miner should be running prior to running Eset offline installer.


Itman, unfortunately Eset cannot generate a random number, i.e. names cannot be generated randomly, i.e.
the Miner kills eset_installer.exe and other classifications associated with Eset.
The Miner self-destructs the Eset installer and blocks access to them during the first installation.
So the Eset packer is not enough to install and bypass the Miner and cannot destroy it, i.e. the Miner 2023 is aggressive.
Eset is not comprehensive; there is no complete base.

The Miner blocks Eset...

 

O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun:  [1] = eav_trial_rus.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun:  [2] = avast_free_antivirus_setup_online.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun:  [3] = eis_trial_rus.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun:  [4] = essf_trial_rus.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun:  [5] = hitmanpro_x64.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun:  [6] = ESETOnlineScanner_UKR.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun:  [7] = ESETOnlineScanner_RUS.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun:  [8] = HitmanPro.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun:  [9] = 360TS_Setup_Mini.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [10] = Cezurity_Scanner_Pro_Free.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [11] = Cube.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [12] = AVbr.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [13] = AV_br.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [14] = KVRT.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [15] = cureit.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [16] = FRST64.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [17] = eset_internet_security_live_installer.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [18] = esetonlinescanner.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [19] = eset_nod32_antivirus_live_installer.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [20] = MBSetup.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [21] = PANDAFREEAV.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [22] = bitdefender_avfree.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [23] = drweb-12.0-ss-win.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [24] = Cureit.exe
O7 - Policy: HKCU\..\Policies\Explorer\DisallowRun: [25] = TDSSKiller.exe
O7 - Policy: HKLM\Software\Microsoft\Windows Defender: [DisableAntiSpyware] = 1
O7 - Policy: HKLM\Software\Microsoft\Windows Defender: [DisableAntiVirus] = 1
O7 - Taskbar policy: HKCU\..\Policies\Explorer: [DisallowRun] = 1


28 minutes ago, Malware Hunter said:

Itman , Unfortunately Eset can not generate a random number, i.e. names can not generate random, i.e.

I stated you rename the Eset installer .exe prior to downloading it. You do this by setting your browser to prompt you where to save downloads to;

[screenshot: Eset_Install.png]

Finally, your whole scenario is ludicrous.

What you're stating is you downloaded a coin miner without knowing it was malicious I assume. Then you just happened to manually start this coin miner while Eset was installing.

Edited by itman

You need to first look for a game, for example a torrent miner, let's say ru torrent or some kind of .

You need to run it as an exe, waiting for it to maliciously attack the system, and then wait for the malware to finish.

And then, last, install Eset and test it... Eset isn't 100% installed... The process has been disabled with Eset...

Because the Live USB Eset removes the miner, but after the restart the miner is back on the TCP port... Because the miner calls the computer and the miner comes back...

Edited by Malware Hunter

Since you mentioned AVZ, it can be downloaded from Kaspersky's web site: https://support.norton.com/sp/en/us/home/current/solutions/kb20100824120155EN. It requires malware detection expertise to use the tool effectively.

Another more friendly alternative is Norton's Power Eraser: https://support.norton.com/sp/en/us/home/current/solutions/kb20100824120155EN .

Tools like this have the potential to do more harm than good in unskilled hands.

The bottom line is the longer undetected malware exists on a device, the more harm will be done. One would be better off in the long run just wiping the hard drive and reinstalling Windows.


This script is specially made for cleaning and unlocking after a charged virus. However, this script is specially made by regist specialists, and is made to clean up viruses that are not installed by Eset and the scanner.

 

Kaspersky developers have already added a signature database for cleaning and unlocking all types of anti-miners and anti-John.

You can take AVBR; it collects the current version for cleaning up after unsuccessful installations of antiviruses.

Try testing this file yourselves @Marcos @itman

AVbr.zip


@Marcos

It pops up every day with a new threat. AVBR starts in safe mode with or without networking for complete disinfection of viruses.

https://avbr.safezone.cc/AVbr.zip  - Every update is actually bases and cleaning.

AV block remover, or AVbr for short, is a utility designed to remove a specific miner, including its blocking of the installation of antivirus software and of access to AV company sites and forums with cures. It can also be used in other cases with similar anti-virus blocking methods.
Symptoms of this miner: the virus does not allow you to download an antivirus, blocks sites, closes the task manager and gpedit.msc, closes your browser when you try to find or download CureIt and other antivirus utilities, and the installed antivirus "disappears".
By the way, in addition to mining and anti-virus blocking, this virus installs RMS. So your data could also be stolen.

  1. AV_block_remove_date-time.log - utility log.
  2. quarantine.zip - standard AVZ archive with quarantine of deleted files.
  3. Backup - the folder with the backup copy of some settings changed during the treatment.
  4. The utility removes the miner itself and its derivatives.
  5. Removes bans on installation of antivirus software. This includes deleting folders of anti-virus software if they are empty, and if they are not empty, restoring the standard access rights to them.
  6. Restores the "Software shadow copy provider (Microsoft)" service.
  7. If the user agrees, it deletes the "John" account that the miner creates, which is not visible in Account Management.
  8. If the Hosts file does not exist, it creates one. If it exists and does not pass the check (changed), depending on the user's choice, it resets it to the default state or opens it for manual editing.
Edited by Malware Hunter
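A read-only check of the Hosts file along the lines of AVbr's point 8, added here as an example; it is not the thread's or AVbr's own code. It flags non-localhost names pinned to a loopback or blackhole address (the "blocks sites" symptom) and file attributes that would get in the way of a reset; it assumes a stock Windows path for the Hosts file.

```powershell
# Added example (not from the thread, not AVbr's code): audit the Hosts file.
# Read-only. Assumes a stock Windows layout for the hosts file location.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-HostsFindings([string]$Path) {
    $out = New-Object System.Collections.Generic.List[object]

    # AVbr's first case: the file is missing altogether.
    if (-not (Test-Path -Path $Path)) {
        $out.Add([pscustomobject]@{ Issue = 'missing'; Detail = $Path })
        return $out
    }

    # Attributes a blocker may set so the file cannot simply be rewritten.
    $attrs = (Get-Item -Path $Path -Force).Attributes
    foreach ($a in 'ReadOnly', 'Hidden', 'System') {
        if (($attrs -band [IO.FileAttributes]::$a) -ne 0) {
            $out.Add([pscustomobject]@{ Issue = "attribute $a"; Detail = $attrs })
        }
    }

    # Any non-localhost name mapped to a sink address means that site is
    # unreachable from this machine (AV vendor and forum sites in the thread).
    $sinks = '127.0.0.1', '0.0.0.0', '::1'
    foreach ($line in Get-Content -Path $Path) {
        $t = ($line -replace '#.*$', '').Trim()      # strip comments
        if ($t -eq '') { continue }
        $parts = $t -split '\s+'
        if ($parts.Count -lt 2) { continue }
        if ($sinks -contains $parts[0]) {
            foreach ($name in $parts[1..($parts.Count - 1)]) {
                if ($name -notmatch '^localhost(\.localdomain)?$') {
                    $out.Add([pscustomobject]@{ Issue = 'sinkholed'; Detail = "$($parts[0]) $name" })
                }
            }
        }
    }
    return $out
}

Get-HostsFindings -Path $hostsPath | Format-Table -AutoSize
```

An empty table means the file exists, carries no blocking attributes and maps nothing but localhost; compare any "sinkholed" line against the sites you could not reach.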

History:

1) An existence check for the Hosts file was added.
a) The tool will create a clean Hosts file if it does not exist.
b) The tool will reset the Hosts file attributes to default if it exists.
c) The tool will offer to edit, create a new Hosts file or ignore changes if the Hosts file differs from the etalon, the same behavior as in the previous version.
2) A check for the existence of the hidden account John is added. You will be prompted to delete this account only if it exists.
3) The version actuality check is changed. The file "Date.ini" is not used anymore.
4) The Windows version check is improved.
5) The firewall backup file now contains the date and time at the start of the file name.
6) Logging is improved.
7) A path length check is added. If it exceeds 200 characters there will be a warning and a proposal to run the tool from a different place.

=============================

1) Added an AppLocker policy check and reset if policies are detected.
2) Added resetting of Windows Defender settings to defaults if changes made by a mining tool are detected.
3) Improved resetting of the rights for antivirus folders.
4) Improved logging.
5) Various minor improvements and refinements related to the Miner update.

===============================================================

1) Added removal of anti-virus launch blocking added by CertLock-type viruses by adding their signatures to untrusted.

 

Edited by Malware Hunter

1 hour ago, Malware Hunter said:

You can take AVBR - it collects the current version for cleaning up after unsuccessful installations of antiviruses.

Something doesn't appear right here. This coin miner will also block AVBR per your posted screen shot;

Policy: HKCU\..\Policies\Explorer\DisallowRun: [12] = AVbr.exe

I have to assume this coin miner is also running in Safe mode.

Again referring to the above screen shot of file names of security products this coin miner monitors for, none of the Eset off-line consumer products installer file names;

essp_nt64.exe
eis_nt64.exe
eav_nt64.exe

are referenced. As such, I still see no proof these installers would not run successfully with the coin miner installed.

Edited by itman

@itman Download, unzip and run AV block remover in safe mode with network support (as an administrator).
If it does not start, rename it (for example, to AV_b_r.exe) or use a version with a random file name.

When all the procedures are done, the system will reboot. Attach the AV_block_remove.log created by the utility to the next message.

Edited by Malware Hunter

41 minutes ago, SeriousHoax said:

At what location does ESET Online Scanner install?

The coin miner blocks it regardless of where it's installed;

23 hours ago, Malware Hunter said:
Policy: HKCU\..\Policies\Explorer\DisallowRun: [18] = esetonlinescanner.exe

On the other hand, renaming it prior to execution might work. Also, the malware might be checking PE header which would defeat all file renaming activities.

Edited by itman
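An audit of the three blocking mechanisms that appear in the logs posted in this thread (the Explorer DisallowRun list, the Defender DisableAntiSpyware/DisableAntiVirus values and the IFEO Debugger redirect), added here as an example; it is not code from the thread or from AVbr. It is read-only and meant for an elevated PowerShell session; the registry paths are the standard ones and the two installer names tested at the end are taken from the posts above.

```powershell
# Added example (not from the thread, not AVbr's code): list the AV-blocking
# settings seen in the posted AVZ/FRST output. Read-only; run elevated.
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Where, [string]$Name, $Value) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Name = $Name; Value = $Value })
}

# 1) Explorer DisallowRun: a per-user policy that matches executables by file
#    name only, which is why a renamed installer is not caught by it.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$disallow = Join-Path $explorer 'DisallowRun'
$flag = (Get-ItemProperty -Path $explorer -Name DisallowRun -ErrorAction SilentlyContinue).DisallowRun
if ($flag -eq 1) { Add-Finding 'DisallowRun flag' $explorer 'DisallowRun' $flag }
if (Test-Path -Path $disallow) {
    $key = Get-Item -Path $disallow
    foreach ($n in $key.GetValueNames()) { Add-Finding 'DisallowRun entry' $disallow $n $key.GetValue($n) }
}

# 2) Defender kill switches, checked in the policy hive and in the product key
#    (the posted log shows DisableAntiSpyware / DisableAntiVirus = 1).
foreach ($p in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
               'HKLM:\SOFTWARE\Microsoft\Windows Defender') {
    foreach ($v in 'DisableAntiSpyware', 'DisableAntiVirus') {
        $val = (Get-ItemProperty -Path $p -Name $v -ErrorAction SilentlyContinue).$v
        if ($val -eq 1) { Add-Finding 'Defender disabled' $p $v $val }
    }
}

# 3) Image File Execution Options "Debugger": any value present makes Windows
#    start that binary instead of the named program (log: CompatTelRunner.exe).
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Add-Finding 'IFEO debugger' $_.PSChildName 'Debugger' $dbg }
}

# 4) Would a given installer file name be caught? File names on Windows are
#    case-insensitive, so cureit.exe and Cureit.exe in the list are one entry.
function Test-DisallowRun([string]$FileName) {
    $blocked = $findings | Where-Object Kind -eq 'DisallowRun entry' | ForEach-Object { [string]$_.Value }
    return [bool]($blocked | Where-Object { $_ -ieq $FileName })
}

$findings | Format-Table -AutoSize
foreach ($name in 'eav_nt64.exe', 'esetonlinescanner.exe') {
    '{0,-24} blocked by DisallowRun: {1}' -f $name, (Test-DisallowRun $name)
}
```

Because DisallowRun is evaluated by Explorer, a program started from a command prompt, a scheduled task or another launcher is not subject to it; treat the output as an inventory of what was tampered with, not as proof that nothing else blocks the installer.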