Security issue with the latest version of Endpoint Antivirus. efwd.exe


Webshaun

I just got an alert from Microsoft's security platform that there's a security issue with ESET Endpoint.

"Fix unquoted service path for Windows services" on path C:\Program Files\ESET\ESET Security\efwd.exe.

In the registry in paths 

Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\efwd
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\efwd

Name: ImagePath Value: C:\Program Files\ESET\ESET Security\efwd.exe

This should have quotes.  Value should be "C:\Program Files\ESET\ESET Security\efwd.exe"

You can manually add quotes to protect yourself immediately.

  • Administrators

Please post a screenshot of the alert for clarification. I'll report your finding to developers, however, it's not a security issue since the said service does nothing. What matters is that it's registered in the registry.


Attached.  According to Microsoft the potential risk is "An attacker can exploit this misconfiguration in order to perform path interception to gain escalation of privileges and persistency on the machine."

Screenshot 2023-08-12 124017.jpg

Screenshot 2023-08-12 124056.jpg


  • 2 months later...

I have just had some systems with Eset installed fail a Cyber Essentials Plus audit for this. Was there any update? I can fix it myself, but ideally the software would have a quoted path in the first place so there is no need for manual remediation. Thanks


17 minutes ago, Marcos said:

It will be fixed in Endpoint v11.

Thanks, is there an ETA for release? I imagine I will need to fix these manually as I have a lot of CE+ audits by year end. 


Interestingly enough, I just did a clean install of EES 10.1.2058 onto a VM using the standalone downloader on the eset site so I could edit the regkey and export for deployment, and the service is already in quotes - "C:\Program Files\ESET\ESET Security\efwd.exe"

I will check what version my endpoints are using and see if this version has fixed it. I had deployed EES to two of these systems this week from ESET Protect using the agent. 

EDIT: The endpoints are on 10.1.2050, I am pushing an update now. 

Edited by PuterCare

2 hours ago, PuterCare said:

 I see that EIS is also affected on v16.2.15 at least.

Confirmed on ESSP 15.2.15;

If Eset is no longer using the service, it should remove all references to it from Windows.

This topic is now closed to further replies.
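
The registry check from the first post, generalized to every service on the machine, as an added example that is not part of the original thread and is not ESET or Microsoft code. It assumes the service executable ends in .exe and that everything after it is arguments; save it as a script, run it from an elevated prompt, and it only writes to the registry when -Fix is passed (-WhatIf previews the change).

```powershell
# Added example: list services whose ImagePath is an unquoted executable path
# containing a space; with -Fix, rewrite the value with the path in quotes.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Fix)

# CurrentControlSet is a link to the active ControlSetNNN, so one pass is enough
$root = 'HKLM:\SYSTEM\CurrentControlSet\Services'

foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
    # Read the raw value so REG_EXPAND_SZ data such as %ProgramFiles% is preserved
    $raw = $key.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
    if ($raw -isnot [string]) { continue }
    $raw = $raw.Trim()
    if ($raw.StartsWith('"')) { continue }          # already quoted

    # Heuristic (assumption): the executable is everything up to the first ".exe".
    # Kernel drivers (.sys) and other non-.exe images do not match and are skipped.
    if ($raw -notmatch '^(?<exe>.+?\.exe)(?<args>\s.*)?$') { continue }
    $exe  = $Matches['exe']
    $rest = $Matches['args']                        # $null when there are no arguments

    # Variables are expanded before the path is parsed, so test the expanded form
    if ([Environment]::ExpandEnvironmentVariables($exe) -notmatch '\s') { continue }

    $quoted = '"{0}"{1}' -f $exe, $rest
    [pscustomobject]@{
        Service  = $key.PSChildName
        Current  = $raw
        Proposed = $quoted
    }

    if ($Fix -and $PSCmdlet.ShouldProcess($key.PSChildName, 'Quote ImagePath')) {
        # Keep the original value type (REG_SZ or REG_EXPAND_SZ)
        Set-ItemProperty -Path $key.PSPath -Name ImagePath -Value $quoted `
            -Type $key.GetValueKind('ImagePath')
    }
}
```

Without -Fix the output is a report of Service, Current and Proposed values that can be reviewed or exported before any deployment.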