itman 1,665 Posted October 3, 2023 Share Posted October 3, 2023 4 minutes ago, murko said: Already checked, nothin there. Also scanned all drives for such files/folders, nothing except the mentioned before My best guess at this point is it arrived as part of another app installer. Link to comment Share on other sites More sharing options...
murko 0 Posted October 3, 2023 Share Posted October 3, 2023 1 minute ago, itman said: My best guess at this point is it arrived as part of another app installer. Most probably. Btw, is there some kind of scan option in Eset Endpoint, which could find all files containing such malware, based on some kind of its fingerprint? (layman speaking) Link to comment Share on other sites More sharing options...
itman 1,665 Posted October 3, 2023 Share Posted October 3, 2023 Just now, murko said: Btw, is there some kind of scan option in Eset Endpoint, which could find all files containing such malware, based on some kind of its fingerprint? (layman speaking) LoL! I can only dream of such capability. Link to comment Share on other sites More sharing options...
murko 0 Posted October 3, 2023 Share Posted October 3, 2023 1 minute ago, itman said: LoL! I can only dream of such capability. Ha, maybe in future. It would be really handy to have such tool. Link to comment Share on other sites More sharing options...
itman 1,665 Posted October 3, 2023 Share Posted October 3, 2023 Referring to the command line string associate with conhost.exe, it looks like packed code to me. If that's the case, no code injection occurred to conhost.exe. When conhost.exe loaded, the packed code loaded into its memory space. Then the attacker unpacked it in memory and executed it. Link to comment Share on other sites More sharing options...
murko 0 Posted October 3, 2023 Share Posted October 3, 2023 3 minutes ago, itman said: Referring to the command line string associate with conhost.exe, it looks like packed code to me. If that's the case, no code injection occurred to conhost.exe. When conhost.exe loaded, the packed code loaded into its memory space. Then the attacker unpacked it in memory and executed it. In such case, would the firewall/ids rules be still effective? Link to comment Share on other sites More sharing options...
itman 1,665 Posted October 3, 2023 Share Posted October 3, 2023 (edited) 1 hour ago, murko said: In such case, would the firewall/ids rules be still effective? Yes, because as far as Windows is concerned, it is conhost.exe doing the network communication. Now infected conhost.exe could spawn a malicious child process that could perform network communication, but that's another discussion. However, since ver. 16.2 firewall includes child process option, you're covered. Edited October 3, 2023 by itman Link to comment Share on other sites More sharing options...
murko 0 Posted October 4, 2023 Share Posted October 4, 2023 11 hours ago, itman said: Yes, because as far as Windows is concerned, it is conhost.exe doing the network communication. Now infected conhost.exe could spawn a malicious child process that could perform network communication, but that's another discussion. However, since ver. 16.2 firewall includes child process option, you're covered. Thanks for clarification. About the ver. 16.2 - I am bit confused, as our ESET Endpoint Security shows latest ver. 10.1.2050.0. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,085 Posted October 4, 2023 Administrators Share Posted October 4, 2023 6 minutes ago, murko said: Thanks for clarification. About the ver. 16.2 - I am bit confused, as our ESET Endpoint Security shows latest ver. 10.1.2050.0. V16.2.15 is the latest version of consumer products whereas v10.1.2050 is the latest version of Endpoint. Link to comment Share on other sites More sharing options...
itman 1,665 Posted October 4, 2023 Share Posted October 4, 2023 3 hours ago, murko said: Thanks for clarification. About the ver. 16.2 - I am bit confused, as our ESET Endpoint Security shows latest ver. 10.1.2050.0. Sorry about that. The same firewall rule child process option also now exists in EES 10.1.2050.0. Link to comment Share on other sites More sharing options...
Recommended Posts