Jump to content

Address has been blocked

Rep

By Rep
in Malware Finding and Cleaning

 Share

Recommended Posts

itman

itman 1,665

Posted
Posted
4 minutes ago, murko said:

Already checked, nothin there. Also scanned all drives for such files/folders, nothing except the mentioned before

My best guess at this point is it arrived as part of another app installer.

Link to comment
Share on other sites
murko

murko 0

Posted
Posted
1 minute ago, itman said:

My best guess at this point is it arrived as part of another app installer.

Most probably. Btw, is there some kind of scan option in Eset Endpoint, which could find all files containing such malware, based on some kind of its fingerprint? (layman speaking)

Link to comment
Share on other sites
itman

itman 1,665

Posted
Posted
Just now, murko said:

Btw, is there some kind of scan option in Eset Endpoint, which could find all files containing such malware, based on some kind of its fingerprint? (layman speaking)

LoL! I can only dream of such capability.

Link to comment
Share on other sites
murko

murko 0

Posted
Posted
1 minute ago, itman said:

LoL! I can only dream of such capability.

Ha, maybe in future. It would be really handy to have such tool.

Link to comment
Share on other sites
itman

itman 1,665

Posted
Posted

Referring to the command line string associate with conhost.exe, it looks like packed code to me. If that's the case, no code injection occurred to conhost.exe. When conhost.exe loaded, the packed code loaded into its memory space. Then the attacker unpacked it in memory and executed it.

Link to comment
Share on other sites
murko

murko 0

Posted
Posted
3 minutes ago, itman said:

Referring to the command line string associate with conhost.exe, it looks like packed code to me. If that's the case, no code injection occurred to conhost.exe. When conhost.exe loaded, the packed code loaded into its memory space. Then the attacker unpacked it in memory and executed it.

In such case, would the firewall/ids rules be still effective?

Link to comment
Share on other sites
itman

itman 1,665

Posted
Posted (edited)
1 hour ago, murko said:

In such case, would the firewall/ids rules be still effective?

Yes, because as far as Windows is concerned, it is conhost.exe doing the network communication.

Now infected conhost.exe could spawn a malicious child process that could perform network communication, but that's another discussion. However, since ver. 16.2 firewall includes child process option, you're covered.

Edited by itman
Link to comment
Share on other sites
murko

murko 0

Posted
Posted
11 hours ago, itman said:

Yes, because as far as Windows is concerned, it is conhost.exe doing the network communication.

Now infected conhost.exe could spawn a malicious child process that could perform network communication, but that's another discussion. However, since ver. 16.2 firewall includes child process option, you're covered.

Thanks for clarification. About the ver. 16.2 - I am bit confused, as our ESET Endpoint Security shows latest  ver. 10.1.2050.0.

Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 5,085

Posted
  • Administrators
Posted
6 minutes ago, murko said:

Thanks for clarification. About the ver. 16.2 - I am bit confused, as our ESET Endpoint Security shows latest  ver. 10.1.2050.0.

V16.2.15 is the latest version of consumer products whereas v10.1.2050 is the latest version of Endpoint.

Link to comment
Share on other sites
itman

itman 1,665

Posted
Posted
3 hours ago, murko said:

Thanks for clarification. About the ver. 16.2 - I am bit confused, as our ESET Endpoint Security shows latest  ver. 10.1.2050.0.

Sorry about that. The same firewall rule child process option also now exists in EES 10.1.2050.0.

Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...