Arakasi 549 Posted September 13, 2013 (edited)

Hey my friends,

This post is for ESET staff. I am examining the activities of some malware I found that seems to be performing silent operations I would like to defuse. The malware is creating objects in C:\Windows\Temp. I have started an ACL examiner on the directory for changes.

Can someone provide a confirmation on the following, and whether this is an action that always happens during an update? ESET NOD32 ver 7.0.104.0 created temp files during the vsd update:

C:\Windows\Temp\NSFF577.tmp
C:\Windows\Temp\NSFF578.tmp

Create event. Change-attributes event: hidden, read-only, sysfile and archive. Followed by a delete event.

Also, if possible, what impersonation and/or ACL workgroup can be safely applied to the directory for ESET? SYSTEM works, "Authenticated Users" works; however, I want to remove one and limit the scope of permissions on the directory. I would like to use the group of least propagation, or the group ESET uses definitively for the file creation, to minimize what possible group or user account the malware may be running an impersonationLevel=impersonate command on.

Thanks for any help provided.

Edited September 13, 2013 by Arakasi
Arakasi 549 Posted September 13, 2013 (Author)

So far I removed the CreatorOwner, Users, and Administrators workgroups. I added my current user workgroup and/or my user account so I can continue to modify. Changed ownership from SYSTEM to my user account. Removed inherited permissions so the directory is alone with its ACL and nothing is propagated.

So far the folder is no longer being modified by the malware, and I will continue to modify it to find out what executable or service this malware is using to make changes.
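The ACL lock-down described in the post above (drop inheritance, remove CREATOR OWNER / Users / Administrators, keep SYSTEM plus one account, move ownership off SYSTEM) and the create / attribute-change / delete sequence from the first post can both be reproduced on a scratch directory with the PowerShell below. This is an added example, not code from the thread or from ESET; the directory `$Target`, the retained account `$Keep` and the `NSFtest.tmp` file name are assumptions, and the script must run elevated because it rewrites the owner. It is written against a throwaway directory on purpose: pointing it at C:\Windows\Temp removes permissions that other installers and services rely on, so test any such change on a disposable machine first.

```powershell
# Added example (not from the thread or from ESET): harden a scratch directory's ACL
# the way the post describes, then log create / attribute-change / delete events on it.
# Assumptions: $Target is a throwaway directory, $Keep is the one non-SYSTEM account
# allowed to stay, and the session is elevated (needed to change the owner).
param(
    [string]$Target = "$env:SystemDrive\acl-lab",        # assumption: scratch directory
    [string]$Keep   = "$env:USERDOMAIN\$env:USERNAME"    # assumption: account kept beside SYSTEM
)

if (-not (Test-Path $Target)) { New-Item -ItemType Directory -Path $Target | Out-Null }

# --- 1. ACL hardening ----------------------------------------------------------
$acl = Get-Acl -Path $Target

# Protect the DACL from inheritance; $false discards the inherited ACEs instead of copying them.
$acl.SetAccessRuleProtection($true, $false)

# Remove every remaining explicit ACE (CREATOR OWNER, Users, Administrators, ...).
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($ace)
}

# Re-add only SYSTEM and the single retained account, propagating to files and subfolders.
$rights  = [System.Security.AccessControl.FileSystemRights]::Modify
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
foreach ($id in @('NT AUTHORITY\SYSTEM', $Keep)) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, $rights, $inherit, $prop, [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
}

# Move ownership from SYSTEM to the retained account, then persist the descriptor.
$acl.SetOwner([System.Security.Principal.NTAccount]$Keep)
Set-Acl -Path $Target -AclObject $acl

# Verify: only the two identities should remain, all explicit, none inherited.
(Get-Acl $Target).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited, AccessControlType -AutoSize

# --- 2. Watch for the create / attribute-change / delete sequence --------------
$log = Join-Path $Target 'watch.log'                # not *.tmp, so it does not trigger itself
$watcher = New-Object System.IO.FileSystemWatcher $Target, '*.tmp'
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, Attributes, LastWrite'
$watcher.IncludeSubdirectories = $false

# Each event line records the change type and the attributes the file carries at that moment.
$action = {
    $e = $Event.SourceEventArgs
    $attrs = if (Test-Path -LiteralPath $e.FullPath) {
        (Get-Item -LiteralPath $e.FullPath -Force).Attributes   # -Force: file may be Hidden
    } else { 'n/a (already deleted)' }
    ('{0:o} {1,-8} {2} [{3}]' -f (Get-Date), $e.ChangeType, $e.FullPath, $attrs) |
        Out-File -Append -FilePath $Event.MessageData
}
$subs = foreach ($ev in 'Created', 'Changed', 'Deleted') {
    Register-ObjectEvent -InputObject $watcher -EventName $ev -Action $action -MessageData $log
}
$watcher.EnableRaisingEvents = $true

# Simulate the observed sequence with a constructed file: create, set H+R+S+A, delete.
$f = Join-Path $Target 'NSFtest.tmp'                # assumption: constructed file name
Set-Content -Path $f -Value 'x'
Start-Sleep -Milliseconds 300
(Get-Item -LiteralPath $f).Attributes = 'Hidden, ReadOnly, System, Archive'
Start-Sleep -Milliseconds 300
Remove-Item -LiteralPath $f -Force                  # -Force deletes hidden/read-only files
Start-Sleep -Milliseconds 300

# Tear down the watcher and show what was captured.
$watcher.EnableRaisingEvents = $false
$subs | ForEach-Object { Unregister-Event -SourceIdentifier $_.Name }
$watcher.Dispose()
Get-Content -LiteralPath $log
```

The log should show a `Created` line with plain `Archive` attributes, one or more `Changed` lines carrying `ReadOnly, Hidden, System, Archive`, and a `Deleted` line, which is the pattern the first post reports for the two NSF*.tmp files. Two practical checks before applying the hardening anywhere real: run `icacls <dir> /save acl.bak` first so the original DACL can be restored with `icacls <dir> /restore acl.bak`, and watch for other processes failing to write to the directory, since a lock-down that stops the malware also stops every legitimate writer that is not SYSTEM or the retained account.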