Posted (edited)

Hey my friends,

 

This post is for Eset staff.

I am examining the activities of some malware I found that seems to be performing silent operations I would like to defuse.

The malware is creating objects in c:\windows\temp

I have started an ACL examiner on the directory for changes.

 

Can someone provide confirmation on the following, and whether this is an action that always happens during an update:

ESET NOD32 ver 7.0.104.0 created temp files during VSD update:

C:\Windows\Temp\NSFF577.tmp

C:\Windows\Temp\NSFF578.tmp

Create event.

Change attributes event: hidden, read-only, system file & archive.

Followed by delete event.

:P

 

Also, if possible, what impersonation and/or ACL workgroup can be safely applied to the directory for ESET?

SYSTEM works

"Authenticated Users" works; however, I want to remove one and limit the scope of permissions on the directory.

I would like to use the group of least propagation, or the group ESET definitively uses for the file creation, to minimize which possible group or user account the malware may be running an impersonationLevel=impersonate command on.

 

Thanks for any help provided ^_^

Edited by Arakasi
Posted

So far I removed the CreatorOwner, Users, and Administrators workgroups.

I added my current user workgroup and/or my user account so I can continue to modify.

Changed ownership from SYSTEM to my user account.

Removed inherited permissions so the directory stands alone with its own ACL and nothing is propagated.

So far the folder is no longer being modified by the malware, and I will continue to modify it to find out what executable or service this malware is using to make changes.
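Added example for the two questions in this thread (which process creates the temp files, and how to restrict the directory without guessing at groups): instead of trimming the DACL further, put a SACL audit entry on C:\Windows\Temp so Security event 4663 records the process, user and file for every create, attribute change and delete, which separates the NSF*.tmp update writes from anything else. This is my own PowerShell, not the poster's or ESET's; it assumes an elevated session, and the variable names are the example's own.

```powershell
# Audit who writes to C:\Windows\Temp (constructed example, elevated session assumed).
$Dir = 'C:\Windows\Temp'

# 1. Enable the "File System" object-access audit subcategory (success and failure).
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a SACL rule: audit every principal's create / attribute-change / delete
#    on the directory and everything beneath it (ContainerInherit + ObjectInherit).
$acl    = Get-Acl -Path $Dir -Audit
$rights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, WriteAttributes, Delete, DeleteSubdirectoriesAndFiles'
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Dir -AclObject $acl

# 3. After the next update (or the next time the folder changes), pull the 4663
#    events for that path and show which process and account touched each object.
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } |
  ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.ObjectName -like "$Dir\*") {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Process = $d.ProcessName          # full path of the writing executable
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object  = $d.ObjectName
            Access  = $d.AccessMask           # hex mask: 0x2 write, 0x100 write attrs, 0x10000 delete
        }
    }
  } | Sort-Object Time | Format-Table -AutoSize
```

Rows whose Process is the ESET service binary and whose Object is an NSF*.tmp file are the update behaviour asked about in the first post; any other process writing to the folder is the one to investigate, and the SACL can be left in place afterwards as an ongoing detection.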
