Upload
lynhan
View
217
Download
0
Embed Size (px)
Citation preview
Microsoft Windows 10 / 8.1 / 8 / 7 / Vista / Home Server 2011Microsoft Windows 10 / 8.1 / 8 / 7 / Vista / Home Server 2011Microsoft Windows 10 / 8.1 / 8 / 7 / Vista / Home Server 2011
http://help.eset.com/essp/12/zh-TW/http://help.eset.com/essp/12/zh-TW/http://help.eset.com/essp/12/zh-TW/
2018 ESET, spol. s r. o.
www.eset.com/support
2018/9/25
http://www.eset.com/support
ESET LiveGrid
ESET NOD32 Antivirus ESET Internet Security
ESET NOD32
Antivirus
ESET Internet
Security
ESET Smart Security
[HIPS] )
http://go.eset.eu/knowledgebase?lng=1028&segment=home&KBID=kb6564http://support.eset.com/kb3152/
ESET Password Manager
ESET Secure Data
Microsoft Windows 10
Microsoft Windows 8.1
Microsoft Windows 8
Microsoft Windows 7
Microsoft Windows Vista
Live Installer
.exe
Live Installer
ESET LiveGrid ESET LiveGrid
http://go.eset.eu/knowledgebase?lng=1028&segment=home&KBID=SOLN146http://go.eset.eu/knowledgebase?lng=1028&segment=home&KBID=SOLN146
ESET LiveGrid ESET LiveGrid
ESET LiveGrid
C:\Program Files\ESET\ESET Smart Security Premium\
ESET LiveGrid
http://help.eset.com/license_manager/zh-TWhttp://go.eset.eu/installerror
>
>
http://go.eset.eu/knowledgebase?lng=1028&segment=home
http://go.eset.eu/online-help?product=antitheft&lang=zh-TW&topic=device_optimization.htmhttp://go.eset.eu/knowledgebase?lng=1028&segment=home
F5
> >
http://go.eset.eu/knowledgebase?lng=1028&segment=home&KBID=SOLN3754
>
http://go.eset.eu/at-howto?lng=1028
[HIPS] HIPS
Password Manager Secure Data
.xml
http://help.eset.com/getHelp?product=essp&version=10&lang=zh-TW&topic=pwmng_intro.htmhttp://help.eset.com/getHelp?product=essp&version=10&lang=zh-TW&topic=enc_intro.htm
rootkits
>
F5 >
>
( > >
http://www.eicar.org/download/eicar.com
http://www.eicar.org/download/eicar.com
>
(F5 >
> >
>
> > > >
> > > >
pagefile.sys
https://support.eset.com/kb2155/
> > >
>
> >
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
2.
> >
>
2. F5
http://go.eset.eu/knowledgebase?lng=1028&segment=business&KBID=SOLN3152
http://go.eset.eu/knowledgebase?lng=1028&segment=business&KBID=SOLN2629
10.
.edb, .eml .tmp
tmp
> >
)
> >
CD/DVD
(F5) >
>
>
(F5) > > [HIPS] >
>
1.
http://go.eset.eu/knowledgebase?lng=1028&segment=home&KBID=SOLN3755
>
(F5) > >
/ /
>
>
(F5) > >
(F5) > > >
SSL/TLS >
[SSL/TLS]
(F5) > > >
http://go.eset.eu/knowledgebase?lng=1028&segment=home&KBID=SOLN2138http://go.eset.eu/knowledgebase?lng=1028&segment=home&KBID=SOLN2138
>
>
SSL/TLS >
[SSL/TLS]
> >
"[virus]" "Hello" "[virus] Hello" %VIRUSNAME%
> >
> >
SSL/TLS >
[SSL/TLS]
http://go.eset.eu/knowledgebase?lng=1028&segment=home&KBID=SOLN2138
[ESET Smart Security Premium] > > >
> [SSL/TLS]
192.168.0.10
192.168.0.1 192.168.0.99
255.255.255.0 192.168.1.0/24 192.168.1.1 192.168.1.254
2001:718:1c01:16:214:22ff:fec9:ca5
2002:c0a8:6301:1::1/64
> >
> >
(F5) > > [SSL/TLS] >
(F5) > > SSL/TLS >
>
http://go.eset.eu/knowledgebase?lng=1028&segment=business&KBID=SOLN3100
> > >
> F5
http://phishing.eset.com/report/chthttp://phishing.eset.com/remove/chtmailto:[email protected]
(F5) > > >
(F5) > > >
(F5) > >
>
(F5) > >
(
> >
> > >
.
http://download.eset.com/download/eas/authserver_enu.msi
> > [ESET] > [ESET
> >
http://go.eset.eu/knowledgebase?lng=1028&segment=home&KBID=SOLN2501
>
>
>
> >
(F5) > > (F5) > > >
> >
C:\ProgramData\ESET\ESET Smart Security Premium\Diagnostics\
Microsoft Windows XP
C:\Documents and Settings\All Users\...
https://www.gmail.com/intl/en/mail/help/about.html
Password Manager Secure Data
https://www.gmail.com/intl/en/mail/help/about.htmlhttp://help.eset.com/getHelp?product=essp&version=10&lang=zh-TW&topic=pwmng_intro.htmhttp://help.eset.com/getHelp?product=essp&version=10&lang=zh-TW&topic=enc_intro.htm
o > > o >
> >
> >
1.
> >
https:// [Web
> [SSL/TLS]
> >
> >
(examplepage.com examplepage.sk
sub.examplepage.com
F5 >
>
> >
http://go.eset.eu/knowledgebase?lng=1028&segment=home&KBID=SOLN2850
( (F5) > >
[HTTP Proxy]
> >
>
>
( (F5) > >
>
[Password Manager]
[Secure Data]
http://help.eset.com/getHelp?product=essp&version=10&lang=zh-TW&topic=pwmng_intro.htmhttp://help.eset.com/getHelp?product=essp&version=10&lang=zh-TW&topic=enc_intro.htmhttp://go.eset.eu/knowledgebase?lng=1028&segment=home&KBID=KB5657
Web
Password Manager
>
>
a.
b.
> >
CTRL+ALT+L
Enter
> > Password Manager
> [Password Manager]
[Password Manager]
Microsoft Internet Explorer Mozilla Firefox Google Chrome Chromium Opera Seamonkey Yandex Comodo Dragon Pale Moon
Password Manager
>
CTRL+ALT+K
CTRL+ALT+R
[Secure Data]
[Secure Data]
> [Secure Data]
3.
4.
6.
.eed
4.
5.
ESET SysInspector
ESET SysRescue Live
>
[HIPS] HIPS
Ctrl + C Ctrl Shif t
> > >
virlog.txt
[CSV]
http://go.eset.eu/knowledgebase?lng=1028&segment=home&KBID=SOLN3466
ThreatSense
Ctrl+Shift+Esc
[PID]
>
Password Manager Secure Data
>
> >
> >
[+]
localhost
ESET SysInspector
.xml .xml
> >
)
1.
ESET SysInspector
.doc .xls
[F5]
> ESET LiveGrid
>
> > > >
smtp.provider.com:587
%TimeStamp% %Scanner% %ComputerName% %ProgramName% %InfectedObject% %VirusName% %Action% %ErrorDescription%
%InfectedObject% %VirusName% %ErrorDescription%
GUI
xml
xml xml xml
mailto:[email protected]
Error executing command.
ecmd /getcfg c:\config\settings.xml
ecmd /setcfg c:\config\settings.xml
xml
XmlSignTool
xmlsigntool.exe
xml xmlsigntool /version 1|2
/version
/version 1 /version 2
xml
xmlsigntool /version 1 c:\config\settings.xml
https://download.eset.com/com/eset/tools/installers/xmlsigntool/latest/xmlsigntool.exe
xml
>
>
>
> > >
>
ekrn
C:\ProgramData\ESET\ESET Smart Security Premium\Diagnostics\ C:
\Documents and Settings\All Users\...
.xml
>
[...]
>
export.xml
.xml
> ESET SysInspector
SysInspector.exe
ESET Online Scanner
http://go.eset.eu/onlinescanner?lng=1028
Ctrl+O
Ctrl+G
Ctrl+0
Ctrl+5
Ctrl+T
Ctrl+Alt+O
F1
>
>
>
>
current.xml
>
SysIsnpector.exe current.xml previous.xml
/gen
/privacy
/zip
/silent
/blank
Sysinspector.exe [load.xml] [/gen=save.xml] [/privacy] [/zip] [compareto.xml]
SysInspector.exe .\clientlog.xml
SysInspector.exe /gen=.\mynewlog.xml
SysInspector.exe /gen=.\mynewlog.zip /privacy /zip
SysInspector.exe new.xml old.xml
>
01) Running processes:
- \SystemRoot\System32\smss.exe *4725*
- C:\Windows\system32\svchost.exe *FD08*
+ C:\Windows\system32\module32.exe *CF8A*
[...]
02) Loaded modules:
- c:\windows\system32\svchost.exe
- c:\windows\system32\kernel32.dll
+ c:\windows\system32\khbekhb.dll
- c:\windows\system32\advapi32.dll
[...]
03) TCP connections:
- Active connection: 127.0.0.1:30606 -> 127.0.0.1:55320, owner: ekrn.exe
- Active connection: 127.0.0.1:50007 -> 127.0.0.1:50006,
- Active connection: 127.0.0.1:55320 -> 127.0.0.1:30606, owner: OUTLOOK.EXE
- Listening on *, port 135 (epmap), owner: svchost.exe
+ Listening on *, port 2401, owner: fservice.exe Listening on *, port 445 (microsoft-ds), owner:
System
[...]
04) UDP endpoints:
- 0.0.0.0, port 123 (ntp)
+ 0.0.0.0, port 3702
- 0.0.0.0, port 4500 (ipsec-msft)
- 0.0.0.0, port 500 (isakmp)
[...]
05) DNS server entries:
+ 204.74.105.85
- 172.16.152.2
[...]
06) Important registry entries:
* Category: Standard Autostart (3 items)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HotKeysCmds = C:\Windows\system32\hkcmd.exe
- IgfxTray = C:\Windows\system32\igfxtray.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Google Update = "C:\Users\antoniak\AppData\Local\Google\Update\GoogleUpdate.exe" /c
* Category: Internet Explorer (7 items)
HKLM\Software\Microsoft\Internet Explorer\Main
+ Default_Page_URL = http://thatcrack.com/
[...]
07) Services:
- Name: Andrea ADI Filters Service, exe path: c:\windows\system32\aeadisrv.exe, state: Running,
startup: Automatic
- Name: Application Experience Service, exe path: c:\windows\system32\aelupsvc.dll, state: Running,
startup: Automatic
- Name: Application Layer Gateway Service, exe path: c:\windows\system32\alg.exe, state: Stopped,
startup: Manual
[...]
08) Drivers:
- Name: Microsoft ACPI Driver, exe path: c:\windows\system32\drivers\acpi.sys, state: Running,
startup: Boot
- Name: ADI UAA Function Driver for High Definition Audio Service, exe path: c:
\windows\system32\drivers\adihdaud.sys, state: Running, startup: Manual
[...]
09) Critical files:
* File: win.ini
- [fonts]
- [extensions]
- [files]
- MAPI=1
[...]
* File: system.ini
- [386Enh]
- woafont=dosapp.fon
- EGA80WOA.FON=EGA80WOA.FON
[...]
* File: hosts
- 127.0.0.1 localhost
- ::1 localhost
[...]
10) Scheduled tasks
- c:\windows\syswow64\macromed\flash\flashplayerupdateservice.exe
- c:\users\admin\appdata\local\google\update\googleupdate.exe
- c:\users\admin\appdata\local\google\update\googleupdate.exe
- c:\windows\syswow64\macromed\flash\flashplayerupdateservice.exe
- c:\users\admin\appdata\local\google\update\googleupdate.exe /c
- c:\users\admin\appdata\local\google\update\googleupdate.exe /ua /installsource
- %windir%\system32\appidpolicyconverter.exe
- %windir%\system32\appidcertstorecheck.exe
- aitagent
[...]
> %USERPROFILE%\My Documents\
>
%systemroot%\system32\catroot )
C:\Program Files\Windows NT
C:
\WINNT\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\sp4.cat C:\Program
Files\Windows NT\hypertrm.exe sp4.cat
ecls [OPTIONS..] FILES..
/base-dir=FOLDER
/files
/no-unwanted
/quarantine
/help
0
Downloader Dropper Backdoor Keylogger Dialer
>
2. F5
http://go.eset.eu/knowledgebase?lng=1028&segment=business&KBID=SOLN3152
http://go.eset.eu/knowledgebase?lng=1028&segment=business&KBID=SOLN2629
> >
Mozilla Firefox 24 Internet Explorer 8 Google Chrome 30
http://go.eset.eu/knowledgebase?lng=1028&segment=home&KBID=KB5657
Mozilla Firefox Google Chrome Internet Explorer Microsoft Edge
> >
http://go.eset.eu/knowledgebase?lng=1028&segment=home&KBID=kb6567
>
http://go.eset.eu/knowledgebase?lng=1028&segment=homehttp://go.eset.eu/knowledgebase?lng=1028&segment=home&KBID=SOLN2434http://go.eset.eu/knowledgebase?lng=1028&segment=home&KBID=SOLN2792http://go.eset.eu/knowledgebase?lng=1028&segment=home&KBID=SOLN2788http://go.eset.eu/knowledgebase?lng=1028&segment=home&KBID=SOLN2861http://go.eset.eu/knowledgebase?lng=1028&segment=home&KBID=SOLN2228http://go.eset.eu/knowledgebase?lng=1028&segment=home&KBID=SOLN32http://go.eset.eu/knowledgebase?lng=1028&segment=home&KBID=SOLN2268http://go.eset.eu/knowledgebase?lng=1028&segment=home&KBID=SOLN2505
> > >
o > > o >
> >
> >
ESET SysInspector
> >
http://go.eset.eu/knowledgebase?lng=1028&segment=home&KBID=SOLN3207
ESET Smart Security Premium
Live Installer
ESET Smart Security Premium ThreatSense
ThreatSense
(HIPS)HIPS
Web Web URL
POP3POP3S
Web IP IPv4 IPv6
SSL/TLS
SSL/TLS
-
- ESET
PCAP
Password Manager Password Manager Password Manager Password Manager
Web
Secure Data
ESET Smart Security Premium
ESET SysInspectorESET SysRescue
Proxy
Microsoft Windows ESET CMD
ESET SysInspectorESET SysInspector ESET SysInspector
ESET SysInspector
Rootkit
DoS DNS PoisoningTCP SMB RelayICMP
ESET ESET LiveGridJava UEFI
ESET Smart Security Premium PC