
Seemingly encrypted files or fakes.


12 replies to this topic

#1 dannyboy950

  • Members
  • 1,338 posts
  • Gender:Male
  • Location:port arthur tx

Posted 18 November 2015 - 06:05 PM

NOD32 found a little over 24 files labelled Crypto\RSA\Machine keys and a few others.

 

c:\Program Data\Microsoft\Crypto\RSA\Machine keys\ then a really long hash number, and then it ends with "error opening [4]".

A summary file, I guess, with a lot shorter hash string, and 2 picture folders. All files "unable to open [4]".

 

Why I think it may be fake is that everything opens and works on here, even the few pictures I had, mostly snips.

Either they were incorrectly coded or they got interrupted before they finished.

 

Does any of this ring a bell with any of you guys and gals?

Also, no ransom note, and no, I did not encrypt any files on this machine ever.


Edited by dannyboy950, 18 November 2015 - 06:06 PM.

HP 15-f009wm notebook, AMD E1-2100 APU 1 GHz processor, 8 GB memory, 500 GB HDD

Linux Mint 17.3 Rosa Cinnamon



#2 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,697 posts
  • Gender:Male

Posted 18 November 2015 - 06:09 PM

Someone had the same question back in May and I provided the answer there.

http://www.bleepingcomputer.com/forums/t/577279/what-is-this-microsoftcryptorsamachinekeys/

Funny thing is that she was also using ESET Nod32.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 dannyboy950

  • Topic Starter
  • Members
  • 1,338 posts
  • Gender:Male
  • Location:port arthur tx

Posted 18 November 2015 - 06:41 PM

Ahhhh so this is an Eset thing. Thanks for the heads up.




#4 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,697 posts
  • Gender:Male

Posted 18 November 2015 - 06:41 PM

It isn't an ESET thing. It's a folder where Microsoft is keeping private and public key pairs related to the system, accounts, etc.



#5 dannyboy950

  • Topic Starter
  • Members
  • 1,338 posts
  • Gender:Male
  • Location:port arthur tx

Posted 18 November 2015 - 07:16 PM

OK, next dumb question: how do I turn off SSL scanning? I have the trial version and I can't find where any of the settings are.

I've just been using whatever its defaults were.




#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,948 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 18 November 2015 - 07:18 PM

The C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder is where Windows stores SSL certificate pair keys for the computer and all users. Whenever a connection is established and a certificate request is generated, a new file is created and stored in that sub-directory.

If there is a large number of files in that folder it could be caused by SSL checking performed by ESET NOD32 Antivirus. ESET utilizes a Man-in-the-middle attack (MITM) to decrypt SSL traffic so it can scan the contents. In order to do this, it must generate a fake key for each SSL website visited so the browser does not indicate with an alert that the connection has been compromised. Disabling SSL scanning in ESET will prevent these files from accumulating in large numbers.

BTW...Files that are showing in a security scan log as being locked, skipped, unable to open, not tested, unable to scan, etc. usually are not indicative of a malware infection.

"Object is locked skipped", "File locked", "Locked file. Not tested", "file cannot be accessed", "Access Denied", "Some files could not be scanned", "file could not be opened", "Error Opening", "unable to open", "Password Protected" or "Encrypted" notations in an anti-virus/anti-malware scan are not uncommon. Some files and services are locked by the operating system or running programs during use for protection, so scanners cannot access them. Other legitimate files, especially those used by security programs, may be obfuscated, encrypted or password protected in order to conceal themselves, so they do not allow access as a protective measure. When the scanner finds such an object, it makes a note and then just skips to the next one. That explains why it may show with such notations but no action taken in certain anti-virus or anti-malware scan log reports. These are normal when using many security scanning programs, so there is seldom a need for concern.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
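The triage this post describes, as an added example that is not from the thread, from ESET or from Microsoft: it classifies constructed scanner-log lines into the benign "skipped" notations quoted above, checks whether a locked file under MachineKeys actually has the shape of a machine key container file (32 hex characters, an underscore, then the machine GUID), and leaves only real detections and oddly named files for a human to look at. The "path - status" log layout, the paths, the hashes and the GUID are all made up for the example; ESET's real log format is not assumed.

```python
import re
from collections import Counter

# Constructed scan-log excerpt in an assumed "path - status" layout. This is NOT
# ESET's real log format; the paths, hashes and GUID are made up for the example.
SAMPLE_LOG = r"""
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\6de9cb26d2b98c01ec4e9e8b34824aa2_8f1b7c3e-2a4d-4f6e-9b0c-1d2e3f4a5b6c - error opening [4]
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\7a1d9e0c5b3f4a2e8c6d0b9f1e2a3c4d_8f1b7c3e-2a4d-4f6e-9b0c-1d2e3f4a5b6c - error opening [4]
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\d42cf1b2e3a4c5d6e7f8091a2b3c4d5e_8f1b7c3e-2a4d-4f6e-9b0c-1d2e3f4a5b6c - unable to open [4]
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\photos_backup.zip - error opening [4]
C:\Windows\System32\config\SAM - object is locked, skipped
C:\Users\danny\Pictures\snip1.png - ok
C:\Users\danny\Downloads\setup.exe - threat found
"""

# The "no action taken" notations quoted in the post above; any of these means the
# scanner simply could not read the object, not that the object is malicious.
SKIP_NOTATIONS = (
    "error opening", "unable to open", "could not be opened", "cannot be accessed",
    "locked", "not tested", "access denied", "password protected", "encrypted",
    "could not be scanned",
)

# Machine-wide CAPI key containers live under
# %ProgramData%\Microsoft\Crypto\RSA\MachineKeys, one file per container, named
# <32 hex chars>_<machine GUID>. A file in that folder with any other name is
# not a key container and deserves a look.
MACHINEKEYS_DIR_RE = re.compile(r"\\Microsoft\\Crypto\\RSA\\MachineKeys\\", re.IGNORECASE)
KEY_CONTAINER_RE = re.compile(
    r"\\Microsoft\\Crypto\\RSA\\MachineKeys\\[0-9a-f]{32}_"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
    re.IGNORECASE,
)
LINE_RE = re.compile(r"^(?P<path>.+?) - (?P<status>.+)$")


def classify(path, status):
    """Map one log line to a verdict: clean, one of three skipped kinds, or detection."""
    s = status.strip().lower()
    if s == "ok":
        return "clean"
    if any(n in s for n in SKIP_NOTATIONS):
        if KEY_CONTAINER_RE.search(path):
            return "skipped-key-container"    # expected: a DPAPI-protected key file
        if MACHINEKEYS_DIR_RE.search(path):
            return "skipped-unexpected-name"  # locked file in MachineKeys, wrong shape
        return "skipped-other"                # OS or app lock; benign per the post
    return "detection"                        # a real finding, act on it


def triage(log_text):
    """Return (verdict counts, entries worth a human look) for a whole log."""
    counts = Counter()
    review = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unparseable line
        verdict = classify(m["path"], m["status"])
        counts[verdict] += 1
        if verdict in ("detection", "skipped-unexpected-name"):
            review.append((verdict, m["path"], m["status"]))
    return counts, review


if __name__ == "__main__":
    counts, review = triage(SAMPLE_LOG)
    for verdict, n in sorted(counts.items()):
        print(f"{n:3d}  {verdict}")
    for verdict, path, status in review:
        print(f"REVIEW [{verdict}] {path} ({status})")
```

Run with python3; `triage(SAMPLE_LOG)` returns the per-verdict counts plus the two entries that merit attention (the non-conforming file in MachineKeys and the real detection). Dozens of locked key-container files in that folder are the churn the post attributes to SSL scanning, not a compromise; a file there that does not fit the naming pattern is the one worth opening a closer investigation on.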

#7 dannyboy950

  • Topic Starter
  • Members
  • 1,338 posts
  • Gender:Male
  • Location:port arthur tx

Posted 18 November 2015 - 08:05 PM

Will it cause any problems leaving ssl scanning off?




#8 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,697 posts
  • Gender:Male

Posted 18 November 2015 - 08:20 PM

It won't cause any issues to the system; you're just turning off a layer of protection.



#9 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,948 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 18 November 2015 - 08:22 PM

Per ESET...

Disabling SSL Scanning will remove a layer of security provided by ESET Smart Security and could expose your system to security risks.



#10 dannyboy950

  • Topic Starter
  • Members
  • 1,338 posts
  • Gender:Male
  • Location:port arthur tx

Posted 18 November 2015 - 08:36 PM

So it is better to leave it on and just know to ignore the warnings/log entries?




#11 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,948 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 18 November 2015 - 08:39 PM

IMO it is.

#12 dannyboy950

  • Topic Starter
  • Members
  • 1,338 posts
  • Gender:Male
  • Location:port arthur tx

Posted 18 November 2015 - 09:17 PM

Thanks, both of ya. Now I gotta go back and change it. lol




#13 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,948 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 19 November 2015 - 12:58 PM

You're welcome on behalf of the Bleeping Computer community.



