marcel.germann (Member, rank: Newbie)

Posts: 7
Location: Switzerland

  1. We got infected by a new ransomware called "Mischa". It encrypts all files on the connected network shares with the endings .3P7m, .aRpt, .eQTz, 3RNu. And it creates two files with the content: The ransomware was delivered by an e-mail with a German domain (@maills.de) masked as a job application with a link to a file in the cloud (magentacloud.de/share/...). We're lucky that the user rebooted the computer, which stopped the encryption. We were able to recover all files from the backup, so we don't need help with that. But we want ESET to recognize it, so that it won't happen again. Do you already know this ransomware? Which is the best way to give you more information (encrypted files, links, ...)?
  2. After testing a lot of things I reverted my ERA to an older state from backup and everything worked well. Then I looked for all the changes and found that the samba update with CentOS 6.7 has a problem. After downgrading to 3.5.23-25 everything is working again. Command to downgrade:

     yum downgrade samba-3.6.23-25.el6_7.x86_64 samba-common-3.6.23-25.el6_7 samba-winbind-clients-3.6.23-25.el6_7 samba-client-3.6.23-25.el6_7 samba-winbind-3.6.23-25.el6_7

     Source: hxxp://serverfault.com/questions/771163/update-to-samba-3-6-23-30-on-redhat-server-6-7-breaks-connections-from-clients-o

     Nevertheless, many thanks for your help, MartinK.
  3. Yeah, I found an entry for creating the remote installer service:

     * Removing previous instance of remote installer service 'ESET Remote Administrator 6 Remote Installation Service'
     + LANG=
     + net -i -k rpc service delete eset-remote-installer -W lvstga -U domainadmin -S computername.domain
     Enter domainadmin's password:
     Could not connect to server computername.domain
     Connection failed: NT_STATUS_ACCESS_DENIED
     --------------------------------------------------------------------------
     * Creating remote installer service 'ESET Remote Administrator 6 Remote Installation Service'
     + LANG=
     + net -i -k rpc service create eset-remote-installer 'ESET Remote Administrator 6 Remote Installation Service' '%SYSTEMROOT%\era_rd_AKiKWg8O\RemoteInstallService.exe' -W lvstga -U domainadmin -S computername.domain
     Enter domainadmin's password:
     Could not connect to server computername.domain
     Connection failed: NT_STATUS_ACCESS_DENIED
     * [Exit code = 255]

     I found an old log (23.03.2016) which looks different:

     2016-03-23 15:01:05 Error: CRemoteInstallModule [Thread 7f8bddfcf700]: UnixWindowsNetworkRemoteInstall: remote deployment to 'oldcomputer.domain' terminated with 1
     2016-03-23 15:01:05 Error: CRemoteInstallModule [Thread 7f8bddfcf700]: UnixWindowsNetworkRemoteInstall: output of '"/var/opt/eset/RemoteAdministrator/Server/Scripts/UnixWindowsNetworkRemoteInstall.sh" 2>&1':
     * Created temporary directory /tmp/era_remote_deploy_wn_rFURl5e4rPrD9nlC
     * Creating command input/ouput redirection pipes
     + mkfifo /tmp/era_remote_deploy_wn_rFURl5e4rPrD9nlC/cmd.in.pipe
     + mkfifo /tmp/era_remote_deploy_wn_rFURl5e4rPrD9nlC/cmd.out.pipe
     --------------------------------------------------------------------------
     * Mounting remote share '//oldcomputer.domain/ADMIN$' to '/tmp/era_remote_deploy_wn_rFURl5e4rPrD9nlC/cifs'
     + mkdir /tmp/era_remote_deploy_wn_rFURl5e4rPrD9nlC/cifs
     + LANG=
     + mount -t cifs -o domain=lvstga,username=domainadmin '//oldcomputer.domain/ADMIN$' /tmp/era_remote_deploy_wn_rFURl5e4rPrD9nlC/cifs
     * [Exit code = 0]
     --------------------------------------------------------------------------
     * Creating remote directory '/tmp/era_remote_deploy_wn_rFURl5e4rPrD9nlC/cifs/era_rd_3Ms9R5Jd'
     + LANG=
     + mkdir /tmp/era_remote_deploy_wn_rFURl5e4rPrD9nlC/cifs/era_rd_3Ms9R5Jd
     * [Exit code = 0]
     --------------------------------------------------------------------------
     * Copying files to remote dir '/tmp/era_remote_deploy_wn_rFURl5e4rPrD9nlC/cifs/era_rd_3Ms9R5Jd'
     + cp /tmp/a9a1-56aa-a2bc-0ea4/EraAgentInstaller.bat /tmp/era_remote_deploy_wn_rFURl5e4rPrD9nlC/cifs/era_rd_3Ms9R5Jd
     * [Exit code = 0]
     + cp /opt/eset/RemoteAdministrator/Server/RemoteInstallService.exe /tmp/era_remote_deploy_wn_rFURl5e4rPrD9nlC/cifs/era_rd_3Ms9R5Jd
     * [Exit code = 0]
     --------------------------------------------------------------------------
     * Removing previous instance of remote installer service 'ESET Remote Administrator 6 Remote Installation Service'
     + LANG=
     + net -i -k rpc service delete eset-remote-installer -W lvstga -U domainadmin -S oldcomputer.domain
     Enter domainadmin's password:
     Failed to open service.  [WERR_NO_SUCH_SERVICE]
     --------------------------------------------------------------------------
     * Creating remote installer service 'ESET Remote Administrator 6 Remote Installation Service'
     + LANG=
     + net -i -k rpc service create eset-remote-installer 'ESET Remote Administrator 6 Remote Installation Service' '%SYSTEMROOT%\era_rd_3Ms9R5Jd\RemoteInstallService.exe' -W lvstga -U domainadmin -S oldcomputer.domain
     Enter domainadmin's password:
     Successfully created Service: eset-remote-installer
     * [Exit code = 0]
     --------------------------------------------------------------------------
     * Creating remote installer arguments file '/tmp/era_remote_deploy_wn_rFURl5e4rPrD9nlC/cifs/eset-remote-installer.args'
     + echo '%SYSTEMROOT%\era_rd_3Ms9R5Jd\EraAgentInstaller.bat'
     + echo '%SYSTEMROOT%\era_rd_3Ms9R5Jd\EraAgentInstaller.bat'
     * [Exit code = 0]
     --------------------------------------------------------------------------
     * Starting remote installer service 'ESET Remote Administrator 6 Remote Installation Service'
     + LANG=
     + net -i -k rpc service start eset-remote-installer -W lvstga -U domainadmin -S oldcomputer.domain
     Enter domainadmin's password:
     .
     Successfully started service: eset-remote-installer
     * [Exit code = 0]
     --------------------------------------------------------------------------

     I used the same domain admin user. In the Event Log of the target computer there is no error or any other log at the installation time, except for the successful login of the domainadmin user. The local firewall is disabled.
  4. I don't even find the command that ERA is trying to install.

     ...
     + net -i -k rpc service delete eset-remote-installer -W lvstga -U domainadmin -S computer.domain
     Enter domainadmin's password:
     Could not connect to server computer.domain
     Connection failed: NT_STATUS_ACCESS_DENIED
     * [Exit code = 255]
     --------------------------------------------------------------------------
     * Removing remote directory '/tmp/era_remote_deploy_wn_7g8EMS8PYCxjkV76/cifs/era_rd_qzyJEIK6'
     + LANG=
     + rm -r /tmp/era_remote_deploy_wn_7g8EMS8PYCxjkV76/cifs/era_rd_qzyJEIK6
     * [Exit code = 0]
     --------------------------------------------------------------------------
     * Umounting remote share '//computer.domain/ADMIN$' from '/tmp/era_remote_deploy_wn_7g8EMS8PYCxjkV76/cifs'
     + LANG=
     + umount /tmp/era_remote_deploy_wn_7g8EMS8PYCxjkV76/cifs
     * [Exit code = 0]
     --------------------------------------------------------------------------
     * Removing command input/ouput redirection pipes
     + unlink /tmp/era_remote_deploy_wn_7g8EMS8PYCxjkV76/cmd.in.pipe
     + unlink /tmp/era_remote_deploy_wn_7g8EMS8PYCxjkV76/cmd.out.pipe
     --------------------------------------------------------------------------
     * Removed temporary directory /tmp/era_remote_deploy_wn_7g8EMS8PYCxjkV76
     2016-04-21 08:00:47 Error: CRemoteInstallModule [Thread 7f95223c9700]: Executing remote deployment of agent 579b73bf-c8be-4573-93c4-2a653230cae7 on 'computer.domain'
     Windows network remote deployment failed.
     - Verify that 'computer.domain' is responding to 'ping'.
     - Verify that 'computer.domain' can be resolved with 'nslookup' if it is a DNS name.
     - Verify that firewall is not blocking communication and file sharing between server and the target machine.
     - Verify that "File and Print Sharing for Microsoft Networks" is enabled on the target machine.
     - Verify that "Remote Procedure Call (RPC)" service is running on the target machine.
     - Make sure that simple file sharing is turned off on the target machine.
     - Activate sharing resource ADMIN$ on the target machine.
     - Verify that 'lvstga\domainadmin' has administrator rights or use local 'Administrator' account that is enabled on the target machine.
     - Verify that 'lvstga\domainadmin' password is not blank.
     - Verify that you can remotely log on to the workstation from the server.
     - Verify that from server machine you can access 'net use \\computer.domain\IPC$' from the Command Prompt.
     - Change 'ESET Remote Administrator Server' service credentials from 'Network Service' to user with domain administrator permissions temporarily for deployment.
     * Error details: UnixWindowsNetworkRemoteInstall: remote deployment to 'computer.domain' terminated with 255
     SSH remote deployment failed because CONNECTION CAN NOT BE ESTABLISHED to the target LINUX or MAC machine.
     - Verify that 'computer.domain' is responding to 'ping'.
     - Verify that SSH daemon is enabled on the target machine and is running on the port 22.
     - Verify that firewall is not blocking SSH communication between server and the target machine.
     * Error details: connect: Connection refused
     Agent deployment failed. Please go through the checklist above for specific platform (WINDOWS, LINUX or MAC) that is on the target machine.
     2016-04-21 08:00:47 Error: CRemoteInstallModule [Thread 7f95255ce700]: Remote deployment failed on 1 targets

     On the target I don't find an ESET log.
  5. I discovered the same problem. In the log (/var/log/eset/RemoteAdministrator/Server/) I find the following:

     * Mounting remote share '//computer.domain/ADMIN$' to '/tmp/era_remote_deploy_wn_7g8EMS8PYCxjkV76/cifs'
     + mkdir /tmp/era_remote_deploy_wn_7g8EMS8PYCxjkV76/cifs
     + LANG=
     + mount -t cifs -o domain=lvstga,username=domainadmin '//computer.domain/ADMIN$' /tmp/era_remote_deploy_wn_7g8EMS8PYCxjkV76/cifs
     * [Exit code = 0]
     --------------------------------------------------------------------------
     * Creating remote directory '/tmp/era_remote_deploy_wn_7g8EMS8PYCxjkV76/cifs/era_rd_qzyJEIK6'
     + LANG=
     + mkdir /tmp/era_remote_deploy_wn_7g8EMS8PYCxjkV76/cifs/era_rd_qzyJEIK6
     * [Exit code = 0]
     --------------------------------------------------------------------------
     * Copying files to remote dir '/tmp/era_remote_deploy_wn_7g8EMS8PYCxjkV76/cifs/era_rd_qzyJEIK6'
     + cp /tmp/b212-f983-309f-f4bb/EraAgentInstaller.bat /tmp/era_remote_deploy_wn_7g8EMS8PYCxjkV76/cifs/era_rd_qzyJEIK6
     * [Exit code = 0]
     + cp /opt/eset/RemoteAdministrator/Server/RemoteInstallService.exe /tmp/era_remote_deploy_wn_7g8EMS8PYCxjkV76/cifs/era_rd_qzyJEIK6
     * [Exit code = 0]
     --------------------------------------------------------------------------
     * Removing previous instance of remote installer service 'ESET Remote Administrator 6 Remote Installation Service'
     + LANG=
     + net -i -k rpc service delete eset-remote-installer -W lvstga -U domainadmin -S computer.domain
     Enter domainadmin's password:
     Could not connect to server computer.domain
     Connection failed: NT_STATUS_ACCESS_DENIED
     --------------------------------------------------------------------------
     ...

     It retries the last command 20 times and then aborts, removing the remote directory and share. Because it is a new Windows 7 32-bit installation, there is no eset-remote-installer service available on the target computer. I also tried to connect directly with your provided command (mount -t -cifs...) and this works perfectly.

     We use the ESET Remote Administrator Appliance (CentOS release 6.7). Could it be a problem with CentOS updates I installed? I remember there was a samba update. Installing the agent with the Agent Live Installer works, but then it can't connect to the ERA server. In the agent log I get the same errors as in the other topics: https://forum.eset.com/topic/8154-agents-not-connecting-to-remote-administrator-no-errors/ and https://forum.eset.com/topic/8114-era-agent-not-working/
  6. Thanks for your answer. I tried to log the protocol filtering; sadly I couldn't reproduce the error. Maybe it's already fixed in the new signature database. But anyway I want to analyse problems with protocol filtering. As I saw, the advanced logging generates two pcapng files, which I can open with Wireshark. How can I detect if ESET is blocking something? If I press "Schutz vorübergehend deaktivieren" (temporarily disable protection) I expect ESET to stop working. It is not satisfactory for me if certain services still continue and I do not know if ESET caused the problem I'm looking for or not. What is the easiest and fastest way to disable ESET completely without uninstalling?
  7. With one of the new signature database updates we discovered that a Java application is no longer able to communicate properly with the server over HTTP. It looked like a performance problem: sometimes it worked but very slowly, sometimes it didn't work at all. Sadly it didn't help to disable ESET Endpoint Antivirus; only an uninstall helped. To satisfy our users, I temporarily rolled back to an older signature database, which helped for the first moment. Now I figured out that it helps to exclude the server IP addresses in "Web and email" -> "Protocol filtering". 1. What did you change in the signature database so that the communication didn't work properly anymore? 2. Why isn't protocol filtering disabled if I disable ESET Endpoint Antivirus for an hour? 3. How can I debug if protocol filtering is blocking? Is there a log I have to enable?
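Posts 3 to 5 quote the output of ERA 6's UnixWindowsNetworkRemoteInstall.sh, and the useful signal in it is which step failed and how (the CIFS mount of ADMIN$ succeeds, the following net rpc service call returns NT_STATUS_ACCESS_DENIED). The script below is an added example, not part of the posts above and not ESET's own code: it parses that output into steps, finds the first failing one and attaches the checklist hints the ERA server itself prints (post 4) plus the samba downgrade the poster reports in post 2. The sample log text is constructed from the posted logs with the temporary paths shortened.

```python
# Added example, not ESET's code: triage the output of ERA 6's
# UnixWindowsNetworkRemoteInstall.sh as quoted in posts 3 to 5 above. The
# script prints a '* step' line per step, '+ command' lines, their output and
# '* [Exit code = N]' lines, with dashed rules between steps.
import re
from dataclasses import dataclass, field
from typing import Optional

SEPARATOR = re.compile(r"^-{10,}$")
EXIT = re.compile(r"^\* \[Exit code = (\d+)\]$")
STEP = re.compile(r"^\* (.*)$")
COMMAND = re.compile(r"^\+ (.*)$")
NTSTATUS = re.compile(r"NT_STATUS_[A-Z_]+")  # hard failures reported by 'net'


@dataclass
class Step:
    name: str
    commands: list = field(default_factory=list)
    errors: list = field(default_factory=list)  # NT_STATUS_* codes seen
    exit_code: Optional[int] = None

    @property
    def failed(self) -> bool:
        # The failing 'net rpc service delete' step in the posted logs prints
        # no exit code line at all, so the NT_STATUS text must count as well.
        return bool(self.errors) or self.exit_code not in (None, 0)


def parse_steps(text: str) -> list:
    """Split the script output into Step records, one per '* ...' heading."""
    steps, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SEPARATOR.match(line):
            continue
        if m := EXIT.match(line):
            if current is not None:
                current.exit_code = int(m.group(1))
        elif m := STEP.match(line):
            current = Step(name=m.group(1))
            steps.append(current)
        elif current is None:
            continue
        elif m := COMMAND.match(line):
            if m.group(1) != "LANG=":  # environment setup, not a real command
                current.commands.append(m.group(1))
        else:
            current.errors.extend(NTSTATUS.findall(line))
    return steps


# Hints from the checklist the ERA server prints on failure (post 4) and from
# the fix the poster found on the appliance side (post 2).
ACCESS_DENIED_HINTS = [
    "verify the deployment account has administrator rights on the target",
    "verify 'net use \\\\target\\IPC$' works from the ERA server",
    "make sure simple file sharing is off and the RPC service runs on the target",
    "check the samba packages on the ERA appliance; the poster's fix was "
    "downgrading to samba-3.6.23-25.el6_7 (post 2)",
]


def diagnose(text: str) -> list:
    """Return the first failing step plus the hints that apply to it."""
    steps = parse_steps(text)
    bad = next((s for s in steps if s.failed), None)
    if bad is None:
        return ["no failing step: deployment output looks healthy"]
    hints = [f"first failing step: {bad.name} (exit {bad.exit_code}, {bad.errors})"]
    mounted = any(s.name.startswith("Mounting remote share") and s.exit_code == 0
                  for s in steps)
    if mounted and "NT_STATUS_ACCESS_DENIED" in bad.errors \
            and bad.commands and bad.commands[0].startswith("net "):
        hints.append("ADMIN$ mounted over CIFS with the same credentials, so the "
                     "RPC service-control call is what is being refused")
        hints.extend(ACCESS_DENIED_HINTS)
    return hints


# Constructed samples, abridged from the logs in posts 3 and 5 (paths shortened).
FAILED_LOG = r"""
* Mounting remote share '//computer.domain/ADMIN$' to '/tmp/era_wn_X/cifs'
+ LANG=
+ mount -t cifs -o domain=lvstga,username=domainadmin '//computer.domain/ADMIN$' /tmp/era_wn_X/cifs
* [Exit code = 0]
--------------------------------------------------------------------------
* Removing previous instance of remote installer service 'ESET Remote Administrator 6 Remote Installation Service'
+ LANG=
+ net -i -k rpc service delete eset-remote-installer -W lvstga -U domainadmin -S computer.domain
Enter domainadmin's password:
Could not connect to server computer.domain
Connection failed: NT_STATUS_ACCESS_DENIED
--------------------------------------------------------------------------
"""
OK_LOG = r"""
* Removing previous instance of remote installer service 'ESET Remote Administrator 6 Remote Installation Service'
+ net -i -k rpc service delete eset-remote-installer -W lvstga -U domainadmin -S oldcomputer.domain
Failed to open service.  [WERR_NO_SUCH_SERVICE]
--------------------------------------------------------------------------
* Creating remote installer service 'ESET Remote Administrator 6 Remote Installation Service'
+ net -i -k rpc service create eset-remote-installer 'ESET Remote Administrator 6 Remote Installation Service' '%SYSTEMROOT%\era_rd_X\RemoteInstallService.exe' -W lvstga -U domainadmin -S oldcomputer.domain
Successfully created Service: eset-remote-installer
* [Exit code = 0]
"""

if __name__ == "__main__":
    for hint in diagnose(FAILED_LOG) + diagnose(OK_LOG):
        print(hint)
```

Run against the failing sample it names the "Removing previous instance" step as the first failure with no exit code but an NT_STATUS_ACCESS_DENIED, and because the ADMIN$ mount step succeeded it attaches the RPC and samba hints; the WERR_NO_SUCH_SERVICE in the healthy sample is deliberately not counted as a failure, since a fresh target has no such service yet, exactly as post 5 notes.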