hungtt, posted February 4, 2017: Hi! I've scanned with ESET after being infected by the .wallet file ransomware virus, but ESET did not detect this ransomware. Please help me!
Marcos (Administrator), posted February 4, 2017: Files with the .wallet extension are legitimate files encrypted by Filecoder.Crysis and therefore are not subject to detection. Decryption will not be possible. You can PM me the output from ESET Log Collector according to the instructions in my signature for a review.
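Since the .wallet files are the victim's own data rather than malware, the practical next step is scoping rather than scanning: how many files were reached, on which shares, and over what time window (the window can then be correlated with logon and SMB events on the server). The script below is an added example written for this thread; it is not ESET's code and was not posted by anyone in the discussion. It assumes only what the thread states, that the encrypted files end in ".wallet"; the function names and the constructed sample tree used by demo() are the example's own. It is read-only and never opens, moves or deletes anything.

```python
"""Scope a Filecoder.Crysis-style incident by inventorying the encrypted files.

Added example for this thread; it is not ESET's code and not from any poster.
The only thing it takes from the thread is that encrypted files end in
".wallet". It is read-only: it never opens, moves or deletes anything.
"""
import os
import sys
import tempfile
from collections import Counter
from datetime import datetime, timezone

DEFAULT_EXT = ".wallet"


def inventory(root, ext=DEFAULT_EXT):
    """Walk `root` and summarise files whose name ends with `ext` (case-insensitive).

    Returns the count, total size, earliest and latest modification time
    (an approximation of the encryption window) and a per-directory count
    that shows which shares the ransomware reached. Symlinks are not
    followed, and files that disappear during the walk are skipped.
    """
    ext = ext.lower()
    count = total = 0
    first = last = None
    by_dir = Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(ext):
                continue
            try:
                st = os.stat(os.path.join(dirpath, name))
            except OSError:
                continue  # vanished or unreadable: skip rather than abort
            count += 1
            total += st.st_size
            first = st.st_mtime if first is None else min(first, st.st_mtime)
            last = st.st_mtime if last is None else max(last, st.st_mtime)
            by_dir[os.path.relpath(dirpath, root)] += 1
    return {"count": count, "total_bytes": total,
            "first_mtime": first, "last_mtime": last, "by_dir": dict(by_dir)}


def format_report(summary):
    """Render the summary as plain text for a ticket or hand-off note."""
    def ts(t):
        return "n/a" if t is None else datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
    lines = [
        f"encrypted files : {summary['count']}",
        f"total size      : {summary['total_bytes']} bytes",
        f"first modified  : {ts(summary['first_mtime'])}",
        f"last modified   : {ts(summary['last_mtime'])}",
        "directories hit (most affected first):",
    ]
    for d, n in sorted(summary["by_dir"].items(), key=lambda kv: (-kv[1], kv[0])):
        lines.append(f"  {n:6d}  {d}")
    return "\n".join(lines)


# Constructed sample tree: (relative path, size in bytes, mtime as UTC epoch).
# Purely illustrative; this is not data from the thread.
SAMPLE_TREE = [
    ("finance/q1.xlsx.wallet", 2048, 1486195200),
    ("finance/q2.xlsx.wallet", 1024, 1486195260),
    ("hr/archive.zip.WALLET", 256, 1486195400),   # upper-case extension still counts
    ("hr/list.docx.wallet", 512, 1486195500),
    ("hr/readme.txt", 100, 1486195000),           # untouched file, must not be counted
]


def demo():
    """Build the constructed tree in a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as base:
        for rel, size, mtime in SAMPLE_TREE:
            path = os.path.join(base, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"\0" * size)
            os.utime(path, (mtime, mtime))
        return inventory(base)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else None
    print(format_report(inventory(root) if root else demo()))
```

Run it with the affected share or volume as the only argument (for example the server's data share); without an argument it inventories the constructed sample tree. The earliest and latest modification times bracket the encryption run, which is usually the fastest way to find the responsible session in the server's logon logs.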
hungtt (author), posted February 6, 2017: Hi! I've had ESET installed since 9/2016. A client (Win 8) and a server (Win 2012 R2) have been infected with this ransomware. Please check the attachment. Thank you. P.S.: because it is larger than 10 MB (~50 MB), I uploaded it to this link: hxxp://www.mediafire.com/file/ae7ne1hzpiviles/log+virus.rar
hungtt (author), posted February 6, 2017: Hi! As far as I know, this virus signature is detected by ESET, see: hxxp://www.virusradar.com/en/Win32_Filecoder.Crysis/detail So why did my client get infected with it?
Marcos (Administrator), posted February 6, 2017: Files were encrypted by Filecoder.Crysis. Unfortunately, decryption is not possible. Both logs show a problem with LiveGrid, therefore I'd recommend testing LiveGrid's functionality by downloading the CloudCar test file, which should be detected as Suspicious object. Also, payment instructions were not enclosed. If possible, please re-send.
hungtt (author), posted February 6, 2017: Hi Marcos! As far as I know, when installing ESET, LiveGrid is enabled during the setup process. Can you check the root cause in the client's log? My system has 130 clients, and only these 2 clients have been infected with this ransomware.
hungtt (author), posted February 6, 2017: Hi Marcos! I've tested on a new client with LiveGrid enabled, but when I access your test link, ESET does not scan it.
Marcos (Administrator), posted February 6, 2017: Let's start with temporarily changing logging verbosity to Diagnostics (Tools -> Log files -> Minimum logging verbosity). Then re-download CloudCar. When done, send me "C:\ProgramData\ESET\ESET File Security\Logs\warnlog.dat" and change the logging verbosity back to Informative.
itman, posted February 6, 2017 (edited February 6, 2017 by itman): Quoting Marcos, 15 hours earlier: "Files were encrypted by Filecoder.Crysis. Unfortunately, decryption is not possible. Both logs show a problem with LiveGrid, therefore I'd recommend testing LiveGrid's functionality by downloading the CloudCar test file, which should be detected as Suspicious object. Also, payment instructions were not enclosed. If possible, please re-send." I just observed some interesting behavior in regard to the CloudCar test using IE11. The download attempt is detected by ESET. However, I additionally get a SmartScreen popup that occurs for any download. 1. If I exit the web page at this point, there is no trace of the CloudCar test file in the Downloads folder. 2. If I click on Save in the SmartScreen popup, SmartScreen detects the download and blocks it as malicious. Examination of the Downloads folder shows a null CloudCar file created, as shown in the screenshot below. This implies to me that the CloudCar file is still in the browser buffer and the download is not fully blocked by ESET. Something to check out.
hungtt (author), posted February 7, 2017: Hi Marcos, this is my log: warnlog.rar
Marcos (Administrator), posted February 7, 2017: Quoting hungtt, 5 hours earlier: "This is my log: warnlog.rar" There are no records created with logging verbosity set to Diagnostic.
hungtt (author), posted February 7, 2017 (edited February 7, 2017 by hungtt): Hi Marcos! It was disabled before; I've enabled it. This is the new log: warnlog.rar
hungtt (author), posted February 7, 2017: Hi Marcos, this is the new log: warnlog.rar
hungtt (author), posted February 8, 2017: Hi Marcos! Please help me check this.
hungtt (author), posted February 9, 2017: Hi Marcos! Please help me clear up this issue. Thanks.
hungtt (author), posted February 10, 2017: Hello! Can anyone help me?
Marcos (Administrator), posted February 10, 2017: Please create a Wireshark log during an attempt to download CloudCar. Couldn't it be that a firewall is blocking communication with LiveGrid servers? For a list of addresses that ESET communicates with, see http://support.eset.com/kb332.
hungtt (author), posted February 13, 2017: Hi Marcos! I've turned off the firewall on my server. It still downloads normally. Please check my logs (Wireshark + warnlog): log.rar
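Before going to Wireshark, a quick way to test the firewall hypothesis from the affected host is to attempt a TCP connect to each address on the kb332 list and classify the failure: a connect that times out with no answer at all is the signature of a firewall that silently drops packets, a refused connect means the host answered, and a name that does not resolve points at DNS or proxy configuration rather than a firewall rule. The script below is an added example written for this thread; it is not ESET's code and was not posted by Marcos or anyone else. The LiveGrid hostnames and ports are deliberately not reproduced here (take them from the kb332 link above) and are passed on the command line; the function names are the example's own, and demo() exercises three of the four outcomes offline on the loopback interface, since a timeout cannot be produced reliably without a real packet-dropping hop.

```python
"""Classify why a TCP endpoint cannot be reached: dns, refused, timeout or error.

Added example for this thread; not ESET's code. The LiveGrid endpoints are
not hard-coded (see the kb332 list referenced in the thread); pass them as
host:port arguments.
"""
import socket
import sys


def probe(host, port, timeout=3.0):
    """Attempt a TCP connect to every address `host` resolves to.

    Returns (status, detail) where status is one of:
      "ok"      - handshake completed on at least one address
      "dns"     - the name did not resolve (resolver/proxy problem, not a firewall)
      "refused" - RST received: host reachable, nothing listening or a rejecting rule
      "timeout" - no SYN-ACK at all: the classic sign of a firewall dropping packets
      "error"   - any other OS-level failure (no route, network unreachable, ...)
    """
    try:
        addrinfo = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", str(exc)
    result = ("error", "no addresses returned")
    for family, socktype, proto, _canon, sockaddr in addrinfo:
        target = f"{sockaddr[0]}:{sockaddr[1]}"
        sock = socket.socket(family, socktype, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            return "ok", target
        except socket.timeout:
            result = ("timeout", f"{target}: no SYN-ACK within {timeout}s (packets dropped?)")
        except ConnectionRefusedError:
            result = ("refused", f"{target}: RST received")
        except OSError as exc:
            result = ("error", f"{target}: {exc}")
        finally:
            sock.close()
    return result


def probe_all(endpoints, timeout=3.0):
    """Probe a list of (host, port) pairs; returns {"host:port": (status, detail)}."""
    return {f"{h}:{p}": probe(h, p, timeout) for h, p in endpoints}


def demo():
    """Offline demonstration using a loopback listener and a reserved, unresolvable name."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    results = {}
    results["listening"] = probe("127.0.0.1", port)[0]              # expected "ok"
    listener.close()
    results["closed"] = probe("127.0.0.1", port)[0]                 # expected "refused"
    results["unresolvable"] = probe("nonexistent.invalid", 443)[0]  # expected "dns"
    return results


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: probe.py host:port [host:port ...]  (running the offline demo instead)")
        print(demo())
    else:
        endpoints = []
        for arg in sys.argv[1:]:
            host, _, port = arg.rpartition(":")
            endpoints.append((host, int(port)))
        for target, (status, detail) in probe_all(endpoints).items():
            print(f"{status:8s} {target:40s} {detail}")
```

Run it from the infected client and from a healthy one and compare: if the healthy client reports "ok" for every endpoint and the infected one reports "timeout" or "dns" for some, the problem is in that host's network path or resolver rather than in the ESET product itself. The same distinction is what the Wireshark capture would show as unanswered SYNs versus missing DNS replies.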