Jump to content

LNK/Exploit.CVE-2010-2568 not deleted


hungtt
 Share

Recommended Posts

Hi all,

My client is windows server 2012 R2 install ESET File Security 6.5.

It infected "LNK/Exploit.CVE-2010-2568" and ESET can not deleted it completed ( just alert : clean by deleting).

Althought i scan with mode : smart scan , In-depth scan but it can not deleted this virus.When i deteled it in Quarantine, it reappear in Quarantine again.

I run this tool : https://help.eset.com/eset_tools/ESETEternalBlueChecker.exe. --> display : Your computer is safe, Microsoft security update is already installed.

Please help me this.

Thanks.

2568.png

Link to comment
Share on other sites

  • Administrators

It looks like something is generating / modifying those shortcuts. Please provide a complete record (whole row) from the Detected threats log so that we can see all information related to the detection.

Link to comment
Share on other sites

  • ESET Staff

From the log you provided, only the E: drive appears to be affected.  This is likely a drive that is hosting shares to the network.  If this is true, then it is not the Server itself which is infected and there is another computer on your network which is infected and likely not protected by a security product.

These can be tricky to resolve, but if you examine the Threat Logs in the ESET Security product installed on the server, instead of ERA, then you should see a column indicating a user name which is generating the threat alert.  As long as it shows an actual username (not "NT Authority/System") you will now have the user account which is creating the malicious .lnk files and you simply need to identify which computer that user is logged in from.

If the above doesn't work, you can try and isolate which computers are not protected by an ESET Product in ERA and then install ESET on those computers.  However, this isn't fool proof as a computer which is on your network, but not in Active Directory wont show in ERA.  Attached screen shows where to go in ERA to sort your lists to find computers which don't have ESET Security products installed.

image.png

 

 

In short, your server is protected but you have at least 1 or more computers on your network, which are not protected by ESET.  Once you find these computers, you will be able to remedy your situation.

Link to comment
Share on other sites

@JamesR As followed your advice in this case, i have checked on ERA and even login these user account on their computer, ESET product has been installed (ESET Endpoint Antivirus ver 6.5.2017.1) and fully updated.

chilisin2.JPG.445f6c2aec5b27c4496a4a808084505c.JPG

chilisin1.thumb.JPG.a86c80aeea44852512e6360940e11d05.JPG

chilisin3.thumb.JPG.3c682d106eed3dade3e15f78ae9f6b36.JPG

Ensures that the computer is protected. So how can we prevent this kind of detection again?

Please give me some advice!

Thanks a lot.

Link to comment
Share on other sites

5 hours ago, HienKieu said:

So how can we prevent this kind of detection again?

Please give me some advice!

 

Quote

Install the patch provided on Aug. 2.

Ref.: https://www.scmagazine.com/lnkexploitcve-2010-2568/article/558054/

Verify all your endpoints are patched.

Link to comment
Share on other sites

14 hours ago, itman said:

 

Ref.: https://www.scmagazine.com/lnkexploitcve-2010-2568/article/558054/

Verify all your endpoints are patched.

@itman All ESET endpoint were installed with ver 6.5.2107.1. The computers had detected and move them to Quarantine folder, but it can't delete.. And continues to detect when accessing share files to the server. Make sure that the endpoint was fully updated DB!

chilisin2.JPG.bb526b3b727ff881a6471e982728512b.JPG

Link to comment
Share on other sites

9 hours ago, HienKieu said:

@itman All ESET endpoint were installed with ver 6.5.2107.1. The computers had detected and move them to Quarantine folder, but it can't delete.. And continues to detect when accessing share files to the server. Make sure that the endpoint was fully updated DB!

I was referring to the Windows patch for CVE-2010-2568. Ref.: https://technet.microsoft.com/en-us/library/security/ms10-046.aspx

Note that in the previous EternalBlue attack, all that was required to be vulnerable was one unpatched device in the corp. network.

Edited by itman
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...