LNK/Exploit.CVE-2010-2568 not deleted


hungtt

Hi all,

My client is Windows Server 2012 R2 with ESET File Security 6.5 installed.

It is infected with "LNK/Exploit.CVE-2010-2568" and ESET cannot delete it completely (it just alerts: cleaned by deleting).

Although I scan with the Smart scan and In-depth scan modes, it cannot delete this virus. When I delete it in Quarantine, it reappears in Quarantine again.

I ran this tool: https://help.eset.com/eset_tools/ESETEternalBlueChecker.exe. It displays: "Your computer is safe, Microsoft security update is already installed."

Please help me with this.

Thanks.


  • Administrators

It looks like something is generating / modifying those shortcuts. Please provide a complete record (whole row) from the Detected threats log so that we can see all information related to the detection.


  • ESET Staff

From the log you provided, only the E: drive appears to be affected. This is likely a drive that is hosting shares to the network. If this is true, then it is not the server itself which is infected; there is another computer on your network which is infected and likely not protected by a security product.

These can be tricky to resolve, but if you examine the Threat Logs in the ESET Security product installed on the server, instead of ERA, then you should see a column indicating a user name which is generating the threat alert. As long as it shows an actual username (not "NT Authority/System"), you will now have the user account which is creating the malicious .lnk files and you simply need to identify which computer that user is logged in from.

If the above doesn't work, you can try to isolate which computers are not protected by an ESET product in ERA and then install ESET on those computers. However, this isn't foolproof, as a computer which is on your network but not in Active Directory won't show in ERA. The attached screen shows where to go in ERA to sort your lists to find computers which don't have ESET Security products installed.

In short, your server is protected, but you have at least one computer on your network which is not protected by ESET. Once you find these computers, you will be able to remedy your situation.

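The triage JamesR describes above (find the interactive account, not the system identity, that is writing the .lnk files onto the shared drive) can be done over an export of the Detected threats log. The following is an added example written for this thread; it is not ESET's code and not anything the posters ran. It assumes a semicolon-separated export with the columns Time; Scanner; Object type; Object; Threat; Action; User; Information (an assumption about the export layout, so adjust FIELDS to match your own file), and the hosts, user names and paths in the sample rows are constructed.

```python
"""Triage an exported ESET 'Detected threats' log to find which account is
writing malicious .lnk files onto a shared drive.

Added example, not ESET's code. The column layout (semicolon-separated
Time;Scanner;Object type;Object;Threat;Action;User;Information) is an
assumption about the export format; adjust FIELDS to match your export.
"""
import csv
import io
from collections import Counter

# Assumed column order of the exported log.
FIELDS = ["time", "scanner", "object_type", "object", "threat",
          "action", "user", "info"]

# Detections attributed to the server's own identity do not tell us which
# workstation wrote the file; JamesR's post says to ignore these.
SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY/SYSTEM", "SYSTEM"}

# Constructed sample rows: hypothetical domain, users and share paths.
SAMPLE_LOG = """\
2017-08-10 09:12:03;Real-time file system protection;file;E:\\Shares\\Sales\\report.lnk;LNK/Exploit.CVE-2010-2568;cleaned by deleting;CORP\\jdoe;
2017-08-10 09:12:05;Real-time file system protection;file;E:\\Shares\\Sales\\budget.lnk;LNK/Exploit.CVE-2010-2568;cleaned by deleting;CORP\\jdoe;
2017-08-10 09:30:41;On-demand scanner;file;E:\\Shares\\HR\\policy.lnk;LNK/Exploit.CVE-2010-2568;cleaned by deleting;NT AUTHORITY\\SYSTEM;
2017-08-10 10:02:17;Real-time file system protection;file;E:\\Shares\\Sales\\notes.lnk;LNK/Exploit.CVE-2010-2568;cleaned by deleting;CORP\\asmith;
2017-08-10 10:05:00;Real-time file system protection;file;C:\\Users\\admin\\Downloads\\setup.exe;Win32/Eicar.A;cleaned by deleting;CORP\\admin;
"""


def parse_log(text):
    """Parse the semicolon-separated export into one dict per detection."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=FIELDS, delimiter=";")
    return list(reader)


def lnk_detections(rows, threat_prefix="LNK/Exploit.CVE-2010-2568"):
    """Keep only the shortcut-exploit detections this thread is about."""
    return [r for r in rows if r["threat"].startswith(threat_prefix)]


def drives_affected(rows):
    """Drive letters (e.g. 'E:') on which the detections occurred."""
    return sorted({r["object"][:2].upper()
                   for r in rows
                   if len(r["object"]) > 1 and r["object"][1] == ":"})


def source_accounts(rows):
    """Count detections per interactive account, dropping system identities."""
    counts = Counter()
    for r in rows:
        user = r["user"].strip()
        if not user or user.upper() in SYSTEM_ACCOUNTS:
            continue
        counts[user] += 1
    return counts


def triage(text):
    """Summarise an export: affected drives, suspect accounts, and how many
    detections carry no usable account (the 'NT Authority/System' case)."""
    rows = lnk_detections(parse_log(text))
    unattributed = sum(
        1 for r in rows
        if not r["user"].strip() or r["user"].strip().upper() in SYSTEM_ACCOUNTS)
    return {
        "drives": drives_affected(rows),
        "accounts": dict(source_accounts(rows).most_common()),
        "unattributed": unattributed,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Drives with LNK detections:", result["drives"])
    for account, n in result["accounts"].items():
        print(f"  {account}: {n} detection(s) -> find the machine this user is logged on to")
    print("Detections with no usable account:", result["unattributed"])
```

The account with the most detections is the first workstation to look at; rows attributed to the system account are counted separately so you can see how much of the log is unusable for this method and fall back to the ERA sort JamesR describes.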

@JamesR Following your advice in this case, I have checked in ERA and even logged in with these user accounts on their computers; the ESET product has been installed (ESET Endpoint Antivirus ver 6.5.2017.1) and is fully updated.


This ensures that the computer is protected. So how can we prevent this kind of detection again?

Please give me some advice!

Thanks a lot.


5 hours ago, HienKieu said:

So how can we prevent this kind of detection again?

Please give me some advice!

 


Install the patch provided on Aug. 2.

Ref.: https://www.scmagazine.com/lnkexploitcve-2010-2568/article/558054/

Verify all your endpoints are patched.


14 hours ago, itman said:

 

Ref.: https://www.scmagazine.com/lnkexploitcve-2010-2568/article/558054/

Verify all your endpoints are patched.

@itman All ESET endpoints were installed with ver 6.5.2107.1. The computers detected it and moved it to the Quarantine folder, but they can't delete it, and they continue to detect it when accessing shared files on the server. Rest assured that the endpoint DB was fully updated!


9 hours ago, HienKieu said:

@itman All ESET endpoints were installed with ver 6.5.2107.1. The computers detected it and moved it to the Quarantine folder, but they can't delete it, and they continue to detect it when accessing shared files on the server. Rest assured that the endpoint DB was fully updated!

I was referring to the Windows patch for CVE-2010-2568. Ref.: https://technet.microsoft.com/en-us/library/security/ms10-046.aspx

Note that in the previous EternalBlue attack, all that was required to be vulnerable was one unpatched device in the corp. network.
