
Virus Infection



Hi,

We use ESET Endpoint Security 6.6, and today we experienced a virus infection on some of our machines. As symptoms, we found that we were unable to open any application on the machines and the error "you do not have permission to open this file" appeared. After that the machine restarts automatically and is unable to boot the OS. Both Windows 7 and Windows 10 Pro machines have been infected, and we are also unable to run System Restore or Windows repair. The thing is, ESET was already up to date and running normally on these machines before the infection. Has anyone experienced this scenario recently? We have also sent the infected machines' logs to ESET for further inspection. Furthermore, does anyone have a recovery tool to restore the OS?

Quick responses highly appreciated.

Thanks!


  • Most Valued Members

Try loading this onto a USB stick and then scan the infected PCs with it: https://www.eset.com/int/support/sysrescue/

Remember to unplug the infected PCs from the network so the virus cannot spread itself through the network. For more information about Windows recovery, you can check here: https://support.microsoft.com/en-us/help/12415/windows-10-recovery-options

If you could ask the people who work on these PCs what really happened when the PCs got infected, which website they accessed or what file they opened, that might also help you understand what really happened and where it came from.

Edited by Rami

  • Administrators

Do you know by chance what malware it was? It could be a Filecoder, which also encrypts binary files and thus renders the system unusable. In the case of a ransomware infection, it is very common that an attacker performs a brute-force RDP attack, connects via RDP as an admin, disables or uninstalls the AV, and then runs ransomware to encrypt files.

The question is whether RDP is disallowed from outside the network, whether ESET's settings were password protected, and whether detection of potentially unsafe applications was enabled.

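The sequence the administrator describes above (a brute-force RDP attack, then an RDP logon as admin) leaves a recognisable trace in the Windows Security log: a burst of event 4625 failures from one source address, followed by a 4624 with LogonType 10 from the same address. The script below is an added example for this thread, not an ESET tool or any poster's code. It runs over a constructed CSV export (timestamp, event ID, logon type, account, source IP); a real export from `wevtutil` or `Get-WinEvent` would need its own parser, and the threshold and window are assumptions to tune per environment.

```python
"""Spot an RDP brute-force burst followed by a successful RDP logon in
Windows Security log events.

Added example for this thread, not ESET's or any poster's tool. The input is
a constructed CSV export (timestamp,event_id,logon_type,account,source_ip);
a real export (e.g. from wevtutil or Get-WinEvent) needs its own parser.
The threshold and window are assumptions to tune per environment.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625     # Windows Security: an account failed to log on
SUCCESS_LOGON = 4624    # Windows Security: an account was successfully logged on
RDP_LOGON_TYPE = 10     # LogonType 10 = RemoteInteractive (RDP)

# Constructed sample: 12 failures in 12 seconds from one external address,
# then an RDP success from that address; plus one ordinary typo-then-success
# from a LAN workstation that must not be flagged.
SAMPLE_LOG = """\
2019-02-01T02:10:01,4625,3,Administrator,203.0.113.7
2019-02-01T02:10:02,4625,3,admin,203.0.113.7
2019-02-01T02:10:03,4625,3,administrator,203.0.113.7
2019-02-01T02:10:04,4625,3,Admin,203.0.113.7
2019-02-01T02:10:05,4625,3,user,203.0.113.7
2019-02-01T02:10:06,4625,3,test,203.0.113.7
2019-02-01T02:10:07,4625,3,guest,203.0.113.7
2019-02-01T02:10:08,4625,3,backup,203.0.113.7
2019-02-01T02:10:09,4625,3,sql,203.0.113.7
2019-02-01T02:10:10,4625,3,Administrator,203.0.113.7
2019-02-01T02:10:11,4625,3,Administrator,203.0.113.7
2019-02-01T02:10:12,4625,3,Administrator,203.0.113.7
2019-02-01T02:10:41,4624,10,Administrator,203.0.113.7
2019-02-01T08:30:00,4625,3,jsmith,192.168.1.20
2019-02-01T08:30:30,4624,10,jsmith,192.168.1.20
"""


def parse_events(text: str):
    """Yield one dict per non-empty CSV line of the constructed export."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, account, ip = line.split(",")
        yield {"ts": datetime.fromisoformat(ts), "id": int(eid),
               "type": int(ltype), "account": account, "ip": ip}


def detect_rdp_bruteforce(text: str, threshold: int = 10,
                          window: timedelta = timedelta(seconds=60)) -> dict:
    """Return {source_ip: finding} for every IP that produced >= threshold
    failed logons inside `window`. If that IP later gets a LogonType 10
    success, the finding records it: that is the "brute-force, then RDP in
    as admin" sequence to treat as a compromise rather than a lockout."""
    recent = defaultdict(deque)   # ip -> timestamps of failures in the window
    findings = {}
    for ev in parse_events(text):
        ip = ev["ip"]
        if ev["id"] == FAILED_LOGON:
            q = recent[ip]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(
                    ip, {"burst_start": q[0], "failures": 0, "rdp_success": None})
                f["failures"] = max(f["failures"], len(q))
        elif ev["id"] == SUCCESS_LOGON and ev["type"] == RDP_LOGON_TYPE and ip in findings:
            findings[ip]["rdp_success"] = (ev["ts"], ev["account"])
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(ip, finding)
```

A hit with `rdp_success` set is the point at which to check whether the AV was stopped or uninstalled from that session, which is why password-protecting ESET's settings matters: without it, the same admin session that came in over RDP can switch protection off before dropping the payload.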

The most recent of the "file destroyer" ransomware is Armage.

These types of ransomware encrypt both PE and non-PE files. However, almost all of them at least allow the device to boot and display the infamous ransom note. The fact that this is not occurring leads me to believe this incident is not ransomware related.

4 hours ago, Prasannamad said:

Furthermore, does anyone have a recovery tool to restore the OS?

In Win 10, if you can access the recovery environment (https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) at boot time, you can perform a system reset. This will preserve all your data and reinstall the OS. However, after restoration of the OS, all your applications will have to be reinstalled manually.

You should make it a practice to perform periodic full image backups of the OS installation drive.

Edited by itman
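The post above turns on whether the executables themselves were encrypted: a "file destroyer" that overwrites PE files leaves nothing behind that Windows can load, which would explain "you do not have permission to open this file" followed by an unbootable system. One way to check that from a rescue environment, against a mounted copy of the affected drive, is to walk the executables and test whether each still has a valid MZ/PE header. The script below is an added example for this thread, not ESET's or any poster's tool; it builds a constructed sample tree (an intact PE stub, a deliberately scrambled copy standing in for ciphertext, and a text file that is ignored) and the entropy threshold and minimum size are assumptions, not published indicators.

```python
"""Triage: find Windows executables whose PE structure has been destroyed.

Added example for this thread, not ESET's or any poster's tool. It builds a
constructed sample tree (one intact PE stub, one "encrypted" copy, one text
file) and walks it; point triage() at a mounted copy of an affected drive to
run it for real. The thresholds are assumptions, not published indicators.
"""
import math
import os
import random
import struct
import tempfile
from collections import Counter

PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr"}
ENTROPY_LIMIT = 7.2   # assumed: bits/byte above which a file looks encrypted or packed
MIN_SIZE = 1024       # assumed: skip tiny files, entropy is meaningless there


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_pe(data: bytes) -> bool:
    """Check the MZ magic and that e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(path: str):
    """Return (flagged, reason) for one file, reading only its first 4 KiB."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if not looks_like_pe(head):
        return True, "no valid MZ/PE header"
    if len(head) >= MIN_SIZE and shannon_entropy(head) > ENTROPY_LIMIT:
        return True, "header present but high entropy (packed or partially encrypted?)"
    return False, "intact"


def triage(root: str) -> dict:
    """Walk root and classify every file with an executable extension."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in PE_EXTENSIONS:
                full = os.path.join(dirpath, name)
                results[os.path.relpath(full, root)] = classify(full)
    return results


def build_sample_tree() -> str:
    """Constructed sample data: an intact PE stub, an 'encrypted' copy, a text file."""
    root = tempfile.mkdtemp(prefix="pe-triage-")
    stub = bytearray(0x100)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)      # e_lfanew -> 0x40
    stub[0x40:0x44] = b"PE\0\0"
    with open(os.path.join(root, "good.exe"), "wb") as fh:
        fh.write(stub)
    rng = random.Random(1)                        # deterministic stand-in for ciphertext
    with open(os.path.join(root, "victim.dll"), "wb") as fh:
        fh.write(bytes(rng.getrandbits(8) for _ in range(4096)))
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("not an executable, ignored by triage\n")
    return root


if __name__ == "__main__":
    for rel, (flagged, reason) in sorted(triage(build_sample_tree()).items()):
        print(f"{'FLAG' if flagged else ' ok '} {rel}: {reason}")
```

If most of the files under the Windows directory come back flagged, a system reset from WinRE is the realistic path, as the post says, and the image backups it recommends are what would have made this a restore rather than a rebuild.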
