Prasannamad, Posted September 25, 2018

Hi, we use ESET Endpoint Security 6.6 and today we experienced a virus infection on some of our machines. As symptoms, we identified that we were unable to open any application on the machines and the error "you do not have permission to open this file" appeared. After that the machine restarts automatically and is unable to boot the OS. Both Windows 7 and 10 Pro machines have been infected, and we are also unable to run System Restore or Windows repair. The thing is, ESET was already up to date and ran normally on these machines before the infection. Did anyone experience this scenario recently? We also sent the infected machines' logs to ESET for further inspection. Furthermore, does anyone have a recovery tool to restore the OS? Quick responses highly appreciated. Thanks!
Nightowl (Most Valued Member), Posted September 25, 2018 (edited)

Try loading this onto a USB stick and then scan the infected PCs: https://www.eset.com/int/support/sysrescue/

Remember to unplug the infected PCs from the network so the virus cannot spread itself through the network. For more information about Windows recovery you can check here: https://support.microsoft.com/en-us/help/12415/windows-10-recovery-options

If you could ask the people who work on these PCs what really happened when the PC got infected, which website they accessed or what file they opened, that might also help you find out what really happened or where it came from.
Marcos (Administrator), Posted September 25, 2018

Do you know by chance what malware it was? It could be a Filecoder, which also encrypts binary files and thus renders the system unusable. In the case of a ransomware infection, it is very common that an attacker performs a brute-force RDP attack, connects via RDP as an admin, disables or uninstalls the AV and then runs ransomware to encrypt files. The question is whether you have RDP disallowed from outside the network, whether ESET's settings were password protected and whether detection of potentially unsafe applications was enabled.
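The attack chain Marcos describes (many failed RDP logons, then a successful RDP admin logon from the same source, then the AV service being stopped and logs cleared) leaves a recognisable trail in the Windows Security and System logs. The following is an added example, not code from the thread or from ESET, showing detection logic over constructed sample events. It assumes a simplified pipe-delimited export format (timestamp|EventID|field=value;...), a failure threshold of 20 logons in 10 minutes, a 30-minute follow-up window, and that the ESET kernel service reports under the display name "ESET Service"; all of these are assumptions, and a real deployment would parse the output of wevtutil or Get-WinEvent instead.

```python
"""Detect the RDP brute-force -> admin logon -> AV tampering chain.

Added example for illustration; the sample log lines below are constructed,
not captured from a real incident. Event IDs used:
  4625 (Security) failed logon, 4624 (Security) successful logon,
  LogonType 10 = RemoteInteractive (RDP),
  7036 (System) service entered a new state, 1102 (Security) audit log cleared.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 20                      # assumed tuning value
FAIL_WINDOW = timedelta(minutes=10)      # window for counting 4625s per source
FOLLOWUP_WINDOW = timedelta(minutes=30)  # how long after the logon tampering counts
AV_SERVICE_HINT = "eset"                 # assumption: matches "ESET Service" display name


def build_sample_log():
    """Constructed events: one external brute-forcer, one benign LAN user."""
    base = datetime(2018, 9, 24, 22, 0, 0)
    lines = []
    for i in range(30):  # 30 failed RDP logons in 5 minutes from one source
        t = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{t}|4625|IpAddress=203.0.113.7;TargetUserName=Administrator;LogonType=10")
    for m in (1, 2):     # a LAN user mistyping a password twice (should not alert)
        t = (base + timedelta(minutes=m)).isoformat()
        lines.append(f"{t}|4625|IpAddress=10.0.0.15;TargetUserName=jsmith;LogonType=10")
    t = (base + timedelta(minutes=6)).isoformat()
    lines.append(f"{t}|4624|IpAddress=203.0.113.7;TargetUserName=Administrator;LogonType=10")
    t = (base + timedelta(minutes=9)).isoformat()
    lines.append(f"{t}|7036|ServiceName=ESET Service;State=stopped")
    t = (base + timedelta(minutes=11)).isoformat()
    lines.append(f"{t}|1102|SubjectUserName=Administrator")
    return lines


def parse_line(line):
    """Parse 'timestamp|EventID|k=v;k=v' into a dict (assumed export format)."""
    ts, event_id, rest = line.split("|", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split(";") if kv)
    return {"time": datetime.fromisoformat(ts), "id": int(event_id), **fields}


def _attach_tampering(findings, event, label):
    """Record a post-logon tampering event against any finding it follows."""
    for f in findings:
        if timedelta(0) <= event["time"] - f["logon_time"] <= FOLLOWUP_WINDOW:
            f["tampering"].append(label)


def detect_rdp_bruteforce_chain(lines):
    """Return one finding per successful RDP logon that followed a burst of failures."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["time"])
    failures = defaultdict(list)  # source IP -> times of failed RDP logons
    findings = []
    for e in events:
        if e["id"] == 4625 and e.get("LogonType") == "10":
            failures[e["IpAddress"]].append(e["time"])
        elif e["id"] == 4624 and e.get("LogonType") == "10":
            ip = e["IpAddress"]
            recent = [t for t in failures[ip] if e["time"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                findings.append({
                    "source": ip,
                    "user": e.get("TargetUserName", "?"),
                    "failures": len(recent),
                    "logon_time": e["time"],
                    "tampering": [],  # filled in by later events
                })
        elif (e["id"] == 7036 and e.get("State") == "stopped"
              and AV_SERVICE_HINT in e.get("ServiceName", "").lower()):
            _attach_tampering(findings, e, f"service stopped: {e['ServiceName']}")
        elif e["id"] == 1102:
            _attach_tampering(findings, e, "security log cleared")
    return findings


if __name__ == "__main__":
    for f in detect_rdp_bruteforce_chain(build_sample_log()):
        print(f"{f['source']} -> {f['user']} after {f['failures']} failures; "
              f"tampering: {f['tampering'] or 'none'}")
```

Run on the constructed log, it reports one finding for 203.0.113.7 (30 failures, then an Administrator RDP logon, then the AV service stop and the log clear), and nothing for the LAN user's two typos. The same pattern is what an EDR or SIEM rule should key on; a successful RDP logon alone is normal, a burst of failures alone is noise, but the sequence followed by AV tampering is the signal Marcos's post points to.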
itman, Posted September 25, 2018 (edited)

The most recent of the "file destroyer" ransomware is Armage. These types of ransomware encrypt both PE and non-PE files. However, almost all of these types of ransomware at least allow the device to boot and display the infamous ransom note message. The fact that this is not occurring leads me to believe this incident is not ransomware related.

Quoting Prasannamad: "Furthermore, does anyone have a recovery tool to restore the OS?"

In Win 10, if you can access the recovery environment at boot time (https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference), you can perform a system reset. This will preserve all your data and reinstall the OS. However, after restoration of the OS, all your applications will have to be manually reinstalled. You should make it a practice to perform periodic full image backups of the OS installation drive.