santoso, Posted February 18, 2019

Hello, we have a Windows server with ESET File Security v7 installed and updated. The notifications always report a trojan:

Real-time file system protection file C:\Windows\system32\srv64 Win64/Vools.F trojan cleaned by deleting NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\Windows\System32\lsass.exe

I scanned with in-depth scan mode and rebooted the server, but ESET always detects this kind of trojan again. How can this case be solved? Thank you.
Marcos (Administrator), Posted February 18, 2019

Probably the server does not have all critical security updates installed. Please gather logs with ESET Log Collector. Also do the following:
- disconnect the computer from the network
- run a full disk scan and clean the malware found
- reboot the server
- run a full disk scan

Let us know if no threats were found during the second scan.
itman, Posted February 18, 2019 (edited February 18, 2019 by itman)

ESET doesn't have a detailed write-up on this variant, Win64/Vools.F trojan, but does have one for an earlier variant: https://www.virusradar.com/en/Win64_Vools.B/description . It appears this malware is designed to exploit the well-publicized SMBv1 vulnerability disclosed here and patched in 2017: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010
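Since the thread points at SMBv1 and MS17-010, a defender on the affected server would want a quick way to confirm whether the host still exposes SMBv1 and whether the MS17-010 update is present before reconnecting it. The PowerShell below is an added example, not code from the thread or from ESET; the `$Ms17010Kb` value is a placeholder, because the KB number for MS17-010 differs per Windows version and is not given in the thread.

```powershell
# Added example: report SMBv1 exposure and MS17-010 status on a Windows Server host.
# Run in an elevated PowerShell session; the cmdlets used exist on Windows Server 2012 R2 and later.
function Test-Smb1Exposure {
    [CmdletBinding()]
    param(
        # Placeholder: substitute the MS17-010 KB ID for this OS version from the bulletin.
        [string]$Ms17010Kb = 'KB<placeholder>'
    )
    $result = [ordered]@{}

    # Is the SMB server still willing to speak the SMB1 dialect?
    $cfg = Get-SmbServerConfiguration
    $result.Smb1ServerEnabled = [bool]$cfg.EnableSMB1Protocol

    # Is the SMB1 feature still installed at all (FS-SMB1 on Server 2012 R2+)?
    $feature = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue
    $result.Smb1FeatureInstalled = if ($feature) { [bool]$feature.Installed } else { $null }

    # Is the MS17-010 hotfix for this OS present?
    $result.Ms17010Installed = [bool](Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue)

    # Any live sessions negotiated over an SMB1 dialect right now?
    $sessions = Get-SmbSession -ErrorAction SilentlyContinue | Where-Object { $_.Dialect -like '1.*' }
    $result.ActiveSmb1Sessions = @($sessions).Count

    # Exposed if SMB1 is enabled or installed while the patch is missing
    $result.Exposed = ($result.Smb1ServerEnabled -or $result.Smb1FeatureInstalled) -and -not $result.Ms17010Installed

    [pscustomobject]$result
}

function Disable-Smb1 {
    # Hardening step matching the thread's advice: stop serving SMB1 and remove the feature.
    # Uninstalling the feature requires a reboot to complete.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Uninstall-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue
}

Test-Smb1Exposure | Format-List
```

Run `Test-Smb1Exposure` again after patching and after `Disable-Smb1` plus a reboot; `Exposed` should read `False` and `Smb1ServerEnabled` should be `False`.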
itman, Posted February 21, 2019

If you need further inducement to apply the SMBv1 patch mentioned above, here's another one attacking Italian concerns: https://blog.trendmicro.com/trendlabs-security-intelligence/monero-miner-malware-uses-radmin-mimikatz-to-infect-propagate-via-vulnerability/