pruiz 0 Posted May 24, 2019 (edited)

Hello team,

We have realized that we have a computer from our technical support team that shows a threat alarm about what looks like a filecoder.crysis sample (eei filecoder.png). The problem is that when we look at the registry in the computer or in the esmc (esmc threat.png) this sample doesn't show up, so we are worried that the eei is making information up.

I have added the logs from the affected computer and the eei server from that day, the day before and the day after to this file in our ftp:

link: https://cloud.protegerse.com/s/id75SJPaKYZ3DJL
name of the file: "eei 22-05-19.zip"
password: "clean"

Best regards

Edited May 24, 2019 by Marcos: Password removed
Marcos (Administrators) 4,935 Posted May 24, 2019

Does the user on the machine in question receive files from customers, for instance, and process them? Are there any files that had been on the machine and were encrypted? What is the ESET subfolder in the Downloads folder intended for?
pruiz 0 (Author) Posted May 24, 2019

1 hour ago, Marcos said: Does the user on the machine in question receive files from customers for instance and processes them? Are there any files that had been on the machine and were encrypted? What is the ESET subfolder in the Downloads folder intended for?

Hello Marcos,

Yes, the computer belongs to one of the members of our technical support, and we sometimes receive encrypted files to send them to the lab to check if they can be decrypted. We don't know how knowing what that folder is used for will help, but that folder is used to store information that he has to send to ESET Bratislava.

Regards
Marcos (Administrators) 4,935 Posted May 24, 2019

Ok, so this is most likely what happened:
- the support agent received encrypted files from a customer
- upon saving the encrypted files on a disk, Ransomware shield detected a suspicious behavior and triggered a detection which was not logged locally in the Detection log due to a bug, but it was reported to EEI

What I would suggest:
- Excluding the ESET folder in which files from customers are saved to
- Editing ACL and denying the permission to read & execute files in the folder to prevent the support agent from executing malicious files that might be saved there.
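An added example, not from this thread or from ESET, of the ACL part of the suggestion above: it adds an inherited Deny entry for the support agent's account on the sample-intake folder. It narrows the denial to ExecuteFile rather than read & execute so the agent can still copy and forward samples to the lab; the folder path and account name are placeholders.

```powershell
# Added example: block execution of files in the customer-sample folder for the agent account.
# Both values below are placeholders; replace with the real path and account.
$Folder   = 'C:\Users\agent\Downloads\ESET'
$Identity = 'DOMAIN\agent'

# Build a Deny rule for ExecuteFile that inherits to all files and subfolders.
$Rights      = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
$Inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$Propagation = [System.Security.AccessControl.PropagationFlags]::None
$Type        = [System.Security.AccessControl.AccessControlType]::Deny
$DenyRule    = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Identity, $Rights, $Inheritance, $Propagation, $Type)

# Apply the rule on top of the existing DACL.
$Acl = Get-Acl -Path $Folder
$Acl.AddAccessRule($DenyRule)
Set-Acl -Path $Folder -AclObject $Acl

# Verify the Deny entry landed (Deny ACEs are evaluated before Allow ACEs).
(Get-Acl -Path $Folder).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -eq $Identity } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Run it from an elevated session; the Deny rule only stops launching files from that folder, it does not stop the agent from moving a sample elsewhere and running it there, so pair it with the detection-side exclusion the reply above describes.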
pruiz 0 (Author) Posted May 24, 2019

Ok, we will try the suggestions, but I find it hard to believe that this bug happens once a week, every week.

Regards
Marcos (Administrators) 4,935 Posted May 24, 2019

Of course the bug where a Ransomware shield detection is not logged on clients manifests every time a suspicious (encrypted) file has been created by renaming; however, that's the only bug related to your report. I don't see any problems with the records you marked with the red rectangle. Please clarify and post a screenshot with alarm details.
pruiz 0 (Author) Posted May 27, 2019

This is what I have understood, so please correct me if I'm wrong. There is a bug that makes it so that when there is a Ransomware shield detection it doesn't get registered in either the local client or the esmc, but it gets registered in the EEI. The records I marked in the red rectangle are the times when there should have been a record about a ransomware according to the registry in the EEI.