This topic is now archived and is closed to further replies.

pruiz

EEI making information up

Hello team,

We have realized that a computer belonging to our technical support team shows a threat alarm about what looks like a Filecoder.Crysis sample (eei filecoder.png). The problem is that when we look at the log on the computer or in the ESMC (esmc threat.png), this sample doesn't show up, so we are worried that the EEI is making information up.

I have added the logs from the affected computer and from the EEI server for that day, the day before and the day after to this file on our FTP:

link: https://cloud.protegerse.com/s/id75SJPaKYZ3DJL
name of the file: "eei 22-05-19.zip"
password: "clean"

Best regards

Attachments: eei filecoder.png, esmc threat.png

Does the user on the machine in question receive files from customers, for instance, and process them? Are there any files that had been on the machine and were encrypted?

What is the ESET subfolder in the Downloads folder intended for?

1 hour ago, Marcos said:

Does the user on the machine in question receive files from customers, for instance, and process them? Are there any files that had been on the machine and were encrypted?

What is the ESET subfolder in the Downloads folder intended for?

Hello Marcos,

Yes, the computer belongs to one of the members of our technical support team, and we sometimes receive encrypted files which we send to the lab to check whether they can be decrypted.

We don't know how knowing what that folder is used for will help, but it is used to store information that he has to send to ESET Bratislava.

Regards


Ok, so this is most likely what happened:
- the support agent received encrypted files from a customer
- upon saving the encrypted files to disk, Ransomware Shield detected suspicious behavior and triggered a detection which, due to a bug, was not logged locally in the Detection log but was reported to EEI

What I would suggest:
- Excluding the ESET folder in which files from customers are saved
- Editing the ACL to deny read & execute permission on files in that folder, to prevent the support agent from executing malicious files that might be saved there.

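One way to carry out the ACL part of the suggestion above, as an added example that is not from the original thread and not ESET's own guidance. The folder path and the account name are assumptions. It deviates from the post in one deliberate way: it denies only the ExecuteFile right on files inside the folder rather than the combined Read & Execute permission, so the agent can still open and upload the customer samples while being unable to run any executable dropped there.

```powershell
# Added example (not from the original thread). Assumed values:
$Folder  = 'C:\Users\agent\Downloads\ESET'   # assumed path of the customer-sample folder
$Account = 'CORP\agent'                      # assumed account of the support agent

# Deny ExecuteFile (not Read) on every file below the folder.
# ObjectInherit + InheritOnly: the ACE is inherited by files in the tree but is not
# applied to the folder object itself, so listing and traversing the folder still work.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Account,
    [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
    [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,
    [System.Security.AccessControl.AccessControlType]::Deny
)

$acl = Get-Acl -Path $Folder
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Verify: show the deny entries now stored on the folder.
(Get-Acl -Path $Folder).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize

# Verify on an existing file: the inherited deny ACE must appear in its effective ACL.
Get-ChildItem -Path $Folder -File | Select-Object -First 1 | ForEach-Object {
    (Get-Acl -Path $_.FullName).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -eq $Account }
}
```

Run it from an elevated session, since the agent's own account must not be able to change this ACL. Deny ACEs are evaluated before allow ACEs, so this holds even if the agent has Modify on the folder. Two caveats: the deny only blocks direct execution of PE files; a script or document saved there can still be opened by its interpreter (PowerShell, Office, a browser), so it is a reduction of risk, not a substitute for the product-level exclusion mentioned in the post, which is configured in the ESET policy rather than by this script. The execution test itself must be done while logged in as the agent account; an administrator running the file would not hit the deny.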

Ok, we will try the suggestions, but I find it hard to believe that this bug happens once a week, every week.


Regards

Attachments: 9 may eei.png, 17 april .png, 17 april eei.png, 30 april eei.png, 30 april.png, 9 may.png

Of course the bug where a Ransomware Shield detection is not logged on clients manifests every time a suspicious (encrypted) file has been created by renaming; however, that's the only bug related to your report.

I don't see any problems with the records you marked with the red rectangle. Please clarify and post a screenshot with the alarm details.

This is what I have understood, so please correct me if I'm wrong: there is a bug that makes it so that when there is a Ransomware Shield detection, it doesn't get registered in either the local client or the ESMC, but it does get registered in the EEI.

The records I marked with the red rectangle are the times when there should have been a record about ransomware, according to the EEI records.
