BAD REPUTATION

[nile 0]

On our network we have ESET ENDPOINT antivirus with 50 licenses with regular updates. We recently had a Phobos Ransomware virus attack with a (. [Painplain98@protonmail.com] .calix) extension that infected the entire network including the server. How is it possible that ESET ENDPOINT did not detect it? Does the eset not detect these types of viruses ?. All in all a bad reputation for ESET.

[Marcos 5,074]

Phobos is typically run by attackers after brute-forcing RDP, logging in as a user with administrator rights and disabling or killing antivirus.

In order to investigate what happened and to provide you with a list of things to harden the system against such attacks, please email samples[at]eset.com the following:
- a handful of encrypted files (ideally Office documents)
- the ransomware note with payment instructions
- logs collected with ESET Log Collector.

[nile 0]

How to prevent disabling or kiling ESET proceses !!!

[Marcos 5,074]

In the first place, you should secure RDP. Ideally allow it only in your LAN and for connections from outside use VPN or RDP with 2FA. Also I'd recommend enabling the account lockout policy,

As for ESET, you can harden settings by enabling detection of pot. unsafe applications and protecting settings with a password. You can also enforce default real-time protection settings by a policy so that the settings cannot be changed locally on clients by users.

[peteyt 393]

12 minutes ago, nile said:

How to prevent disabling or kiling ESET proceses !!!

As mentioned this ransomware with a few others get in by brute force. Is RDP enabled. What tends to happen is they use brute force to figure out the login to get in. They then attempt to disable eset which is made much easier if eset doesn't have a password set for its settings. You can set it so that RDP has a set number of login attempts before locking a user out. Also it's important to make sure you are fully patched with windows updates

[Marcos 5,074]

And most importantly - back up, back up, back up. By doing so you will protect your data even against sudden hardware failures.

[peteyt 393]

2 hours ago, Marcos said:

And most importantly - back up, back up, back up. By doing so you will protect your data even against sudden hardware failures.

Can I just confirm - would the user in the video have had to disable eset to download this ransomware. Obviously it shows in the video eset didn't detect once run but I presume eset would have blocked it from actually being downloaded in the first place?

[peteyt 393]

Just wanted to share a video by the same user for another AV where the developer of that AV has claimed the user has been using bad practises including in the video secretly whitelisting one of the malicious files

It shows that you have to take tests with a pinch of salt

 

[itman 1,659]

1 hour ago, peteyt said:

Just wanted to share a video by the same user for another AV where the developer of that AV has claimed the user has been using bad practises including in the video secretly whitelisting one of the malicious files

That's the problem with these u-Tube videos. Creator can pause the video and then modify settings in whatever is being tested. Then restart the video and claim the product being tested is deficient.

Also he is running the free version of VoodooShield in default AutoPilot mode. This mode is the least secure mode for VoodoShield and bypasses of it have been publically posted. The paid version of VS uses MS clould Auzure servers for additional sandboxed ML scanning.

[itman 1,659]

11 hours ago, peteyt said:

Can I just confirm - would the user in the video have had to disable eset to download this ransomware. Obviously it shows in the video eset didn't detect once run but I presume eset would have blocked it from actually being downloaded in the first place?

Only if Eset had a full signature for it. Per real-time default settings, advanced heuristics and DNA signatures are only applied at program execution time. Additionally, the ransomware shield is a HIPS protection which also implies it is deployed at program execution time.

Edited November 9, 2019 by itman

[peteyt 393]

35 minutes ago, itman said:

Only if Eset had a full signature for it. Per real-time default settings, advanced heuristics and DNA signatures are only applied at program execution time. Additionally, the ransomware shield is a HIPS protection which also implies it is deployed at program execution time.

I actually posted this in the wrong post. My question was actually in regards to the zerocrypt ransomware from this post 

my question is as the user in the video didn't show us him downloading the ransomware does that mean it was probably detected and he conveniently did not show this part.

 

[itman 1,659]

14 hours ago, peteyt said:

my question is as the user in the video didn't show us him downloading the ransomware does that mean it was probably detected and he conveniently did not show this part.

Most of these malware samples are downloaded from the various malware hubs hosted on sites like VT and malwaretips.com as password protected archives. As such, Eset can't scan the archive on download. I've done the same myself. No security issue here since Eset real-time scanning will scan the .exe at startup using advanced hueristics and DNA signatures. Scripts are a different issue however. On Win 10, Eset will use AMSI to scan and detect any malware in those.