
On our network we have ESET ENDPOINT antivirus with 50 licenses with regular updates. We recently had a Phobos Ransomware virus attack with a (. [Painplain98@protonmail.com] .calix) extension that infected the entire network, including the server. How is it possible that ESET ENDPOINT did not detect it? Does ESET not detect these types of viruses? All in all, a bad reputation for ESET.


Phobos is typically run by attackers after brute-forcing RDP, logging in as a user with administrator rights and disabling or killing antivirus.

In order to investigate what happened and to provide you with a list of things to harden the system against such attacks, please email samples[at]eset.com the following:
- a handful of encrypted files (ideally Office documents)
- the ransomware note with payment instructions
- logs collected with ESET Log Collector.


How to prevent disabling or killing ESET processes!!!


In the first place, you should secure RDP. Ideally allow it only in your LAN, and for connections from outside use VPN or RDP with 2FA. Also I'd recommend enabling the account lockout policy.

As for ESET, you can harden settings by enabling detection of potentially unsafe applications and protecting settings with a password. You can also enforce default real-time protection settings by a policy so that the settings cannot be changed locally on clients by users.

12 minutes ago, nile said:

How to prevent disabling or killing ESET processes!!!

As mentioned, this ransomware, with a few others, gets in by brute force. Is RDP enabled? What tends to happen is they use brute force to figure out the login to get in. They then attempt to disable ESET, which is made much easier if ESET doesn't have a password set for its settings. You can set it so that RDP has a set number of login attempts before locking a user out. Also it's important to make sure you are fully patched with Windows updates.

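
Marcos's and itman's replies above recommend the same steps on the Windows side: allow RDP only from the LAN or over VPN, and enable an account lockout policy. The script below is an added example, not code from this thread or from ESET, that audits those settings on a host and, when run with -Apply, changes them. It also requires Network Level Authentication, which the thread does not mention but which makes a password mandatory before a session is even created. The address ranges and the lockout values are assumptions; replace them with your own. The ESET-side hardening (settings password, enforcing real-time protection by policy) is done in the ESET console and is not covered here. Run it in an elevated PowerShell session; on a domain-joined host the lockout policy normally comes from Group Policy, so set it there instead.

```powershell
# Added example (not ESET's code and not from the original posts): audit and, with -Apply,
# harden the RDP exposure that Phobos operators abuse. Run in an elevated session.
# $AllowedSources is an assumption: replace it with your LAN and VPN ranges.
param(
    [switch]$Apply,
    [string[]]$AllowedSources = @('10.0.0.0/8', '192.168.0.0/16')   # assumed internal ranges
)

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

# 1. Is RDP enabled at all? fDenyTSConnections = 0 means the host accepts connections.
$rdpEnabled = (Get-ItemProperty $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0

# 2. Is Network Level Authentication required? UserAuthentication = 1 means yes.
$nla = (Get-ItemProperty $tcp -Name UserAuthentication).UserAuthentication -eq 1

# 3. Which remote addresses do the enabled inbound Remote Desktop firewall rules accept?
#    'Any' here means the whole Internet can reach the RDP listener.
$rules  = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True `
                              -ErrorAction SilentlyContinue
$scopes = $rules | Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress -Unique

# 4. Current local lockout policy ("Never" means brute force is not throttled at all)
$lockout = (net accounts) -match 'Lockout threshold'

[pscustomobject]@{
    RdpEnabled         = $rdpEnabled
    NlaRequired        = $nla
    FirewallRemoteAddr = ($scopes -join ', ')
    LockoutPolicy      = ($lockout -join '').Trim()
} | Format-List

if (-not $Apply) {
    Write-Host 'Audit only. Re-run with -Apply to change the settings.'
    return
}

# Require NLA so credentials are checked before a session (and its attack surface) exists
Set-ItemProperty $tcp -Name UserAuthentication -Value 1

# Restrict inbound RDP to the internal ranges; everything else must come in through the VPN
$rules | Set-NetFirewallRule -RemoteAddress $AllowedSources

# Lock an account for 30 minutes after 5 failures within a 30-minute window.
# These numbers are assumptions; tune them, and prefer Group Policy on domain members.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
```

Run the audit first on a machine you can still reach by another route: tightening the firewall scope from a remote RDP session that is outside the allowed ranges will cut that session off. If RdpEnabled comes back False on a server that does not need RDP at all, leave it that way rather than hardening a service nobody uses.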

And most importantly - back up, back up, back up. By doing so you will protect your data even against sudden hardware failures.

2 hours ago, Marcos said:

And most importantly - back up, back up, back up. By doing so you will protect your data even against sudden hardware failures.

Can I just confirm: would the user in the video have had to disable ESET to download this ransomware? Obviously it shows in the video that ESET didn't detect it once run, but I presume ESET would have blocked it from actually being downloaded in the first place?


Just wanted to share a video by the same user for another AV, where the developer of that AV has claimed the user has been using bad practices, including, in the video, secretly whitelisting one of the malicious files.

It shows that you have to take tests with a pinch of salt

1 hour ago, peteyt said:

Just wanted to share a video by the same user for another AV, where the developer of that AV has claimed the user has been using bad practices, including, in the video, secretly whitelisting one of the malicious files.

That's the problem with these YouTube videos. The creator can pause the video and then modify settings in whatever is being tested, then restart the video and claim the product being tested is deficient.

Also, he is running the free version of VoodooShield in default AutoPilot mode. This mode is the least secure mode for VoodooShield, and bypasses of it have been publicly posted. The paid version of VS uses MS cloud Azure servers for additional sandboxed ML scanning.

11 hours ago, peteyt said:

Can I just confirm: would the user in the video have had to disable ESET to download this ransomware? Obviously it shows in the video that ESET didn't detect it once run, but I presume ESET would have blocked it from actually being downloaded in the first place?

Only if ESET had a full signature for it. Per real-time default settings, advanced heuristics and DNA signatures are only applied at program execution time. Additionally, the ransomware shield is a HIPS protection, which also implies it is deployed at program execution time.

35 minutes ago, itman said:

Only if ESET had a full signature for it. Per real-time default settings, advanced heuristics and DNA signatures are only applied at program execution time. Additionally, the ransomware shield is a HIPS protection, which also implies it is deployed at program execution time.

I actually posted this in the wrong post. My question was actually in regards to the zerocrypt ransomware from this post 

My question is: as the user in the video didn't show us him downloading the ransomware, does that mean it was probably detected and he conveniently did not show this part?

14 hours ago, peteyt said:

My question is: as the user in the video didn't show us him downloading the ransomware, does that mean it was probably detected and he conveniently did not show this part?

Most of these malware samples are downloaded from the various malware hubs hosted on sites like VT and malwaretips.com as password-protected archives. As such, ESET can't scan the archive on download. I've done the same myself. No security issue here, since ESET real-time scanning will scan the .exe at startup using advanced heuristics and DNA signatures. Scripts are a different issue, however. On Win 10, ESET will use AMSI to scan and detect any malware in those.

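
itman's replies above describe where the scanning hooks sit: a password-protected archive cannot be opened by the scanner, the executable inside is scanned by real-time protection when it is started, and scripts on Windows 10 are scanned through AMSI. The script below is an added example, not code from this thread or from ESET, that exercises two of those layers on a test machine without touching live malware: it uses the industry-standard EICAR test file for on-access file scanning and Microsoft's AMSI test string for script scanning. One caveat: the AMSI test string is defined by Microsoft Defender, and whether a third-party AMSI provider flags it varies, so a miss there shows only that the installed product uses a different test sample, not that AMSI scanning is off. The temp directory name is an assumption.

```powershell
# Added example (not from the original posts, not ESET's code): exercise the on-access
# file scanner and the AMSI script hook with harmless test samples. Run on a Windows 10
# test host with an AMSI-aware AV installed. Expected outcomes are noted in comments.

$work = Join-Path $env:TEMP 'av-layer-check'   # assumed scratch location
New-Item -ItemType Directory -Path $work -Force | Out-Null

# The EICAR string is assembled from two halves at run time so that this script file
# is not itself quarantined the moment it is saved to disk.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STAN' + 'DARD-ANTIVIRUS-TEST-FILE!$H+H*'

# Layer 1: on-access file scanning. Writing the plain test file should either be blocked
# outright or be followed by quarantine, so the file must not be present afterwards.
$plain = Join-Path $work 'eicar.com'
try {
    [IO.File]::WriteAllText($plain, $eicar)
    Start-Sleep -Seconds 2
    "On-access: test file still present = $(Test-Path $plain)   (expected: False)"
} catch {
    "On-access: write was blocked: $($_.Exception.Message)"
}

# Layer 2: AMSI script scanning. Invoke-Expression hands the text to AMSI before it runs;
# a provider that recognises the test string throws "malicious content ... blocked".
# Assembled at run time for the same reason as above.
$amsiTest = 'AMSI Test Sample: 7e72c3ce-861b-4339-' + '8740-0ac1484c1386'
try {
    Invoke-Expression "Write-Output '$amsiTest'" | Out-Null
    'AMSI: test string ran without being blocked   (expected with Defender: blocked; third-party providers vary)'
} catch {
    "AMSI: script was blocked: $($_.Exception.Message)"
}

Remove-Item $work -Recurse -Force -ErrorAction SilentlyContinue
```

What this does not cover is the case itman describes for archives: the same EICAR content inside a password-protected ZIP is opaque to the scanner and will sit on disk untouched, which is expected behaviour, not a miss. It becomes a detection event only when something extracts or runs it, which is exactly why the protection that matters for ransomware is the execution-time layer and a settings password that stops an intruder from switching that layer off.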