Filecoder Stop

[NewbyUser 72]

Did the STOP definition receive any updates? Did a scan last night which was clean. Def 21274 was used. Did a scan tonight with Def 21278 and have a Win32/Filecoder.STOP detection. Hadn't received any detection from RTP in between said scans. 

[itman 1,627]

Are your files encrypted? Hopefully not.

Post a screen shot of the detection from the Eset Detection log.

Edited May 5, 2020 by itman

[NewbyUser 72]

No, they're not. There's no indication of any infection. It's in my Opera Cache, which isn't a known vector of STOP which i'm aware of.

[NewbyUser 72]

[itman 1,627]

You can submit the quarantined entry to Eset for analysis and ask for a verification if its actually malicious.

[NewbyUser 72]

Done. 

[Marcos 4,911]

Unfortunately I was unable to find any Filecoder.STOP-related file among today's submissions. Did you submit it anonymously or with your forum registration email address?

Do you have any files except cache.ndb in "C:\ProgramData\ESET\ESET Security\Charon" ? I've tested file submission myself and it worked.

 

[NewbyUser 72]

No, that's the only files there.

[NewbyUser 72]

Theres the log entry for the submission if that helps track it down. I'm in US Eastern time zone if timestamp helps.

[Marcos 4,911]

I've found it submitted. Actually the problem is that on the website the ransomware note was inserted in a raw form without any html formatting (after <pre> and <code> tags) which triggered the detection.

[NewbyUser 72]

Thanks Marcos

[NewbyUser 72]

Thinking some more, isn't this technically a FP? Is that why RTP didn't alert while I was on the page?