Jump to content

Recommended Posts

  • ESET Insiders

Hi,

Why ESET is deleting Ransomware notes ? it contain important info like ID that can be used to decrypt the encrypted files !

Thanks

Link to post
Share on other sites
  • Administrators

Any file that is cleaned is also quarantined so that users can restore it if necessary. Moreover, ransomware notes are not cleaned automatically in default cleaning mode.

Link to post
Share on other sites
  • ESET Insiders
10 minutes ago, Marcos said:

Any file that is cleaned is also quarantined so that users can restore it if necessary. Moreover, ransomware notes are not cleaned automatically in default cleaning mode.

You mean this option ?
Snap1.jpg
Also i know it can be restored but i must disable the protection to restore it

What the point of deleting it ?

Here's an example, it's being deleted via database, and here's virus total
https://www.virustotal.com/gui/file/c65b7b3734f8f42687487c69c50da5ba31915d092ae8bca3ae4d1670300f652c/detection

_readme.rar

Edited by BALTAGY
Link to post
Share on other sites
  • Administrators

The user is asked for an action upon detection. While the best would be to detect and log the detection with no cleaning or promting at all, such behavior is not supported. Adding detection without cleaning just for the sake of ransomware notes would be quite expensive in terms of resources.

Link to post
Share on other sites
  • ESET Insiders
Just now, Marcos said:

The user is asked for an action upon detection. While the best would be to detect and log the detection with no cleaning or promting at all, such behavior is not supported. Adding detection without cleaning just for the sake of ransomware notes would be quite expensive in terms of resources.

Not sure i get what you mean ? Yes the user is asked but if you choose ignore it will keep come up many times until you exclude it or delete it

I just want to know what the point of delete the ransom note ? it's harmless also if ESET can't detect the ransomware it self and only delete the ransom note after sometime while ransom is running and downloading other viruses etc, the user may not be able to recover the note from quarantine

Link to post
Share on other sites
  • Administrators

It must be detected. Unfortunately, that also means that an action has to be selected. The user can exclude a particular file from derection in order to be able to read the notes.

Link to post
Share on other sites
  • ESET Insiders
Just now, Marcos said:

It must be detected. Unfortunately, that also means that an action has to be selected. The user can exclude a particular file from derection in order to be able to read the notes.

Why it must be detected if it harmless ? i'm just curios

Link to post
Share on other sites
  • ESET Insiders
4 minutes ago, Marcos said:

For forensic analysis for instace when trying to find out how encryption occurred.

how encryption occurred is not in ransom note, ransom note only contain info how to pay and emails and the important part is the id

Even if anyone removed the ransomware it self from the system and didn't delete the ransom note it won't do anything but it will help the user to determine the ransom name and version by uploading it to some sites like id ransomware

I hope you consider leaving the note as it contain an important info and if something wrong happen to the system the user may not be able to recover the files without it like GandCrab it's ransom note is important to recover the files

Link to post
Share on other sites

It's not unusual for security products to use the presence of a ransomware note as one criteria in their ransomware behavior evaluation. Therefore, just the presence of a note would be enough to trigger their anti-ransomware detection processing.

Appears in Eset's case, the presence of a note is enough to capture it, upload it for analysis, and then delete it. My concern here is what happens if Eset missed the ransomware, your files are encrypted, and it later detects the ransomware note? Appears the recovery procedure is create a real-time exclusion for the note detection and then remove the note from quarantine to be able to view the note. A bit of a stretch for the average user.

Edited by itman
Link to post
Share on other sites
  • ESET Insiders
5 hours ago, itman said:

Appears the recovery procedure is create a real-time exclusion for the note detection and then remove the note from quarantine to be able to view the note. A bit of a stretch for the average user.

That's what i'm talking about, also many users won't even know it's a ransomware and could be waiting online for sometime then the ransom will keep downloading other viruses etc until the system freeze and you can't open it and for sure the ransom note also will be gone and you can't use it if the Decryptor require it

This scenario can easily happen, if the anti-ransomware need to read the ransom note to be triggered then it also can read it and leave it 

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...