spacesnow, posted March 17:
So I have a quite old PC which I kept on Windows 7, and I have bought NOD32 Antivirus software. And yesterday, arriving home, I found "Your computer is encrypted bla bla bla" on screen. The computer was left on when I last accessed it remotely myself. It has been like this for about 25 years :). My own fault, and quite interesting that it didn't happen during the last decades. My point here is that the latest updated version of NOD32 which works for Win7 didn't help to avoid that. Maybe it helped during the last 10 years I paid for it, you never know...
Marcos (Administrator), posted March 17:
Microsoft ended support for Windows 7 on Jan 14, 2020: https://support.microsoft.com/en-us/windows/windows-7-support-ended-on-january-14-2020-b75d4580-2cc7-895a-2c9c-1466d9a53962
As of then the OS became vulnerable since no security updates were released. Also, you have NOD32 Antivirus installed, which provides basic protection, i.e. network protection is missing, as well as ESET LiveGuard (available in ESET Smart Security Premium), which performs analysis of suspicious downloaded files in a cloud sandbox before the files are allowed to run.
rotaru, posted March 18:
Quoting Marcos (3/17/2023 at 1:04 PM): "Also you have NOD32 Antivirus installed which provides basic protection"
NOD32 has a "Ransomware Shield" which, for the 1000th time, proves again to be just a fancy thing!
itman, posted March 18 (edited March 18):
There are strong suspicions that the initial attack vector was a brute-force RDP attack. Of note, both EIS and ESSP Network Protection include Network and Brute-force attack protection.
rotaru, posted March 19:
Quoting itman (1 hour ago): "There are strong suspicions"
As always, not ESET's fault......
Nightowl (Most Valued Member), posted March 19:
Quoting rotaru (4 hours ago): "As always, not ESET's fault......"
If someone can log into RDP and disable ESET, then ESET is not capable of defending anything. Still, it is not recommended to be using Windows 7 at all, since if ESET missed the threat, which can happen with any AV available on the market, then there is no way of defense against that malware. Since Microsoft doesn't fix anything with 7 and 8 anymore, you are better off with 10 and 11, or even Linux if you are against using those two systems, but not 7 and 8.
rotaru, posted March 19:
Quoting Nightowl (10 hours ago): "If someone can log into RDP and disable ESET, then ESET is not capable of defending anything"
You are right! But... ESET doesn't have a true anti-ransomware shield; it is just a rebranded part of HIPS to satisfy the market. Absolutely every time a user complained about having his files encrypted, ESET blamed somebody else.
itman, posted March 19:
More FYI on ransomware attacks: https://www.eset.com/fileadmin/ESET/US/resources/ESET_MSP_Advanced_Anti-ransomware_Settings.pdf
Nightowl (Most Valued Member), posted March 19:
Firewalling the RDP port to specific IP addresses, password protecting ESET, account auto-lock on RDP login failures: this will limit the attack space for RDP attacks.
peteyt (Most Valued Member), posted March 23:
Quoting rotaru (3/19/2023 at 3:55 PM): "You are right! But... ESET doesn't have a true anti-ransomware shield; it is just a rebranded part of HIPS to satisfy the market. Absolutely every time a user complained about having his files encrypted, ESET blamed somebody else."
While there are things I'd like to see added to ESET, which have been debated on and off for a while by others, part of the issue is that a lot of the complaints of ESET not protecting well are made by people who don't know the factors behind the issue. As mentioned here, the requester has already confirmed they are using Windows 7, a version that is no longer supported and updated, so there will be vulnerabilities. Using an unsupported OS is like having a prison with a hole in the fence. It can have security, but there's a gaping hole. The requester has also mentioned using remote access. This may have been using a weak or even a leaked password and might not have been set up to block things like certain IPs and also multiple unsuccessful login attempts. As mentioned, if ESET was not password protected, they could easily remote on, disable the ESET protections that would possibly have blocked the ransomware, and then clear any logs to hide what they had done. As mentioned, they used NOD32, so no network protection or brute-force protection, and there's no mention of the version of ESET, so it could have been an older version with less protection. The thing is, ESET may or may not have blocked it if it was on a newer OS with the features mentioned enabled, but security starts with the user, and you can't blame an AV when you're using old unsupported stuff with bad habits.
rotaru, posted March 24 (edited March 24):
Hello Peteyt,
In your answer you mentioned:
"The requester has also mentioned using remote access. This may have been...."
"and might have not to block things like certain IPs"
"if Eset was not password protected"
"and there's no mention of the version of eset so it could have been"
By using lots of may, might, if, you could, you can create any scenario... Point is, I have been using ESET for years, with HIPS in "Smart mode", and I never got a single HIPS-related alert. I am strongly convinced that HIPS and consequently the anti-ransomware module (just a rebranded part of HIPS) are sub-par, close to doing nothing. I still have 8 NOD32 licences, unused, bought this year, for $9 each.
Marcos (Administrator), posted March 24:
Let me sum it up: if you install a security system in your house and put the code in front of the house, don't blame the security system because the thief was able to disarm it and steal things from your house. I barely remember a case where the encryption was caused by ESET's fault. An unpatched system where the attacker was able to remote in and disable ESET prior to running ransomware. In order for ESET to protect users, the following conditions must be met:
- using a fully supported operating system and applications with all available security updates installed
- secured RDP allowing access only from the local network or from specific IP addresses
- using a password to protect ESET settings when other users can access the machine
- enabling detection of potentially unsafe applications to detect and block tools that might kill or remove the AV
- practicing safe computing when it comes to passwords, permissions, applications that one installs and uses, etc.
We recommend using a higher tier product than ESET NOD32 Antivirus, which provides only essential security and comes without the network protection that is able to stop brute-force attacks. Having said that, we'll draw this topic to a close.
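The RDP hardening that Nightowl lists (firewall the RDP port to specific addresses, account auto-lock on failures) and that Marcos's conditions repeat (secured RDP, supported OS) can be applied and audited from an elevated PowerShell session. The script below is an added example written for this thread; it is not code from ESET or from any poster. It assumes Windows 10/11 (or Server 2016 and later) with the built-in NetSecurity module, since the thread's own advice is to leave Windows 7 behind. The 192.168.1.0/24 source range, the rule name and the 5/30/30 lockout values are constructed placeholders to be replaced with your own.

```powershell
# Added example (not from ESET or any poster in this thread): apply and audit the
# RDP hardening steps discussed above. Assumes Windows 10/11 with the NetSecurity
# module, run from an elevated session. Range, rule name and lockout values below
# are constructed placeholders.
#Requires -RunAsAdministrator

$AllowedRdpSources = @('192.168.1.0/24')              # constructed: your admin LAN or VPN range
$RdpRuleName       = 'RDP 3389 - allowed sources only' # constructed rule name

function Set-RdpFirewallScope {
    # Default inbound action Block: anything not matched by an allow rule is dropped.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

    # Turn off the broad built-in "Remote Desktop" allow rules (they allow any remote address).
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule

    # One allow rule scoped to the admin sources. No explicit "block all 3389" rule is
    # added on purpose: in Windows Firewall, block rules win over allow rules, so such a
    # rule would also defeat this scoped allow.
    if (Get-NetFirewallRule -DisplayName $RdpRuleName -ErrorAction SilentlyContinue) {
        Set-NetFirewallRule -DisplayName $RdpRuleName -RemoteAddress $AllowedRdpSources
    } else {
        New-NetFirewallRule -DisplayName $RdpRuleName -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort 3389 -RemoteAddress $AllowedRdpSources -Profile Any | Out-Null
    }
}

function Enable-RdpNetworkLevelAuth {
    # NLA requires the client to authenticate before a desktop session is created,
    # so the logon screen is never exposed to an unauthenticated peer.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    Set-ItemProperty -Path $key -Name 'UserAuthentication' -Value 1 -Type DWord
}

function Set-LocalLockoutPolicy {
    # Local account lockout: 5 failures within 30 minutes lock the account for 30 minutes.
    # On a domain-joined machine the domain GPO overrides these local values.
    net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null
}

function Get-FailedLogonSummary {
    # Summarise Security event 4625 (failed logon) by source address for the last N hours.
    # Logon type 10 is RemoteInteractive (RDP); with NLA enabled, failed RDP attempts are
    # usually recorded as type 3 (network) instead, so both types are kept.
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Account   = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            SourceIp  = ($data | Where-Object Name -eq 'IpAddress').'#text'
            LogonType = ($data | Where-Object Name -eq 'LogonType').'#text'
        }
    } |
    Where-Object { $_.LogonType -in '3','10' } |
    Group-Object SourceIp |
    Sort-Object Count -Descending |
    Select-Object @{ Name = 'SourceIp'; Expression = { $_.Name } }, Count,
                  @{ Name = 'Accounts'; Expression = { ($_.Group.Account | Sort-Object -Unique) -join ',' } }
}

Set-RdpFirewallScope
Enable-RdpNetworkLevelAuth
Set-LocalLockoutPolicy

# After the firewall scope is in place, any source still failing at volume is inside
# the allowed range and deserves a look.
Get-FailedLogonSummary -Hours 24 | Format-Table -AutoSize

# The "password protect ESET" point is set in the ESET product GUI (Advanced setup >
# User interface > Access setup) and is not scripted here.
```

The summary function is the check to keep running after the change: a scoped firewall rule should make the 4625 count from outside the allowed range drop to zero, and anything left is either a misconfigured allowed host or a problem inside the permitted network.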