Win32/Filecoder.Trigona disable Endpoint/AV on Servers and make server attack.

[denpin 0]

My server has been attacked by  Win32/Filecoder.Trigona. Before attack about 5 mins. Endpoint alert disabled. How virus can disable my AV?

[Marcos 5,090]

Please supply me with:
- logs collected with ESET Log Collector
- a couple of encrypted files (ideally Office documents)
- the ransomware note with payment instructions

[itman 1,668]

Since this is the second recent attack: https://forum.eset.com/topic/37441-endpoint-infected-ransomware/ where Eset Endpoint protection has been disabled in Vietnam, a security advisory should be issued to recommend Eset endpoint settings be password protected.

[Marcos 5,090]

As long as a machine is managed by ESET PROTECT Cloud, administrators are presented with a wizard enabling them to set up password protection easily:

[denpin 0]

Thank you @Marcos. My server is shut down and isolated from my environment. I'm trying to turn it on but cannot run Eset Collect. 

 

I'm also enabling set up password protection.

 

[denpin 0]

Thank you information @itman. Very helpful. 

I'm also enabling set up password protection.

[denpin 0]

So, @MarcosHow about Rootkit scanner by Eset? Which is tool can do that? 

[Marcos 5,090]

59 minutes ago, denpin said:

So, @MarcosHow about Rootkit scanner by Eset? Which is tool can do that? 

ESET can detect active rootkits. You can also use Gmer to find suspicious processes that attempt to hide in the systems but it detects also legit applications just based on the behavior so you should interpret the results with a grain of salt.