Mike45, posted March 17, 2016: Hi, how do I block a process that creates .locky files? HIPS seems not to be working for this. Thanks.
MrWrighty, posted March 17, 2016: You need to find the source process that is running and kill it, then remove the tmp files in the user's account. A customer of mine has just been hit big time: 58,000 files encrypted. According to ESET it should also delete all VSS shadow copies, but that doesn't seem to have happened, as I am able to restore from Previous Versions.
Gonzalo Alvarez (ESET Staff), posted March 17, 2016: Hi @Mike45, ESET LiveGrid should be active to ensure protection against new waves of threats; keeping ESET on the latest version helps too. Check your ESET config.
Mike45, posted March 17, 2016: I already have the latest version/definitions, for sure, and my ESET config is OK. My question is: why, when I ask ESET (in HIPS) to block files, doesn't it work?
Marcos (Administrator), posted March 17, 2016, quoting Mike45 ("my question is: why when I ask ESET (in HIPS) to block files it doesn't work"): Could you please clarify what you mean? Did you create a block HIPS rule and it didn't work, i.e. it failed to block a particular file?
Mike45, posted March 17, 2016: Yes, I've tested many rules; nothing works. Is there anyone who could make it work?
Marcos (Administrator), posted March 17, 2016: I'm sorry, but it's still not clear what you're trying to achieve. What exactly doesn't work? Please clarify.
Mike45, posted March 18, 2016 (edited): I want to block/disable .locky file creation/renaming, like this: hxxp://www.netstaff.fr/blog/?p=768
toxinon12345 (ESET Insider), posted March 19, 2016 (edited): HIPS is for geek users. It seems you must use the notation HKEY_USERS rather than HKEY_CURRENT_USER.
Mike45, posted March 19, 2016: I'm not talking about HKCU\Software\locky but about .locky files (second screen capture).
toxinon12345 (ESET Insider), posted March 19, 2016, quoting Mike45 ("I'm talking about .locky files (second screen capture)"): The only requirement is the 'drive:\' prefix. Anyway, I'm not sure if that is recursive for all nested directory levels.
toxinon12345 (ESET Insider), posted March 19, 2016 (edited): HIPS is for geek users. I created a HIPS rule as a mitigation for the Locky threat (Filecoder):
---> Log enabled, notification enabled
---> Registry keys [blocked] for √[Renaming] √[Modify] operations: HKEY_USERS\*\software\LOCKY\*
Then make sure to remove any existing LOCKY registry key at that location.
Mike45, posted March 19, 2016: OK, thanks, but how do I block Locky file creation? If I block this registry key, is Locky totally blocked?
toxinon12345 (ESET Insider), posted March 19, 2016 (edited): We could even block application execution from the %temp% folder. Create a rule blocking application start for:
---> [userFolder]\appData\Local\Temp\svchost.exe
As far as I know, Locky writes to this path as part of its install.
toxinon12345 (ESET Insider), posted March 19, 2016 (edited): OK, another plus would be to make a directory tree read-only. For example, I designated my HD partition 'F:' as read-only by creating this rule:
Blocked file writes for:
This source app ----> [userFolder]\appData\Local\temp\svchost.exe
These file paths ---> F:\*.*
So F: and any subfolder would be protected against Locky.
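The HIPS rules in the three posts above are preventive; the script below is an added example, not from the thread or from ESET, that checks a Windows host for the same indicators from PowerShell so you can tell whether a machine is already affected before or after applying the rules. The registry key (HKEY_USERS\*\Software\Locky), the ...\AppData\Local\Temp\svchost.exe path and the .locky extension are taken from the posts; the function name, the default scan root and the -Remove switch are my own assumptions. It also lists surviving VSS shadow copies, since MrWrighty reports that Locky's shadow-copy deletion did not always happen and Previous Versions still worked:

```powershell
# Added example (not from the thread or from ESET). Read-only triage for the Locky
# indicators discussed above; -Remove additionally deletes the Locky registry key(s).
function Get-LockyIndicators {
    param(
        [string]$ScanRoot = $env:USERPROFILE,   # assumption: where to look for *.locky files
        [switch]$Remove                          # assumption: also delete HKU\<SID>\Software\Locky
    )
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Registry: HKEY_USERS\<SID>\Software\Locky, the key the HIPS rule blocks as
    #    HKEY_USERS\*\software\LOCKY\*. Walking HKEY_USERS covers every loaded profile,
    #    which is why the rule has to use HKU rather than HKCU.
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue | ForEach-Object {
        $key = "Registry::HKEY_USERS\$($_.PSChildName)\Software\Locky"
        if (Test-Path -LiteralPath $key) {
            $findings.Add([pscustomobject]@{ Type = 'RegistryKey'; Item = $key })
            if ($Remove) { Remove-Item -LiteralPath $key -Recurse -Force }
        }
    }

    # 2. Processes: a svchost.exe whose image lives outside %SystemRoot% (for example the
    #    ...\AppData\Local\Temp\svchost.exe path cited above) is not the Windows service host.
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $image = $_.ExecutablePath
        if ($image -and $image -notlike "$env:SystemRoot\*") {
            $findings.Add([pscustomobject]@{ Type = 'Process'; Item = "PID $($_.ProcessId): $image" })
        }
    }

    # 3. Encrypted files: count *.locky under the scan root (the extension Locky appends).
    $locky = @(Get-ChildItem -LiteralPath $ScanRoot -Filter '*.locky' -Recurse -File -Force `
               -ErrorAction SilentlyContinue)
    if ($locky.Count -gt 0) {
        $findings.Add([pscustomobject]@{ Type = 'EncryptedFiles'
                                         Item = "$($locky.Count) *.locky files under $ScanRoot" })
    }

    # 4. Shadow copies: if any survive, Previous Versions may still restore files.
    #    Win32_ShadowCopy requires an elevated shell.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    $findings.Add([pscustomobject]@{ Type = 'ShadowCopies'
                                     Item = "$($shadows.Count) VSS shadow copies present" })

    return $findings
}

# Usage: run in an elevated PowerShell; add -Remove to delete the Locky key(s) found.
Get-LockyIndicators -ScanRoot 'C:\Users' | Format-Table -AutoSize
```

A host that reports a Locky registry key or a svchost.exe outside %SystemRoot% is already running the malware, so kill that process first (as MrWrighty advises) and only then clean the key; a non-zero shadow-copy count is worth checking with Previous Versions before assuming the files are lost.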
Mike45, posted March 21, 2016: I didn't ask for this... Why don't you answer correctly? :/ Blocking execution of temp .exe files isn't the right solution, for sure. Create a partition for 300 computers?? So I just asked how to block creation of .locky files (block this extension in ESET HIPS rules), because it doesn't do what I add.
macros, posted April 1, 2016: Well, there must be a solution from ESET to block .locky file creation. Why should we do tricks with HIPS? What is our antivirus for, then?
Mark Miller, posted April 26, 2016: Hello, my computer is infected by ransomware. Please guide me to remove it!
Marcos (Administrator), posted April 26, 2016, replying to Mark Miller: If you are a paying user, submit the following to samples@eset.com:
1. the output from ESET Log Collector (hxxp://support.eset.com/kb3466/)
2. examples of encrypted files (ideally some Office documents)
3. the payment instructions
karcer, posted May 15, 2016: Is there a way to recover the files that now have the extension .locky? For the most part I do not care about the files that were encrypted, but there are a few that I would really like to have back.
Marcos (Administrator), posted May 17, 2016: Unfortunately, files encrypted by Filecoder.Locky cannot be decrypted. As instructed above, feel free to provide me with the output from ESET Log Collector for a check to make sure that you have ESET configured for maximum protection.
Mike45, posted May 17, 2016: hxxp://www.lemondeinformatique.fr/actualites/lire-des-chercheurs-retrouvent-une-parade-contre-cryptoxxx-64828.html
Marcos (Administrator), posted May 17, 2016, replying to the link above: This topic is about Locky, not about CryptProjectXXX, which we at ESET can decode as well.