
Posted

Hi,

How to block a process that creates .locky files?

HIPS doesn't seem to work for this.

Thanks

Posted

You need to find the source process that is running and kill it, then remove the tmp files in the user's account.

 

A customer of mine has just been hit big time, 58000 files encrypted. According to ESET it should also delete all VSS shadow copies, but that doesn't seem to have happened, as I am able to restore from previous versions.
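As an added example that is not part of this thread (and not ESET code): a small Python script that follows the advice above, picking out the source process behind a burst of .locky file creations in a constructed file-create log. The field layout, the burst window and the threshold are assumptions of the example, not anything the thread specifies.

```python
"""Added example (not from this thread or ESET): find the process behind a
burst of .locky creations in a constructed file-create log. Assumed (my
choice): 'timestamp|pid|image|target' lines; window/threshold are arbitrary."""
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_EXT = ".locky"
WINDOW = timedelta(seconds=10)  # burst window
THRESHOLD = 4                   # .locky creations inside one window => flag
TEMP_MARKER = "\\appdata\\local\\temp\\"  # install path named in the thread

# Constructed sample (not real telemetry): an editor, an encryptor, an analyst.
SAMPLE_LOG = """\
2016-03-01T10:00:01|4120|C:\\Windows\\System32\\notepad.exe|C:\\Users\\bob\\notes.txt
2016-03-01T10:00:02|3316|C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe|C:\\Users\\bob\\Documents\\A1B2C3D4.locky
2016-03-01T10:00:03|3316|C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe|F:\\Share\\Q1.locky
2016-03-01T10:00:04|3316|C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe|F:\\Share\\Q2.locky
2016-03-01T10:00:06|3316|C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe|F:\\Share\\Q3.locky
2016-03-01T10:05:00|5200|C:\\Tools\\ir_collect.exe|D:\\Evidence\\sample1.locky
"""


def parse_events(text):
    """Parse 'timestamp|pid|image|target' lines into event dicts."""
    events = []
    for line in filter(None, text.splitlines()):
        ts, pid, image, target = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "pid": int(pid),
                       "image": image, "target": target})
    return events


def find_encryptors(events, threshold=THRESHOLD, window=WINDOW):
    """{pid: {image, count, from_temp}} for processes with >= threshold .locky
    creations inside any window-long interval (one slow copy is not flagged)."""
    stamps_by_pid, image_by_pid = defaultdict(list), {}
    for ev in events:
        if ev["target"].lower().endswith(RANSOM_EXT):
            stamps_by_pid[ev["pid"]].append(ev["ts"])
            image_by_pid[ev["pid"]] = ev["image"]
    flagged = {}
    for pid, stamps in stamps_by_pid.items():
        stamps.sort()
        # Sliding window: creation i and the threshold-1 before it within window.
        if any(stamps[i] - stamps[i - threshold + 1] <= window
               for i in range(threshold - 1, len(stamps))):
            image = image_by_pid[pid]
            flagged[pid] = {"image": image, "count": len(stamps),
                            "from_temp": TEMP_MARKER in image.lower()}
    return flagged
```

Running `find_encryptors(parse_events(SAMPLE_LOG))` flags only pid 3316, the Temp\svchost.exe process, while the analyst's single copy of a sample is left alone.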

  • ESET Staff
Posted

Hi @Mike45,

 

ESET Live Grid should be active to ensure protection against new waves of threats; keeping ESET on the latest version helps too.

 

Check your ESET config.

Posted

I already have the latest version/definitions for sure.

My ESET config is OK.

My question is: why, when I ask ESET (in HIPS) to block files, doesn't it work?

  • Administrators
Posted

My question is: why, when I ask ESET (in HIPS) to block files, doesn't it work?

 

Could you please clarify what you mean? Did you create a blocking HIPS rule and it didn't work, i.e. it failed to block a particular file?

Posted

Yes, I've tested many rules, nothing works.

Is there anyone that could make it work?

  • Administrators
Posted

I'm sorry but it's still not clear what you're trying to achieve. What exactly doesn't work? Please clarify.

  • ESET Insiders
Posted (edited)

HIPS is for geek users.

It seems you must use the notation HKEY_USERS rather than HKEY_CURRENT_USER.

Edited by toxinon12345
Posted

I'm not talking about HKCU\Software\locky
but about .locky files (second screen capture).

 

  • ESET Insiders
Posted

I'm talking about .locky files (second screen capture).

The only requirement is the 'drive:\' prefix.

Anyway, I'm not sure if that is recursive for all nested directory levels.

  • ESET Insiders
Posted (edited)

HIPS is for geek users.

I created a HIPS rule as a mitigation for the LOCKY threat (Filecoder):

---> Log enabled, notification enabled

---> Registry keys [blocked] for

√[Renaming]

√[Modify] operations

HKEY_USERS\*\software\LOCKY\*

Then make sure to remove any existing LOCKY regkey at that location.

Edited by toxinon12345
Posted

OK, thanks.

But how to block Locky file creation?

If I block this registry key, is Locky totally blocked?

  • ESET Insiders
Posted (edited)

We could even block application execution from the %temp% folder.

Create a rule blocking application start for:

---> [userFolder]\appData\Local\Temp\svchost.exe

As far as I know, Locky writes to this path as part of its install.

Edited by toxinon12345
  • ESET Insiders
Posted (edited)

OK, another plus would be making a directory tree read-only.

For example, I designated my HD partition 'F:' as read-only by creating this rule:

Blocked file writes for:

This source app

----> [userFolder]\appData\Local\temp\svchost.exe

These file paths

---> F:\*.*

So F: and any subfolder would be protected against Locky.

Edited by toxinon12345
Posted

I didn't ask for this...

Why don't you answer correctly? :/
Blocking execution of temp .exe files isn't the right solution for sure.

Create a partition for 300 computers??

So I've just asked how to block creation of .locky files (block this extension in ESET HIPS rules), because it doesn't do what I add.

  • 2 weeks later...
Posted

Well, there must be a solution from ESET for blocking .locky file creation.

Why should we do tricks with HIPS? What is our antivirus for then?

  • 4 weeks later...
  • Administrators
Posted

Hello, my computer is infected by ransomware. Please guide me to remove it!

 

If you are a paying user, submit the following stuff to [email protected]:

1. the output from ESET Log Collector (hxxp://support.eset.com/kb3466/)

2. examples of encrypted files (ideally some Office documents)

3. payment instructions

  • 3 weeks later...
Posted

Is there a way to recover the files that now have the extension .locky? For the most part I do not care about the files that were encrypted, but there are a few that I would really like to have back.

  • Administrators
Posted

Unfortunately, files encrypted by Filecoder.Locky cannot be decrypted. As instructed above, feel free to provide me with the output from ESET Log Collector for a check to make sure that you have ESET configured for maximum protection.
