Jump to content

Recommended Posts

You need to find the source process that is running and kill it, then remove tmp files in the users account.

 

Customer of mine just been hit big time, encrypted 58000 Files. According to Eset it should also delete all VSS shadow copies but that doesn't seem to have happen as I am able to restore from previous versions.

Link to post
Share on other sites

i've already the latest version/definitions for sure

my eset config is ok

my question is : why when i ask eset (in hips) to block files it doesn't work

Link to post
Share on other sites
  • Administrators

my question is : why when i ask eset (in hips) to block files it doesn't work

 

Could you please clarify what you mean? Did you create a block HIPS rule and it didn't work, ie. it failed to block a particular file ?

Link to post
Share on other sites
  • ESET Insiders

i speak about .locky files (second screen capture)

The only requirement is the 'drive:\' prefix

Anyway I'm not sure if that is recursive for all nested directory levels

Link to post
Share on other sites
  • ESET Insiders

HIPS is for geek users.

I created a HIPS rule as a mitigation for the LOCKY threat (Filecoder):

---> Log enabled, notification enabled

---> Registry keys [blocked] for

√[Renaming]

√[Modify] operations

HKEY_USERS\*\software\LOCKY\*

Then make sure to remove any existing LOCKY regkey at that location

Edited by toxinon12345
Link to post
Share on other sites
  • ESET Insiders

We even could block application execution from %temp% folder.

Create a rule blocking application start for :

---> [userFolder]\appData\Local\Temp\svchost.exe

as far as I know, Locky writes to this path as part of its install

Edited by toxinon12345
Link to post
Share on other sites
  • ESET Insiders

Ok, another plus would make a Directory tree Read-only.

For example, I designed my HD partition 'F:' as Read only by creating this rule:

Blocked file writes for:

This source app

----> [userFolder]\appData\Local\temp\svchost.exe

These file path

---> F:\*.*

So F: and any subfolder would be protected against Locky

Edited by toxinon12345
Link to post
Share on other sites

i've not ask for this...w

why don't you answer correctly ? :/
block execution of temp .exe isn't a right solution for sur

create a partition for 300 computer ??

so i've just ask how to block creation of .locky files (block this extention in HIPS eset rules) because it does't do what i add

Link to post
Share on other sites
  • 2 weeks later...
  • 4 weeks later...
  • Administrators

Hello my computer infected by ransomware. please guide me to remove !

 

If you are a paying user, submit the following stuff to samples@eset.com:

1, the output from ESET Log Collector (hxxp://support.eset.com/kb3466/)

2, examples of encrypted files (ideally some Office documents)

3, payment instructions

Link to post
Share on other sites
  • 3 weeks later...

Is there a way toi recover the files with the now extension .locky For the most part I do not care for the files that were encrypted but there are a few that I would really like to have back.

Link to post
Share on other sites
  • Administrators

Unfortunately, files encrypted by Filecoder.Locky cannot be decrypted. As instructed above, feel free to provide me with the output from ESET Log Collector for a check to make sure that you have ESET configured for maximum protection.

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...