Mike45 1 Posted March 17, 2016 Posted March 17, 2016 HI, how to block process that create .locky files HIPS seems not working for this thanks
MrWrighty 6 Posted March 17, 2016 Posted March 17, 2016 You need to find the source process that is running and kill it, then remove tmp files in the users account. Customer of mine just been hit big time, encrypted 58000 Files. According to Eset it should also delete all VSS shadow copies but that doesn't seem to have happen as I am able to restore from previous versions.
ESET Staff Gonzalo Alvarez 66 Posted March 17, 2016 ESET Staff Posted March 17, 2016 Hi @Mike45, ESET Live Grid should be active to ensure protection against new waves of threats, also keeping the ESET in latest version help too. Check your ESET config.
Mike45 1 Posted March 17, 2016 Author Posted March 17, 2016 i've already the latest version/definitions for sure my eset config is ok my question is : why when i ask eset (in hips) to block files it doesn't work
Administrators Marcos 5,741 Posted March 17, 2016 Administrators Posted March 17, 2016 my question is : why when i ask eset (in hips) to block files it doesn't work Could you please clarify what you mean? Did you create a block HIPS rule and it didn't work, ie. it failed to block a particular file ?
Mike45 1 Posted March 17, 2016 Author Posted March 17, 2016 yes, i've test many rules, nothing work is there anyone that could make it work ?
Administrators Marcos 5,741 Posted March 17, 2016 Administrators Posted March 17, 2016 I'm sorry but it's still not clear what you're trying to achieve. What exactly doesn't work? Please clarify.
Mike45 1 Posted March 18, 2016 Author Posted March 18, 2016 (edited) i want to block/disable .locky files creation/rename like this :hxxp://www.netstaff.fr/blog/?p=768 Edited March 18, 2016 by Mike45
ESET Insiders toxinon12345 32 Posted March 19, 2016 ESET Insiders Posted March 19, 2016 (edited) HIPS is for geek users. It seems you must use the notation HKEY_USERS rather than HKEY_CURRENT_USER. Edited March 19, 2016 by toxinon12345
Mike45 1 Posted March 19, 2016 Author Posted March 19, 2016 i don't speak about HKCU\Software\lockybut about .locky files (second screen capture)
ESET Insiders toxinon12345 32 Posted March 19, 2016 ESET Insiders Posted March 19, 2016 i speak about .locky files (second screen capture) The only requirement is the 'drive:\' prefix Anyway I'm not sure if that is recursive for all nested directory levels
ESET Insiders toxinon12345 32 Posted March 19, 2016 ESET Insiders Posted March 19, 2016 (edited) HIPS is for geek users. I created a HIPS rule as a mitigation for the LOCKY threat (Filecoder): ---> Log enabled, notification enabled ---> Registry keys [blocked] for √[Renaming] √[Modify] operations HKEY_USERS\*\software\LOCKY\* Then make sure to remove any existing LOCKY regkey at that location Edited March 19, 2016 by toxinon12345
Mike45 1 Posted March 19, 2016 Author Posted March 19, 2016 ok thanks but how to block locky file creation ? if i block this registry key, locky is totaly blocked ?
ESET Insiders toxinon12345 32 Posted March 19, 2016 ESET Insiders Posted March 19, 2016 (edited) We even could block application execution from %temp% folder. Create a rule blocking application start for : ---> [userFolder]\appData\Local\Temp\svchost.exe as far as I know, Locky writes to this path as part of its install Edited March 19, 2016 by toxinon12345
ESET Insiders toxinon12345 32 Posted March 19, 2016 ESET Insiders Posted March 19, 2016 (edited) Ok, another plus would make a Directory tree Read-only. For example, I designed my HD partition 'F:' as Read only by creating this rule: Blocked file writes for: This source app ----> [userFolder]\appData\Local\temp\svchost.exe These file path ---> F:\*.* So F: and any subfolder would be protected against Locky Edited March 19, 2016 by toxinon12345
Mike45 1 Posted March 21, 2016 Author Posted March 21, 2016 i've not ask for this...w why don't you answer correctly ? :/block execution of temp .exe isn't a right solution for sur create a partition for 300 computer ?? so i've just ask how to block creation of .locky files (block this extention in HIPS eset rules) because it does't do what i add
macros 1 Posted April 1, 2016 Posted April 1, 2016 well, there must be solution from eset for block .locky file creation. why we should do trick from hips. what our antivirus for then?
Mark Miller 0 Posted April 26, 2016 Posted April 26, 2016 Hello my computer infected by ransomware. please guide me to remove !
Administrators Marcos 5,741 Posted April 26, 2016 Administrators Posted April 26, 2016 Hello my computer infected by ransomware. please guide me to remove ! If you are a paying user, submit the following stuff to [email protected]: 1, the output from ESET Log Collector (hxxp://support.eset.com/kb3466/) 2, examples of encrypted files (ideally some Office documents) 3, payment instructions
karcer 0 Posted May 15, 2016 Posted May 15, 2016 Is there a way toi recover the files with the now extension .locky For the most part I do not care for the files that were encrypted but there are a few that I would really like to have back.
Administrators Marcos 5,741 Posted May 17, 2016 Administrators Posted May 17, 2016 Unfortunately, files encrypted by Filecoder.Locky cannot be decrypted. As instructed above, feel free to provide me with the output from ESET Log Collector for a check to make sure that you have ESET configured for maximum protection.
Mike45 1 Posted May 17, 2016 Author Posted May 17, 2016 hxxp://www.lemondeinformatique.fr/actualites/lire-des-chercheurs-retrouvent-une-parade-contre-cryptoxxx-64828.html
Administrators Marcos 5,741 Posted May 17, 2016 Administrators Posted May 17, 2016 hxxp://www.lemondeinformatique.fr/actualites/lire-des-chercheurs-retrouvent-une-parade-contre-cryptoxxx-64828.html This topic is about Locky, not about CryptProjectXXX which we at ESET can decode as well.
Recommended Posts