
Dear ESET,


My entire server and clients are infected with Locky. How is it possible that ESET real-time protection let this happen?


Please advise,






  • Administrators

There have been massive Nemucod/Locky spam campaigns going on recently in Europe and the Middle East, in which a Locky downloader (Nemucod or a VBA downloader) was spread as a .js or .xls/.doc attachment. When run, it downloaded and ran Locky, which subsequently encrypted files.


In order to get maximum protection against Filecoders, you should:

- keep LiveGrid enabled (test it by downloading the CloudCar test file from hxxp://amtso.security-features-check.com/cloudcar.exe; the file should be detected as a Suspicious object)

- keep Advanced heuristics on file execution enabled in the real-time protection setup

- keep all other protection modules enabled (especially HIPS, Advanced Memory Scanner, Exploit Blocker)

- if your license allows, install ESET Smart (Endpoint) Security instead of ESET NOD32 (Endpoint) Antivirus, as it can also block Filecoders at the network layer

- on non-production systems consider switching to pre-release updates so that you receive the latest modules in advance


And most importantly, back up important files on a regular basis and avoid opening attachments and clicking links in suspicious emails, especially if they come from an unknown sender. Do not trust .js, .rtf or Office attachments. If you didn't expect any and you know the sender, it's better to contact him or her and verify the authenticity of the email.

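The delivery chain described above (a .js, zipped .js or macro-bearing Office attachment that fetches and runs the Locky payload) is exactly what a mail gateway filter should catch before a user can double-click it. The following is an added example, not ESET's code and not part of the original thread: it builds a constructed lure message in memory with four attachments (a `.pdf.js` double-extension script, a zip wrapping a `.js`, a `.docm` whose zip contains a `vbaProject.bin`, and a harmless PDF) and reports which ones to quarantine. The extension lists, the OLE2 magic check and the `vbaProject.bin` heuristic are this example's own assumptions about what "do not trust .js, .rtf or Office attachments" should mean in practice; the sample message and its payloads are constructed placeholders, not real malware.

```python
"""Flag e-mail attachments of the kinds used to deliver Nemucod/Locky.

Added example, not ESET's code. Extension lists and heuristics below are
assumptions for illustration; the sample message is constructed in memory.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed policy: script and archive types seen in the Nemucod/Locky spam
# runs, plus Office formats that can carry VBA macros, plus RTF.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cmd", ".bat", ".ps1"}
ARCHIVE_EXTS = {".zip"}
OFFICE_EXTS = {".doc", ".dot", ".xls", ".xlt", ".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
RTF_EXTS = {".rtf"}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office container


def _ext(name):
    """Last extension, lowercased, so 'invoice.pdf.js' is treated as .js."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def _has_vba_project(data):
    """OOXML (.docm/.xlsm) is a zip; a vbaProject.bin entry means macros are present."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename, data):
    """Return a quarantine reason for a risky attachment, or None if it passes."""
    ext = _ext(filename)
    if ext in SCRIPT_EXTS:
        return f"script attachment ({ext})"
    if ext in RTF_EXTS:
        return "RTF attachment"
    if ext in ARCHIVE_EXTS:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for inner in zf.namelist():
                    if _ext(inner) in SCRIPT_EXTS:
                        return f"archive containing script ({inner})"
        except zipfile.BadZipFile:
            return "corrupt or non-zip archive"
        return None
    if ext in OFFICE_EXTS:
        if _has_vba_project(data):
            return "Office document with VBA project"
        if data[:8] == OLE2_MAGIC:
            return "legacy binary Office document (may carry macros)"
    return None


def risky_attachments(raw_eml):
    """Parse an RFC 822 message and list (filename, reason) for risky attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_eml)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reason = classify_attachment(name, data)
        if reason:
            findings.append((name, reason))
    return findings


def build_sample_eml():
    """Constructed invoice-themed lure with four attachments (no real malware)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice 0042"
    msg.set_content("Please find the invoice attached.")
    # 1) bare JScript with a double extension; body is a harmless placeholder
    msg.add_attachment(b"WScript.Echo('placeholder');", maintype="application",
                       subtype="javascript", filename="invoice_0042.pdf.js")
    # 2) zip wrapping a .js, the other common packaging of the downloader
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("invoice_0042.js", "WScript.Echo('placeholder');")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice_0042.zip")
    # 3) minimal .docm: OOXML zip carrying a (dummy) vbaProject.bin
    dbuf = io.BytesIO()
    with zipfile.ZipFile(dbuf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00dummy")
    msg.add_attachment(dbuf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice_0042.docm")
    # 4) plain PDF that should pass the filter
    msg.add_attachment(b"%PDF-1.4\n", maintype="application", subtype="pdf",
                       filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in risky_attachments(build_sample_eml()):
        print(f"QUARANTINE {name}: {reason}")
```

Running the block prints three quarantine lines (the script, the zip and the .docm) and lets `terms.pdf` through. Note that the filter only looks one archive level deep and only at the last extension, so a gateway deployment would also want nested-archive handling and a block on password-protected zips, which the classifier here reports as "corrupt or non-zip archive" only when the container itself is unreadable.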

  • ESET Staff

From some point of view it is ironic, because the best protection (besides having protection software up to date, etc.) is the education of the user.

As @Marcos pointed out, the main vector is an e-mail message that triggers the human at the keyboard to open it.

@percytc, take into consideration (if you have a backup somewhere) that it is good to have a backup not connected to the server or network. Only connect it to receive the data and then disconnect (physically is better).

For cloud backup, I suggest you have 3 different times and isolate each one, so if you get infected only 1 is down.


This topic is now closed to further replies.