percytc Posted March 19, 2016

Dear ESET,

My entire server and clients are infected with Locky. How is it possible that ESET real-time protection let this happen?

Please advise,

Regards,
Laszlo
Administrators Marcos Posted March 19, 2016

There have been massive Nemucod/Locky spam campaigns going on recently in Europe and the Middle East, in which a Locky downloader (Nemucod or a VBA downloader) was spreading as a .js or .xls/.doc attachment. When run, it downloaded and ran Locky, which subsequently encrypted files.

In order to get maximum protection against Filecoders, you should:

- keep LiveGrid enabled (test it by downloading the CloudCar test file from hxxp://amtso.security-features-check.com/cloudcar.exe; the file should be detected as "Suspicious object")
- keep Advanced heuristics on file execution enabled in the real-time protection setup
- keep all other protection modules enabled (especially HIPS, Advanced Memory Scanner, Exploit Blocker)
- if your license allows, install ESET Smart (Endpoint) Security instead of ESET NOD32 (Endpoint) Antivirus, as it can also block Filecoders at the network layer
- on non-production systems, consider switching to pre-release updates so that you receive the latest modules in advance

And most importantly: back up important files on a regular basis and avoid opening attachments and clicking links in suspicious emails, especially if they come from an unknown sender. Do not trust .js, .rtf or Office attachments. If you didn't expect any and you know the sender, it's better to contact him or her and verify the authenticity of the email.
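The post above describes the infection chain (a .js or Office-document downloader arrives as a mail attachment, runs, fetches Locky) and tells users not to trust .js, .rtf or Office attachments. The following is an added example, not code from ESET or from anyone in this thread, of how a mail gateway or triage script could enforce that advice by parsing a message and quarantining attachments of those types, including double extensions such as "invoice.pdf.js" and risky files nested one level inside a ZIP. The extension list, the sample message and all names are assumptions made for this example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment types the forum post says not to trust (.js, .rtf, Office
# documents). The exact set is an assumption for this example, not an
# ESET setting; extend it to match your environment.
RISKY_EXTENSIONS = {".js", ".rtf", ".doc", ".docm", ".xls", ".xlsm"}
ARCHIVE_EXTENSIONS = {".zip"}


def risky_suffix(filename):
    """Return the risky extension of filename, or None.

    Only the final extension matters, because that is what the Windows
    shell will execute: 'invoice.pdf.js' is a script, not a PDF.
    """
    name = filename.lower().strip()
    for ext in RISKY_EXTENSIONS:
        if name.endswith(ext):
            return ext
    return None


def risky_names_in_zip(data):
    """List risky member names inside a ZIP attachment (one level deep)."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if risky_suffix(member):
                    found.append(member)
    except zipfile.BadZipFile:
        # An archive that cannot be parsed is itself a reason to hold the mail.
        found.append("<unreadable archive>")
    return found


def triage_message(raw_bytes):
    """Return a list of (filename, reason) for every attachment to quarantine."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        ext = risky_suffix(filename)
        if ext:
            findings.append((filename, f"attachment type {ext} is not trusted"))
            continue
        if any(filename.lower().endswith(a) for a in ARCHIVE_EXTENSIONS):
            members = risky_names_in_zip(payload)
            if members:
                findings.append((filename, "archive contains " + ", ".join(members)))
    return findings


def build_sample_message():
    """Constructed sample mail for the demo: a harmless PDF, a JS file with a
    double extension, and a ZIP carrying a JS file. No real malware here."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice 4711"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"WScript.Echo('placeholder');", maintype="application",
                       subtype="javascript", filename="invoice_4711.pdf.js")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("scan_0001.js", "WScript.Echo('placeholder');")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="scan.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in triage_message(build_sample_message()):
        print(f"QUARANTINE {name}: {reason}")
```

Running it prints two quarantine lines, one for the double-extension script and one for the archive; the plain PDF passes. The check deliberately trusts nothing about the declared MIME type and looks only at the filename the user would double-click, since that is what decides whether Windows Script Host or Office opens the file.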
Mike45 Posted March 19, 2016

Is it possible because Stormshield Endpoint Security blocks Locky?
ESET Staff Gonzalo Alvarez Posted March 19, 2016

From some point of view it is ironic, because the best protection (besides having protection software up to date, etc.) is the education of the user. As @Marcos points out, the main vector is an e-mail message that triggers the human at the keyboard to open it.

@percytc, take into consideration (if you have a backup somewhere) that it is good to have a backup not connected to the server or network. Only connect it to receive the data and then disconnect (physically is better). For cloud backup, I suggest you have 3 different points in time, each one isolated, so if you get infected only 1 is down.