xrad 0 Posted July 12, 2016
Hi
Some of my customer PCs with NOD32 installed have been infected with the "Locky Ransomware" virus. NOD32 did not initially detect the infection; our customer noticed a rogue file on a backup drive. I would like to get more information such as the entry point, etc. How can I find this? On investigation I noticed that a NOD32 scan seemed to detect that the infection was introduced via a rogue email. I could only get a low-res screenshot of this. Is it possible to find this info from the logs, and if so, where do I look?
Best regards, D.
collector_log.txt data_dir_list.txt Processes.txt
Administrators Marcos 5,455 Posted July 12, 2016
Please email the output from ESET Log Collector (hxxp://support.eset.com/kb3466/) to samples[at]eset.com. Do you know by chance what email client the user uses? If it's not supported and they receive email via IMAPS, for instance, they would need to enable SSL filtering and IMAPS scanning to detect and block this kind of spammed threat (JS/Nemucod).
xrad 0 Author Posted July 13, 2016
Thank you Marcos, I will email the logs now. The user was using IE; no client used (private email). To the best of my knowledge the user is not authorised to use the system for private email, as a new business policy is in place now.
xrad 0 Author Posted July 14, 2016
Does ESET get back to you after submitting the eav_logs?
Administrators Marcos 5,455 Posted July 18, 2016
Please drop me a PM with the email address that you submitted the files from. I was able to find only one ticket from July 13, where the reporter attached the ESET Log Collector's executable instead of the output archive containing logs. That submission came from <of..........er@f........r.net>.