comunic 4 Posted August 12, 2016 Share Posted August 12, 2016 Hi, i serioulsy considering deploy hips because it seems to be the "ultimate" solution against crypto. Following my experience, automatic mode is useless, it never stopped anything. The mode "smart" seems interresting, but is it more efficient ? Finally, the learning mode, is it really safe to deploy it ? i would be very interested to have some feedbacks ! Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted August 12, 2016 Administrators Share Posted August 12, 2016 Automatic mode is not useless. HIPS itself should never be disabled as many other protection features depend on it, such as Self-defense, Advanced Memory Scanner, Exploit Blocker, Ransomware protection (v10) and Script Monitor (v10). The other features are what makes HIPS that important for detection and blocking of new threats even if the rule list is empty. If you want, you can switch to Smart mode which is a kind of interactive mode that asks you for an action only if a typical malware activity is detected and only if blocking such an action should not cause a false positive. Link to comment Share on other sites More sharing options...
comunic 4 Posted August 12, 2016 Author Share Posted August 12, 2016 Of course i always let HIPS with all its feature enabled, but i never seen antyhing on the hips log, and yesterday one of my client with EFS 6.3 open a zepto locker, encrypting about 50 000 files before eset block it. Sorry, but for me it is useless ! My goal is to improve the product, to but the more efficient it can. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted August 15, 2016 Administrators Share Posted August 15, 2016 Of course i always let HIPS with all its feature enabled, but i never seen antyhing on the hips log, and yesterday one of my client with EFS 6.3 open a zepto locker, encrypting about 50 000 files before eset block it. Sorry, but for me it is useless ! My goal is to improve the product, to but the more efficient it can. That's interesting to hear. Do you know more details about the incident? You mentioned EFSW 6.3. That means it's a server possibly with shares so there's a good chance the files could get encrypted from another machine and not by running malware directly on the server. It's important that Endpoint v6 be installed also on all workstations and have LiveGrid enabled and working for maximum protection. If we eventually blocked it, was it the malware itself which was detected or just files with instructions? The best would be if you could collect logs using ESET Log Collector and pm them to me for analysis. Link to comment Share on other sites More sharing options...
comunic 4 Posted August 16, 2016 Author Share Posted August 16, 2016 Hi, i mentionned EFSW because it is an RDS 2008 R2 server ! So the malware ran directly on the server. All the settings and fonctions are enabled and based on the maximum protection policy of ERA 6.4 ! I know that a user opened a word document received in outlook, lauching the crypto locker. i will PM you the log collector. thank's Link to comment Share on other sites More sharing options...
jimwillsher 65 Posted August 16, 2016 Share Posted August 16, 2016 It was the same for us last week - emailed .docm attachment (we're now blocking .docm and other macro-enabled attachments), and it too was .zepto. I don't know how many files we lost, we didn't count them, we just had to restore 500GB from the previous night's backup (three shares encrypted in their entirety, plus all the local files on the infected PC). I know it's a really crude solution, but even a user prompt "a program on your computer has opened and re-saved 100 documents with a different file extension in the last 10 minutes, are you happy for it to continue" would have saved most of our data. Interesting to hear from Marcos about a couple of V10 features that might have helped in this scenario. Might it be worthwhile us abandoning EEA and instead installing the "consumer" version (despite losing all the management features) ? It does seem that the consumer product is a LONG way in front of the business product. I thought it was always intended to be "slightly ahead" ? It would certainly be good to get some of these consumer improvements into the business product, since crypto seems to be the virus technique of choice at the moment. Just my thoughts. Jim Link to comment Share on other sites More sharing options...
comunic 4 Posted August 16, 2016 Author Share Posted August 16, 2016 it seems that this piece of S**** was the responsible, for my part : hxxp://www.virusradar.com/en/threat_encyclopaedia/graph/344004 Interesting to see that eset published an update to block it the 10th and my client was infected the 11th ! Link to comment Share on other sites More sharing options...
Recommended Posts