Jump to content

EFS 6.4 : 0 vs Crypto/locky : 1 Again and again...

Recommended Posts

hi all

i am very disapointed of the ransomware protection on my RDS servers with EFS 6.4 and maximum security ERA6 profile.

it's been 6 times the same client have about 650gb on 3 VMS totally crypted, and eset doesn't do anything !

On the attachement, you can see that eset detect the responsible DLL but it simply unable to stop it (reboot is required to clean the threat...), which is impossible to manage on a RDS server !

What can we do to improve the efficiency against this ?!

thank's for your replies.


Link to comment
Share on other sites

  • ESET Staff

Hi @comunic,


Sad to heard is been 6 times already.


I suggest you contact ESET Support and ask for help and improvement,

because is the first thing I will do in your case.


As second, I will take a look at the "patient zero" or entry point, so after

found, I rise other "layers of defense" to avoid a new problem there.


AFAIK, the usual is an e-mail with fake "invoice" attached.

Count "education to the user" as one of the "layers of defense" ;-)


Please also stay here to talk, maybe someone has some good suggestions.

Link to comment
Share on other sites

Well, thank you for repling !

the only things different with the kb is that i disable network drive scan.

I think this whould have not help me in this case because the crypto was executed on an rds session and encrypt everthing on the network (every shared folder) without being mapped as a network drive.

@gonzalo : if i could prevent users clicking on a big message like "just click here to encrypt all my files" i would do it :)

Link to comment
Share on other sites

  • ESET Staff

Hi @comunic,


If you have an RDS server, I can guess you have some software to manage the e-mail,


If was an RDS session then you have the name of the guy who do the click, ¬,¬ oh-oh (for him).


Have a good backup on other place with no connection to the network is wise, if its a third

party contract be sure they have (as movies mention) more than one backup of the backup. ;)


To be honest, my knowledge is very limited but my ideas not.


Using some X software can you Hold the deliver of any e-mail with attachments so

antivirus + and rules can check for malicious content or link?


just to be sure: you have already applied that KB to servers and terminals, right?

Link to comment
Share on other sites


yep the kb is applied, exept the network drive analyse (useless in that case anyway)

fortunately i was able to restore the complete VMs with veeam, but i whish i could avoid that !

i already push an applocker policy on exe files but it seems to be a dll this time !

Link to comment
Share on other sites

  • ESET Staff

mmm... :huh:


how about to increase the traffic blockade to known sites?

(I guess some people not need to go out of the daily same sites)


To prevent the dropper or the ransomware to connect outside get

new undetected version?


do you contact support?

Link to comment
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...