comunic, posted October 3, 2016:
Hi all, I am very disappointed with the ransomware protection on my RDS servers with EFS 6.4 and the maximum-security ERA6 profile. It's been 6 times now that the same client has had about 650 GB on 3 VMs totally encrypted, and ESET doesn't do anything! In the attachment, you can see that ESET detects the responsible DLL but is simply unable to stop it (a reboot is required to clean the threat...), which is impossible to manage on an RDS server! What can we do to improve the efficiency against this?! Thanks for your replies.
Gonzalo Alvarez (ESET Staff), posted October 3, 2016:
Hi @comunic, sad to hear it has been 6 times already. I suggest you contact ESET Support and ask for help and improvement, because that is the first thing I would do in your case. Second, I would take a look at the "patient zero" or entry point, so that after it is found, I can raise other "layers of defense" to avoid a new problem there. AFAIK, the usual one is an e-mail with a fake "invoice" attached. Count "education of the user" as one of the "layers of defense" ;-) Please also stay here to talk; maybe someone has some good suggestions.
MichalJ (ESET Staff), posted October 4, 2016:
Hello, concerning additional steps: the best practices are listed in this KB article (it basically applies well also to ESET File Security): hxxp://support.eset.com/kb3433/
comunic (author), posted October 4, 2016:
Well, thank you for replying! The only thing different from the KB is that I disabled network drive scanning. I think this would not have helped me in this case, because the crypto was executed in an RDS session and encrypted everything on the network (every shared folder) without it being mapped as a network drive. @gonzalo: if I could prevent users from clicking on a big message like "just click here to encrypt all my files", I would do it.
Gonzalo Alvarez (ESET Staff), posted October 4, 2016:
Hi @comunic, if you have an RDS server, I can guess you have some software to manage the e-mail. If it was an RDS session, then you have the name of the guy who did the click, ¬,¬ oh-oh (for him). Having a good backup in another place with no connection to the network is wise; if it's a third-party contract, be sure they have (as the movies mention) more than one backup of the backup. To be honest, my knowledge is very limited, but my ideas are not. Using some X software, can you hold the delivery of any e-mail with attachments so the antivirus and rules can check for malicious content or links? Just to be sure: you have already applied that KB to servers and terminals, right?
comunic (author), posted October 4, 2016:
Hi, yep, the KB is applied, except the network drive analysis (useless in that case anyway). Fortunately I was able to restore the complete VMs with Veeam, but I wish I could avoid that! I already push an AppLocker policy on EXE files, but it seems to be a DLL this time!
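The post above says an AppLocker policy covers EXE files only, and the payload this time was a DLL. AppLocker has a separate DLL rule collection that is off unless you configure it; without it, a DLL dropped into a user profile and loaded through a trusted host (rundll32.exe, regsvr32.exe, or an Office process) is never evaluated. The following is an added example and is not code from the thread or from ESET; it merges a DLL rule collection into the existing local policy in audit-only mode, checks the decision for a DLL in a user-writable path, and shows where the audit events land. Assumptions (not from the original post): it runs elevated on the RDS host, the published applications live under %PROGRAMFILES%, and the GPO distinguished name in the commented -Ldap line is a placeholder.

```powershell
# Added example (not from the original thread or from ESET): extend an
# AppLocker policy that only has EXE rules with a DLL rule collection, so a
# DLL payload loaded from a user-writable path is blocked as well.
# Assumptions (not from the original post): run elevated on the RDS host; the
# published apps live under %PROGRAMFILES%; the -Ldap GPO path is a placeholder.

$policyPath = Join-Path $env:TEMP 'applocker-dll.xml'

# Each rule gets a fresh GUID. SID S-1-1-0 is Everyone, S-1-5-32-544 is
# BUILTIN\Administrators. Windows\Temp and Windows\Tasks are excepted from the
# %WINDIR% allow rule because standard users can write into them.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Dll" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="DLLs in Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="DLLs in Windows, minus user-writable folders" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators: all DLLs" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyPath -Value $policyXml

# AppLocker only evaluates rules while the Application Identity service runs.
sc.exe config appidsvc start= auto | Out-Null
sc.exe start appidsvc | Out-Null

# Merge the DLL collection into the local policy; the existing EXE rules stay.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
# Domain-wide instead (placeholder GPO path):
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge -Ldap 'LDAP://DC01/CN={GPO-GUID},CN=Policies,CN=System,DC=example,DC=local'

# Compare the decision for a DLL copied into a user-writable folder (standing
# in for a dropped payload) with the same DLL in System32.
$probe = Join-Path $env:TEMP 'probe-copy.dll'
Copy-Item "$env:WINDIR\System32\kernel32.dll" $probe
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe, "$env:WINDIR\System32\kernel32.dll" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# While the collection is AuditOnly, DLL loads the policy would have blocked
# are written as event 8003 to the EXE and DLL log. Review these before
# switching EnforcementMode to "Enabled".
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'User'; e = { $_.UserId } }, Message
```

Two caveats a practitioner will want before enforcing this on a terminal server. Path rules only help if the allowed directories are not writable by standard users, so the exceptions above matter and any application folder outside %PROGRAMFILES% needs its own rule (or a publisher rule) rather than a broad allow. And the DLL collection is evaluated on every DLL load by every session, so run it in AuditOnly on the RDS host for a while, clear the 8003 events that belong to legitimate software, and only then set the collection to Enabled.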
Gonzalo Alvarez (ESET Staff), posted October 4, 2016:
Mmm... how about increasing the traffic blockade to known sites? (I guess some people don't need to go outside the same daily sites.) To prevent the dropper or the ransomware from connecting outside to get a new undetected version? Did you contact support?