[bacon@oddwallps.com].java Ransomware
  • #1

    I recently moved into using ITSM for all my customers (only Windows PCs). I installed the client a month ago. Today a client told me that the system is unresponsive.
    I checked the PC and saw that this system has been infected with [bacon@oddwallps.com].java Ransomware.
    1st: Is this a known ransomware virus that the client should have detected?
    2nd: Can I clean the system with ITSM?
    3rd: How can I configure ITSM so that it will detect this kind of virus?
    This client has now already lost her confidence in this product.

    Hope somebody can shine a light on this.
    Last edited by ailan; 01-13-2018, 09:38 AM.

  • #2



    • #3
      Hello ailan,

      We appreciate you bringing this issue to our attention. To properly answer your concern, we will coordinate with you via a support ticket to further analyze how the virus got onto the device and provide the proper solution to remove the said malware. Thank you.



      • #4
        ailan, to become infected with ransomware when protected by Comodo would suggest you have configured the protection wrongly.



        • #5
          Hi nct,
          Can you specify which module or setting I should address for this (read: ransomware in general)?
          I have the profile set with the default settings: Containment is ON, HIPS is OFF, Antivirus is ON, File Rating is ON (with cloud lookup), Firewall is ON, VirusScope is ON and Valkyrie is ON.

          Thanks



          • #6
            Originally posted by ailan:
            Hi nct,
            Can you specify which module or setting I should address for this (read: ransomware in general)?
            I have the profile set with the default settings: Containment is ON, HIPS is OFF, Antivirus is ON, File Rating is ON (with cloud lookup), Firewall is ON, VirusScope is ON and Valkyrie is ON.

            Thanks

            Have you added any exclusions to the policy?



            • #7
              Yes: I started with the default 'Standard Windows Profile for ITSM 6.10' and excluded some network-mapped drives.
              Nothing local on the system. See attached screenshot.



              • #8
                Originally posted by ailan:
                Yes: I started with the default 'Standard Windows Profile for ITSM 6.10' and excluded some network-mapped drives.
                Nothing local on the system. See attached screenshot.

                I would advise calling support and speaking to L2; you shouldn't generally need to exclude mapped drives, and this is likely to be the source of the infection.

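                A defender-side triage sweep, added here as an example and not part of this thread or of the Comodo product: it walks a local folder and an assumed mapped share, finds files renamed with the bracketed-e-mail-plus-.java pattern from the thread title, and reports how many of them sit under paths that a policy exclusion (like the mapped drives discussed above) would have kept the client from scanning. The sample tree, the exclusion list and the generalised regex are constructed assumptions.

```python
import os
import re
import tempfile
from collections import Counter

# Naming pattern described in the thread: the attacker e-mail in brackets and a
# ".java" suffix appended to the original file name, e.g.
# "report.docx.[bacon@oddwallps.com].java". Generalised to any bracketed e-mail.
ENCRYPTED_NAME = re.compile(r"\.\[[^\]\\/]+@[^\]\\/]+\]\.java$", re.IGNORECASE)

def is_excluded(path, exclusions):
    """True when path lies under one of the configured exclusion roots."""
    p = os.path.normcase(os.path.abspath(path))
    for root in exclusions:
        r = os.path.normcase(os.path.abspath(root)).rstrip(os.sep)
        if p == r or p.startswith(r + os.sep):
            return True
    return False

def sweep(roots, exclusions=()):
    """Walk the roots and bucket renamed files by whether the endpoint client
    would have scanned them ("covered") or skipped them ("excluded")."""
    hits = {"covered": [], "excluded": []}
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                if ENCRYPTED_NAME.search(name):
                    full = os.path.join(dirpath, name)
                    hits["excluded" if is_excluded(full, exclusions) else "covered"].append(full)
    return hits

def affected_dirs(hits):
    """Renamed files per directory: shows how far the encryption spread."""
    return Counter(os.path.dirname(p) for bucket in hits.values() for p in bucket)

def build_sample_tree():
    """Constructed sample data: a local folder and a 'mapped share' folder, each
    with clean files and one renamed (encrypted) file. Returns the base path."""
    base = tempfile.mkdtemp(prefix="sweep-demo-")
    for rel in ("local/docs/notes.txt",
                "local/docs/report.docx.[bacon@oddwallps.com].java",
                "share/finance/README.md",
                "share/finance/budget.xlsx.[bacon@oddwallps.com].java",
                "share/src/Main.java"):  # genuine Java source must not match
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return base
```

                Call build_sample_tree(), then sweep([base], exclusions=[base + "/share"]) and affected_dirs() on the result; on a real endpoint, point the roots at the local volumes and the mapped drives and pass the profile's exclusion paths.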


                • #9
                  Thanks for the suggestion.

                  But how could that be? The programs are executed locally, and if an infected file comes from the internet, a shared file or wherever, it should trigger the scanner. All the files on the mapped network shares should be clean, because only scanned and clean files can be placed on these shares.
                  And should that be the case, that it's coming from the excluded network shares, then I should detect these files when scanning manually:
                  I've scanned the files, locally and on the network shares, with the client and no infected files were detected.

                  So, I think that there's more to it than only the exclusions.

                  If you have more suggestions which settings could prevent these infections I'm all ears.



                  • #10
                    Originally posted by ailan:
                    Thanks for the suggestion.

                    But how could that be? The programs are executed locally, and if an infected file comes from the internet, a shared file or wherever, it should trigger the scanner. All the files on the mapped network shares should be clean, because only scanned and clean files can be placed on these shares.
                    And should that be the case, that it's coming from the excluded network shares, then I should detect these files when scanning manually:
                    I've scanned the files, locally and on the network shares, with the client and no infected files were detected.

                    So, I think that there's more to it than only the exclusions.

                    If you have more suggestions which settings could prevent these infections I'm all ears.

                    I'm a reseller of Comodo One and have considerable experience of the product, but L2 support are the guys who need to assist you on this.



                    • #11
                      OK. I already have email contact with support.
                      But in case anyone has a suggestion on how to counter this ransomware, and what to set in the policy, please post here.
                      Thanks



                      • #12
                        Originally posted by ailan:
                        OK. I already have email contact with support.
                        But in case anyone has a suggestion on how to counter this ransomware, and what to set in the policy, please post here.
                        Thanks

                        Comodo should block ransomware if correctly configured, which is why I suspect your network drive exclusions could be the issue. To quote melih, the Comodo founder:
                        "if known bad....Comodo removes...
                        If known good...Comodo allows...
                        if Unknown....Comodo runs it in Containment"



                        • #13


                          What is that icon? That's not the CCS client I'm used to.
                          James Dyke.
                          Director DittoIT.
                          www.DittoIT.co.uk
                          Backup, Disaster Recovery & Business Continuity.



                          • #14
                            Hi @dittoit,
                            Yes, it's Comodo Client - Security v 10.
                            I checked it on different systems and they are the same.

                            nct, yes I also thought that Unknown behaviour and programs would be blocked or put in Quarantine.



                            • #15
                              Hi ailan

                              Sorry to hear about the incident. With proper configuration, you wouldn't and can't get infected...

                              As nct mentioned, it looks like you have wide exclusion rules. Also, from the logs you shared with support, there are multiple profiles and broken rules on your profiles.


                              Could you please de-assign all other profiles from your devices and apply only "Optimum Windows Profile for ITSM 6.10" or "Hardened Windows Profile for ITSM 6.10" until you have a training and investigation session with one of our engineers?

                              Our support team will contact you to schedule the session as soon as possible.

                              Best regards,
                              Ilker
                              Last edited by Ilker; 01-14-2018, 03:14 PM.
