Re: Ransomware Protection

hje
hje W/ Alumni Posts: 4 Junior Protector

We have a computer that has all the documents encrypted - they all have got the extension .zepto. If I scan the computer with F-Secure PSB, it does not find any virus or trojan on the computer, and the computer is reported clean. But if I instead scan it with Spyhunter 4, it can find an infected file + it finds the bitmap on the desktop with the ransom text. It is being reported as Locky Ransomware.

 

Is F-Secure a little slow on this variant of the virus, or is Spyhunter giving me a false positive?


Comments

  • Laksh
    Laksh W/ Alumni Posts: 237 Cybercrime Crusader

    Hi @hje,

     

    I have moved your post to the most relevant board as you are using our Business product. Thanks.

  • Vad
    Vad W/ Alumni Posts: 1,069 Cybercrime Crusader

    Hello hje,

     

    Please, check your scanning settings. By default the checkbox "Scan only known file types" is selected. If you uncheck the checkbox, all files will be scanned, and the infections which can't harm your machine directly by execution/opening will be found as well.

     

    Best regards,

    Vad

  • hje
    hje W/ Alumni Posts: 4 Junior Protector

    I have tried to uncheck the checkbox "Scan only known file types" and made a new scan, but it still does not find the ransomware. According to Spyhunter there are two types of infections on the computer, Locky Ransomware and Zepto Ransomware. All the data files on the computer have been renamed to a cryptic name with the extension .zepto.

     

  • Vad
    Vad W/ Alumni Posts: 1,069 Cybercrime Crusader

    Please contact support. We'll need more detailed information from your machine to find out what could be wrong in this case.

     

    Best regards,

    Vad

  • NickJ
    NickJ W/ Alumni Posts: 29 Security Scout

    Hello Vad,

     

    Can you just confirm whether F-Secure PSB is expected to protect clients from Ransomware infections such as Locky with the "Scan only known file types" check-box enabled?

     

    Surely the executables/office documents/javascript files that drop and execute the ransomware should be detected with that checkbox enabled, hopefully before they have even been executed?

     

    Thanks,

     

    Nick

     

  • Vad
    Vad W/ Alumni Posts: 1,069 Cybercrime Crusader

    Hello NickJ,

     

    You can find the list of threats detected by F-Secure products on our website:

    https://www.f-secure.com/en/web/labs_global/threat-descriptions

    And yes, Locky Ransomware is a known infection, which is detected with default settings for Real Time scan and Manual scan.

    Link to the information about Locky Ransomware:

    https://www.f-secure.com/v-descs/trojan-downloader_w97m_locky.shtml

     

    But please, don't mix real infection with already encrypted files or bitmaps with the ransom text.

     

    Best regards,

    Vad
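The distinction drawn in the reply above, between an active infection and leftover encrypted files or ransom-note bitmaps, as an added example that is not part of the thread and not F-Secure code. It labels a scanner hit from its name and first bytes; the label strings, the script-extension list, the 7.5 bits/byte entropy threshold and all sample file names are assumptions made for illustration.

```python
import math
from collections import Counter
from pathlib import PureWindowsPath

# Dropper types named later in the thread: executables, Office documents, JavaScript.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".wsf"}  # assumed list, not from the page
MAGIC = [
    (b"MZ", "active: Windows executable"),
    (bytes.fromhex("d0cf11e0a1b11ae1"), "active: OLE2 Office document (may carry macros)"),
    (b"BM", "inert: bitmap image"),
]

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(name: str, head: bytes) -> str:
    """Label a scanner hit as active content, inert leftover, or unknown."""
    ext = PureWindowsPath(name).suffix.lower()
    if ext in SCRIPT_EXTS:
        return "active: script"
    for magic, label in MAGIC:  # magic bytes win over the extension
        if head.startswith(magic):
            return label
    # Ciphertext looks random; the extension check keeps ordinary
    # compressed files from being labelled as ransomware output.
    if ext == ".zepto" and entropy(head) > 7.5:  # assumed threshold
        return "inert: encrypted data"
    return "unknown: inspect manually"

# Constructed inputs (name -> first bytes), not files from the thread.
SAMPLES = {
    "ransom_note.bmp": b"BM" + bytes(52),
    "A1B2C3D4.zepto": bytes(range(256)) * 4,  # stand-in for ciphertext
    "invoice.js": b"var a = 1;",
    "updater.exe": b"MZ" + bytes(62),
    "scan.doc": bytes.fromhex("d0cf11e0a1b11ae1") + bytes(24),
}

def triage(samples: dict) -> dict:
    return {name: classify(name, head) for name, head in samples.items()}

if __name__ == "__main__":
    for name, label in triage(SAMPLES).items():
        print(f"{label:50} {name}")
```

Only the "active" and "unknown" labels call for further investigation; the bitmap and the .zepto files are evidence that encryption happened, not code that can run.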

  • hje
    hje W/ Alumni Posts: 4 Junior Protector

    Hi.

    Thanks for info.

     

    Yes, it looks like the ransomware is not active on the computer anymore, but what bothers me is that Spyhunter can find some leftovers of the virus, while F-Secure can not find anything. One of the files Spyhunter can recognize is the bitmap on the desktop with the ransomware text, but I can not see what the other two files are, that Spyhunter finds.

     

    When I got to the infected computer the antivirus was somehow disabled, and thereby the computer was not protected as it should be. So nothing to blame F-Secure for there!  

  • NickJ
    NickJ W/ Alumni Posts: 29 Security Scout

    I think it is acceptable that F-Secure does not mark the bitmap as malicious. That file is not active, and is not doing any harm to your system. The only time I can think that detecting this file would be useful would be in an IPS product, where if you see this file you could disconnect the system from the network so it is not able to encrypt connected fileshares etc.

     

    I am sure that this infection has caused you a lot of trouble today but as a fellow PSB customer I am glad to hear that your user had disabled their protections, and that Vad has confirmed that there are protections for this malware in the PSB product.

     

     

  • hje
    hje W/ Alumni Posts: 4 Junior Protector
    Yes, I would also say that it is acceptable with the bitmap. It is the other two files that bother me, as I can not see what kind of files they are.

    So should I trust F-Secure or Spyhunter?

    Just to be safe I scanned the computer with Malwarebytes Anti-Malware, and it did not find any malicious files, so I choose to trust the two programs (F-Secure and Malwarebytes) against the one (Spyhunter). - And hope I will not regret it :)
  • IceMan7
    IceMan7 W/ Alumni Posts: 1 Security Scout

    SpyHunter is a scanner of dubious reputation, pushed strongly in Google results and using manipulative techniques to encourage installation. Google shows a whole bunch of highly positioned descriptions of "removing malware" designed in such a way as to get you to download SpyHunter as a marvelous free treatment for an infection. After installation, it turns out that this is a paid program.

     

    Overall, this is **bleep**

     

    To scan your computer from time to time I recommend (in that order)
    1) Eset Online Scanner
    2) Malwarebytes Anti-Malware (free) / Emsisoft Emergency Kit
    3) HitmanPro / Zemana Antimalware

    F-Secure and the above 3 points on demand, and the computer is sound as a fish :)

This discussion has been closed.