Re: Ransomware Protection

We have a computer that has all the documents encrypted - they all have got the extension .zepto. If I scan the computer with F-Secure PSB, it does not find any virus or trojan on the computer, and the computer is reported clean. But if I instead scan it with Spyhunter 4, it can find an infected file + it finds the bitmap on the desktop with the ransom text. It is being reported as Locky Ransomware.

Is F-Secure a little slow on this variant of the virus, or is Spyhunter giving me a false positive?

Best Answer

  • etomcat Posts: 1,312
    Accepted Answer

    Hello,

    Modern ransomware codes delete themselves (the malicious binary executable) from the infected computer, after the task of encrypting all document and media files has been completed. That trick makes it difficult to analyze the infection. The only things left behind are the textual and bitmap versions of the bitcoin ransom payment collection instructions.

    Therefore, if your computer is already full of .zepto files, it is no wonder antivirus won't find any malicious binaries in the system, since there aren't any left!

    As for how your computer got infected in the first place, despite active F-Secure protection, who knows? The official F-Secure Lab stance is that active DeepGuard protection running with full effort should stop all ransomware infection attempts. (The corresponding default settings are "DeepGuard Advanced Mode" checked in the corporate and institutional purpose F-Secure products and "DeepGuard use basic mode" UNchecked in home-consumer products.)

    On the other hand, some competing vendors already include dedicated anti-ransomware / anti-cryptor protection technology in their antivirus suites, while DeepGuard is a general purpose protection module that is also supposed to stop ransomware. That is not an ideal situation and partners have been asking F-Secure Corp. to include a dedicated anti-cryptor protection asset in their products.

    Best Regards: Tamas Feher, Hungary.
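A small triage script, added here as an example and not part of any post in this thread or of any F-Secure tool, that checks a file tree for the leftovers the answer describes (documents renamed to opaque names with the .zepto extension, and a bitmap on the Desktop as a candidate ransom note) instead of looking for a binary that has already deleted itself. The directory layout, file names and note name it builds are constructed sample data, not real Locky artefacts.

```python
import os
import re
import tempfile
from pathlib import Path

# Extension the thread reports on the encrypted documents.
ENCRYPTED_EXT = ".zepto"
# Constructed stand-in for the "cryptical name" the poster saw: a long hex-like stem.
HEX_STEM = re.compile(r"^[0-9A-Fa-f-]{16,}$")


def triage(root):
    """Walk a tree and summarise ransomware leftovers.

    Returns the number of files carrying ENCRYPTED_EXT, how many of those also
    have an opaque (hex-like) stem, how many directories are affected, and any
    .bmp files sitting in a Desktop folder (candidate ransom-note bitmaps).
    The malicious executable itself is not searched for: it is usually gone.
    """
    encrypted, opaque, dirs, notes = 0, 0, set(), []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() == ENCRYPTED_EXT:
                encrypted += 1
                dirs.add(dirpath)
                if HEX_STEM.match(p.stem):
                    opaque += 1
            elif p.suffix.lower() == ".bmp" and Path(dirpath).name.lower() == "desktop":
                notes.append(str(p))
    return {"encrypted": encrypted, "opaque_stem": opaque,
            "dirs": len(dirs), "desktop_bitmaps": sorted(notes)}


def build_sample(root):
    """Create a constructed directory layout resembling the thread's machine."""
    docs = Path(root) / "Users" / "hje" / "Documents"
    desk = Path(root) / "Users" / "hje" / "Desktop"
    docs.mkdir(parents=True)
    desk.mkdir(parents=True)
    for i in range(3):  # three encrypted documents with opaque hex-like names
        (docs / f"{'A1B2C3D4' * 2}{i:02d}.zepto").write_bytes(b"\x00" * 16)
    (docs / "still-ok.txt").write_text("untouched")
    (desk / "ransom_note_constructed.bmp").write_bytes(b"BM" + b"\x00" * 8)  # constructed note
    return root


def demo():
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample(tmp))


if __name__ == "__main__":
    print(demo())
```

A real run would point `triage()` at the user's profile root; a high `encrypted` count spread over several directories plus a Desktop bitmap is the picture the answer above describes.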

Answers

  • Laksh Posts: 4,428

    Hi @hje,

    I have moved your post to the most relevant board as you are using our Business product. Thanks.

  • Vad Posts: 1,047

    Hello hje,

    Please check your scanning settings. By default the checkbox "Scan only known file types" is selected. If you uncheck the checkbox, all files will be scanned, and the infections which can't harm your machine directly by execution/opening will be found as well.

    Best regards,

    Vad

  • hje Posts: 4

    I have tried to uncheck the checkbox "Scan only known file types" and made a new scan, but it still does not find the ransomware. According to Spyhunter there are two types of infections on the computer, Locky Ransomware and Zepto Ransomware. All the data files on the computer have been renamed to a cryptic name and the extension .zepto.

  • Vad Posts: 1,047

    Please contact support. We'll need more detailed information from your machine to find out what could be wrong in this case.

    Best regards,

    Vad

  • NickJ Posts: 29

    Hello Vad,

    Can you just confirm whether F-Secure PSB is expected to protect clients from Ransomware infections such as Locky with the "Scan only known file types" check-box enabled?

    Surely the executables/office documents/javascript files that drop and execute the ransomware should be detected with that checkbox enabled, hopefully before they have even been executed?

    Thanks,

    Nick

  • Vad Posts: 1,047

    Hello NickJ,

    You can find the list of threats detected by F-Secure products on our website:

    https://www.f-secure.com/en/web/labs_global/threat-descriptions

    And yes, Locky Ransomware is a known infection, which is detected with default settings for Real Time scan and Manual scan.

    Link to the information about Locky Ransomware:

    https://www.f-secure.com/v-descs/trojan-downloader_w97m_locky.shtml

    But please don't mix up a real infection with already encrypted files or bitmaps with the ransom text.

    Best regards,

    Vad

  • hje Posts: 4

    Hi.

    Thanks for the info.

    Yes, it looks like the ransomware is not active on the computer anymore, but what bothers me is that Spyhunter can find some leftovers of the virus, while F-Secure can not find anything. One of the files Spyhunter can recognize is the bitmap on the desktop with the ransomware text, but I can not see what the other two files are that Spyhunter finds.

    When I got to the infected computer the antivirus was somehow disabled, and thereby the computer was not protected as it should be. So nothing to blame F-Secure for there!

  • NickJ Posts: 29

    I think it is acceptable that F-Secure does not mark the bitmap as malicious. That file is not active, and is not doing any harm to your system. The only time I can think that detecting this file would be useful would be in an IPS product, where if you see this file you could disconnect the system from the network so it is not able to encrypt connected fileshares etc.

    I am sure that this infection has caused you a lot of trouble today but as a fellow PSB customer I am glad to hear that your user had disabled their protections, and that Vad has confirmed that there are protections for this malware in the PSB product.

  • hje Posts: 4

    Yes, I would also say that it is acceptable with the bitmap. It is the other two files that bother me, as I can not see what kind of files they are.

    So should I trust F-Secure or Spyhunter?

    Just to be safe I scanned the computer with Malwarebytes Anti-Malware, and it did not find any malicious files, so I chose to trust the two programs (F-Secure and Malwarebytes) against the one (Spyhunter). - And hope I will not regret it :)
  • IceMan7 Posts: 17

    SpyHunter is a scanner of dubious reputation that has jumped sharply in Google's results by applying manipulative techniques that lean on installation. There is a whole bunch of highly positioned "removing malware" descriptions on Google, designed in such a way that you download SpyHunter as a marvelous free treatment for an infection. After installation, it turns out that this is a paid program.

    Overall, this is **bleep**

    To scan your computer from time to time I recommend (in that order):
    1) Eset Online Scanner
    2) Malwarebytes Anti-Malware (free) / Emsisoft Emergency Kit
    3) HitmanPro / Zemana Antimalware

    F-Secure plus the above three on demand, and the computer will be as sound as a fish :)

    hje