Other issues in this category (23)
Stay out of it, anti-virus
Wednesday, June 27, 2018
Today we are going to skip our intro and get straight to the point:
Hello, We received an email with the file "18.06.18.Gz" attached to it. We opened it. It turned out to be a Trojan. The hard drive is split into two partitions. On the C drive, many files and folders are highlighted in blue, but nothing like that happened to the data on the D partition.
From a request submitted to the Doctor Web support service
The situation is clear as day: a malicious attachment arrived, got extracted, and an unknown Trojan managed to activate itself in the system (the request doesn't explicitly state that it was launched, right?).
However an analysis of the anti-virus log (the log file can be found in %userprofile%\desktop\drweb.log) revealed a completely different picture. First, the installed anti-virus already had the definition of the encryption ransomware in question.
But the most unusual thing is how the Trojan managed to launch itself:
|threat: DPH:Trojan.Encoder.9 ==> send user blocked alert||The user is trying to launch the program; and the anti-virus detects the Trojan and displays a corresponding notification.|
|threat: DPH:Trojan.Encoder.9 ==> send user blocked alert||Another launch attempt!|
A few more attempts to launch the Trojan followed until the user decided that since the anti-virus wouldn't let them start the program, they would be better off disabling it.
We have to deal with over a dozen incidents like this every day!
The Anti-virus Times recommends
- Protect the settings of your desktop anti-virus with a password—this will prevent other users from disabling it.
- If the anti-virus is managed remotely over a control center, never grant users permission to disable the application.
- Block access to files and folders that users aren't supposed to use under their accounts (the accounts under which a Trojan could potentially be launched).