I recently moved into using ITSM for all my customers (only Windows PCs). I installed the client a month ago. Today a client told me that the system is unresponsive.
I checked the pc and saw that this system has been infected with [bacon@oddwallps.com].java Ransomware.
1st: Is this a known ransomware virus that the client should have detected?
2nd: Can I clean the system with ITSM?
3rd: How can I configure ITSM so that it will detect this kind of virus?
This client now already lost her confidence in this product.
We appreciate you bringing this issue to our attention. To properly answer your concern, we will coordinate with you via support ticket to further analyze how the virus got onto the device and provide the proper solution to remove the said malware. Thank you.
Hi nct,
Can you specify which module or setting I should address for this (read Ransomware in general)?
I have the profile set with the default settings: Containment is ON, HIPS is OFF, Antivirus is ON, File rating is ON (with cloud lookup), Firewall is ON, VirusScope is ON and Valkyrie is ON.
I would advise calling support and speaking to L2. You shouldn’t generally need to exclude mapped drives; this is likely to be the source of the infection.
But how could that be? The programs are executed locally, and if an infected file comes from the internet, a shared file, or wherever, it should trigger the scanner. All the files on the mapped network shares should be clean because only scanned and clean files can be placed on these shares.
And should that be the case, that it’s coming from the excluded network shares, then I should detect these files when scanning manually:
I’ve scanned the files, local and on network shares, with the client and no infected files were detected.
So, I think that there’s more to it than only the exclusions.
If you have more suggestions as to which settings could prevent these infections, I’m all ears.
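The post above asks whether the excluded network shares were the entry point, and the manual scan found nothing because encrypted files are not malicious code. An added example (not Comodo/ITSM code, and not from any poster): it inventories files carrying the extension named in the first post, per folder, so an excluded share with many hits stands out during scoping. The directory layout and file names below are constructed.

```python
"""Scope a ransomware incident by counting files renamed with the suffix
reported in the thread. Added example, not Comodo/ITSM code; the marker
string comes from the post, the directory layout is constructed."""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Suffix the ransomware appended to encrypted files, as reported in the thread.
MARKER = "[bacon@oddwallps.com].java"


def find_encrypted(root, marker=MARKER):
    """Return every file under root whose name ends with the ransomware suffix."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(marker):
                hits.append(Path(dirpath) / name)
    return hits


def summarize(root, marker=MARKER):
    """Count encrypted files per directory (relative to root), so a mapped share
    that was excluded from scanning stands out from local folders."""
    root = Path(root)
    counts = Counter(str(p.parent.relative_to(root)) for p in find_encrypted(root, marker))
    return dict(counts)


def build_sample_tree():
    """Create a constructed tree imitating a partially encrypted PC plus a mapped
    share; returns its root path (hypothetical layout, not taken from the thread)."""
    root = Path(tempfile.mkdtemp(prefix="ransom_scope_"))
    layout = {
        "Users/alice/Documents": ["report.docx." + MARKER, "notes.txt." + MARKER, "readme.txt"],
        "Users/alice/Pictures": ["holiday.jpg." + MARKER],
        "Shares/finance": ["budget.xlsx." + MARKER, "q1.xlsx." + MARKER, "q2.xlsx." + MARKER],
        "Windows/System32": ["kernel32.dll"],
    }
    for rel, names in layout.items():
        folder = root / rel
        folder.mkdir(parents=True)
        for name in names:
            (folder / name).write_bytes(b"constructed sample content")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for folder, n in sorted(summarize(sample).items(), key=lambda kv: -kv[1]):
        print(f"{n:4d}  {folder}")
```

Run it against the real root (for example the mapped share letter and `C:\Users`) in place of the constructed tree; folders with the highest counts point to where encryption started or spread furthest.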
Ok. I already have email contact with support.
But in case anyone has a suggestion on how to counter this ransomware, and what to set in the policy, please post here.
Thanks
Comodo should block ransomware if correctly configured, which is why I suspect your network drive exclusions could be the issue. To quote @melih, the Comodo founder:
“if known bad…Comodo removes…
If known good…Comodo allows…
if Unknown…Comodo runs it in Containment”
Sorry to hear about the incident. With proper configuration, you wouldn’t and can’t get infected…
As @nct mentioned, it looks like you have wide exclusion rules. Also, from the logs you shared with support, there are multiple profiles and broken rules on your profiles.
Could you please de-assign all other profiles from your devices and apply only “Optimum Windows Profile for ITSM 6.10” or “Hardened Windows Profile for ITSM 6.10” until you have a training and investigation session with one of our engineers?
Our support team will contact you to schedule the session as soon as possible.
We recommend using the hardened profile or customizing the currently used profile. In addition, do not forget to enable VirusScope not only for Containment applications, and enable command-line analysis for acrord32.exe and for cmd.exe.