[bacon@oddwallps.com].java Ransomware

I recently moved into using ITSM for all my customers (only Windows PCs). I installed the client a month ago. Today a client told me that the system is unresponsive.
I checked the pc and saw that this system has been infected with [bacon@oddwallps.com].java Ransomware.
1st: Is this a known ransomware virus that the client should have detected?
2nd: Can I clean the system with ITSM?
3rd: How can I configure ITSM so that it will detect this kind of virus?
This client now already lost her confidence in this product.

Hope somebody can shine a light on this.

Hello @ailan,

We appreciate you bringing this issue to our attention. To properly answer your concern, we will coordinate with you via support ticket to further analyze how the virus got onto the device and provide the proper solution to remove the said malware. Thank you.

@ailan Becoming infected with ransomware while protected by Comodo would suggest you have configured the protection wrongly.

Hi nct,
Can you specify which module or setting I should address for this (read Ransomware in general)?
I have the profile set with the default settings: Containment is ON, HIPS is OFF, Antivirus is ON, File Rating is ON (with cloud lookup), Firewall is ON, VirusScope is ON and Valkyrie is ON.

Thanks

Have you added any exclusions to the policy?

I would advise calling support and speaking to L2. You shouldn’t generally need to exclude mapped drives; this is likely to be the source of the infection.

Thanks for the suggestion.

But how could that be? The programs are executed locally, and if an infected file comes from the internet, a shared file or anywhere else, it should trigger the scanner. All the files on the mapped network shares should be clean, because only scanned and clean files can be placed on these shares.
And should that be the case, that it’s coming from the excluded network shares, then I should detect these files when scanning manually:
I’ve scanned the files, local and on network shares, with the client and no infected files were detected.

So, I think that there’s more to it than only the exclusions.

If you have more suggestions which settings could prevent these infections I’m all ears.
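A manual scan of the shares coming back clean is consistent with what this ransomware leaves behind: the encrypted documents are not malicious code, so a signature scanner has nothing to flag in them, and only the rename suffix (`.[bacon@oddwallps.com].java`) reveals which files were hit. The following script is an added example, not part of this thread or of Comodo’s tooling; it inventories already-encrypted files by that rename pattern so the blast radius across local disks and mapped shares can be scoped. The regex generalises the contact address to any `[address]` in brackets (an assumption), the `SAMPLE_PATHS` list is constructed for illustration, and `walk_tree` is a helper for running it against a real directory.

```python
import os
import posixpath
import re
from collections import Counter

# Rename pattern reported in this thread: "<file>.<ext>.[bacon@oddwallps.com].java".
# The contact address is generalised to any "[address]" in square brackets (assumption).
RANSOM_SUFFIX = re.compile(r"\.\[(?P<contact>[^\]\s@]+@[^\]\s]+)\]\.java$", re.IGNORECASE)


def is_encrypted_name(name):
    """True if the filename carries the ransomware's rename suffix."""
    return RANSOM_SUFFIX.search(name) is not None


def original_name(name):
    """Strip the suffix to recover the name the file had before encryption."""
    return RANSOM_SUFFIX.sub("", name)


def scope_impact(paths):
    """Summarise encrypted files from an iterable of paths (forward-slash separators).

    Returns the total count, a per-directory Counter, a Counter of the original
    extensions, and the set of contact addresses embedded in the suffixes.
    """
    by_dir, by_ext, contacts = Counter(), Counter(), set()
    total = 0
    for path in paths:
        name = posixpath.basename(path)
        match = RANSOM_SUFFIX.search(name)
        if match is None:
            continue  # untouched file, or a legitimate .java source file
        total += 1
        by_dir[posixpath.dirname(path)] += 1
        ext = posixpath.splitext(original_name(name))[1].lower() or "(none)"
        by_ext[ext] += 1
        contacts.add(match.group("contact").lower())
    return {
        "encrypted_total": total,
        "by_directory": by_dir,
        "by_original_ext": by_ext,
        "contact_addresses": contacts,
    }


def walk_tree(root):
    """Yield every file under root, normalised to forward slashes, for scope_impact()."""
    for dirpath, _, files in os.walk(root):
        for filename in files:
            yield os.path.join(dirpath, filename).replace(os.sep, "/")


# Constructed sample paths (not real data): a share where three directories were hit.
SAMPLE_PATHS = [
    "/srv/share/finance/budget.xlsx.[bacon@oddwallps.com].java",
    "/srv/share/finance/report.docx.[bacon@oddwallps.com].java",
    "/srv/share/hr/policies.pdf.[bacon@oddwallps.com].java",
    "/srv/share/hr/README.txt",
    "/srv/share/dev/Main.java",  # ordinary Java source, must not be counted
    "/srv/share/dev/notes.txt.[other@example.invalid].java",
]

if __name__ == "__main__":
    summary = scope_impact(SAMPLE_PATHS)
    print("encrypted files:", summary["encrypted_total"])
    for directory, count in summary["by_directory"].most_common():
        print(f"  {count:5d}  {directory}")
    print("contact addresses seen:", sorted(summary["contact_addresses"]))
```

Run it as `scope_impact(walk_tree("/mnt/share"))` (or a drive letter on Windows) against each mapped share; the per-directory counts show which areas need restoring from backup, and the contact-address set tells you whether one or several campaigns touched the data.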

I’m a reseller of Comodo One and have considerable experience of the product, but L2 support are the guys who need to assist you on this.

Ok. I already have email contact with support.
But in case anyone has a suggestion on how to counter this ransomware, and what to set in the policy, please post here.
Thanks

Comodo should block ransomware if correctly configured, which is why I suspect your network drive exclusions could be the issue. To quote @melih, the Comodo founder:
“if known bad…Comodo removes…
If known good…Comodo allows…
if Unknown…Comodo runs it in Containment”

What is that icon? That’s not the CCS client I’m used to.

Hi @dittoit,
Yes, it’s Comodo Client - Security v 10.
I checked it on different systems and they are the same.

@nct, yes I also thought that Unknown behaviour and programs would be blocked or put in Quarantine.

Hi @ailan

Sorry to hear about the incident. With proper configuration, you wouldn’t and can’t get infected…

As @nct mentioned, it looks like you have wide exclusion rules. Also, from the logs you shared with support, there are multiple profiles and broken rules on your profiles.

Could you please de-assign all other profiles from your devices and apply only “Optimum Windows Profile for ITSM 6.10” or “Hardened Windows Profile for ITSM 6.10” until you have a training and investigation session with one of our engineers?

Our support team will contact you to schedule the session as soon as possible.

Best regards,
Ilker

Hi Ilker,
Yes I’ll do that.
Regards


Can someone at Comodo explain what the arrows are on the CCS icon?

Thank you @ailan

Hi James,

They are the firewall traffic animation effects. You can turn them on and off from your profile.

https://help.comodo.com/topic-399-1-786-10204-Firewall-Settings-.html

Ilker

We recommend using the hardened profile or customizing the currently used profile. In addition, do not forget to enable VirusScope not only for applications in Containment, and enable command-line analysis for acrord32.exe and for cmd.exe.
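The command-line analysis recommended above exists because a PDF reader has no business launching a command shell; that parent/child relationship is the same signal a detection rule looks for in endpoint process-creation telemetry. The script below is an added example written for this thread, not Comodo code, and it runs that check over constructed process-creation events. The watched parent and child sets are assumptions seeded from the two executables named in the post (acrord32.exe and cmd.exe) and can be extended to other document readers or shells; the event fields (`parent`, `image`, `cmdline`, `pid`) are a hypothetical schema chosen for the example.

```python
import ntpath

# Parent/child pairs this rule flags: the post names acrord32.exe and cmd.exe.
# Both sets are assumptions and can be extended (other readers, powershell.exe, ...).
WATCHED_PARENTS = {"acrord32.exe"}
WATCHED_CHILDREN = {"cmd.exe"}


def image_name(path):
    """Lower-cased basename of a Windows image path (works on any host OS via ntpath)."""
    return ntpath.basename(path).lower()


def is_reader_spawned_shell(event):
    """True when a watched document reader is the direct parent of a watched shell."""
    return (image_name(event["parent"]) in WATCHED_PARENTS
            and image_name(event["image"]) in WATCHED_CHILDREN)


def flag_events(events):
    """Return the subset of process-creation events that match the rule, in input order."""
    return [event for event in events if is_reader_spawned_shell(event)]


# Constructed sample events (hypothetical schema, not real telemetry).
SAMPLE_EVENTS = [
    {   # benign: the reader starts its own updater
        "pid": 1201,
        "parent": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
        "image": r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe",
        "cmdline": "AdobeARM.exe",
    },
    {   # benign: a user opens a shell from Explorer
        "pid": 1202,
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "cmdline": "cmd.exe",
    },
    {   # suspicious: the PDF reader itself spawns cmd.exe
        "pid": 1234,
        "parent": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "cmdline": 'cmd.exe /c "echo test"',
    },
]

if __name__ == "__main__":
    for event in flag_events(SAMPLE_EVENTS):
        print(f"ALERT pid={event['pid']}: {image_name(event['parent'])} "
              f"launched {image_name(event['image'])}: {event['cmdline']}")
```

Feed it whatever process-creation source you have (Sysmon event ID 1 exports, EDR JSON) after mapping the fields onto the `parent`/`image` keys; a hit is worth the same investigation as the rule firing inside the endpoint client, and the benign AdobeARM.exe and Explorer events show why the rule keys on the pair rather than on either executable alone.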