SecGuru Posted July 15, 2017 ID:1142967 Share Posted July 15, 2017 Hi, It seems that the anti ransomware in EP does not work well. I tested a powerhell ransomware sample on Windows 10 x64 Enterprise. The PC was fully operational with EP, all modules were included in the policy. However, the files are encrypted. The strange thing is that Malwarebytes 3 (home) and the Anti Ransomware 0.9 module in Entpoint Security, block the script, with these products, the files were not encrypted ?? Please find attached the prinscreens, the file(pw=infected) and the policy settings. https://virustotal.com/en/file/7a6d5ae7d7bc2849ea40907912a27e8aa6c83fafd952168f9e2d43f76881300c/analysis/1500146992/ Has anybody else the same issues? I have tested some other ransomware samples, these were blocked, but not this sample. Readable Msg-j8k5b798d4.zip Link to post Share on other sites More sharing options...
Staff Rsullinger Posted July 17, 2017 Staff ID:1143534 Share Posted July 17, 2017 Hello SecGuru, I am sorry to hear that the EPP client missed that. If the machine is still up, I want to have you collect the endpoint security logs for our team so I can take that (with the file you provided) to them to get tested and fixed. The easiest way to get these logs is to run a command into CMD: C:\Program Files\Malwarebytes Endpoint Agent\MBCloudEA.exe –diag You may need to go to the actual directory to run it so these can help: cd C:\Program Files\Malwarebytes Endpoint Agent\MBCloudEa.exe -diag This will create a zip on the desktop called MBDiagnostics. Link to post Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now