This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Wannacry - Intercept X Standalone - Windows 10

StevenOsterwald over 6 years ago

Hello,

I installed the following VM (VmWare WOrkstation 12) today:

- Windows 10 x64 Pro 1703

- Intercept X Standalone

- Windows Defender disabled

- Firewall Windows active (no additional rules)

I then created a few textfiles in C:\Users\user\Documents\ and started wannacry. https://www.virustotal.com/en/file/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa/analysis/1499255455/

The ransomware went trough without any propblem and encrypted the files. Now I wonder if I did something wrong (I hope so!) or if Interceptor is useless at this point.

If more info is needed please let me know.

Greetings

This thread was automatically locked due to age.

Parents

0 TheChaves over 6 years ago

At first glance it does not look like Intercept X correctly installed as it should have been listed as "Installed" in the top right screenshot.

If you click the Run diagnostic tool button you should see the endpoint self help tool. Check to confirm that in the installed components section you see HitmanPro Alert as installed. If this is missing I suspect it's failing to download 100% from sophos and onsite web filtering would be the culprit!
Cancel
Vote Up 0 Vote Down

Cancel
0 StevenOsterwald over 6 years ago in reply to TheChaves

THank you TheChaves for your answer,

I restarted the VM and updated Sophos Intercept, let it run the Diagnostic Tool and restarted the VM and then ran Wannacry.

Unfortunately nothing changed.
Cancel
Vote Up 0 Vote Down

Cancel
0 TheChaves over 6 years ago in reply to StevenOsterwald

Is the only data you placed on to the VM .txt files only? This may not be enough for Intercept to detect so I encourage you to test again with a mixture of file types that would be attacked in a real world scenario...copy some images, rtf files, office documents, pdf's, etc...

Then test again.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 TheChaves over 6 years ago in reply to StevenOsterwald

Is the only data you placed on to the VM .txt files only? This may not be enough for Intercept to detect so I encourage you to test again with a mixture of file types that would be attacked in a real world scenario...copy some images, rtf files, office documents, pdf's, etc...

Then test again.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 StevenOsterwald over 6 years ago in reply to TheChaves

That worked much better now. I created around 2000 junk files in the usual folders (Downloads, Documents, Pictures) and only 4 of those got encrypted. Just out of curiosity I sent the Ransomware trough Shellter and compiled it again. Intercept stopped it again after 4 files. Thank you The Chaves for the help.
Cancel
Vote Up 0 Vote Down

Cancel
0 TheChaves over 6 years ago in reply to StevenOsterwald

Glad to hear it was able to stop the encryption event for you Steven!
Cancel
Vote Up 0 Vote Down

Cancel
0 Whatever Whatever over 6 years ago in reply to StevenOsterwald

Unfortunately for you, this is not how Shellter is used, but then who cares reading some manual?

At least you and Chaves are happy. :)

Good luck
Cancel
Vote Up 0 Vote Down

Cancel
0 StevenOsterwald over 6 years ago in reply to Whatever Whatever

It did the job for me. Shellter changed the file and therefore the checksum and added some logic and whatnot. The goal was to make it look like a different file. Do I have to use a tool to its full extent if I do not need to? Seems like you did not care to read my previous posts.
Cancel
Vote Up 0 Vote Down

Cancel
0 Whatever Whatever over 6 years ago in reply to StevenOsterwald

OK...let me repeat.

This is not how Shellter is used!

That means you used the tool in a totally wrong way.

RTFM!

Cheers
Cancel
Vote Up 0 Vote Down

Cancel