Jump to content

HEUR:Trojan.Multi.Crypmod.gen - Blocked on fileserver KES11


Recommended Posts

Hello, On our Windows 2019 fileserver there was a "HEUR:Trojan.Multi.Crypmod.gen" blocked according to the KSC10 administration server Threats Report. Path to file : System Result: Blocked: HEUR:Trojan.Multi.Crypmod.gen User: DOMAIN_XXX\USERNAME_XXX (Initiator) Object: System Reason: Dangerous action Database release date: 9/​23/​2019 3:56:00 AM Remote session: 0x1e08736c Remote host: - (192.168.0.xxx) Looking in the KES11 "Reports\Behavior Detection" on the File Server i can see the following. 9/23/2019 4:48:27 PM Malicious object detected External application DOMAIN_XXX\USER_XXX Detected: HEUR:Trojan.Multi.Crypmod.gen External application Behavior analysis Application: External application User: DOMAIN_XXX\USER_XXX (Initiator) Remote session: 0x1e08736c Remote host: - (192.168.0.xxx) Component: Behavior Detection Result: Detected: HEUR:Trojan.Multi.Crypmod.gen Object: External application Reason: Behavior analysis Database release date: 9/23/2019 3:56:00 AM 9/23/2019 4:48:27 PM Blocked External application DOMAIN_XXX\USER_XXX Blocked: HEUR:Trojan.Multi.Crypmod.gen External application Dangerous action Application: External application User: DOMAIN_XXX\USER_XXX (Initiator) Remote session: 0x1e08736c Remote host: - (192.168.0.xxx) Component: Behavior Detection Result: Blocked: HEUR:Trojan.Multi.Crypmod.gen Object: External application Reason: Dangerous action Database release date: 9/23/2019 3:56:00 AM Unfortunately i cannot find much more then this in the Kaspersky logging and cannot find anything at all about this in the KES11 logging on the Users computer. I've scanned all our Servers and every client computer in our company and found nothing, what i do know is the this user used a private USB stick to print some pictures for his kids birthday, this USB stick was placed in his (up to date) Windows 10 computer but was also placed in the Ricoh printer itself, a device that i cannot scan. Fortunately it looks like the program was halted before it could do anything and since this happened we did not detect anything strange on our network or our computers. But the lack of information bothers me, especially because the users client computer has no logging of this issue at all, is there any way i can find out more about this Trojan.Multi.Crypmod.gen or get more useful logging from KES or from KSC..?
Link to comment
Share on other sites

Hi, thank you Nikolay for your answer, it's to bad the there isn't more information available, especially because i still have no clue as to how this got to my FileServer, apparently from a client computer sure but that client computer itself didn't detect anything and they both use the same KES11 installation. The only other way i could have spread to the FileServer would be that it spread though a Ricoh network multicopier, and that would be very bad cause if that would be the case, because it could stay undetected and possibly untreated on that device for a long time.
Link to comment
Share on other sites

  • 1 month later...

Hello.  I have the same exact threat on one of my storage servers.  Have no idea where this action comes from and need to find out what to do besides running full scans.  This user is outside of our company and I am assuming tried to do something that was not allowed during a remote session and was blocked.  I need to know what triggers this and what to do to correct it.

 

Thank you

 

Link to comment
Share on other sites

  • 1 month later...

I have the exact same detection, but using Kaspersky Anti-Ransomware Tool for Business, and it gives me even LESS information about it:

No other AV solution tested here detected this… Maybe it’s a Kaspersky engine bug?

Link to comment
Share on other sites

  • 11 months later...

Hello everyone.

I have the same detection too. It’s in portuguese-Brazil language:

 

Detection:

Resultado:     Detectado: HEUR:Trojan.Multi.Crypmod.gen
Usuário:     DOMAIN\username (Iniciador)
Objeto:     System
Motivo:     Análise de comportamento
Data da versão do banco de dados:     08/01/2021 11:06:00
Sessão remota:     0x54ee8339
Host remoto:     10.10.10.29

 

Not neutralized

Resultado:     Não neutralizado: HEUR:Trojan.Multi.Crypmod.gen
Usuário:    DOMAIN\username (Iniciador)
Objeto:     System
Sessão remota:     0x54ee8339
Host remoto:     10.10.10.29

 

Does it have a solution? I tried Kaspersky Support but they don’t helped so much.

Link to comment
Share on other sites

  • 8 months later...
  • 11 months later...

Bom dia,

Sou novo nesse mudo do Kaspersky, obtive a mesma informação que acabei de ler acima, saberia me informar se já teve alguma solução deste caso, ou o que posso está fazendo para mitigar essa ameaça no meu ambiente?

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share



×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.