Endpoint Protection Small Business Edition


Attack: Ransom.Gen Activity 22

  • 1.  Attack: Ransom.Gen Activity 22

    Posted Jun 18, 2018 01:07 PM

    Hi there, I'm receiving this alert at least 40 times a week (weekends the most). It seems to be an internal issue, as I'm behind a firewall and both the attacker and the target are part of the network. I really appreciate comments and support.

    Luis


    A high-risk intrusion was detected on PC within group Default Group on 6/18/2018 11:44:59 AM.
    IPS Alert Name
    Attack: Ransom.Gen Activity 20
    Status
    Blocked
    Attack Signature
    N/A
    Targeted Application
    N/A
    Targeted IP
    192.168.1.2
    Targeted Port Number
    445
    Targeted Host Name
    SERVER


  • 2.  RE: Attack: Ransom.Gen Activity 22

    Posted Jun 18, 2018 05:29 PM

    Have you taken the attacking computer offline and performed analysis to determine what is going on with it? That is an internal IP address, which seems to be infected and attempting to spread to other internal machines.



  • 3.  RE: Attack: Ransom.Gen Activity 22

    Posted Jun 18, 2018 09:21 PM

    Hi Brian, well, I have done trillions of scans on those machines (because it is not only one) but nothing is detected; nevertheless, they are online. I've never done the scan offline.

    Thanks



  • 4.  RE: Attack: Ransom.Gen Activity 22

    Posted Jun 18, 2018 09:26 PM

    Hi Brian, I've done trillions of full scans on those computers (cuz it is not only one) and nothing is detected. Nevertheless, they were online when I scanned them; even Symantec triggers a full scan after the blocking event. Does it make a difference having done the scan online?

    Many thanks

    Luis 



  • 6.  RE: Attack: Ransom.Gen Activity 22

    Posted Jun 20, 2018 07:46 AM

    Try disabling SMBv1 and SMBv2 on machine.



  • 7.  RE: Attack: Ransom.Gen Activity 22

    Posted Jun 26, 2018 07:47 PM

    Hi, am getting this too, ran a million scans, nothing.

    same scenario as Luis 



  • 8.  RE: Attack: Ransom.Gen Activity 22

    Posted Jul 25, 2018 04:57 PM

    Same. Nothing gets picked up from scanning. Ransom.Gen Activity 22 seems to fly under SEP's radar.



  • 9.  RE: Attack: Ransom.Gen Activity 22

    Posted Jul 31, 2018 10:04 AM

    I have the same issue besides "Attack: Ransom.Gen Activity 20"... and nothing detected even after a full scan.



  • 10.  RE: Attack: Ransom.Gen Activity 22

    Posted Aug 06, 2018 06:56 AM

    Same here. Attack mails with:

    Attack: Ransom.Gen Activity 22

    arrive every 16 minutes. The network traffic (especially shares) is blocked. A full scan with Symantec and other AVs doesn't show any malware.

    Regards



  • 11.  RE: Attack: Ransom.Gen Activity 22

    Posted Aug 16, 2018 07:21 AM

    Just to understand: here your machine is not infected, but some other machine is infected and is trying an IPS attack on your machine. Your SEP client is blocking the attacks and a notification is generated on your machine.

    Now, to get the original source machine of the attack, you can refer to either the client or server logs for details.

    For detailed steps please refer to https://www.symantec.com/connect/articles/trace-smb-double-pulsar-attack-source-machines
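
    As an added example (not code from this thread or from Symantec), a small Python triage script that parses notifications in the layout quoted in the first post, counts hits per signature and target, and measures the cadence the thread describes (a fixed interval, mostly at weekends), which is what you would want in hand before going through the client or server logs for the source machine. The sample notifications are constructed, and the alternating label/value layout is assumed to be stable.

```python
import re
import statistics
from collections import Counter
from datetime import datetime

# Header line of each notification, in the layout quoted in the thread's first post.
HEADER = re.compile(r"A high-risk intrusion was detected on (?P<pc>.+?) within group (?P<group>.+?) "
                    r"on (?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\.")

def _notification(pc, when, name, target_ip, port, host):
    """Render one constructed alert in that layout (sample input, not real SEP output)."""
    return (f"A high-risk intrusion was detected on {pc} within group Default Group on {when}.\n"
            f"IPS Alert Name\n{name}\nStatus\nBlocked\nAttack Signature\nN/A\n"
            f"Targeted Application\nN/A\nTargeted IP\n{target_ip}\n"
            f"Targeted Port Number\n{port}\nTargeted Host Name\n{host}\n")

# Constructed sample: four hits 16 minutes apart on a Saturday, one more on the Monday.
SAMPLE_TEXT = "".join(
    _notification("PC", w, "Attack: Ransom.Gen Activity 22", "192.168.1.2", "445", "SERVER")
    for w in ("6/16/2018 11:00:00 AM", "6/16/2018 11:16:00 AM", "6/16/2018 11:32:00 AM",
              "6/16/2018 11:48:00 AM", "6/18/2018 11:44:59 AM"))

def parse_alerts(text):
    """One dict per notification; after the header line, label and value lines alternate."""
    alerts = []
    for block in re.split(r"(?=A high-risk intrusion was detected)", text):
        m = HEADER.match(block.strip())
        if not m:
            continue
        rec = {"pc": m.group("pc"),
               "when": datetime.strptime(m.group("when"), "%m/%d/%Y %I:%M:%S %p")}
        lines = [ln.strip() for ln in block.strip().splitlines()[1:] if ln.strip()]
        rec.update(zip(lines[0::2], lines[1::2]))
        alerts.append(rec)
    return alerts

def triage(alerts):
    """Count hits per signature/target and measure cadence: a steady interval and weekend
    clustering point to an automated internal source; port 445 targets are SMB shares."""
    times = sorted(a["when"] for a in alerts)
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
    return {
        "by_target": Counter((a["IPS Alert Name"], a["Targeted Host Name"],
                              a["Targeted IP"], a["Targeted Port Number"]) for a in alerts),
        "median_gap_min": statistics.median(gaps) if gaps else None,
        "weekend_share": sum(t.weekday() >= 5 for t in times) / len(times) if times else 0.0,
        "smb_targets": sorted({a["Targeted IP"] for a in alerts if a["Targeted Port Number"] == "445"}),
    }
```

Feed it the notification e-mails concatenated into one text; a median gap of exactly 16 minutes and a high weekend share, as in the reports above, are what you would expect from a scheduled or worm-driven scanner rather than a person.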



  • 12.  RE: Attack: Ransom.Gen Activity 22

    Posted Dec 06, 2018 01:00 PM

    After recovering from a recent ransomware attack ourselves, we continued to get the Ransom.Gen Activity 22 message from some of our users. The attack originally came through a standard user profile so when we originally restored from backup, there were some nested folders which appeared to be unaffected.

    Example - The files within (Share)\Employees\John were not affected due to the elevated privileges for the John Folder. When I had restored, I left the John folder and the Employees folder, but deleted/restored all of the other file folders which contained files that had been encrypted.

    Suspected solution: I think I was able to resolve the issue on our end by creating a new "Employees" folder, moving everything to the new folder and deleting the old. Try to replace any folders which may have been affected in addition to files.

    Alternate solution: During the process, I also ended up reassigning permission values to all of the shared folders. This may have inadvertently fixed the issue on our end.

    I hope this helps someone else. If someone finds that they can reproduce these results, please respond. Thanks!