Can I use EventSentry to deploy a kill file or vaccine for stopping ransomware/viruses such as Petya/NotPetya?

Article ID: 354
Category: Security
Applies to: 2.93 and later
Updated: 2018-11-07

Yes, this only takes a few minutes to configure.

  1. Use the EventSentry console toolbar and click Tools > Embedded Scripts

  2. Make a new script and give it a name that ends with .bat, such as blockpetya.bat

  3. Select the new script and create its contents on the right. Paste this line: if not exist "%systemroot%\perfc." echo > %systemroot%\perfc

  4. Click OK to close the Embedded Scripts menu, and click Home > Save in the toolbar

  5. Make a new System Health package and right-click it, choose Add > Application Scheduler

  6. Select Application Scheduler and then click the + button in its settings on the right

  7. Choose a schedule for how often you'd like to ensure the kill file exists (e.g. every 24 hours). Then select the name of your Embedded Script in the filename drop-down, choose Local in the isolation mode drop-down at the bottom, and click OK

  8. Right-click your new System Health package again and either choose Global to run it on all of your agents, or choose Assign Package and select the groups/machines you'd like to run it on

  9. Click Home > Save in the toolbar, and then push your new settings (Groups > Push Configuration > Go) and then restart the agent services to generate the script (Groups > Other Actions / Restart > Go)

  10. If you need to create a kill file that has a file extension, here is an example of your script:
    if not exist "c:\windows\virus.sys" echo > "c:\windows\virus.sys"

    If you need to create a specific folder to act as a kill file, here is an example of your script:
    if not exist "c:\windows\virusfolder" md "c:\windows\virusfolder"
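The one-line scripts above can be combined into a single Embedded Script that creates every kill file and folder, marks the files read-only, and returns a non-zero exit code when something could not be created so the scheduled run can be monitored. This is an added example, not part of the original article; it uses %systemroot% for all paths, and virus.sys and virusfolder are placeholder names standing in for whatever a given malware family checks for.

```batch
@echo off
REM Added example (not from the original article): creates all kill files and
REM folders from the steps above in one pass and makes the files read-only.
REM virus.sys and virusfolder are placeholder names; replace them as needed.
setlocal
set "MISSING=0"

REM Extensionless kill file (the name NotPetya checks for). The trailing dot in the
REM test makes cmd look for exactly "perfc" with no extension. "type nul" creates an
REM empty file, whereas "echo >" would write the text "ECHO is off." into it.
if not exist "%systemroot%\perfc." type nul > "%systemroot%\perfc"
if exist "%systemroot%\perfc." (attrib +R "%systemroot%\perfc") else (set "MISSING=1")

REM Kill file that has an extension (placeholder name).
if not exist "%systemroot%\virus.sys" type nul > "%systemroot%\virus.sys"
if exist "%systemroot%\virus.sys" (attrib +R "%systemroot%\virus.sys") else (set "MISSING=1")

REM Kill folder (placeholder name). The trailing backslash tests for a directory.
if not exist "%systemroot%\virusfolder\" md "%systemroot%\virusfolder"
if not exist "%systemroot%\virusfolder\" set "MISSING=1"

REM A non-zero exit code lets the scheduled run be flagged when creation failed,
REM e.g. because the agent lacks write access to %systemroot%.
if "%MISSING%"=="1" (
    echo ERROR: one or more kill files or folders could not be created
    endlocal
    exit /b 1
)
echo All kill files and folders are present.
endlocal
exit /b 0
```

Because the files are created only when absent and then set read-only, re-running the script on every schedule interval is harmless.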