Solved

Is there an application that prevents files in a file server from being encrypted?

Posted on 2015-01-20
258 Views
Last Modified: 2015-01-28
A while back, a user got infected by CryptoLocker and when he went to save a file to the server (he saves everything to the server), it encrypted all the files in that particular directory.  We restored the complete server and there was no harm...  However, we want to prevent similar problems in the future.
Does anyone know if there are any applications that would completely block any encryption tools from running on a file server?

Thanks,

Allie
Question by:TSAdmin8
11 Comments
 
LVL 13

Accepted Solution

by:
Rizzle earned 125 total points
ID: 40560176
What AV have you got in place in your environment?

Also, even some of the best security systems in the world sometimes can't protect you enough, so what we are big on internally is user awareness training when using the web.

We also block .exe or any suspicious-looking attachments, and we prevent our users going to any malicious or dodgy-looking websites by blocking their access to them via a proxy.

Ensure your servers, clients and applications are thoroughly patched.

Look into this utility:
https://www.foolishit.com/vb6-projects/cryptoprevent/
0
 
LVL 1

Author Comment

by:TSAdmin8
ID: 40560215
Hi Roshan,

Thank you for the quick response!
The user contracted it by visiting a valid site that had been hacked.  The whole problem happened within 5 minutes of the user visiting the site.
We use Trend Micro OfficeScan and also have 24x7 monitoring by Alert Logic.  We can catch things very quickly if any threats happen to infiltrate our business.  However, malware and viruses are always evolving and 'all' security companies are always scrambling to find solutions.
We push out all application updates monthly to all clients and servers (and occasionally, when important updates are made available, we also push them to clients and servers outside of our 'normal' update schedule).
We block .exe and many other attachments at our spam firewall and have recently removed many privileges for the majority of our users (the user who got the infection did not have administrative privileges either).
I am willing to buy peace of mind though so I am looking at the app you mentioned!  Thanks!

Thanks,

Allie
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40560231
I think it was just pure luck your user was infected, from what you've said. But apart from the app I've provided you, I would say you're very well protected! Maybe have a word with Trend Micro to ensure they're monitoring these infections; we spoke to Sophos after the outbreak and they reassured us they have the correct preventions in place to ensure their clients are fully protected. Maybe worth getting that reassurance!
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 125 total points
ID: 40560248
Sadly, no. But in theory it's possible: certain document types (the ones most likely to be encrypted) have very rigid header info; a write monitor could intercept disk writes, inspect the header info, and suspend any process that attempts to write a file with a known extension (such as docx) that doesn't conform to that file format.

However, I am not aware of any product that can do this, so there's a gap in the market there....
0
 
LVL 55

Assisted Solution

by:McKnife
McKnife earned 125 total points
ID: 40560990
Be aware that the encryption does not happen at the server, but at the client: malware at the client encrypts the files it finds on network shares the user can access.
At the clients, you should use normal best practices: let them only run approved code. Using whitelists together with AppLocker or software restriction policies effectively fights crypto viruses.

Please note the difference to Roshan's link: that's blacklisting, not whitelisting. Easier to administer, but not 100% effective like whitelisting is.
0
 
LVL 64

Assisted Solution

by:btan
btan earned 125 total points
ID: 40561980
App whitelisting is to be considered if you deem the client machine can be locked down to only user-specific authorised apps. Windows has AppLocker, as well as restricting administrative privileges; for a start, the user cannot be an admin or have that privilege. We are talking of reducing exposure, though these two schemes can be bypassed. In fact, the Australian Govt sees these two as their top few mitigation measures.
http://www.asd.gov.au/publications/protect/application_whitelisting.htm
http://www.asd.gov.au/publications/protect/restricting_admin_privileges.htm

There are other s/w like WinSelect that lock down the browser, almost giving the "kiosk" type setup for these vulnerable clients with high exposure, like shared machines... there is also Anti-Executable to layer another check on top of relying solely on AV.
http://www.faronics.com/en-uk/products/winselect/standard/
http://www.faronics.com/en-uk/products/anti-executable/standard/

Of course, ideally if the client machine can revert back (on each reboot) to its native clean slate (s/w like Deep Freeze), the exposure is very much reduced, but this use case is likely not palatable for end users unless they are in critical work that needs high assurance on the machine even before starting work... some go for VDI and thin clients...

Side note: I am not advocating any specific vendor or s/w, but relying on AV and FW and the traditional means does not serve well against the threat we are seeing. Ransomware variants spawn off speedily, and backup data is just the last resort if a machine gets compromised... we cannot be totally 100% secure or expect to have a silver bullet. We just need to constantly monitor and sharpen our arsenal of tools to stay effective.

Some, in order to fend off ransomware, have written scripts to scan for dropped files to sieve out compromised machines, or to beef up the call-back or beacon checks, e.g. in
http://www.experts-exchange.com/Security/Vulnerabilities/Q_28590936.html#a40533048
http://www.experts-exchange.com/Security/Vulnerabilities/Q_28296044.html#a39654430

Also, a recent one: if you see file extensions with .rlspiam in your Windows Explorer, you are highly likely already infected by a new wave of CryptoLocker.
0
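Combining Dave Howe's header-check idea above with the dropped-file and extension-indicator scanning btan describes, here is an added example (not from any product or post in this thread) of a defender-side scan over a share: it flags files whose extension promises a known format but whose header no longer matches, and files carrying the .rlspiam extension. The magic-byte table and the sample files are constructed assumptions for the demo.

```python
"""Scan a share for two ransomware symptoms: files whose extension promises a
known format but whose header does not match, and files carrying an
extension that is itself an infection indicator."""
import tempfile
from pathlib import Path
from typing import List, Optional

# Expected magic bytes at offset 0 (assumption: our own small table).
MAGIC = {
    ".docx": b"PK\x03\x04",   # OOXML documents are zip containers
    ".pdf": b"%PDF-",
}
# Extensions that should never appear on a healthy file server.
SUSPICIOUS_EXT = {".rlspiam"}

def check_file(path: Path) -> Optional[str]:
    """Return a finding for a suspicious file, or None if it looks normal."""
    ext = path.suffix.lower()
    if ext in SUSPICIOUS_EXT:
        return f"ransomware extension: {path.name}"
    expected = MAGIC.get(ext)
    if expected is None:
        return None           # unknown type: nothing to compare against
    with path.open("rb") as fh:
        head = fh.read(len(expected))
    if head != expected:      # also catches truncated or empty files
        return f"header mismatch for {ext}: {path.name}"
    return None

def scan_tree(root: Path) -> List[str]:
    """Walk the tree and collect findings, sorted for stable reporting."""
    findings = []
    for p in root.rglob("*"):
        if p.is_file():
            finding = check_file(p)
            if finding:
                findings.append(finding)
    return sorted(findings)

def demo() -> List[str]:
    """Constructed sample share: a healthy docx, an 'encrypted' docx whose
    header is gone, and a victim file renamed with the indicator extension."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "report.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 32)
        (root / "budget.docx").write_bytes(bytes(range(200, 248)))  # no zip header
        (root / "notes.txt.rlspiam").write_bytes(b"junk")
        return scan_tree(root)
```

Run against a real share this only detects damage after the fact; the in-line write interception Dave Howe sketches would need a filesystem filter driver, and variants that rename every file still defeat a pure header check, which is why the extension list is checked first.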
 
LVL 1

Author Closing Comment

by:TSAdmin8
ID: 40567025
We are evaluating Cryptoprevent :)
0
 
LVL 64

Expert Comment

by:btan
ID: 40567582
Thanks. Good to take note of this too, as also mentioned for SRP or AppLocker:
Whitelisting:

Whitelisting in CryptoPrevent currently applies to Software Restriction Policies only, it does NOT apply to the Filter Module including Program Filtering.
A whitelist rule may contain environment variables native to Windows, such as %userprofile% or %appdata%
Windows will ignore a whitelist rule containing wildcards if a more specific blacklist rule is in effect, which with CryptoPrevent rules is almost always the case.
http://www.foolishit.com/vb6-projects/cryptoprevent/technical-information/
0
 

Expert Comment

by:sbukovic
ID: 40574570
You will need a multi-layered security approach.  Hardened endpoints against CIS standards, MS Security Configuration Manager baseline templates, etc...  Software Restriction Policies are a MUST; I really like https://www.foolishit.com/vb6-projects/cryptoprevent/ as mentioned in a previous response.  Basically, you need to ensure that you restrict executables etc. from running from temporary download space and restrict browsers from being able to execute scripts hosted on compromised websites.  Reputable antivirus with web analytics technology built in is important; not Microsoft Security Essentials or Forefront; stick with vendors like Sophos, Trend, Intel Security, or Symantec.  Implement a good web proxy technology like Websense, Barracuda, WatchGuard, or something that utilizes their intelligence feeds.

The best thing you can really do is ensure that the workstations are adequately hardened.  End user security awareness can go pretty far, if they listen, but without a good layered endpoint protection strategy no amount of security awareness will help.
0
 
LVL 1

Author Comment

by:TSAdmin8
ID: 40575201
Hi Sbukovic,
We do have a multi-layered approach already!  We use Barracuda, Trend, have blacklisted executables, etc.  The best part of our security scheme is AlertLogic!  They monitor your incoming and outgoing traffic and catch anything suspicious within 1 - 5 minutes of the activity starting!  It is an expensive service but definitely worth it!  I just wanted to add, as I think that in combination with everything else, AlertLogic is a very valuable tool (too many crooks out there).  In truth, AlertLogic did catch the activity (when the user whose files got locked was infected), but by the time we got an email and phone call, and literally ran to the user's workstation to disconnect it, it was too late and a few files had been encrypted.
Thankfully we also have a good backup scheme, so all the files were recovered promptly!
CryptoPrevent had me download the full version and we are currently testing it against all of our existing software so that we can make exceptions!  I have to add that I enjoyed talking to them and they seem to be spot on regarding their product and possible interference with other valid software!  I will post later to let everyone know more about it!
Thanks everyone for the great responses!
0
 
LVL 64

Expert Comment

by:btan
ID: 40575227
Nice, folks. No security silver bullet or perfect security; defence in depth is not only about different solutions, as all have verbalized in this forum clearly; it is to best help the blue team reduce windows of exposure and close the gap timely. Not "if" an incident happens but "when" it does, what are we going to do about it. You may also want to consider EMET, though it may not be ransomware- or cryptoware-centric.
0
