  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 274

Is there an application that prevents files in a file server from being encrypted?

A while back, a user got infected by CryptoLocker and when he went to save a file to the server (he saves everything to the server), it encrypted all the files in the particular directory.  We restored the complete server and there was no harm...  However, we want to prevent similar problems in the future.
Does anyone know if there are any applications that would completely block any encryption tools from running on a file server?

Thanks,

Allie
Asked by TSAdmin8
4 Solutions
 
Rizzle commented:
What AV have you got in place in your environment?

Also, even some of the best security systems in the world sometimes can't protect you enough, so what we are big on internally is user awareness training when using the web.

We also block .exe or any suspicious looking attachments, we prevent our users going to any malicious or dodgy looking websites by blocking their access to them via a proxy.

Ensure your servers, clients and applications are thoroughly patched.

Look into this utility:
https://www.foolishit.com/vb6-projects/cryptoprevent/
 
TSAdmin8 (Author) commented:
Hi Roshan,

Thank you for the quick response!
The user contracted it by visiting a valid site that had been hacked.  The whole problem happened within 5 minutes of the user visiting the site.
We use Trend Micro OfficeScan and also have 24 x 7 monitoring by AlertLogic.  We can catch things very quickly if any threats happen to infiltrate our business.  However, malware and viruses are always evolving and 'all' security companies are always scrambling to find solutions.
We push out all application updates monthly to all clients and servers (and occasionally when important updates are made available, we also push them to clients and servers outside of our 'normal' update schedule).
We block .exe and many other attachments at our spam firewall and recently have removed many privileges for the majority of our users (the user who got the infection did not have administrative privileges either).
I am willing to buy peace of mind though so I am looking at the app you mentioned!  Thanks!

Thanks,

Allie
 
Rizzle commented:
I think it was just pure luck your user was infected, from what you've said. But apart from the app I've provided you, I would say you're very well protected! Maybe have a word with Trend Micro to ensure they're monitoring these infections; we spoke to Sophos after the outbreak and they reassured us they have the correct preventions in place to ensure their clients are fully protected. Maybe worth getting that reassurance!
 
Dave Howe commented:
Sadly, no. But in theory it's possible: certain document types (the ones most likely to be encrypted) have very rigid header info; a write monitor could intercept disk writes, inspect the header info, and suspend any process that attempts to write a file with a known extension (such as docx) that doesn't conform to that file format.

However, I am not aware of any product that can do this, so there's a gap in the market there....
 
McKnife commented:
Be aware that the encryption does not happen at the server, but at the client: malware at the client encrypts the files it finds on network shares the user can access.
At the clients, you should use normal best practices: let them only run approved code. Using whitelists together with AppLocker or software restriction policies effectively fights crypto viruses.

Please note the difference from Roshan's link: that's blacklisting, not whitelisting. Easier to administer, but not 100% effective like whitelisting is.
 
btan (Exec Consultant) commented:
App whitelisting is to be considered if you deem the client machine can be locked down to only user-specific authorised apps. Windows has AppLocker, as well as restricting administrative privileges; for a start, a user cannot be admin or have that privilege. We are talking of reducing exposure, though these two schemes can be bypassed. In fact, the Australian Govt sees these two as their top few mitigation measures.
http://www.asd.gov.au/publications/protect/application_whitelisting.htm
http://www.asd.gov.au/publications/protect/restricting_admin_privileges.htm

There is other s/w like WinSelect that locks down the browser, almost having the "kiosk" type for these vulnerable clients with high exposure like shared machines... There is also Anti-Executable to layer another check on top of relying solely on AV only.
http://www.faronics.com/en-uk/products/winselect/standard/
http://www.faronics.com/en-uk/products/anti-executable/standard/

Of course, ideally if the client machine can revert back (on each reboot) to its native clean slate (s/w like Deep Freeze), the exposure is very much reduced, but this use case is likely not palatable for end-users unless they are in a critical workplace that needs high assurance on the machine even before starting work... some go for VDI and thin clients...

Side note: I am not advocating any specific vendor or s/w, but relying on AV and FW and the traditional means does not serve well against the threat we are seeing. Ransomware variants spawn off speedily; backup data is just the last resort if a machine gets compromised... We cannot be totally 100% secure or expect to have a silver bullet. We just need to constantly monitor and sharpen our arsenal of tools to stay effective.

Some, in order to fend against ransomware, have written scripts to scan for dropped files to sieve out compromised machines, or to beef up the call-back or beacon detection, e.g. in
http://www.experts-exchange.com/Security/Vulnerabilities/Q_28590936.html#a40533048
http://www.experts-exchange.com/Security/Vulnerabilities/Q_28296044.html#a39654430

Also, a recent one: if you see file extensions with .rlspiam in your Windows Explorer, you are highly likely already infected by the new wave of CryptoLocker.
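Dave Howe's header-check idea above and btan's notes on scripts that scan for dropped files and on the .rlspiam extension describe the same detection from the file-server side: a file that still carries a known document extension but no longer starts with that format's header, or a file carrying an extension a ransomware family appends. The Python script below is an added example, not code from the thread or from any vendor named in it. It walks a directory tree read-only, flags both cases, and then reports directories where several such files cluster, since one odd file is usually a corrupt or misnamed document while a whole directory of them is the pattern the original poster described. The magic-number table, the extensions beyond .rlspiam, and the sample share it builds in a temp directory are constructed for the example.

```python
"""Scan a directory tree for files that look ransomware-encrypted.

Added example for the thread above (not the thread's or any vendor's code).
Two read-only checks, both from the detection side:
  1. known ransomware extensions (the thread names .rlspiam);
  2. extension/header mismatch: document types with rigid headers
     (docx/xlsx/pptx are ZIP containers, PDF starts with %PDF-, ...)
     whose leading bytes no longer match, which is what a freshly
     encrypted copy looks like.
"""
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path, PurePosixPath
from typing import Dict, List, Optional, Tuple

# Expected leading bytes (magic numbers) per extension. These are the
# well-known values; the table is deliberately small and easy to extend.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAGIC: Dict[str, Tuple[bytes, ...]] = {
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",), ".pptx": (b"PK\x03\x04",),
    ".zip": (b"PK\x03\x04",),
    ".doc": (OLE2,), ".xls": (OLE2,), ".ppt": (OLE2,),
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Extensions appended by ransomware. ".rlspiam" is the one named in the
# thread; the other two are placeholders for a locally maintained list.
RANSOM_EXTENSIONS = {".rlspiam", ".encrypted", ".locked"}


def classify(name: str, head: bytes) -> Optional[str]:
    """Verdict for one file given its name and first bytes, or None if fine."""
    ext = Path(name).suffix.lower()
    if ext in RANSOM_EXTENSIONS:
        return "ransom-extension"
    expected = MAGIC.get(ext)
    if expected is None or len(head) == 0:
        # Unknown type, or an empty file (an Office app may leave one briefly).
        return None
    if not any(head.startswith(magic) for magic in expected):
        return "header-mismatch"
    return None


def scan(root: Path) -> List[Tuple[str, str]]:
    """Walk root read-only; return sorted (relative_path, verdict) pairs."""
    findings: List[Tuple[str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                with open(path, "rb") as fh:
                    head = fh.read(16)  # enough for every magic above
            except OSError:
                continue  # unreadable or vanished mid-scan: skip, never abort
            verdict = classify(name, head)
            if verdict:
                findings.append((path.relative_to(root).as_posix(), verdict))
    return sorted(findings)


def suspicious_dirs(findings: List[Tuple[str, str]], threshold: int = 2) -> List[str]:
    """Directories holding at least `threshold` findings ("." is the root)."""
    per_dir = Counter(str(PurePosixPath(rel).parent) for rel, _ in findings)
    return sorted(d for d, n in per_dir.items() if n >= threshold)


# Constructed sample share: valid files, one empty file, and a subdirectory
# holding what encrypted copies look like (fixed bytes so the run is deterministic).
CIPHERTEXT_LIKE = bytes(range(0x8F, 0x9F))  # 16 bytes matching no magic above
SAMPLE_FILES: Dict[str, bytes] = {
    "good.docx": b"PK\x03\x04" + b"\x00" * 28,
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "notes.txt": b"plain text, no header rule\n",
    "empty.docx": b"",
    "enc/budget.xlsx": CIPHERTEXT_LIKE,
    "enc/memo.docx": CIPHERTEXT_LIKE,
    "enc/plan.pdf.rlspiam": CIPHERTEXT_LIKE,
}


def demo() -> Tuple[List[Tuple[str, str]], List[str]]:
    """Build the sample share in a temp dir, scan it, clean up, return results."""
    base = Path(tempfile.mkdtemp(prefix="share-"))
    try:
        for rel, content in SAMPLE_FILES.items():
            target = base / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        findings = scan(base)
        return findings, suspicious_dirs(findings)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    found, dirs = demo()
    for rel, verdict in found:
        print(f"{verdict:16} {rel}")
    print("directories to isolate and restore:", dirs)
```

Point `scan()` at a mounted share or a restored backup to use it on real data. It runs after the fact rather than intercepting writes as the monitor Dave Howe describes would, so its place is beside the backups and share-level alerting already discussed: a scheduled run that turns "a few files got encrypted" into a list of exactly which directories to restore and which client to pull off the network.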
 
TSAdmin8 (Author) commented:
We are evaluating Cryptoprevent :)
 
btan (Exec Consultant) commented:
Thanks. Good to take note of this too, as also mentioned for SRP or AppLocker.
Whitelisting:

Whitelisting in CryptoPrevent currently applies to Software Restriction Policies only, it does NOT apply to the Filter Module including Program Filtering.
A whitelist rule may contain environment variables native to Windows, such as %userprofile% or %appdata%.
Windows will ignore a whitelist rule containing wildcards if a more specific blacklist rule is in effect, which with CryptoPrevent rules is almost always the case.
http://www.foolishit.com/vb6-projects/cryptoprevent/technical-information/
 
sbukovic commented:
You will need a multi-layered security approach.  Hardened endpoints against CIS Standards, MS Security Configuration Manager baseline templates, etc.  Software Restriction Policies are a MUST; I really like https://www.foolishit.com/vb6-projects/cryptoprevent/ as mentioned in a previous response.  Basically, you need to ensure that you restrict executables etc. from running from temporary download space and restrict browsers from being able to execute scripts hosted on compromised websites.  Reputable antivirus with web analytics technology built in is important, not Microsoft Security Essentials or Forefront; stick with vendors like Sophos, Trend, Intel Security, or Symantec.  Implement a good web proxy technology like Websense, Barracuda, Watchguard, or something that utilizes their intelligence feeds.

The best thing you can really do is ensure that the workstations are adequately hardened.  End user security awareness can go pretty far, if they listen, but without a good layered endpoint protection strategy no amount of security awareness will help.
 
TSAdmin8 (Author) commented:
Hi Sbukovic,
We do have a multi-layered approach already!  We use Barracuda, Trend, have blacklisted executables, etc.  The best part of our security scheme is AlertLogic!  They monitor your incoming and outgoing traffic and catch anything suspicious within 1 - 5 minutes of the activity starting!  It is an expensive service but definitely worth it!  I just wanted to add, as I think that in combination with everything else, AlertLogic is a very valuable tool (too many crooks out there).  In truth, AlertLogic did catch the activity (when the user whose files got locked was infected) but by the time we got an email and phone call, and literally ran to the user's workstation to disconnect it, it was too late and a few files had been encrypted.
Thankfully we also have a good backup scheme so all the files were recovered promptly!
CryptoPrevent had me download the full version and we are currently testing it against all of our existing software so that we can make exceptions!  I have to add that I enjoyed talking to them and they seem to be spot on regarding their product and possible interference with other valid software!  I will post later to let everyone know more about it!
Thanks everyone for the great responses!
 
btan (Exec Consultant) commented:
Nice, folks. There is no security silver bullet or perfect security; defence in depth is not only about different solutions, as all have verbalized in this forum clearly, it is to best help the blue team reduce windows of exposure and close the gap timely. Not "if" an incident happens but "when" it does happen, what are we going to do about it? You may also want to consider EMET, though it may not be ransomware- or cryptoware-centric.