Solved

Is there an application that prevents files in a file server from being encrypted?

Posted on 2015-01-20
231 Views
Last Modified: 2015-01-28
A while back, an user got infected by crypto locker and when he went to save a file to the server (he saves everything to the server), it encrypted all the files in the particular directory.  We restored the complete server and there was no harm...  However, we want to prevent similar problems in the future.
Does anyone know if there are any applications that would completely block any encryption tools from running on a file server?

Thanks,

Allie
Question by:TSAdmin8
11 Comments
 
LVL 13

Accepted Solution

by: Rizzle (earned 125 total points)
ID: 40560176
What AV have you got in place in your environment?

Also, even some of the best security systems in the world sometimes can't protect you enough, so what we are big on internally is user awareness training when using the web.

We also block .exe or any suspicious looking attachments, we prevent our users going to any malicious or dodgy looking websites by blocking their access to them via a proxy.

Ensure your servers,clients and applications are thoroughly patched.

Look into this utility:
https://www.foolishit.com/vb6-projects/cryptoprevent/
 
LVL 1

Author Comment

by:TSAdmin8
ID: 40560215
Hi Roshan,

Thank you for the quick response!
The user contracted it by visiting a valid site that had been hacked.  The whole problem happened within 5 minutes of the user visiting the site.
We use Trend Micro OfficeScan and also have 24 x 7 monitoring by Alert Logic.  We can catch things very quickly if any threats happen to infiltrate our business.  However, malware and viruses are always evolving and 'all' security companies are always scrambling to find solutions.
We push out all application updates monthly to all clients and servers (and occasionally when important updates are made available, we also push them to clients and servers outside of our 'normal' update schedule).
We block .exe and many other attachments at our spam firewall and recently have removed many privileges for the majority of our users (the user who got the infection did not have administrative privileges either).
I am willing to buy peace of mind though so I am looking at the app you mentioned!  Thanks!

Thanks,

Allie
 
LVL 13

Expert Comment

by:Rizzle
ID: 40560231
I think it was just pure luck your user was infected, from what you've said. But apart from the app I've provided you, I would say you're very well protected! Maybe have a word with Trend Micro to ensure they're monitoring these infections; we spoke to Sophos after the outbreak and they reassured us they have the correct preventions in place to ensure their clients are fully protected. Maybe worth getting that reassurance!
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 125 total points
ID: 40560248
Sadly, no. But in theory it's possible: certain document types (the ones most likely to be encrypted) have very rigid header info; a write monitor could intercept disk writes, inspect the header info, and suspend any process that attempts to write a file with a known extension (such as docx) that doesn't conform to that file format.

However, I am not aware of any product that can do this, so gap in the market there....
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 125 total points
ID: 40560990
Be aware that the encryption does not happen at the server, but at the client: malware at the client encrypts the files it finds on network shares the user can access.
At the clients, you should use normal best practices: let them only run approved code. Using whitelists together with AppLocker or software restriction policies effectively fights crypto viruses.

Please note the difference to Roshan's link: that's blacklisting, not whitelisting. Easier to administer, but not 100% effective like whitelisting is.
 
LVL 61

Assisted Solution

by:btan
btan earned 125 total points
ID: 40561980
App whitelisting is to be considered if you deem the client machine can be locked down to only user-specific authorised apps. Windows has AppLocker, as well as restricting administrative privileges; for a start, the user cannot be admin or have that privilege. We are talking of reducing exposure, though these two schemes can be bypassed. In fact, the Australian Govt sees these two as their top few mitigation measures.
http://www.asd.gov.au/publications/protect/application_whitelisting.htm
http://www.asd.gov.au/publications/protect/restricting_admin_privileges.htm

There are other s/w like WINSelect that lock down the browser, almost having the "kiosk" type for these vulnerable clients with high exposure like shared machines... there is also Anti-Executable to layer another check on top of relying solely on AV only.
http://www.faronics.com/en-uk/products/winselect/standard/
http://www.faronics.com/en-uk/products/anti-executable/standard/

Of course, ideally if the client machine can revert (on each reboot) to its native clean slate (s/w like Deep Freeze), the exposure is very much reduced, but this use case is likely not palatable for end users unless they are in a critical working environment that needs high assurance on the machine even before starting work... some go for VDI and thin clients...

Side note, I am not advocating any specific vendor or s/w, but relying on AV and FW and the traditional means does not serve well against the threat we are seeing. Ransomware variants spawn off speedily; backup data is just the last resort if the machine gets compromised... we cannot be totally secure 100% or expect to have a silver bullet. We just need to constantly monitor and sharpen our arsenal of tools to stay effective.

Some, in order to fend against ransomware, have written scripts to scan for dropped files to sieve out compromised machines, or beef up the call-back or beacon detection, e.g. in
http://www.experts-exchange.com/Security/Vulnerabilities/Q_28590936.html#a40533048
http://www.experts-exchange.com/Security/Vulnerabilities/Q_28296044.html#a39654430

Also, a recent one: if you see file extensions with .rlspiam from your Windows Explorer, you are very likely already infected by the new wave of CryptoLocker.
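The two detection ideas raised above, Dave Howe's header check (a file whose extension claims one format but whose bytes do not start with that format's signature is suspect) and btan's note about scanning for dropped files with a known ransomware extension, combine naturally into one read-only scan of a share. The script below is an added example written for this thread, not code from any poster or vendor; the format-signature table is a small illustrative subset, the `.rlspiam` extension is the one named in the thread, and the sample files it scans are constructed in a temporary directory so it runs offline.

```python
"""Read-only scan of a directory tree for signs of ransomware-encrypted documents.

Added example for the thread, not code from any poster or product. It combines
two ideas from the discussion: check that a document's bytes match the format
its extension claims (a docx that no longer starts with a ZIP header has likely
been overwritten), and flag files carrying a known ransomware extension.
"""
import os
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Optional

# Assumption: a small, illustrative subset of format signatures (magic bytes).
MAGIC_BY_EXTENSION = {
    ".docx": b"PK\x03\x04",          # OOXML documents are ZIP containers
    ".xlsx": b"PK\x03\x04",
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
}

# Extension named in the thread as a marker of the then-current CryptoLocker wave.
RANSOM_EXTENSIONS = {".rlspiam"}


def header_matches(data: bytes, ext: str) -> Optional[bool]:
    """True/False if the extension has a known signature, None if it is not checked."""
    expected = MAGIC_BY_EXTENSION.get(ext.lower())
    if expected is None:
        return None
    return data[: len(expected)] == expected


def classify(path: Path) -> str:
    """Return 'ransom_ext', 'header_mismatch', 'ok' or 'unchecked' for one file."""
    ext = path.suffix.lower()
    if ext in RANSOM_EXTENSIONS:
        return "ransom_ext"
    longest = max(len(sig) for sig in MAGIC_BY_EXTENSION.values())
    with open(path, "rb") as fh:
        head = fh.read(longest)        # only the header is read, never the whole file
    verdict = header_matches(head, ext)
    if verdict is None:
        return "unchecked"
    return "ok" if verdict else "header_mismatch"


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Walk root and group every file by its classification (paths relative to root)."""
    report: Dict[str, List[str]] = {
        "ransom_ext": [], "header_mismatch": [], "ok": [], "unchecked": []
    }
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            report[classify(path)].append(path.relative_to(root).as_posix())
    for paths in report.values():
        paths.sort()
    return report


def build_sample_tree(root: Path) -> None:
    """Constructed sample data standing in for a user's share (not real captured files)."""
    with zipfile.ZipFile(root / "report.docx", "w") as zf:   # genuine ZIP container
        zf.writestr("[Content_Types].xml", "<Types/>")
    (root / "invoice.pdf").write_bytes(b"%PDF-1.4\n% constructed sample\n")
    # Constructed stand-in for a docx after a cryptolocker-style overwrite: no ZIP header.
    (root / "budget.docx").write_bytes(bytes(range(0x80, 0xC0)))
    (root / "shared").mkdir()
    (root / "shared" / "plan.xlsx").write_bytes(b"not a spreadsheet any more")
    (root / "memo.txt.rlspiam").write_bytes(b"\x00" * 32)   # known ransomware extension
    (root / "notes.txt").write_bytes(b"plain text, no signature to check")


def demo() -> Dict[str, List[str]]:
    """Build the constructed tree in a temp directory and return the scan report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:16s} {paths}")
```

Point it at a real share with `scan_tree(Path(r"\\fileserver\users"))`; files in `header_mismatch` and `ransom_ext` are the ones to check against backups, and grouping them by directory is usually enough to tell which user's workstation did the writing, since the encryption runs on the client and only lands on the server through that user's share access.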
 
LVL 1

Author Closing Comment

by:TSAdmin8
ID: 40567025
We are evaluating Cryptoprevent :)
 
LVL 61

Expert Comment

by:btan
ID: 40567582
Thanks. Good to take note of this too, as also mentioned for SRP or AppLocker:
Whitelisting:

Whitelisting in CryptoPrevent currently applies to Software Restriction Policies only, it does NOT apply to the Filter Module including Program Filtering.
A whitelist rule may contain environment variables native to Windows, such as %userprofile% or %appdata%
Windows will ignore a whitelist rule containing wildcards if a more specific blacklist rule is in effect, which with CryptoPrevent rules is almost always the case.
http://www.foolishit.com/vb6-projects/cryptoprevent/technical-information/
 

Expert Comment

by:sbukovic
ID: 40574570
You will need a multi-layered security approach.  Hardened endpoints against CIS Standards, MS Security Compliance Manager baseline templates, etc.  Software Restriction Policies are a MUST; I really like https://www.foolishit.com/vb6-projects/cryptoprevent/ as mentioned in a previous response.  Basically, you need to ensure that you restrict executables etc. from running from temporary download space and restrict browsers from being able to execute scripts hosted on compromised websites.  Reputable antivirus with web analytics technology built in is important, not Microsoft Security Essentials or Forefront; stick with vendors like Sophos, Trend, Intel Security, or Symantec.  Implement a good web proxy technology like Websense, Barracuda, Watchguard, or something that utilizes their intelligence feeds.

The best thing you can really do is ensure that the workstations are adequately hardened.  End user security awareness can go pretty far, if they listen, but without a good layered endpoint protection strategy no amount of security awareness will help.
 
LVL 1

Author Comment

by:TSAdmin8
ID: 40575201
Hi Sbukovic,
We do have a multi-layered approach already!  We use Barracuda, Trend, have blacklisted executables, etc.  The best part of our security scheme is Alert Logic!  They monitor your incoming and outgoing traffic and catch anything suspicious within 1 - 5 minutes of the activity starting!  It is an expensive service but definitely worth it!  I just wanted to add, as I think that in combination with everything else, Alert Logic is a very valuable tool (too many crooks out there).  In truth, Alert Logic did catch the activity (when the user whose files got locked was infected), but by the time we got an email and phone call, and literally ran to the user's workstation to disconnect it, it was too late and a few files had been encrypted.
Thankfully we also have a good backup scheme, so all the files were recovered promptly!
CryptoPrevent had me download the full version and we are currently testing it against all of our existing software so that we can make exceptions!  I have to add that I enjoyed talking to them, and they seem to be spot on regarding their product and possible interference with other valid software!  I will post later to let everyone know more about it!
Thanks everyone for the great responses!
 
LVL 61

Expert Comment

by:btan
ID: 40575227
Nice, folks. There is no security silver bullet or perfect security; defence in depth is not only about different solutions, as all have verbalized in this forum clearly, it is to best help the blue team reduce the window of exposure and close the gap timely. Not "if" an incident happens but "when" it does happen, what are we going to do about it. You may also want to consider EMET, though it may not be ransomware- or cryptoware-centric.