TSAdmin8 asked:
Is there an application that prevents files in a file server from being encrypted?

A while back, a user got infected by CryptoLocker and when he went to save a file to the server (he saves everything to the server), it encrypted all the files in that particular directory. We restored the complete server and there was no harm... However, we want to prevent similar problems in the future.
Does anyone know if there are any applications that would completely block any encryption tools from running on a file server?

Thanks,

Allie
ASKER CERTIFIED SOLUTION by REIT
TSAdmin8 (ASKER):
Hi Roshan,

Thank you for the quick response!
The user contracted it by visiting a valid site that had been hacked. The whole problem happened within 5 minutes of the user visiting the site.
We use Trend Micro OfficeScan and also have 24x7 monitoring by AlertLogic. We can catch things very quickly if any threats happen to infiltrate our business. However, malware and viruses are always evolving and 'all' security companies are always scrambling to find solutions.
We push out all application updates monthly to all clients and servers (and occasionally, when important updates are made available, we also push them to clients and servers outside of our 'normal' update schedule).
We block .exe and many other attachments at our spam firewall and have recently removed many privileges for the majority of our users (the user who got the infection did not have administrative privileges either).
I am willing to buy peace of mind though, so I am looking at the app you mentioned! Thanks!

Thanks,

Allie
I think it was just pure luck your user was infected from what you've said. But apart from the app I've provided you, I would say you're very well protected! Maybe have a word with Trend Micro to ensure they're monitoring these infections; we spoke to Sophos after the outbreak and they reassured us they have the correct preventions in place to ensure their clients are fully protected. Maybe worth getting that reassurance!
We are evaluating CryptoPrevent :)
Thanks, good to take note of this too, as also mentioned in SRP or AppLocker.
Whitelisting:

Whitelisting in CryptoPrevent currently applies to Software Restriction Policies only; it does NOT apply to the Filter Module, including Program Filtering.
A whitelist rule may contain environment variables native to Windows, such as %userprofile% or %appdata%.
Windows will ignore a whitelist rule containing wildcards if a more specific blacklist rule is in effect, which with CryptoPrevent rules is almost always the case.
http://www.foolishit.com/vb6-projects/cryptoprevent/technical-information/
You will need a multi-layered security approach. Hardened endpoints against CIS Standards, MS Security Configuration Manager baseline templates, etc. Software Restriction Policies are a MUST; I really like https://www.foolishit.com/vb6-projects/cryptoprevent/ as mentioned in a previous response. Basically, you need to ensure that you restrict executables etc. from running from temporary download space and restrict browsers from being able to execute scripts hosted on compromised websites. Reputable antivirus with web analytics technology built in is important, not Microsoft Security Essentials or Forefront; stick with vendors like Sophos, Trend, Intel Security, or Symantec. Implement a good web proxy technology like Websense, Barracuda, Watchguard, or something that utilizes their intelligence feeds.

The best thing you can really do is ensure that the workstations are adequately hardened. End user security awareness can go pretty far, if they listen, but without a good layered endpoint protection strategy no amount of security awareness will help.
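The CryptoPrevent whitelisting notes above (a wildcard whitelist rule being ignored when a more specific blacklist rule exists) and the advice to restrict executables from temporary download space both come down to how Software Restriction Policies choose among overlapping path rules. The script below is an added example written for this thread; it is not code from CryptoPrevent, from Microsoft, or from anyone posting here. It models the documented "most specific matching path rule wins" behaviour with an ordering key, and it deliberately leaves out hash, certificate and zone rules (which outrank path rules in the real engine). The environment values, the rule set and the file paths are all constructed for illustration, and the tie-break toward Disallowed is a choice of this model.

```python
"""
Simplified model of how Windows Software Restriction Policy (SRP) path rules
resolve when several of them match one executable.

Added example for this thread: not CryptoPrevent's code and not the Windows
SRP engine.  It models the documented "most specific matching rule wins"
behaviour with an ordering key; hash, certificate and zone rules are not
modelled.  The rule list, environment values and file paths are constructed.
"""
import re

DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"

# Constructed session environment (stands in for the user's real %variables%).
SAMPLE_ENV = {
    "userprofile": r"C:\Users\allie",
    "appdata": r"C:\Users\allie\AppData\Roaming",
    "localappdata": r"C:\Users\allie\AppData\Local",
    "temp": r"C:\Users\allie\AppData\Local\Temp",
}

# Constructed rule set in the style of a CryptoPrevent deployment: blacklist
# rules for user-writable locations plus two attempts at whitelisting.
SAMPLE_RULES = [
    (r"%appdata%\*.exe", DISALLOWED),
    (r"%appdata%\*\*.exe", DISALLOWED),
    (r"%localappdata%\*.exe", DISALLOWED),
    (r"%temp%\*.exe", DISALLOWED),
    (r"%userprofile%\Downloads", DISALLOWED),          # folder rule: everything beneath it
    (r"%appdata%\*", UNRESTRICTED),                     # wildcard whitelist: too general to win
    (r"%appdata%\Dropbox\Dropbox.exe", UNRESTRICTED),   # exact-path whitelist: specific enough
]


def expand_env(path, env):
    """Replace %name% tokens (case-insensitive) with the session's values."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def _pattern_to_regex(pattern):
    """Translate SRP wildcards: '*' and '?' never cross a backslash."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(r"[^\\]*")
        elif ch == "?":
            out.append(r"[^\\]")
        else:
            out.append(re.escape(ch))
    return "".join(out)


def rule_matches(pattern, target, env=SAMPLE_ENV):
    """True if the expanded, case-folded rule applies to the target file."""
    pat = expand_env(pattern, env).lower()
    tgt = target.lower()
    if "*" not in pat and "?" not in pat:
        # No wildcard: an exact file, or a folder rule covering everything below it.
        return tgt == pat or tgt.startswith(pat.rstrip("\\") + "\\")
    return re.fullmatch(_pattern_to_regex(pat), tgt) is not None


def specificity(pattern, env=SAMPLE_ENV):
    """Ordering key: rules that name a file beat folder rules; more literal
    characters beat fewer; fewer wildcards beat more."""
    expanded = expand_env(pattern, env)
    last = expanded.rstrip("\\").rsplit("\\", 1)[-1]
    names_file = any(c in last for c in ".*?")
    literals = sum(1 for c in expanded if c not in "*?")
    return (names_file, literals, literals - len(expanded))


def evaluate(target, rules=SAMPLE_RULES, env=SAMPLE_ENV, default=UNRESTRICTED):
    """Return (level, winning rule) for a target path; no match gives the
    default level.  Exact ties are broken toward Disallowed (model choice)."""
    rank = {DISALLOWED: 1, UNRESTRICTED: 0}
    best = None
    for pattern, level in rules:
        if not rule_matches(pattern, target, env):
            continue
        key = specificity(pattern, env) + (rank[level],)
        if best is None or key > best[0]:
            best = (key, pattern, level)
    return (default, None) if best is None else (best[2], best[1])


if __name__ == "__main__":
    for path in (
        r"C:\Users\allie\AppData\Roaming\dropper.exe",          # wildcard whitelist loses
        r"C:\Users\allie\AppData\Roaming\Dropbox\Dropbox.exe",  # exact whitelist wins
        r"C:\Users\allie\AppData\Local\Temp\update.exe",        # temp-space executable blocked
        r"C:\Users\allie\Downloads\setup.exe",                  # folder rule applies
        r"C:\Program Files\Trend Micro\scan.exe",               # no rule: default level
    ):
        level, rule = evaluate(path)
        print(f"{level:12} {path}  <- {rule}")
```

Running it shows the point the CryptoPrevent notes make: `%appdata%\*` as a whitelist never beats `%appdata%\*.exe`, because the blacklist rule carries more literal characters and so is the more specific match, whereas an exact-path whitelist for one known executable does win. The same ordering is what makes a `%temp%\*.exe` rule block an installer dropped into the temp folder while leaving software under Program Files untouched.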
Hi Sbukovic,
We do have a multi-layered approach already! We use Barracuda, Trend, have blacklisted executables, etc. The best part of our security scheme is AlertLogic! They monitor your incoming and outgoing traffic and catch anything suspicious within 1 - 5 minutes of the activity starting! It is an expensive service but definitely worth it! I just wanted to add, as I think that in combination with everything else, AlertLogic is a very valuable tool (too many crooks out there). In truth, AlertLogic did catch the activity (when the user whose files got locked was infected), but by the time we got an email and phone call, and literally ran to the user's workstation to disconnect it, it was too late and a few files had been encrypted.
Thankfully we also have a good backup scheme, so all the files were recovered promptly!
CryptoPrevent had me download the full version and we are currently testing it against all of our existing software so that we can make exceptions! I have to add that I enjoyed talking to them and they seem to be spot on regarding their product and possible interference with other valid software! I will post later to let everyone know more about it!
Thanks everyone for the great responses!
Nice folks - there is no security silver bullet or perfect security. Defence in depth is not only about different solutions, as all have clearly said in this forum; it is to best help the blue team reduce windows of exposure and close the gap in a timely manner. It is not "if" an incident happens but "when" it does, and what we are going to do about it. You may also want to consider EMET, though it may not be ransomware or cryptoware centric.