nicolausj
asked on
Decrypt virus
Somehow a computer on our network got the decrypt virus on it and it started encrypting files on mapped drives to our server. I have done virus checks on every single computer and server and removed the suspect computer from the network.
I have done a shadow copy restore of the files affected, but there are still files in the folder saying Help_Decrypt.html, .png, .txt, and a web link saying help_decrypt.
Firstly, are these files dangerous, and can I just delete them? How can I make sure this nasty program is off the network?
Thanks
Use GPO or similar to push out restriction policies for application areas - see my article on ransomware.
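The restriction-policy approach the comment above recommends can be scripted rather than clicked through in the GPMC. The following is an added example, not code from the thread, from Experts Exchange or from any vendor: it builds (or updates) a Group Policy object carrying Software Restriction Policy path rules that disallow executables launched from the user-writable locations where ransomware droppers typically unpack, while leaving the rest of the system at the Unrestricted default. The GPO name, the target OU and the path list are assumptions to adjust for your domain; it needs the GroupPolicy RSAT module and rights to create and link GPOs, and should be linked to a pilot OU first.

```powershell
<#
 Added example (not from the original thread or any vendor): create a GPO
 with Software Restriction Policy path rules that block .exe launches from
 user-writable folders. GPO name, OU and path list are assumptions.
 Requires the GroupPolicy module (RSAT) and rights to create/link GPOs.
#>
Import-Module GroupPolicy

$GpoName  = 'Workstations - Block exec from user-writable paths'   # assumed name
$TargetOU = 'OU=Workstations,DC=example,DC=local'                  # assumed pilot OU
$Base     = 'HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Locations a standard user can write to; droppers commonly run from here.
$BlockedPaths = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%Temp%\*.exe',
    '%UserProfile%\Downloads\*.exe'
)

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Global SRP settings: default level Unrestricted (262144), policy enabled for
# all software files except DLLs (TransparentEnabled 1), applied to all users
# including local administrators (PolicyScope 0), certificate rules off.
# The client's built-in executable-type list is used because ExecutableTypes is not set.
Set-GPRegistryValue -Name $GpoName -Key $Base -ValueName 'DefaultLevel'        -Type DWord -Value 262144 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $Base -ValueName 'TransparentEnabled'  -Type DWord -Value 1      | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $Base -ValueName 'PolicyScope'         -Type DWord -Value 0      | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $Base -ValueName 'AuthenticodeEnabled' -Type DWord -Value 0      | Out-Null

# One path rule per blocked location under the Disallowed (0) security level.
# Each run adds new rule GUIDs, so run once or clear the "0\Paths" key first.
foreach ($p in $BlockedPaths) {
    $ruleKey = "$Base\0\Paths\{$([guid]::NewGuid().ToString().ToUpper())}"
    Set-GPRegistryValue -Name $GpoName -Key $ruleKey -ValueName 'ItemData'     -Type ExpandString -Value $p          | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $ruleKey -ValueName 'SaferFlags'   -Type DWord        -Value 0           | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $ruleKey -ValueName 'Description'  -Type String       -Value "Block $p"  | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $ruleKey -ValueName 'LastModified' -Type QWord        -Value ([DateTime]::UtcNow.ToFileTimeUtc()) | Out-Null
}

# Link to the pilot OU (ignore the error if it is already linked) and dump a
# report so the resulting rules can be reviewed before the link is widened.
New-GPLink -Name $GpoName -Target $TargetOU -ErrorAction SilentlyContinue | Out-Null
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:TEMP\srp-gpo.html"
Write-Host "GPO '$GpoName' configured with $($BlockedPaths.Count) path rules; report at $env:TEMP\srp-gpo.html"
```

Because the default level stays Unrestricted, only launches from the listed folders are refused; watch the SAFER events in the workstations' Application log during the pilot to catch legitimate installers that run from Downloads or AppData before widening the link.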
Which antivirus do you use?
ASKER CERTIFIED SOLUTION
Tell me, which antivirus do you use?
If you are asking me and not the OP, I use MBAM Pro alongside WinPatrol Plus, RUBotted, HitmanPro.Alert and Windows Firewall, among others. See my article on multilayered security.
Hi Thomas
No, I'm asking nicolausj. Hope you are fine?
Yes, thanks.
ASKER
Symantec Endpoint Protection is what we use... sorry, I've been running around like a crazy person today.
Our institution uses SEP. Today's version is fairly robust and has less of the overhead of previous versions. It still runs a little more resource hungry than other similar apps.
SOLUTION
ASKER
Alright, so I can delete the files. Can I safely say the virus is removed if I have scanned all the computers/servers and nothing has been found?
Thanks again for the responses, I have never had a problem quite like this before.
I also wanted to add one thing: the computer that was infected didn't have any real symptoms except that it was running slow. It didn't seem to affect any of the computer's files either, just the mapped drives.
ASKER
Working with support now.
Never heard that one before. Usually it encrypts both local and network files.
"Alright, so I can delete the files." Did you see my last comment? :-)
"Can I safely say the virus is removed if I have scanned all the computers/servers and nothing has been found?" No. See the comment from Thomas:
"Antivirus won't protect you against ransomware if it is unknown and not detected by behavioral detection (also called heuristic analysis or behavioural analysis)."
ASKER
Believe it or not, I just got off the phone with Symantec and they told me to just delete the files with Help_decrypt. That was basically the extent of the conversation.
And they sent you the Help_decrypt? Or where did you download it?
ASKER
They are the files associated with the virus... each of the folders affected has 4 files in it. HELP_DECRYPT.HTML
HELP_DECRYPT.PNG, HELP_DECRYPT.txt, and HELP_DECRYPT as a web link.
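The four HELP_DECRYPT files the asker lists are a convenient indicator for scoping the incident before anything is deleted: every folder holding a note is a folder the infected account had write access to and touched. The script below is an added example, not from the thread, from Experts Exchange or from Symantec. It walks the share roots you give it, lists each note with the account that owns the file (the owner of a ransom note is normally the compromised user, which points at the source workstation) and the time it was written (a timeline of the encryption run), exports a CSV, and only deletes the notes when run with -Remove after the restore. The share paths and report location are assumptions.

```powershell
<#
 Added example (not from the original thread, Experts Exchange or Symantec):
 scope a ransomware incident from its ransom notes, then optionally remove
 them once the data has been restored. Roots and report path are assumptions.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Share roots to scan; replace with the shares that were mapped on the infected PC
    [string[]] $Root = @('D:\Shares'),
    # Ransom-note basename for this family (the thread names HELP_DECRYPT.*)
    [string] $NotePattern = 'HELP_DECRYPT*',
    [string] $Report = "$env:TEMP\ransom-note-report.csv",
    # Delete notes only when asked; honours -WhatIf / -Confirm
    [switch] $Remove
)

# Collect every note file under the roots (hidden/system files included).
$notes = foreach ($r in $Root) {
    Get-ChildItem -LiteralPath $r -Recurse -File -Force -Filter $NotePattern -ErrorAction SilentlyContinue
}
if (-not $notes) { Write-Host "No ransom notes found under $($Root -join ', ')"; return }

# One row per note: folder, filename, owning account, write time.
$rows = foreach ($n in $notes) {
    $owner = try { (Get-Acl -LiteralPath $n.FullName).Owner } catch { 'n/a' }
    [pscustomobject]@{
        Folder  = $n.DirectoryName
        Note    = $n.Name
        Owner   = $owner
        Written = $n.LastWriteTime
    }
}
$sorted = @($rows | Sort-Object Written)
$sorted | Export-Csv -LiteralPath $Report -NoTypeInformation

# Summary: how many folders need restoring, when the run started and stopped,
# and which accounts wrote the notes (usually a single compromised user).
$folders = @($sorted | Select-Object -ExpandProperty Folder -Unique)
Write-Host ("{0} notes in {1} folders; first written {2:u}, last written {3:u}" -f `
    $sorted.Count, $folders.Count, $sorted[0].Written, $sorted[-1].Written)
$sorted | Group-Object Owner | ForEach-Object { Write-Host ("  owner {0}: {1} notes" -f $_.Name, $_.Count) }
Write-Host "Folder list and details written to $Report"

# Clean-up pass, only after the shadow-copy / backup restore has been verified.
if ($Remove) {
    foreach ($n in $notes) {
        if ($PSCmdlet.ShouldProcess($n.FullName, 'Delete ransom note')) {
            Remove-Item -LiteralPath $n.FullName -Force
        }
    }
}
```

Run it first without -Remove (or with -Remove -WhatIf) to get the folder list, then compare that list against what was restored from shadow copies; the CSV also gives the encryption window and the owning account, which is what to check against the file server's audit log and the logon history of the machine that was pulled off the network.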
ASKER
Thanks for the help
No admin rights for users.
Up to date AV.
A proxy.
Spam filtering that works.
These viruses are lethal and can cost you, or the MSP you work for, your job. You need to cut them out at source.