Crypto Locker

What do I need to get for an office environment to keep it clean from viruses such as CryptoLocker and other malware that encrypts the files?

So even if a workstation receives an email and tries to open it, it won't let him.

I have a firewall with filtering; this office has an AV installed on the server and on the clients, and still all of the computers got infected.
alonig1Asked:

Mal Osborne (Alpha Geek) commented:
There is no "magic bullet" here. New or polymorphic malware will not be picked up by antivirus software. Keeping Outlook's restrictions on executing attachments helps, as does all the other stuff you have in place.

You still need backups, so in the event of an attack, a restore can be done.
0
alonig1 (Author) commented:
So those firewalls with AV that filter every packet won't help?
0
Mal Osborne (Alpha Geek) commented:
They help a lot. They might filter 99% of the nasties out.

Until malicious software has been discovered, sent to the AV provider, analysed, and new patterns created and distributed, it cannot be detected. This might take a week or more.
0
alonig1 (Author) commented:
There is no 100%, but 99% is surely something that can help.

Which product would you recommend?
0
Andy S commented:
There's no specific AV which will pick them ALL up. In addition to scanning emails and incoming files, I'd recommend:
- Application whitelisting
- Application patching
- OS patching
- Restricted administrative permissions

Then even if something does come in, it's less likely to be able to run.
0
andreas (System Admin) commented:
I would say it's far below a 99% detection rate. We get hit with new malware here several times a week. Until detection of it in most AV products, AFTER submission for analysis, it usually takes 12-36 hours to get a detection pattern published.

The main thing is that CryptoLocker variants stay silent for quite a time while they are encrypting your files; during that time nobody will detect the malware and thus nobody will send the new sample for analysis. After the first victims realize the files are encrypted, they need to hire/call some staff to analyze it; this personnel then needs to manually find the evil new files (which is not always an easy task) and then send the findings to AV companies to analyze and create detection patterns.

If IT staff only send it in to the one company whose product they are using, your product may not benefit from it either.

The submission problem is the biggest issue here, as this step between the release of a new malware variant by attackers and the submission of the first samples to AV companies frequently takes a lot of time, especially if the malware is not very widespread or is a targeted attack on a few targets only.

What would greatly help is to create group policies for your domain that disallow execution of executables inside all of the user-writable paths, including profile paths, desktop, libraries, etc.

Only allow execution of software from well-known places like the Windows directories and C:\Program Files, etc.

This way any downloaded file (exe, bat, pif, scr, ...) cannot be opened by users after they have saved it.

But the GPO approach will not work for malware that is injected into running processes and resides in the registry only. Also, for RAM-only malware that executes upon exploitation of a security hole in a running process, the GPOs will not help, nor will they help against attacks on holes in your operating system.

So it is also very important to install ALL security fixes for all used software on your machines as fast as possible.

Do not rely on AV products and firewalls alone to protect you. They protect you well against known attacks and attacks against open ports. But they are useless against exploits that are new, useless against stupid actions of your users, and also won't detect new, unanalyzed malware.

Furthermore, REGULAR user training and instruction on how to deal with attachments and on secure behavior when using computers and the internet is very important.
0
ivan rosa commented:
Are you talking about a home or an office?

If home:
   games > not quite a perfect solution (unless of course you play on consoles)
   homework/browsing the web > perhaps you might want to switch to Linux
   specific Windows programs > not quite a solution but to install 3rd-party apps such as NORTON Security, plus Windows updates

If office:
   There are firewall OSes that run from a dedicated PC for all of your network, aside from the one you might already have individually, e.g.
   http://www.smoothwall.com/en-us (although this involves cost)

Warm regards,

ivan
0
McKnife commented:
If CryptoLocker has taught us one thing, it is that relying on AV can cause a lot of trouble.
Look at the concept of application whitelisting, as in AppLocker https://technet.microsoft.com/en-us/library/dd723678(v=ws.10).aspx or its predecessor, Software Restriction Policies https://technet.microsoft.com/en-us/library/hh831534.aspx

In short: only what you put on a list will run. Nothing else, no virus, network-wide.
1
drunkennoodle commented:
I would try a multi-layer approach...
1. Firewall.
2. AV.
3. Anti-malware protection like Malwarebytes or SUPERAntiSpyware.
4. Anti-spam solution like McAfee SaaS Email Protection (MX Logic) or Barracuda's Email Security Service.
5. Don't let any user be in the Admin group on the local computer. Instead, use either User or Power User.
6. Use Software Restriction Policies to block .exe files from running when they are located in the %AppData% folder, or any other folder. This can be done in GPO. An alternative is to use CryptoPrevent.
7. Use a web/content filtering service.
8. Use a click-protect service for browsers.
9. Stay up to date with all patches for the OS and 3rd-party apps.
0
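Three answers above converge on the same control: andreas's GPO advice (run executables only from the Windows and Program Files directories, never from user-writable paths), McKnife's pointer to AppLocker/Software Restriction Policies, and drunkennoodle's step 6 (block .exe in %AppData%). The script below is an added example, not code from the thread or from Microsoft; it builds that allow-list as an AppLocker path-rule policy and uses the real `Test-AppLockerPolicy` cmdlet to check, before anything is enforced, what a standard user could and could not run. The rule GUIDs, the folder `Invoice_Sample` and the file name `invoice_12345.exe` are constructed for the demonstration (the "dropped attachment" is just a copy of notepad.exe); it assumes a Windows edition that ships the AppLocker module. Nothing in it changes machine or domain policy; the deployment call at the end is commented out.

```powershell
# Added example (not from the thread): express "only %WINDIR% and %PROGRAMFILES% may run"
# as an AppLocker policy and test sample paths against it without enforcing anything.
$ErrorActionPreference = 'Stop'
Import-Module AppLocker

# Path rules only. GUIDs are freshly generated here; they are NOT the Windows default-rule ids.
# S-1-1-0 = Everyone, S-1-5-32-544 = local Administrators (who still need to install software).
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files (covers x86 too)" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow local Administrators everywhere" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $env:TEMP 'applocker-allowlist.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Constructed sample: a benign signed binary copied into a user-writable profile path,
# standing in for an "invoice" attachment a user saved and double-clicked.
$dropDir = Join-Path $env:APPDATA 'Invoice_Sample'
New-Item -ItemType Directory -Path $dropDir -Force | Out-Null
$dropped = Join-Path $dropDir 'invoice_12345.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $dropped -Force

$samples = @(
    "$env:WINDIR\System32\notepad.exe",                 # expected: Allowed (Windows folder rule)
    "$env:ProgramFiles\Windows Defender\MsMpEng.exe",   # expected: Allowed, if the file exists here
    $dropped                                            # expected: DeniedByDefault (no rule matches)
) | Where-Object { Test-Path $_ }   # Test-AppLockerPolicy needs real files to inspect

# Evaluate as a standard user. Administrators would be Allowed everywhere by the third rule.
$results = Test-AppLockerPolicy -XmlPolicy $policyFile -Path $samples -User Everyone
$results | Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize

# Plain-language summary for the change ticket: anything not "Allowed" would be blocked.
foreach ($r in $results) {
    if ($r.PolicyDecision -ne 'Allowed') {
        Write-Warning "Would be blocked for standard users: $($r.FilePath) [$($r.PolicyDecision)]"
    }
}

Remove-Item $dropDir -Recurse -Force

# Once enforced, blocks (8004) and audit-mode would-have-blocked events (8003) land in this log;
# they are the early-warning signal the thread says AV alone does not give you.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 8003, 8004 } |
    Select-Object TimeCreated, Id, Message

# Deployment (deliberately not run here): switch EnforcementMode to "AuditOnly" first, run it for a
# few weeks, whitelist the legitimate apps that show up as 8003, then merge into the domain GPO.
# The Application Identity service (AppIDSvc) must be running on clients for AppLocker to enforce.
# Set-AppLockerPolicy -XmlPolicy $policyFile -Ldap "LDAP://DC=example,DC=com" -Merge
```

The `PolicyDecision` for the dropped file comes back as `DeniedByDefault` because no rule matches it, which is exactly the behaviour andreas describes: the attachment can be saved anywhere the user likes, but it cannot be started from there. Note the caveats he also raises still apply: this only governs files launched from disk, so injected or memory-only code and unpatched exploits are not covered, and the audit-mode pass is what keeps a too-tight list from breaking line-of-business software.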