SYSVOL and NETLOGON affected by crypto virus

Hi all

We have a SBS 2011 server and somehow the SYSVOL folder was affected by a crypto virus.

This is a server at a charity and they have only just noticed 10 days after it happened.

Is there a way I can recreate the items in these folders?

Thanks
Asked by: David

1 Solution

awawada Commented:
Do you have a backup of the Server?
 
David (Author) Commented:
We use Mozy to back up, and even though the backup set for Active Directory has been selected, I can't see that it would back up the SYSVOL folder?

The server is running fine, and there are only about 6 hardly used group policies.
 
David (Author) Commented:
Sorry, also the Windows File Replication Service - SYSVOL is selected.
David (Author) Commented:
I have restored a backup now, but was wondering if there was another way.
 
awawada Commented:
No, for Crypto virus & Co there is no other way.
 
Learnctx (Engineer) Commented:
How is it possible that someone had write access to Sysvol? Someone needs to seriously audit that environment. Even scarier is the thought someone is running around using an account in domain admins as their day to day account...

Unfortunately though, backup is the only way unless a decryption tool has been released by the security community. There are quite a few of these available where they have been able to reverse engineer the crypto malware and engineer a decryption tool. You just need to see if your variant had such a tool. But to me, if a DC had been compromised in such a fashion I would be building a new environment from scratch and moving everyone over to it. You have no idea how badly the environment has been compromised.
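An added PowerShell audit for the point Learnctx raises about write access to SYSVOL (example script, not code posted by anyone in this thread): it lists ACL entries on SYSVOL that grant write, modify or full-control rights to principals outside the default set, and files modified within a recent window, which is where encrypted GPO files would show up. The default path, the expected-principal list and the 14-day window are assumptions to adjust for the environment.

```powershell
# Added audit script (not from the thread); the path, the expected-writer list and
# the day window are assumptions. Run elevated on the domain controller.
param(
    [string]$SysvolPath = "$env:SystemRoot\SYSVOL\sysvol\$env:USERDNSDOMAIN",
    [int]$Days = 14   # the thread says the damage was noticed 10 days after the event
)

# Principals that normally hold write/modify rights on SYSVOL (assumed default set).
$ExpectedWriters = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER',
    "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins",
    "$env:USERDOMAIN\Group Policy Creator Owners"
)

# Any of these rights lets a principal (or malware running as it) rewrite GPO files.
$FSR = [System.Security.AccessControl.FileSystemRights]
$WriteMask = $FSR::Write -bor $FSR::Modify -bor $FSR::FullControl

function Get-SysvolUnexpectedWriters {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue |
      ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ([int]($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
            $id = $ace.IdentityReference.Value
            if ($ExpectedWriters -notcontains $id) {
                [pscustomobject]@{ Path = $_.FullName; Identity = $id; Rights = $ace.FileSystemRights }
            }
        }
      }
}

function Get-SysvolRecentChanges {
    param([string]$Path, [int]$Days)
    $cutoff = (Get-Date).AddDays(-$Days)
    # Encrypted GPO files carry a fresh LastWriteTime and usually a renamed extension.
    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
      Where-Object { $_.LastWriteTime -gt $cutoff } |
      Sort-Object LastWriteTime -Descending |
      Select-Object FullName, LastWriteTime, Length
}

"== Write/Modify ACEs on SYSVOL outside the expected principal set =="
Get-SysvolUnexpectedWriters -Path $SysvolPath | Format-Table -AutoSize
"== SYSVOL files modified in the last $Days days =="
Get-SysvolRecentChanges -Path $SysvolPath -Days $Days | Format-Table -AutoSize
```

Any identity in the first table that is not a known administrative group is the write path Learnctx is asking about; the second table gives the file set to compare against the restored backup.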
 
awawada Commented:
Thanks for the points and check with your Antivirus vendor if the Domain Controller is now clean.