Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

SYSVOL and NETLOGON affected by crypto virus

Posted on 2016-09-09
7
Medium Priority
?
280 Views
Last Modified: 2016-09-11
Hi all

We have a SBS 2011 server and somehow the SYSVOL folder was affected by a crypto virus.

This is a server at a charity and they have only just noitced 10 days after it happened.

Is there a way i can recreate the items in these folders?

Thanks
0
Comment
Question by:David
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 18

Expert Comment

by:awawada
ID: 41792314
Do you have a backup of the Server?
0
 

Author Comment

by:David
ID: 41792317
we use Mozy to backup and even though the backup set for active directory has been selected i cant see that it would backup the sysvol folder?

The server is running fine. and there are only about 6 hardly used group policies
0
 

Author Comment

by:David
ID: 41792320
sorry also the windows file replication service- sysvol is selected
0
Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

 

Author Comment

by:David
ID: 41792511
i have restored a backup now, but was wondering if there was another way.
0
 
LVL 18

Accepted Solution

by:
awawada earned 2000 total points
ID: 41792529
No, for Crypto virus & Co there is no other way.
0
 
LVL 17

Expert Comment

by:Learnctx
ID: 41792953
How is it possible that someone had write access to Sysvol? Someone needs to seriously audit that environment. Even scarier is the thought someone is running around using an account in domain admins as their day to day account...

Unfortunately though, backup is the only way unless a decryption tool has been released by the security community. There are quite a few of these available where they have been able to reverse engineer the cryto malware and engineer a decryption tool. You just need to see if your variant had such a too. But to me if a DC had been compromised in such a fashion I would be building a new environment from scratch and moving everyone over to it. You have no idea how badly the environment has been compromised.
0
 
LVL 18

Expert Comment

by:awawada
ID: 41793161
Thanks for the points and check with your Antivirus vendor if the Domain Controller is now clean.
0

Featured Post

NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question