David
asked on
SYSVOL and NETLOGON affected by crypto virus
Hi all
We have an SBS 2011 server and somehow the SYSVOL folder was affected by a crypto virus.
This is a server at a charity and they have only just noticed 10 days after it happened.
Is there a way I can recreate the items in these folders?
Thanks
Do you have a backup of the Server?
ASKER
We use Mozy to backup and even though the backup set for Active Directory has been selected I can't see that it would backup the SYSVOL folder?
The server is running fine, and there are only about 6 hardly used group policies.
ASKER
Sorry, also the Windows File Replication Service - SYSVOL is selected.
ASKER
I have restored a backup now, but was wondering if there was another way.
ASKER CERTIFIED SOLUTION
How is it possible that someone had write access to Sysvol? Someone needs to seriously audit that environment. Even scarier is the thought someone is running around using an account in domain admins as their day to day account...
Unfortunately though, backup is the only way unless a decryption tool has been released by the security community. There are quite a few of these available where they have been able to reverse engineer the crypto malware and engineer a decryption tool. You just need to see if your variant had such a tool. But to me if a DC had been compromised in such a fashion I would be building a new environment from scratch and moving everyone over to it. You have no idea how badly the environment has been compromised.
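The accepted answer's first point is the one worth acting on: something with write access to SYSVOL ran ransomware, so the permissions on SYSVOL and NETLOGON and the membership of Domain Admins need to be audited. The script below is an added example for that audit, not code from the thread or from any of the posters. It assumes the RSAT ActiveDirectory module is installed, that it is run from a domain-joined machine with read access to the shares, and that the list of principals expected to hold write rights (`$expectedWriters`) is adjusted to the environment's own baseline; the defaults listed are the usual SYSVOL writers on a domain controller.

```powershell
# Added example: report write-capable ACEs on SYSVOL/NETLOGON that are granted to
# principals outside an expected baseline, and list who is in Domain Admins today.
# Requires the ActiveDirectory module (RSAT). Paths and baseline are assumptions.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$shares = @("\\$($domain.DNSRoot)\SYSVOL", "\\$($domain.DNSRoot)\NETLOGON")

# Principals that normally hold write rights on SYSVOL (assumption: adjust to your baseline).
$expectedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'CREATOR OWNER',
    "$($domain.NetBIOSName)\Domain Admins",
    "$($domain.NetBIOSName)\Enterprise Admins",
    "$($domain.NetBIOSName)\Group Policy Creator Owners"
)

# Any of these rights lets a principal alter or replace files under the share.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData

function Get-UnexpectedWriters {
    param([Parameter(Mandatory)][string]$Path)
    # Walk the whole tree; SYSVOL is small, so checking every object is cheap.
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.Access) {
                $grantsWrite = ($ace.AccessControlType -eq 'Allow') -and
                               ((([int]$ace.FileSystemRights) -band [int]$writeMask) -ne 0)
                if ($grantsWrite -and ($expectedWriters -notcontains $ace.IdentityReference.Value)) {
                    [pscustomobject]@{
                        Path      = $_.FullName
                        Identity  = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
}

foreach ($share in $shares) {
    Write-Output "== Write-capable ACEs outside the baseline under $share =="
    Get-UnexpectedWriters -Path $share | Format-Table -AutoSize
}

# Day-to-day user accounts appearing here are a finding in their own right.
Write-Output "== Domain Admins (recursive) =="
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties Enabled, LastLogonDate |
    Select-Object SamAccountName, Enabled, LastLogonDate |
    Format-Table -AutoSize
```

An empty first table and a Domain Admins list containing only dedicated administrative accounts is the expected result on a healthy domain; anything else is a lead for the audit the answer recommends, and the inherited flag tells you whether a stray ACE was set on SYSVOL itself or propagated from a parent folder.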
Thanks for the points and check with your Antivirus vendor if the Domain Controller is now clean.