Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 192
  • Last Modified:

systemdown@india.com and McAfee

Our documents got infected with the systemdown@india.com.xtbl.  It encrypted thousands of files.  Fortunately I back up everything, so I was able to put backups in place.  But my question is why didn't our Virus protections, Spyware blockers, etc., catch this.  I understand from research that this normally comes in as ads or malware, but my Manager tends to think that even if this came in through email, that our protections should have stopped it at the source and not spread throughout our entire system.  It only affected files that everyone had write access to.  

I need to prevent this from happening.  Other than totally locking down the internet what else can I do.  I have anti-virus software in place, Barracuda Spyware device, as well as Malware software.  I know the rules of prevention but I need to know if there is anything that can stop it if it hits our systems again.
0
Salonge
Asked:
Salonge
3 Solutions
 
Russ SuterCommented:
Antivirus programs are known to be ineffective against such attacks. AV programs are pretty much useless in general these days. Education is the #1 defense. You can alter your firewall and mail server rules to block attachments. That tends to be much more effective. You can also institute group policies that prevent programs from running in unauthorized locations. You can further introduce watch programs that detect anomalous activity and shut down the system or alert you.
1
 
McKnifeCommented:
The answer has been there for 15 years: software restriction policies application whitelisting. You list what's allowed (like your office software and all other known stuff), the rest gets blocked including all viruses.
0
 
Adam LeinssCommented:
+1 Russ.  AV is statistically about 40% effective in stopping malware.  You need multiple protections in place: quarantining external files coming into e-mail, user education, Internet filtering, etc.  Now there are products like Cylance that don't use signatures, but predictive analysis of program behavior, but even with their "get pass our protection" bounty program, there were people that found a way around their detection.

I would say on a real world note that our infections went down substantively when we took away admin rights from end users and put in a Websense appliance and deployed the Websense endpoint client.  We also have alerting in ESET and if anyone comes up with a Crypto alert, that computer is immediately taken offline.  Other people have used FSRM to do similar things.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now