Solved

systemdown@india.com and McAfee

Posted on 2016-09-14
Last Modified: 2016-10-27
Our documents got infected with the systemdown@india.com.xtbl. It encrypted thousands of files. Fortunately I back up everything, so I was able to put backups in place. But my question is why didn't our Virus protections, Spyware blockers, etc., catch this? I understand from research that this normally comes in as ads or malware, but my Manager tends to think that even if this came in through email, our protections should have stopped it at the source and it should not have spread throughout our entire system. It only affected files that everyone had write access to.

I need to prevent this from happening. Other than totally locking down the internet, what else can I do? I have anti-virus software in place, a Barracuda Spyware device, as well as Malware software. I know the rules of prevention but I need to know if there is anything that can stop it if it hits our systems again.
0
Question by:Salonge
3 Comments
 
LVL 20

Assisted Solution

by:Russ Suter
Russ Suter earned 125 total points
ID: 41798769
Antivirus programs are known to be ineffective against such attacks. AV programs are pretty much useless in general these days. Education is the #1 defense. You can alter your firewall and mail server rules to block attachments. That tends to be much more effective. You can also institute group policies that prevent programs from running in unauthorized locations. You can further introduce watch programs that detect anomalous activity and shut down the system or alert you.
1
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 125 total points
ID: 41798785
The answer has been there for 15 years: software restriction policies / application whitelisting. You list what's allowed (like your office software and all other known stuff), the rest gets blocked, including all viruses.
0
 
LVL 22

Accepted Solution

by:Adam Leinss
Adam Leinss earned 250 total points
ID: 41798824
+1 Russ.  AV is statistically about 40% effective in stopping malware.  You need multiple protections in place: quarantining external files coming into e-mail, user education, Internet filtering, etc.  Now there are products like Cylance that don't use signatures, but predictive analysis of program behavior, but even with their "get pass our protection" bounty program, there were people that found a way around their detection.

I would say on a real world note that our infections went down substantively when we took away admin rights from end users and put in a Websense appliance and deployed the Websense endpoint client.  We also have alerting in ESET and if anyone comes up with a Crypto alert, that computer is immediately taken offline.  Other people have used FSRM to do similar things.
0
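
The FSRM approach mentioned in the accepted answer, sketched as an added example that is not part of the original thread: a file screen that blocks and logs writes of `*.xtbl` files (the extension from the question) on the shared folders. The share path and file group name are assumptions; adjust them to the server.

```powershell
# Added example, not from the thread. Run on the Windows file server as administrator.
# Requires the File Server Resource Manager role service:
#   Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools
Import-Module FileServerResourceManager

# Assumptions (hypothetical values): where the widely writable shares live,
# and the name given to the file group.
$sharePath = 'D:\Shares'
$groupName = 'Ransomware-XTBL'

# File group matching the extension the encrypted files received in this incident.
if (-not (Get-FsrmFileGroup -Name $groupName -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name $groupName -IncludePattern @('*.xtbl') | Out-Null
}

# Log a warning to the Application event log for every violation
# (RunLimitInterval 0 = do not suppress repeated events), naming the
# account and the file so the source workstation can be taken offline.
$eventAction = New-FsrmAction -Type Event -EventType Warning -RunLimitInterval 0 -Body (
    'User [Source Io Owner] tried to write [Source File Path] on [Server]; ' +
    'it matches file group [Violated File Group].')

# -Active makes the screen block the write; omit it for a passive,
# log-only screen while testing for false positives.
New-FsrmFileScreen -Path $sharePath `
                   -IncludeGroup $groupName `
                   -Notification $eventAction `
                   -Active

# Confirm what is now screened.
Get-FsrmFileScreen -Path $sharePath | Format-List Path, Active, IncludeGroup
```

An extension-based screen only catches variants whose extension is in the file group, so it works as a tripwire alongside the whitelisting and least-privilege measures described in the answers, not as a replacement for them.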