Solved

systemdown@india.com and McAfee

Posted on 2016-09-14
3
166 Views
Last Modified: 2016-10-27
Our documents got infected with the systemdown@india.com.xtbl ransomware.  It encrypted thousands of files.  Fortunately I back up everything, so I was able to put backups in place.  But my question is why didn't our virus protection, spyware blockers, etc., catch this?  I understand from research that this normally comes in as ads or malware, but my manager tends to think that even if this came in through email, our protections should have stopped it at the source and not let it spread throughout our entire system.  It only affected files that everyone had write access to.

I need to prevent this from happening.  Other than totally locking down the internet, what else can I do?  I have anti-virus software in place, a Barracuda spyware device, as well as malware software.  I know the rules of prevention, but I need to know if there is anything that can stop it if it hits our systems again.
Question by:Salonge
3 Comments
 
LVL 20

Assisted Solution

by:Russ Suter
Russ Suter earned 125 total points
ID: 41798769
Antivirus programs are known to be ineffective against such attacks. AV programs are pretty much useless in general these days. Education is the #1 defense. You can alter your firewall and mail server rules to block attachments. That tends to be much more effective. You can also institute group policies that prevent programs from running in unauthorized locations. You can further introduce watch programs that detect anomalous activity and shut down the system or alert you.
1
 
LVL 55

Assisted Solution

by:McKnife
McKnife earned 125 total points
ID: 41798785
The answer has been there for 15 years: software restriction policies / application whitelisting. You list what's allowed (like your office software and all other known stuff), and the rest gets blocked, including all viruses.
0
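Russ's "group policies that prevent programs from running in unauthorized locations" and McKnife's whitelisting are the same control: a default-deny executable policy. The script below is an added example, not something posted in the thread, showing the three standard AppLocker rules applied locally in audit mode and then tested against a file dropped into %TEMP%. It assumes an elevated PowerShell on a Windows edition that includes AppLocker; the rule names, the temp file and the event count are illustration choices.

```powershell
# Added example (not from the thread): default-deny AppLocker policy for
# executables, applied in AuditOnly mode first and then tested.
Import-Module AppLocker

# Helper: one Allow path rule for a principal (SID) and a path pattern.
function New-AllowPathRule {
    param([string]$Name, [string]$Path, [string]$Sid)
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="Allow">
      <Conditions>
        <FilePathCondition Path="$Path" />
      </Conditions>
    </FilePathRule>
"@
}

# Everyone = S-1-1-0, BUILTIN\Administrators = S-1-5-32-544. Anything not
# matched by an Allow rule in an enforced collection is denied by default,
# which is what stops a payload that lands in %TEMP% or %APPDATA%.
$Rules = @(
    New-AllowPathRule 'Program Files'  '%PROGRAMFILES%\*' 'S-1-1-0'
    New-AllowPathRule 'Windows folder' '%WINDIR%\*'       'S-1-1-0'
    New-AllowPathRule 'Administrators' '*'                'S-1-5-32-544'
) -join "`n"

# AuditOnly logs what would be blocked without blocking it. Change it to
# Enabled once the audit log shows no legitimate software is affected.
$PolicyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$Rules
  </RuleCollection>
</AppLockerPolicy>
"@
$PolicyPath = Join-Path $env:TEMP 'applocker-exe.xml'   # assumed location
Set-Content -Path $PolicyPath -Value $PolicyXml -Encoding UTF8

# AppLocker needs the Application Identity service. On recent Windows 10/11
# builds its startup type is protected and has to be set through Group
# Policy instead of Set-Service.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Replace the local policy (add -Merge to keep existing rules; use -Ldap
# with a GPO path to deploy it domain-wide).
Set-AppLockerPolicy -XmlPolicy $PolicyPath

# Simulate an executable that arrived by e-mail and was saved to %TEMP%.
$Dropped = Join-Path $env:TEMP 'invoice.exe'             # constructed sample
Copy-Item "$env:WINDIR\System32\notepad.exe" $Dropped -Force

# Expected: notepad.exe -> Allowed (matches %WINDIR%\*),
#           invoice.exe -> DeniedByDefault (no rule covers %TEMP%).
Test-AppLockerPolicy -XmlPolicy $PolicyPath -User Everyone -Path @(
    "$env:WINDIR\System32\notepad.exe",
    $Dropped
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# While auditing, event 8003 records what would have been blocked;
# 8004 is a real block once EnforcementMode is Enabled.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 |
    Where-Object Id -in 8003, 8004 |
    Select-Object TimeCreated, Id, Message
```

Two caveats before switching to Enabled: a few directories under %WINDIR% (Tasks and Temp among them) are writable by standard users, so the %WINDIR%\* rule should be tightened with exceptions or replaced by publisher rules for real deployments; and the Exe collection alone does not cover scripts, installers or DLLs, which each need their own RuleCollection.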
 
LVL 22

Accepted Solution

by:Adam Leinss
Adam Leinss earned 250 total points
ID: 41798824
+1 Russ.  AV is statistically about 40% effective in stopping malware.  You need multiple protections in place: quarantining external files coming into e-mail, user education, Internet filtering, etc.  Now there are products like Cylance that don't use signatures but predictive analysis of program behavior, but even with their "get past our protection" bounty program, there were people that found a way around their detection.

I would say on a real world note that our infections went down substantively when we took away admin rights from end users and put in a Websense appliance and deployed the Websense endpoint client.  We also have alerting in ESET and if anyone comes up with a Crypto alert, that computer is immediately taken offline.  Other people have used FSRM to do similar things.
0
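The FSRM approach Adam mentions is a tripwire on the file server itself: a file screen that matches the names ransomware writes (the .xtbl extension from the question is one) and fires an action the moment one appears. The script below is an added example, not code from the thread, and assumes the File Server Resource Manager role is installed, that the share lives at D:\Shares\Documents, and that the extra patterns in the file group are representative entries to be replaced by a maintained list.

```powershell
# Added example (not from the thread): FSRM file screen that logs a warning
# and disconnects the writing user's SMB sessions when a ransomware-style
# file name is written to the share.
Import-Module FileServerResourceManager

$Share = 'D:\Shares\Documents'   # assumed share path

# File group of ransomware artefacts. *.xtbl is from the question; the other
# patterns are assumed entries, not an authoritative list.
$Group = New-FsrmFileGroup -Name 'Ransomware artefacts' -IncludePattern @(
    '*.xtbl', '*.locky', '*.crypt', '*.encrypted',
    'how_to_decrypt*', '*decrypt_instructions*'
)

# Action 1: Application event log warning. FSRM expands [Source Io Owner]
# and [Source File Path] when the screen fires.
$LogAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Ransomware pattern written: [Source File Path] by [Source Io Owner] on [Server]'

# Action 2: cut the writer off by closing that user's SMB sessions. Runs as
# LocalSystem on the file server; the inner command is what FSRM executes.
$KillAction = New-FsrmAction -Type Command -SecurityLevel LocalSystem `
    -Command "$env:WINDIR\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -CommandParameters '-NoProfile -Command "Get-SmbSession | Where-Object ClientUserName -eq ''[Source Io Owner]'' | Close-SmbSession -Force"'

# Active screen: the matching write is refused and both actions run.
New-FsrmFileScreen -Path $Share -IncludeGroup $Group.Name -Active `
    -Notification @($LogAction, $KillAction) `
    -Description 'Ransomware tripwire: block, log and disconnect'

# Verify: a local write of a matching name must be refused and logged.
try {
    Set-Content -Path (Join-Path $Share 'tripwire-test.xtbl') -Value 'test'   # constructed sample
} catch {
    "Blocked as expected: $($_.Exception.Message)"
}
Get-WinEvent -LogName Application -MaxEvents 20 |
    Where-Object ProviderName -eq 'SRMSVC' |
    Select-Object TimeCreated, Id, Message
```

Treat this as containment rather than prevention: the screen fires on the first matching name, and a variant that encrypts in place and renames afterwards will already have damaged that file, so backups and the whitelisting above still do the real work. Also check the action's run-limit interval (60 minutes by default in FSRM), since a second trigger inside that window will not run the command again.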
