Hallo Experts
       
I would like to collect the following Threat Artifacts from a compromised Windows System:
     

• CPU

• Routing-, ARP- & Process tables

• Memory

• Temporary files

• Relevant data from storage media

   
What would you collect? Is there any best practice from NIST or anyware?
 
Thanks a lot

It's not uncommon to go to a website that gives you a frowny face and guilt tripping you that "We see you have an ad blocker. But that's how we make our money." So then if you really want the site you can white list them. And then typically you forget about it. Is there any way to tell in what ways the sites have taken advantage of your white listing? If they gave you spyware or something else malicious can you trace the malware to the site that gave it to you?

Hi guys

I've installed an anti-theft application on my laptop, in case some thieves break into my home and take it (there's been burglaries in the area). I'm trying to think further down the line. The issue I have with these applications is that if someone takes my laptop, they may be cunning enough to take out the disk inside at which point, I can kiss goodbye the anti-theft application I installed.

Are there any tracking devices out there that I could plant into my laptop, to locate it in the event of an unfortunate event?

Thanks for helping
Yashy

I’m trying to compare the two solutions, between Webroot anywhere secure with DNS protection or Sophos interecptX advanced with EDR.
I do have a Sophos Firewall, but I’ve been using Webroot for now and just tested InterceptX and I have to decide which route to take.


Does anyone have any recommendations?

Microtech scam/ransomware was on a computer at a remote location.  Said they needed to call a 1800 number to get virus removed.  This user did that and paid $300 dollars to have fake company remove virus.  Got a text from him and said they are in there right now controlling computer and "trying" to remove  virus.  Should he power off right away or should he let them do their thing so he can use his pc again since he paid the money?  I told him to immediatley power off computer and wait for them to call again.

Q1:
If I use a Solaris server as repository server to get from Internet
ClamAV updates, can it be used by other platform 'satellite'
ClamAV such as Windows, Linux?   Ie can freshclam on
Windows/Linux pull signature updates from a Solaris ?


Q2:
Are the 3 cvd files (main, daily, bytecode) inter-useable
between Solaris x86, RHEL & Windows ?

Hacked e-mail account help required.

Last night a client received an e-mail that starts out:
My nickname in darknet is konstantine23.
I hacked this mailbox more than six months ago, through it I infected your operating system with a virus (trojan) created by me and have been monitoring you for a long time.

They then list the actual password correctly to her account.  It is an Office 365 account.  She does access her account on her personal laptop, which I will have this afternoon in my possession.   I am currently scanning her work computer, and having everyone else check for the same e-mail in their SPAM folder (Where she found hers).  We are in process of changing password to all of her online accounts (Including e-mail) on another computer, not part of their network.  The business does have a UTM router in place, and logs will be looked at next.  TDSS Killer did not find any rootkits, but more scanning will be done.

Looking for information on this possible.

a couple of years back, Trendmicro's  .DAT file can be searched using (find or grep command) for
certain malware names.

I'm now using OfficeScan V12.0.1352 & I think the signature file is VsapiNT.sys

I'm trying to track if  globeimposter  ransomware is in our current officescan signature &
the 2 links below seems to say that TM has documented them quite some time ago:
 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-4th-2017-globeimposter-notpetya-and-more/
 https://www.trendmicro.com/vinfo/in/security/news/cybercrime-and-digital-threats/ransomware-recap-crypshed-spoofs-amazon-in-ransomware-campaign

but when I searched for "glob"  (I suppose FakeGlobal as it's known to Trendmicro) would have it
listed in the latest VsapiNT.sys signature but it's not there:
appreciate steps on how to list the malwares covered by Officescan's signature file:

C:\foren>find/i "glob" *.sys |more

---------- TMPREFLT.SYS

---------- TMXPFLT.SYS

---------- VSAPINT.SYS
GlobalAddAtomA
GlobalAddAtomW
GlobalAlloc
GlobalCompact
GlobalDeleteAtom
GlobalFindAtomA
GlobalFindAtomW
GlobalFix
GlobalFlags
GlobalFree
GlobalGetAtomNameA
GlobalGetAtomNameW
GlobalHandle
GlobalLock
GlobalMemoryStatus
GlobalReAlloc
GlobalSize
GlobalUnWire
GlobalUnfix
GlobalUnlock
GlobalWire
MakeCriticalSectionGlobal
JungUm Global
Corel Global Macro(GMS)
GLOBAL:
GLOBALNE:
GLOBALDOTPROMPT
GLOBAL
GLOBAL.DOT:
GLOBAL:
ExecuteGlobal
Global

I've seen an ex-colleague blocking file extensions from being created using a feature in McAfee
(can't recall the name).

Can someone provide the steps to do this in Trendmicro Officescan's management console?
What's this feature called in Officescan?

What is the easiest and most effective way to get rid of the Trojan.JS.Dropper.E?