
bloody bloody cryptolocker bloody

Discussion in 'Business & Enterprise Computing' started by Joshhy, Sep 12, 2014.

  1. person

    person Member

    Joined:
    Mar 7, 2003
    Messages:
    344
    Location:
    Brisbane
    I'll post a thread how I go when I roll it out fully :) - in testing so far seems good - the most affordable that I tried, cost is around $70/machine perpetual licence, plus maintenance. Not too bad really..

    I've found this blog to be a good resource, haha - http://appsensebigot.blogspot.com.au/p/application-manager.html

    NB whitelisting doesn't really work if users insist on being local admins :( - but appsense can function as a "second level UAC" so even if they are local admins it can offer an additional prompt that might scare them off being stupid...
     
  2. Punk

    Punk Member

    Joined:
    Mar 15, 2002
    Messages:
    1,058
    Location:
    Walking on Sunshine
    Has anyone had any experience with Webroot and crypto at all?
    Just wondering how it stacks up.
     
  3. FerrisXB9R

    FerrisXB9R Member

    Joined:
    Jan 18, 2005
    Messages:
    3,255
    Location:
    AB, CAN
    Certainly doesn't stop it, if that's what you're asking.
     
  4. Punk

    Punk Member

    Joined:
    Mar 15, 2002
    Messages:
    1,058
    Location:
    Walking on Sunshine
    Now I don't trust sales guys but they reckon that even if they don't catch it at first, then webroot will roll back the changes that the crypto causes.

    So I was just wondering if anyone had actually seen or used it?
     
  5. FerrisXB9R

    FerrisXB9R Member

    Joined:
    Jan 18, 2005
    Messages:
    3,255
    Location:
    AB, CAN
    Full disclosure: We use webroot for all our clients. Every single one. We weekly audit our clients for out of date webroot definitions.

    I've personally dealt with 4 such instances of cryptolocker, or encrypting ransomware, across 3 clients in as many months.

    Webroot has never been any help whatsoever.

    Remove cryptoed files.

    Restore from backup.

    Webroot never comes into it. It's never once picked up the executable on the client pc that caused the infections, and has no feature to fix the damage caused that I can see. Every time I've had to look at the file permissions of the "you're fucked, pay here".html that gets thrown everywhere to find out the culprit of the infection. Never once has webroot even thrown up an alert of any kind to let us know shit's going down. It's always a phone call from the client.

    Now I have faith in Webroot as an antivirus product. Not a lot gets past it. It's good at that. But as for ransomware, I'm yet to see it have any effect at all. I'm going to go over it with a fine toothed comb tomorrow though, just in case there's some new feature that's arrived that we haven't switched on, but I won't hold my breath.
     
    Last edited: Oct 13, 2016
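The "look at the file permissions of the ransom note" step above, written out as an added PowerShell example for the defender doing the triage. It is not code from the post or from any product. The share path, the note filename pattern and the output layout are assumptions; substitute what you actually see on the share.

```powershell
# Added example: work out which account dropped the ransom notes on a file share.
# Assumptions (placeholders, not from the thread): the share is \\fileserver\shared
# and the note filename matches *DECRYPT*.html.
param(
    [string]$SharePath   = '\\fileserver\shared',
    [string]$NotePattern = '*DECRYPT*.html'
)

# Each note carries the NTFS owner it was created under, which is the account the
# malware ran as, and a write time; the earliest note marks the start of the run.
$notes = Get-ChildItem -Path $SharePath -Filter $NotePattern -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path    = $_.FullName
            Owner   = (Get-Acl -Path $_.FullName).Owner
            Written = $_.LastWriteTime
        }
    }

if (-not $notes) {
    Write-Host "No notes matching $NotePattern under $SharePath"
    return
}

# One owner holding nearly all the notes is the infected user; that user's
# workstation is the machine to pull off the network first.
$notes | Group-Object Owner | Sort-Object Count -Descending | ForEach-Object {
    [pscustomobject]@{
        Owner     = $_.Name
        Notes     = $_.Count
        FirstSeen = ($_.Group | Sort-Object Written | Select-Object -First 1).Written
    }
} | Format-Table -AutoSize

# The first directories hit tell you where the encryption started, which scopes
# the restore from backup.
$notes | Sort-Object Written | Select-Object -First 10 Written, Owner, Path | Format-Table -AutoSize
```

One caveat when reading the output: if the owner shows as BUILTIN\Administrators rather than a named user, the creating account was an administrator on the file server, and you fall back to the server's SMB session list or file-access audit events to tie the notes to a user and workstation.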
  6. Smoke87

    Smoke87 Member

    Joined:
    Jun 17, 2005
    Messages:
    6,195
    A few questions for the admins here:

    1. Why do you permit users to hold local administrator privileges?
    2. Why have you not implemented at least directory based AppLocker whitelisting?
    3. Why do you permit your users to download executables via your gateway, presuming you have one though...
    4. For those users working off site, have you considered leveraging DirectAccess and pushing all the web requests back to your head office and routing these via a gateway?
     
  7. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,610
    1/ Users don't need local administrator privileges to encrypt all the things they have access to.

    2/ Directory based whitelisting interferes with normal business activities, while providing only a skerrick of increased security.

    3/ Users cannot download executables, but can still get owned.

    4/ See above.

    Stopping the threat is always going to be a losing game... eventually you will get owned, so while 'best effort' gets put into closing all the obvious open doors (like above)... the real effort gets put into establishing and maintaining prompt recovery of data, simply because that will ALWAYS be effective, any measures to prevent infection will always become ineffective in the long run.
     
  8. wullieb1

    wullieb1 Member

    Joined:
    Jul 9, 2013
    Messages:
    471
    1. Certain software we run requires Local Admin rights to work correctly, here's looking at your Autodesk. We also have users who require it as they need to make system changes when on site to connect to equipment to work.

    2. Because it would be a ball ache to maintain.

    3. When we stopped that we felt the wrath of management. Told categorically to re-instate. Yes, I have the emails to prove it.

    4. Not all businesses run enterprise versions of Windows to allow them to use DA.
     
  9. Punk

    Punk Member

    Joined:
    Mar 15, 2002
    Messages:
    1,058
    Location:
    Walking on Sunshine
    Thanks for the feedback. :thumbup:
     
  10. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,383
    Location:
    Brisbane
    1. Because cancerous app vendors who haven't really updated their software since XP but are the only real choice in that particular market space for the client's size.
    2. Because node.js. Often because, flat out, no domains.
    3. App-layer Firewalls? What kind of small business do you work in?
    4. Enterprise Licensing? hah. Although that is being re-visited with the new round of 1607-era GPO / Enterprise features. It will be easier when the Windows E3 O365 sub is released in this market though.
     
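The "directory based AppLocker whitelisting" debated in the posts above, as an added PowerShell example of what such a policy looks like and how to dry-run it before it is enforced anywhere. This is not from any post in the thread. The rule GUIDs, the policy file location and the test directory are placeholders.

```powershell
# Added example: a minimal directory-based AppLocker policy for executables.
# Only binaries under the OS and Program Files directories are allowed; once a
# rule collection has any rules, AppLocker denies everything no rule allows, so
# anything launched from a user-writable path (Downloads, %TEMP%, AppData) is
# blocked. Rule Ids are arbitrary GUIDs (placeholders); S-1-1-0 is Everyone.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="11111111-1111-1111-1111-111111111111" Name="Allow Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="22222222-2222-2222-2222-222222222222" Name="Allow Windows"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

$policyPath = Join-Path $env:TEMP 'applocker-dir-whitelist.xml'   # placeholder location
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: the same binary is tested from two directories. The copy in %WINDIR%
# matches a rule and is Allowed; the identical copy under the user profile
# matches nothing and is Denied, which is the whole point of a path policy.
$testDir   = Join-Path $env:TEMP 'applocker-test'
New-Item -ItemType Directory -Path $testDir -Force | Out-Null
$inWindows = Join-Path $env:WINDIR 'notepad.exe'
$inTemp    = Join-Path $testDir 'notepad.exe'
Copy-Item -Path $inWindows -Destination $inTemp -Force

Test-AppLockerPolicy -XmlPolicy $policyPath -Path $inWindows, $inTemp -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize

# Rollout, left commented so running this file changes nothing:
# 1. apply with EnforcementMode="AuditOnly" and watch the AppLocker EXE and DLL
#    event log for what *would* have been blocked (this is where the business
#    apps that live in odd directories show up);
# 2. flip EnforcementMode to "Enabled" and re-apply. The Application Identity
#    service must be running for any of it to take effect.
# Set-AppLockerPolicy -XmlPolicy $policyPath
# Set-Service -Name AppIDSvc -StartupType Automatic; Start-Service AppIDSvc
```

Two design points follow from the thread itself: a path rule is only as strong as the ACL on that path, so a world-writable folder under Program Files (or a user who is a local admin and can write there) gets anything past it, and the audit-only pass is what surfaces the line-of-business software that would otherwise make the policy the maintenance burden the replies describe.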
