Endpoint Protection


SEP on Xenapp Desktop?

  • 1.  SEP on Xenapp Desktop?

    Posted Oct 22, 2013 09:32 AM

    Last night, we were infected with the Cryptolocker virus.  The end user was on a thin client running Xenapp virtual desktop.   The local IT person says the machine had SEP on it.  If that is the case, why wouldn't SEP have blocked this virus? 



  • 2.  RE: SEP on Xenapp Desktop?

    Broadcom Employee
    Posted Oct 22, 2013 09:35 AM

    how did you get to know it's infected?

    can you submit the file to Symantec Security response.



  • 3.  RE: SEP on Xenapp Desktop?



  • 4.  RE: SEP on Xenapp Desktop?

    Posted Oct 22, 2013 09:44 AM

    Did you check the Risk log on the client? Was there anything there?

    Can you verify SEP was enabled and reporting in to the SEPM?

    What is the SEP version? What components were installed?



  • 5.  RE: SEP on Xenapp Desktop?

    Posted Oct 22, 2013 09:52 AM

    I was not involved in troubleshooting the incident.  Information is still trickling in.  I will submit the file.  However, in the interim, can you tell me if it's possible that this system had SEP on it?  It's not in the console and local IT is being very sketchy on the details.  Is there a way I can find out for sure whether or not SEP was installed and if so when it was installed?




  • 6.  RE: SEP on Xenapp Desktop?

    Posted Oct 22, 2013 09:55 AM

    You can do a search for Symantec Endpoint Protection in the registry or look for the install directory

    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection
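The checks suggested in posts 4 and 6 (was SEP installed, when, and was the client actually running) can be scripted so the answer does not depend on what local IT remembers. The following PowerShell is an added example and not code from the thread or from Symantec; it assumes the standard Windows Uninstall registry keys, the install directory quoted above, and the service names `SepMasterService` (SEP 12.1) and `Symantec AntiVirus` (SEP 11.x), which are assumptions about the product rather than something this thread states.

```powershell
# Added example (not from the thread): report whether Symantec Endpoint Protection
# is installed on this Windows host, when it was installed, and whether its service runs.
# Assumptions: standard Uninstall registry hives, the install path quoted in the thread,
# and the SEP service names below (SEP 12.1: SepMasterService; SEP 11.x: Symantec AntiVirus).

# 1. Installed-product records written by the installer (32-bit and 64-bit hives).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$sep = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Symantec Endpoint Protection*' } |
    Select-Object DisplayName, DisplayVersion, InstallDate, InstallLocation

if ($sep) {
    # InstallDate is the installer's yyyyMMdd string, which answers the "when" question.
    $sep | Format-List
} else {
    Write-Output 'No Symantec Endpoint Protection entry found in the Uninstall registry keys.'
}

# 2. Install directory named in the thread (32-bit path on 64-bit Windows) plus the native path.
$dirs = @(
    'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection',
    'C:\Program Files\Symantec\Symantec Endpoint Protection'
)
foreach ($d in $dirs) {
    if (Test-Path -Path $d) {
        $created = (Get-Item -Path $d).CreationTime
        Write-Output "Install directory present: $d (created $created)"
    } else {
        Write-Output "Install directory absent: $d"
    }
}

# 3. Whether the client service exists and is running; an installed but stopped client
#    protects nothing, which is one way a threat gets through a "protected" machine.
$services = Get-Service -Name 'SepMasterService', 'Symantec AntiVirus' -ErrorAction SilentlyContinue
if ($services) {
    $services | Select-Object Name, DisplayName, Status | Format-Table -AutoSize
} else {
    Write-Output 'No SEP client service found.'
}
```

Run it in an elevated PowerShell session on the affected host (or on the Citrix XenApp server image that the thin client session was actually executing on, since that is where the agent would need to live). A machine that passes all three checks but is absent from the SEPM console is the case post 4 asks about: installed, but not reporting in, and therefore possibly running stale definitions.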



  • 7.  RE: SEP on Xenapp Desktop?

    Broadcom Employee
    Posted Oct 22, 2013 10:41 AM

    Hi,

    Thank you for posting in Symantec community.

    I would be glad to answer your query.

    Symantec detects this threat as Trojan.Ransomcrypt.F. Additionally, there is generic coverage of this threat using the detection Trojan.Ransomcrypt!g3.

    Trojan.Ransomcrypt.F is a Trojan horse that encrypts files on the compromised computer and then prompts the user to purchase a password in order to decrypt them.

    Trojan.Ransomcrypt!g3 is a heuristic detection used to detect threats associated with the Trojan.Ransomcrypt.F family of threats.

    To remove this threat refer this article:

    http://www.symantec.com/security_response/writeup.jsp?docid=2013-091122-3112-99&tabid=3




  • 8.  RE: SEP on Xenapp Desktop?

    Posted Oct 22, 2013 05:35 PM

    Does SEP 11.6 block Cryptolocker?



  • 9.  RE: SEP on Xenapp Desktop?

    Posted Oct 22, 2013 05:41 PM

    Yes. Defs for both 11.x and 12.1 will detect it. Same for the IPS.



  • 10.  RE: SEP on Xenapp Desktop?

    Posted Oct 22, 2013 05:54 PM

    We were just hit on a traditional desktop machine running 11.6. 



  • 11.  RE: SEP on Xenapp Desktop?

    Posted Oct 22, 2013 05:55 PM

    Also, I submitted the files that I referred to initially to the Security Response team this morning.  No word yet.



  • 12.  RE: SEP on Xenapp Desktop?

    Posted Oct 22, 2013 06:22 PM

    Could be a new variant which did not yet have a detection signature.



  • 13.  RE: SEP on Xenapp Desktop?

    Posted Oct 23, 2013 07:52 AM

    The authors of this threat have a very strong financial motive for crafting files that will evade AntiVirus programs.  There are new variants seen often.  Some details of recent changes can be found in the blog post mentioned earlier:

    Ransomcrypt: A Thriving Menace
    https://www-secure.symantec.com/connect/blogs/ransomcrypt-thriving-menace

    For more, also see these resources:

    Additional information about Ransomware threats
    http://www.symantec.com/docs/TECH211589

    Symantec is constantly updating our protection (AV and other components).  Definitely back up all important data regularly, keep your AV definitions up-to-date, and deploy the IPS component of SEP if you are not already using it!

    Also note: SEP 11.x will reach End-of-Support-Life as of January 5, 2014.   After any outbreaks are contained, migrate to SEP 12.1 ASAP.

    FAQ: Upgrading Symantec Endpoint Protection 11.x to version 12.1.x
    Article URL http://www.symantec.com/docs/TECH207274



  • 14.  RE: SEP on Xenapp Desktop?

    Posted Oct 30, 2013 12:56 PM

    This new article may be of interest to followers of this thread:


    Recovering Ransomlocked Files Using Built-In Windows Tools
    https://www-secure.symantec.com/connect/articles/recovering-ransomlocked-files-using-built-windows-tools