Endpoint Protection

  • 1.  SEPM Recommended Settings for Crypto Viruses

    Posted Jul 29, 2014 11:54 AM

    What are the recommended settings / policies for Symantec Endpoint clients to help protect against the Crypto Viruses like Cryptowall and Cryptolocker?

    Thanks!
     



  • 2.  RE: SEPM Recommended Settings for Crypto Viruses
    Best Answer

    Posted Jul 29, 2014 11:57 AM
    You need to enable IPS, the firewall, and SONAR, which add extra layers. AV alone will not cut it.
    https://www-secure.symantec.com/connect/articles/sep-121-top-articles-and-best-practices


  • 3.  RE: SEPM Recommended Settings for Crypto Viruses
    Best Answer



  • 4.  RE: SEPM Recommended Settings for Crypto Viruses
    Best Answer

    Posted Jul 30, 2014 10:52 AM

    Hi CTS-Tech,

    Excellent advice above from .Brian and James007.

    The malware authors behind these threats have a serious financial motive for constantly crafting new variants that are engineered to evade (even just temporarily) AV protection.  Keeping definitions up to date and using additional components is key.

    Two additional "best practice" points:

    1. Ensure you have a working backup solution in place (and that you have tested it works!).  This is a must-have against all sorts of disasters, not just crypto threats.
    2. Lock down your network shares (A simple password can stop these threats cold.  It is a few seconds of inconvenience for a user to type in a password to access a mapped drive.  Without that protection, these crypto threats will sabotage everything on the local computers and then go hit the mapped drives to damage the whole company.)

    And a third, specifically against these Cryptolockers:

    3. Ensure your mail server is scanning inbound mail for threats.  (Most cryptolockers arrive via a malicious attachment or link to a malicious attachment.  Once the user is tricked into running that malicious program, it will do its damage.)

    Finally, a request: if your company has been hit with a cryptolocker, try to trace its source back to the malicious attachment or malicious drive-by download file.  Get that submitted to Symantec for analysis, open a case with Tech Support, and ask them to get that file examined ASAP!  This will not enable SEP to decrypt your files- nothing will do that- but it will save other users and companies the grief of falling victim to this same new variant.

    Symantec Insider Tip: Successful Submissions!
    https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions

     

    Hope this helps!! :)

    Mick



  • 5.  RE: SEPM Recommended Settings for Crypto Viruses

    Posted Jul 31, 2014 03:49 AM

    Hi CTS-Tech,

    Just wondering if there was any additional information you require?  The thread is still marked "needs solution."

    Many thanks!

    Mick



  • 6.  RE: SEPM Recommended Settings for Crypto Viruses

    Trusted Advisor
    Posted Dec 03, 2014 10:23 AM

    As the user has abandoned this post, I am marking all the responses here as useful. Protecting against a cryptolocker virus falls into the same category as protecting against any malware. Some aspects of this are:

    • AV protection must be current (and leverage any web protection and behavioral scanning offered)
    • Consider application whitelisting if your environment suits it
    • Consider having users run in a restricted security mode (both locally and for network shares)
    • Have proactive web traffic analysis / blocking if your environment suits it
    • If the environment supports it, have mailbox AV scanning (not just scanning of incoming mail). This will enable malware attachments to be removed after virus definitions are released.

    Mitigation against cryptolocker is simply to have a very good systems backup/restore policy ;-)

    Kind Regards,
    Ian./
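
The application whitelisting bullet above is where most of the protection against a new, signature-evading variant comes from: a payload dropped by a malicious attachment into %TEMP% or %APPDATA% is simply not on the allow-list. The script below is an added example, not code from the thread or from Symantec, showing how to build an AppLocker allow-list from a clean reference machine and deploy it in audit-only mode so that you can review what would have been blocked before enforcing. It assumes a Windows edition with the AppLocker module, the Application Identity service, local administrator rights, and an output path of C:\Policies that you would change to suit.

```powershell
# Added example (not from the thread): AppLocker allow-list from a clean machine,
# deployed in AuditOnly mode first. Paths are assumptions.

Import-Module AppLocker
Start-Service AppIDSvc          # AppLocker evaluates nothing without this service

$PolicyPath = 'C:\Policies\AppLocker-Audit.xml'   # assumed output location

# 1. Inventory the "known good" set: executables, DLLs, installers and scripts
#    under the trusted roots. Anything run from elsewhere (user-writable
#    %TEMP%, %APPDATA%, Downloads) is outside the allow-list.
$TrustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot)
$FileInfo = $TrustedRoots |
    Where-Object { $_ -and (Test-Path $_) } |
    ForEach-Object {
        Get-AppLockerFileInformation -Directory $_ -Recurse `
            -FileType Exe, Dll, WindowsInstaller, Script
    }

# 2. Turn the inventory into rules. Publisher rules are preferred because they
#    survive version updates; unsigned files fall back to hash rules.
#    -Optimize collapses duplicate publisher rules.
[xml]$Policy = $FileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 3. Start in audit mode: would-be blocks are logged, nothing is prevented yet.
foreach ($collection in $Policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$null = New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force
$Policy.Save($PolicyPath)

# 4. Apply locally. To push through Group Policy instead, add -Ldap with the
#    distinguished name of the GPO.
Set-AppLockerPolicy -XmlPolicy $PolicyPath

# 5. After a test period, review what would have been blocked. Event 8003 in the
#    EXE and DLL log and 8006 in the MSI and Script log are the audit-mode
#    "would have been prevented" events.
$AuditLogs = @(
    @{ Log = 'Microsoft-Windows-AppLocker/EXE and DLL';    Id = 8003 },
    @{ Log = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8006 }
)
foreach ($entry in $AuditLogs) {
    Get-WinEvent -LogName $entry.Log -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -eq $entry.Id } |
        Select-Object TimeCreated, Message
}
```

Only switch the EnforcementMode attribute to Enabled once the audit events show nothing legitimate being flagged; line-of-business tools that live in user-profile directories are the usual surprise and need their own publisher or hash rule rather than a path rule on a user-writable folder, which would reopen exactly the hole the allow-list is meant to close.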