Endpoint Protection

  • 1.  Blocking potentially malicious files

    Posted Apr 14, 2015 11:14 AM

    We have had a recent incident where an incoming mail had an office file attachment that went to around 400 users before the spam filter blocked it. Currently SEP 12 is running in our environment.

    What is the best way to block the users from opening this file, until the Symantec team has a pattern that detects it?

    I would prefer to use a method that blocks based on checksum rather than filename.

    This is the second such instance of undetected office file malware I have seen in a month that has gotten through without detection. So I am looking for help in preparing for further such incidents.



  • 2.  RE: Blocking potentially malicious files

    Posted Apr 14, 2015 12:02 PM

    Do you have a security solution at your mail gateway where you can block specific attachments? The emails probably have a zip attachment which contains an scr file or exe. You can block by hash using an application control policy, but this would be reactive since you don't know the hash until after the file comes in, and you risk the chance of a user already having opened the file.



  • 3.  RE: Blocking potentially malicious files

    Posted Apr 15, 2015 01:38 AM

    We have gateway protection in place. I am looking for protection where the file has already gotten into our environment and we need to protect until SEP pattern is available.



  • 4.  RE: Blocking potentially malicious files

    Trusted Advisor
    Posted Apr 15, 2015 02:12 AM

    Hello,

    Please read the following article about a new wave of Cryptolockers currently in the wild (Trojan.Cryptolocker.G and Trojan.Cryptolocker.E especially). This article includes a tip on how to use SEP's ADC component to increase your security.

    Support Perspective: CTB-Locker and other forms of Crypto malware

    https://www-secure.symantec.com/connect/blogs/support-perspective-ctb-locker-and-other-forms-crypto-malware

    I also recommend ensuring that mail servers are using the latest definitions.  It would be a good idea to apply Rapid Release defs to SMSMSE and other products protecting mail servers a couple times per day.  This will improve detection of the very latest Downloaders (usually Downloader.Ponik) that are used to deliver the ultimate cryptolocking payload.

    Virus Definition Update Methods Available for Symantec Mail Security for Microsoft Exchange (SMSMSE)

    http://www.symantec.com/docs/TECH131756

    Check this article:

    Tips to "Be SAFE"

    https://www-secure.symantec.com/connect/blogs/tips-be-safe

    Never open an email attachment you were not expecting. 

    Here are few tips for safely using email and the web

    1. Use caution when opening email attachments. Email attachments (files attached to email messages) are a primary source of virus infection. Never open an attachment from someone you don't know. If you know the sender but weren't expecting an attachment, verify that the sender actually sent the attachment before you open it.

    2. Guard your personal information carefully. If a website asks for a credit card number, bank information, or other personal information, make sure you trust the website and verify that its transaction system is secure.

    3. Be careful when clicking hyperlinks in email messages. Hyperlinks (links that open websites when you click them) are often used as part of phishing and spyware scams, but they can also transmit viruses. Only click links in email messages that you trust.

    4. Only install addons from websites that you trust. Web browser addons allow webpages to display things like toolbars, stock tickers, video, and animation. However, addons can also install spyware or other malicious software. If a website asks you to install an addon, make sure that you trust it before doing so.

    Regards,



  • 5.  RE: Blocking potentially malicious files

    Posted Apr 15, 2015 05:31 AM

    Hi cable mite,

    End user education is the most powerful tool. An unopened malware attachment is always a harmless malware attachment. : )

    Ensure that all the protection components are running on SEP clients: IPS, SONAR/PTP, firewall, Download Insight, ADC. If there is a known hash for the malware's .exe you can use ADC to block it. An article created in Symantec's Connect Forums illustrates how to Block Software By Fingerprint.

    Also: ensure the mail security solution at the gateway is running up-to-date definitions and is well configured for defense (run Rapid Release updates several times per day, ensure it is blocking attachments with odd extensions like .js).

    Hope this helps!

    Mick
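
Posts 2 and 5 both point at blocking the attachment by hash (ADC fingerprint) rather than by filename, and the original question wants to find and block copies already in the environment. The following is an added example, not code from the thread, from Symantec, or from SEP: it sweeps a set of directories for any file whose SHA-256 matches the known-bad attachment, whatever it has been renamed to, and writes out the MD5s of the hits as a one-hash-per-line list of the kind a fingerprint block list is built from. The directory layout, file contents and the "one MD5 per line" output form are assumptions constructed for the example; check the SEP documentation for the exact fingerprint-list import format before loading it into an ADC policy.

```python
"""Find copies of a known-bad attachment by checksum (not filename) and
emit an MD5 fingerprint list for hash-based blocking.

Added example, not from the thread or from Symantec. The sample tree,
file contents and output format below are constructed assumptions."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Set

CHUNK = 1 << 20  # read files in 1 MiB pieces


def file_hashes(path: Path) -> Dict[str, str]:
    """Return MD5 and SHA-256 of a file, streamed so large attachments
    do not have to fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def find_by_checksum(roots: Iterable[Path], bad_sha256: Set[str]) -> List[Path]:
    """Walk every root and return each file whose SHA-256 is in bad_sha256,
    regardless of what the file is called."""
    hits: List[Path] = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = Path(dirpath) / name
                try:
                    digest = file_hashes(p)["sha256"]
                except OSError:
                    continue  # locked or unreadable; skip rather than abort the sweep
                if digest in bad_sha256:
                    hits.append(p)
    return hits


def fingerprint_list(paths: Iterable[Path], out: Path) -> List[str]:
    """Write the distinct MD5s of the given files, one per line (assumed
    fingerprint-list form), and return them sorted."""
    md5s = sorted({file_hashes(p)["md5"] for p in paths})
    out.write_text("\n".join(md5s) + "\n")
    return md5s


def demo() -> Dict[str, object]:
    """Constructed sample: the same malicious bytes under three different
    names, plus two benign files, one of which shares a name with a bad copy.
    Returns the hit names, the fingerprint list and the expected MD5."""
    base = Path(tempfile.mkdtemp()) / "sweep"
    bad = b"constructed sample of a malicious attachment\x00\x01"
    good = b"constructed benign quarterly report"
    (base / "u1").mkdir(parents=True)
    (base / "u2" / "Temp").mkdir(parents=True)
    (base / "u1" / "Invoice.doc").write_bytes(bad)
    (base / "u2" / "Temp" / "Invoice (1).doc").write_bytes(bad)
    (base / "u2" / "scan_0414.docm").write_bytes(bad)
    (base / "u1" / "Invoice_real.doc").write_bytes(good)
    (base / "u2" / "Invoice.doc").write_bytes(good)  # same name as a bad file, different bytes

    bad_sha = hashlib.sha256(bad).hexdigest()
    hits = find_by_checksum([base], {bad_sha})
    md5s = fingerprint_list(hits, base / "bad_md5.txt")
    return {
        "hit_names": sorted(p.name for p in hits),
        "md5s": md5s,
        "expected_md5": hashlib.md5(bad).hexdigest(),
    }


if __name__ == "__main__":
    result = demo()
    print("matched by checksum:", result["hit_names"])
    print("fingerprint list:", result["md5s"])
```

Matching on SHA-256 and only emitting MD5 for the block list is deliberate: the stronger hash is what you should key the sweep on, while the MD5 is only what the fingerprint mechanism consumes. Note that, as post 2 says, this is reactive; it finds copies of a sample you already have, it does not catch the next variant.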



  • 6.  RE: Blocking potentially malicious files

    Posted Apr 15, 2015 06:33 AM

    Best option is security awareness training.

    You can use an application control policy, but again that could potentially be after the fact.