Endpoint Protection


Ransomware .exx extension

  • 1.  Ransomware .exx extension

    Posted May 11, 2015 01:16 PM

    Hi all, we encountered some ransomware recently and, surprisingly, SEP was unable to detect it. We would like to know of any way to increase the sensitivity of SEP and ways to prevent it. Hoping to get a solution ASAP. Thanks.



  • 2.  RE: Ransomware .exx extension

    Posted May 11, 2015 01:41 PM

    Did you submit it to Symantec? Also, are you using the IPS, firewall, SONAR, and Download Insight components?

    Some articles here:

    Support Perspective: CTB-Locker and other forms of Crypto malware

    https://www-secure.symantec.com/connect/blogs/support-perspective-ctb-locker-and-other-forms-crypto-malware

    Recovering Ransomlocked Files Using Built-In Windows Tools

    https://www-secure.symantec.com/connect/articles/recovering-ransomlocked-files-using-built-windows-tools

    Cryptolocker Q&A: Menace of the Year

    https://www-secure.symantec.com/connect/blogs/cryptolocker-qa-menace-year

    First Response to: Cryptolocker \ Ransomcrypt\ Encryptor

    https://www-secure.symantec.com/connect/articles/first-response-cryptolocker-ransomcrypt-encryptor

    The Day After: Necessary Steps after a Virus Outbreak

    https://www-secure.symantec.com/connect/articles/day-after-necessary-steps-after-virus-outbreak

    https://www-secure.symantec.com/connect/forums/cryptolockercryptodefense-defenses

    https://www-secure.symantec.com/connect/forums/there-fixtool-recover-files-encrypted-ransomware

    System Infected: Trojan.Cryptolocker

    http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27046



  • 3.  RE: Ransomware .exx extension

    Posted May 11, 2015 08:08 PM

    Yes, but I would like to seek alternative suggestions, as if they really worked then the default settings should be able to detect it, but apparently not, and this is not the first time we have encountered this.




  • 5.  RE: Ransomware .exx extension

    Posted May 11, 2015 08:33 PM

    Default settings are not strong enough to combat this stuff. You need to tune aggressively.



  • 6.  RE: Ransomware .exx extension

    Posted May 11, 2015 11:24 PM

    Any suggestions on how aggressively we need to tune it? Any successful case studies with minimal operational impact?



  • 7.  RE: Ransomware .exx extension

    Posted May 12, 2015 04:37 AM

    Hi Avatar,

    Please update this thread with what version of SEP you are running and what components are in use.

    These articles should be read carefully: they will help you to really increase the security level in your organization:


    Symantec Endpoint Protection – Best Practices
    http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0


    A good Connect forum thread on how to protect yourself: https://www-secure.symantec.com/connect/forums/cryptolockercryptodefense-defenses


    Support Perspective: CTB-Locker and other forms of Crypto malware
    https://www-secure.symantec.com/connect/blogs/support-perspective-ctb-locker-and-other-forms-crypto-malware

    Many thanks!

    Mick



  • 8.  RE: Ransomware .exx extension

    Posted May 12, 2015 04:57 AM

    One extra note: ensure that you are using IPS and that all MS patches and third-party plugins are up-to-date.  This sounds like a new variant of TeslaCrypt, which typically arrives on a computer after it has landed on a webpage compromised with an exploit kit....

    Symantec Guide to Scary Internet Stuff - No 4 Drive-by downloads
    http://www.youtube.com/watch?v=J0QXD2ts4Qc



  • 9.  RE: Ransomware .exx extension

    Posted May 12, 2015 11:02 AM

    Hi Mick, thanks a lot. Let me digest that information and try to improve my environment. Yes, it is Alpha or TeslaCrypt, which is a headache for us.



  • 10.  RE: Ransomware .exx extension

    Broadcom Employee
    Posted May 12, 2015 11:17 AM

    Hi,

    Thank you for posting in Symantec community.

    Can you configure a gateway to block incoming .zip files and .scr extensions but exclude your domain? If feasible, this can be a workaround to keep virus attachments away.

    This can be a good example: http://www-10.lotus.com/ldd/nd6forum.nsf/e5f5333619f2996885256a220009508f/4e8051d45200d5c885256e4d006f0ada?OpenDocument

    I think you can do through GPO as well.

    Also, the key to dealing with crypto-type malware is prevention and planning. While it is assumed you have antivirus and IPS protection in place, the criminals using crypto-malware are constantly updating code to avoid detection by these systems. Since the damage these threats do is often irreversible, taking additional steps to protect yourself is advised.

    Preventive Measures

    • Do not follow unsolicited web links in email messages or submit any information to webpages in links.
    • Use caution when opening email attachments.
    • Keep operating systems and software, including anti-virus, up-to-date with the latest patches.
    • Perform regular backups of all systems/data to avoid serious consequences should your system fall under attack.

    Please do locate the file which caused the damage and submit it to Security Response for analysis.  It will most likely be a .scr or .exe in %TEMP%.  If you have opened any suspicious mail attachments lately, please submit that file.  This will not help you recover your files, but it will prevent future admins from suffering the same grief.

    Symantec Insider Tip: Successful Submissions!

    https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions

    If you want to know how SEP handles email attachments, check this article:

    About SEP Auto-Protect and email scanning

    http://www.symantec.com/docs/TECH95093
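    The gateway rule described in the post above (block incoming .zip and .scr, exclude your own domain), written out as a check that can be run against real messages. This is an added example, not code from the thread or from Symantec. It assumes example.com as the internal domain to exclude and .scr/.exe as the blocked types (both assumptions, not from the thread), and instead of blocking every zip it opens the archive and looks for executables inside, by extension and by the MZ header, so a dropper renamed to .txt is still caught. The sample message and zip are constructed inline.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"        # assumed; the post says "exclude your domain"
BLOCKED_EXTENSIONS = {".scr", ".exe"}  # assumed set: the types named in the post
CONTAINER_EXTENSIONS = {".zip"}        # opened and inspected rather than blocked blindly
MZ_MAGIC = b"MZ"                       # DOS header that starts every Windows PE file


def _extension(name):
    """Last extension, lower-cased, so 'Invoice.PDF.scr' is judged by '.scr'."""
    name = name.lower().rstrip(". ")
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def inspect_zip(data, container):
    """Reasons to block a zip: executables inside it (by name or MZ header),
    encrypted entries the gateway cannot see into, or a malformed archive."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.flag_bits & 0x1:  # password-protected entry
                    reasons.append(f"{container}: entry {info.filename} is encrypted, cannot inspect")
                    continue
                ext = _extension(info.filename)
                if ext in BLOCKED_EXTENSIONS:
                    reasons.append(f"{container}: contains {info.filename} ({ext})")
                    continue
                with zf.open(info) as fh:
                    if fh.read(2) == MZ_MAGIC:
                        reasons.append(f"{container}: {info.filename} is a PE executable despite its name")
    except zipfile.BadZipFile:
        reasons.append(f"{container}: not a valid zip archive")
    return reasons


def attachment_block_reasons(raw_message):
    """Return the reasons this message would be blocked (empty list means deliver).

    The domain exclusion keys on the From header here only for illustration; a real
    gateway must key it on something an outsider cannot forge (the authenticated
    SMTP session or an SPF/DKIM pass), because From: is trivially spoofed."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    if sender.rpartition("@")[2].lower() == INTERNAL_DOMAIN:
        return []
    reasons = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if not filename:
            continue
        payload = part.get_payload(decode=True) or b""
        ext = _extension(filename)
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"attachment {filename}: blocked extension {ext}")
        elif ext in CONTAINER_EXTENSIONS:
            reasons.extend(inspect_zip(payload, filename))
        elif payload[:2] == MZ_MAGIC:
            reasons.append(f"attachment {filename}: PE executable despite its name")
    return reasons


def make_zip(entries):
    """Build an in-memory zip from (name, bytes) pairs (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample(sender, attachments):
    """Construct a message carrying the given attachments (constructed, not a capture)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    dropper = make_zip([("invoice.pdf.scr", b"MZ\x90\x00" + b"\0" * 60)])
    sample = build_sample("billing@supplier.test", [("invoice.zip", dropper)])
    for reason in attachment_block_reasons(sample):
        print("BLOCK:", reason)
```

    Two caveats for anyone deploying a rule like this: the own-domain exclusion is only as strong as the sender check behind it, so tie it to the authenticated sending session rather than the From header, and expect attackers to move to password-protected archives, which this check reports as uninspectable rather than letting through.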



  • 11.  RE: Ransomware .exx extension

    Posted May 15, 2015 12:20 AM

    Found a lot of new variants which Symantec is unable to detect. Managed to find a few URLs that link to those ransomware.



  • 12.  RE: Ransomware .exx extension

    Posted May 15, 2015 05:06 AM

    Hi Avatar,

    Thanks for the update. New variants of these threats are released constantly by their authors in an effort to evade security software like SEP.  We're constantly adding protection against the latest variants.  Please do submit to Security Response any undetected suspicious samples that you have encountered.

    (Please, of course, stay safe and do not intentionally download any malware!)


    Symantec Insider Tip: Successful Submissions!
    https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions




  • 13.  RE: Ransomware .exx extension

    Posted May 15, 2015 06:01 AM

    Hi Mick,

    Is it possible to trace the source and any possible threat remaining in my office environment, as some workstations may be the C&C for this, which SEP is unable to detect? We need an alternative tool to solve this ASAP; only then can we submit the suspicious samples to Symantec.



  • 14.  RE: Ransomware .exx extension

    Posted May 15, 2015 09:34 AM

    Generally this threat arrives on an endpoint, hits all the drives there and then goes on to corrupt any files in that client's mapped drives.  It doesn't spread further or set the victim machine up as a C&C server.

    If there's ever a concern that there may be undetected malware on a computer, I recommend running the following diagnostic:


    How to run the Threat Analysis Scan in Symantec Help (SymHelp)
    http://www.symantec.com/docs/TECH215519


    Hope this helps! :)


    Mick
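    A scoping scan for the situation the thread describes: files renamed to .exx on the infected client's drives and on the shares it had mapped. This is an added example, not from the thread or from Symantec; the only thing it takes from the thread is the .exx suffix. Run it against the suspect workstation's local drives and against each file-server share root; it groups the encrypted files by top-level directory and reports counts and the modification-time window, which is what you need both to pick the origin machine and to hand a restore list to whoever owns the backups. The sample tree in demo() is constructed and stands in for real data.

```python
import os
import tempfile
import time
from collections import defaultdict
from dataclasses import dataclass, field

ENCRYPTED_SUFFIX = ".exx"  # the extension reported in the thread


@dataclass
class ShareSummary:
    count: int = 0
    first_mtime: float = float("inf")
    last_mtime: float = float("-inf")
    sample_paths: list = field(default_factory=list)


def find_encrypted_files(root):
    """Yield (path, mtime) for every *.exx file under root, skipping unreadable entries."""
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        for name in filenames:
            if name.lower().endswith(ENCRYPTED_SUFFIX):
                path = os.path.join(dirpath, name)
                try:
                    yield path, os.stat(path).st_mtime
                except OSError:
                    continue


def summarise(root, sample_limit=3):
    """Group hits by the first directory level below root (a share, a user folder, ...).

    The mtime window is when the encrypted copies were written.  If a variant
    preserves original timestamps the window is meaningless; fall back to
    directory change times or the file server's audit log in that case."""
    summaries = defaultdict(ShareSummary)
    for path, mtime in find_encrypted_files(root):
        rel = os.path.relpath(path, root)
        top = rel.split(os.sep, 1)[0] if os.sep in rel else "."
        s = summaries[top]
        s.count += 1
        s.first_mtime = min(s.first_mtime, mtime)
        s.last_mtime = max(s.last_mtime, mtime)
        if len(s.sample_paths) < sample_limit:
            s.sample_paths.append(rel)
    return dict(summaries)


def _fmt(t):
    return time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(t))


def format_report(summaries):
    """One line per top-level directory, earliest hit first."""
    ordered = sorted(summaries.items(), key=lambda kv: kv[1].first_mtime)
    return [f"{top}: {s.count} encrypted files, {_fmt(s.first_mtime)} .. {_fmt(s.last_mtime)}"
            for top, s in ordered]


def build_sample_tree(base):
    """Constructed sample data, not a real outbreak: two shares, one untouched file."""
    t0 = 1431320400  # constructed epoch timestamp; only the spacing matters
    files = [
        ("finance/2014/budget.xlsx.exx", t0),
        ("finance/contracts/msa.docx.exx", t0 + 40),
        ("hr/payroll.pdf.exx", t0 + 300),
        ("hr/README.txt", t0 - 86400),  # clean file, must not be counted
    ]
    for rel, mtime in files:
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"x" * 16)
        os.utime(path, (mtime, mtime))


def demo():
    """Build the sample tree in a temp dir and return its summary."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return summarise(base)


if __name__ == "__main__":
    for line in format_report(demo()):
        print(line)
```

    Because the threat encrypts from a single endpoint outward (the post above), the client whose local drives show hits earlier than any share is the origin, and the per-share counts tell you what has to come back from backup. Treat the timestamps as evidence only if the variant writes new files; if they look preserved, use the file server's audit log instead.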



  • 15.  RE: Ransomware .exx extension

    Posted May 18, 2015 07:14 AM

    Hi again Avatar,

    Are there any additional queries?  This thread is still marked "needs solution."

    Many thanks,

    Mick



  • 16.  RE: Ransomware .exx extension

    Posted Jun 13, 2015 12:16 AM

    This Cisco article might be beneficial to you if it is TeslaCrypt.

    http://blogs.cisco.com/security/talos/teslacrypt