Endpoint Protection

  • 1.  TeslaCrypt detection

    Posted May 19, 2015 08:17 AM

    Hi,

    I see the TeslaCrypt ransomware can be detected by the IPS of the SEP client as "System Infected: Trojan TeslaCrypt Activity", but how about filesystem detection?

    I could not find any information about how SEP protects against this threat other than through IPS detection. Is there any available?


    Thank you!



  • 2.  RE: TeslaCrypt detection

    Posted May 19, 2015 08:19 AM
    Yes, there are multiple detections for it. It tends to fall under the generic Cryptolocker detection. Just make sure you're running IPS and firewall, SONAR, and Download Insight as well: http://www.symantec.com/security_response/writeup.jsp?docid=2013-091122-3112-99


  • 3.  RE: TeslaCrypt detection

    Broadcom Employee
    Posted May 19, 2015 10:39 AM

    Hi,

    This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

    Check this:

    http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=28449

    Preventive Measures

    • Do not follow unsolicited web links in email messages or submit any information to webpages in links.
    • Use caution when opening email attachments.
    • Keep operating systems and software, including anti-virus, up-to-date with the latest patches.
    • Perform regular backups of all systems/data to avoid serious consequences should your system fall under attack.

    Go through the following threads:

    https://www-secure.symantec.com/connect/forums/sep-not-detecting-virii-e-mail-attachments#comment-11074641

    https://www-secure.symantec.com/connect/blogs/dont-pay-ransom-fighting-ransomware-new-threat-landscape

    https://www-secure.symantec.com/connect/blogs/ransomware-how-stay-safe




  • 4.  RE: TeslaCrypt detection
    Best Answer

    Posted May 20, 2015 08:27 AM

    Hi _Mathieu_,

    Symantec's classification for known Teslacrypt/Alphacrypt malware samples is Trojan.Cryptolocker.N. IPS is absolutely crucial to blocking threats like this that are often delivered through drive-by downloads.

    Two Reasons why IPS is a "Must Have" for your Network
    https://www-secure.symantec.com/connect/articles/two-reasons-why-ips-must-have-your-network

    The SONAR/PTP component is also a "must have" against cryptolockers.

    Please do update this case if you have any additional queries, or mark it solved if you have found your answer.   &: )

    Mick



  • 5.  RE: TeslaCrypt detection

    Posted May 20, 2015 10:59 AM

    Thank you!