Malwarebytes Important Information

[joem]

This is important. Malwarebytes Pro does not prevent Cryptolocker.  It can be used to clean it up.  But if you open one of those emails and click on a link you are encrypted.  I know from first hand experience.  We have a network testbed that we intentionally infect with that virus to check for possible prevention solutions.  Foolish IT has the best so far but that may change. 

I bring this subject up because I have heard misinformation about this on several podcasts.  Not intentional I am sure.

[krom]

Thanks Joem for that.  It is very important information given the severity of the Cryptolocker infection.  I too have heard that Malwarebytes Pro would prevent it and I'm glad you wrote this or I would have had a false sense of security there.

 

BTW here is the link to the Foolish IT product mentioned above:

 

http://www.foolishit.com/vb6-projects/cryptoprevent/

[awraynor]

I guess Malware Bytes needs to change their site:

 

How would the full version of Malwarebytes' Anti-Malware help protect me?

As you can see below the full version of Malwarebytes' Anti-Malware would have protected you against Cryptolocker. It would have warned you before the ransomware could install itself, giving you a chance to stop it before it became too late.

 

Taken from: 

https://forums.malwarebytes.org/index.php?showtopic=134420

[Drashna Jaelre]

So we all haven't implemented the group/security policies to help prevent cryptolocker viruses?

[oj88]

Well, that's scary. It's a given that I've got family members connected to my WHS2011 and apparently, a single infected client can encrypt shared folders in WHS.

 

With an infected client, I'll probably be ok since I can always restore from the latest backup. But if the worm does its thing and crawl its way back to the shared folders.... it's bye byte.

 

Would it help to lock down all shared folders to read-only?

Edited November 13, 2013 by oj88

[jem101]

In principal yes, I understand that the program runs using the context of the currently logged in user so if you only have read-access to a folder then so will the Trojan. It can encrypt away all day but it won't be able to delete the original files to replace them with the encrypted version.

Drashna have a good point though, proper security measures, a user base that does actually take notice of you when you tell them to not open attachments unless you are absolutely sure about it, not having local admin rights to the PC and having UAC ramped up, would probably make you just about immune from it.

 

Trouble is, of course, no company, let alone home users, actually work like that. I've done consultancy for one company who are running a bespoke SAP system which doesn't even work unless UAC is switched off completely, others insist on being local admins because they 'need to install and try out new software and updates' - by which they actually mean games. Others are far too busy (or important) to bother with all these silly pop up warning messages and just want them switched off.

 

Can't really save people from themselves - or as a colleague of mine puts it 'give me convenience or give me death'

 

John

[Jason]

I've set users with remote access to my WSE12 server to No Access and Read-Only to server shares as a safeguard. Would the user not need Write Access for Cryptolocker to truly alter files on the server? If not, this is even more frightening.

[Drashna Jaelre]

In theory, yes, it would only need write access to the shares.

 

The truly scary thing is this: You do know that Windows (including Server) creates "administrative" shares for C:\Windows\ and for each drive letter on the system, including C:\.  I can't remember the Windows directory's name. but on an account with admin access, try \\SERVERNAME\C$\Windows\System32\.  Also, note that it will use the highest level permissions by default. So for an admin, thats... Admin. Not UAC prompt to access or write or move files. Or INFECT files. 
 

That's why you should never use a domain admin account for normal usage.

 

Also, if it hasn't been said enough: offsite backups.

 

 

Today's messages brought to you by Drashna's realm of IT Horrors.

[Dave]

I read that MWB would prevent the infection and that's why I was passing that info along.  Especially in light of MS ramping down on Security Essentials.  I'm not sure if this is the case or not but we might give MWB the benefit of the doubt in that a newer variant of cryptolocker could possibly sneak by.  That's unfortunate but happens frequently in the cat and mouse game of bad guy vs. good guy.  We always hold out hope that their heuristic engines will be able to detect similar trojans but it doesn't always work.

 

Layers of protection, education, and 3,2,1 backups.

[jcollison]

Did someone check back with MWB and report this information to them.  We got it right off their site.  I would hate for this to be misinformation about misinformation!