nevermind, think I found the registry key on a system not yet updated:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"DisplayVersion"="17.0.0.169"

On Wed, Jul 8, 2015 at 2:21 PM, Erik Goldoff <[email protected]> wrote:
> so has anyone come up with a script method of checking installed flash player versions?
>
> I'm hunting the registry, but haven't found what I need yet.
>
> On Wed, Jul 8, 2015 at 1:10 PM, Ed Ziots <[email protected]> wrote:
>
>> The exploit kits are dropping CryptoWall 3.0 and others due to a 0 day in Flash which just got patched. I would spend time dealing with how many Flash installations are not up to spec and get those patched first, then deal with additional SRP controls.
>>
>> Ed
>>
>> On Jul 8, 2015 12:29 PM, "Kennedy, Jim" <[email protected]> wrote:
>>
>>> Chase down where the exe is as you dig through this. You will find it in the user's profile in AppData most likely. AppLock the user profile, all of it.
>>>
>>> From: [email protected] [mailto:[email protected]] On Behalf Of Jonathan Link
>>> Sent: Wednesday, July 8, 2015 12:24 PM
>>> To: [email protected]
>>> Subject: Re: [NTSysADM] OT: VirusScanning software
>>>
>>> That's my assessment as well.
>>>
>>> On Wed, Jul 8, 2015 at 12:17 PM, Susan Bradley <[email protected]> wrote:
>>>
>>> If the infection occurred as soon as he attached to the network, I'm guessing he was already nailed and he just brought it in when he came in.
>>>
>>> On 7/8/2015 9:10 AM, Jonathan Link wrote:
>>>
>>> Well, he wasn't in the office for much of the past two days, so firewall logs are ineffective in this instance. It appears that the infection started as soon as his computer attached to the network. Browser history is a good place to look, but I can't access the machine without it being turned on and on the network (I'm on vacation) and that would be counterproductive at this point. I am hoping I can recover some of his data that was on the computer, but made him no promises.
>>>
>>> On Wed, Jul 8, 2015 at 11:55 AM, Susan Bradley <[email protected]> wrote:
>>>
>>> IE history
>>> Firewall logs
>>>
>>> Should help narrow it down.
>>>
>>> And we have a zero day flash being patched today. Expect a Microsoft patch for Windows 8 and above.
>>>
>>> On 7/8/2015 8:32 AM, Jonathan Link wrote:
>>>
>>> No, not yet. It's one of our directors, and he swears that the only site he visited within the last 24 hours was msn.com <http://msn.com>. So it could be the flash 0 day from an infected ad that wasn't caught? Of course, he might not be remembering something...
>>>
>>> It started working at around 8am this morning which is when he fired up his computer in the office.
>>>
>>> On Wed, Jul 8, 2015 at 11:08 AM, David McSpadden <[email protected]> wrote:
>>>
>>> I know you are on vacation but do you know the attack vector?
>>>
>>> From: [email protected] [mailto:[email protected]] On Behalf Of Jonathan Link
>>> Sent: Wednesday, July 08, 2015 10:43 AM
>>> To: [email protected]
>>> Subject: Re: [NTSysADM] OT: VirusScanning software
>>>
>>> So, we just got hit with a Cryptowall variant with SRP in place. I didn't disbelieve you Susan, I was just hoping that we could avoid infection until I got a true whitelisting solution in place.
>>>
>>> Oh and I'm on vacation, so this is extra fun to restore backups via the VPN. Luckily we have other systems in place that mitigated the extent of damage, such as really good backups, and tested restore procedures.
>>>
>>> On Fri, Jul 3, 2015 at 3:36 PM, Susan Bradley <[email protected]> wrote:
>>>
>>> I have many consultant stories of ransomware nailing clients with software restriction policies in place - especially the web cocktail variants.
>>>
>>> Applocker/whitelisting = Enterprise SKUs. Which I hardly ever see in my space, nor does the customer base afford the time and effort.
>>>
>>> Great if you have the budget to do it, sucks if you don't have the licenses and infrastructure.
>>>
>>> On 7/3/2015 11:54 AM, Jonathan Link wrote:
>>>
>>> I was posting from my phone in a hurry, DYAC. Software Restriction, not proper pixies.
>>>
>>> Susan, I haven't seen an executable run in any location that has been blocked by SRP. IF you have a very narrow whitelist, it helps a lot.
>>>
>>> On Fri, Jul 3, 2015 at 2:02 PM, Jonathan Link <[email protected]> wrote:
>>>
>>> You can also use proper pixies to restrict where software can run. I've blocked the user profile folder and added an exception for the desktop and a couple of other places that I can't recall. Users have to move downloaded apps to their desktop to install. I haven't had a Cryptowall infection in 2 years.
>>>
>>> On Friday, July 3, 2015, Susan Bradley <[email protected]> wrote:
>>>
>>> It changes so fast that as soon as they do the bad guys code up something new.
>>>
>>> there's no silver bullet here.
>>>
>>> Silverlight/flash/java. Use it, patch it or lose it.
>>>
>>> Web filtering at the firewall. If your firewall doesn't provide web filtering/UTM options it's time to upgrade. Home users look at OpenDNS (yes even now that Cisco is buying them)
>>>
>>> Filter attachments/zips.
>>>
>>> Least priv/non admin.
>>>
>>> Block the app location (yes this impacts firefox and office installs). Google foolishit for non domain or cryptolocker group policy toolkit
>>>
>>> Education to your users that that email you got isn't a legit email.
>>>
>>> On 7/3/2015 10:09 AM, David McSpadden wrote:
>>>
>>> Quick, anyone know of a VirusScanning software that is catching CryptoWall 3.0 yet?
>>>
>>> David McSpadden
>>> Systems Administrator
>>> Indiana Members Credit Union
>>> P: 317.554.8190 | F: 317.554.8106
>>> <http://imcu.com/>
>>>
>>> This e-mail and any files transmitted with it are property of Indiana Members Credit Union, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this email is strictly prohibited.
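An added example, not code from the thread or any of its participants, that turns the registry lookup above into the inventory script Erik was asking for. It assumes the Wow6432Node key quoted in the top message, the non-Wow6432Node equivalent on 32-bit hosts (an assumed path), WinRM for remote hosts, and a placeholder minimum version that you replace with the version named in Adobe's advisory for the fix.

```powershell
# Added example (not from the thread). Reports which hosts still carry a Flash
# Player ActiveX build below -MinimumVersion, using the DisplayVersion value
# in the uninstall key quoted in the top message.
param(
    [string[]] $ComputerName   = @($env:COMPUTERNAME),
    [version]  $MinimumVersion = '18.0.0.203'   # ASSUMED placeholder; set per Adobe advisory
)

# First key is the one from the message (64-bit hosts); second is the assumed 32-bit path.
$FlashKeys = @(
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX'
)

# Runs on each host: return the first DisplayVersion found, or $null if Flash ActiveX is absent.
$ReadFlashVersion = {
    param([string[]] $Keys)
    foreach ($k in $Keys) {
        if (Test-Path -Path $k) {
            $v = (Get-ItemProperty -Path $k -Name DisplayVersion -ErrorAction SilentlyContinue).DisplayVersion
            if ($v) { return $v }
        }
    }
    return $null
}

foreach ($c in $ComputerName) {
    try {
        if ($c -eq $env:COMPUTERNAME) {
            $installed = & $ReadFlashVersion $FlashKeys          # local host: no WinRM needed
        } else {
            $installed = Invoke-Command -ComputerName $c -ScriptBlock $ReadFlashVersion `
                                        -ArgumentList (,$FlashKeys) -ErrorAction Stop
        }
    } catch {
        [pscustomobject]@{ Computer = $c; Installed = $null; Status = 'UNREACHABLE' }
        continue
    }

    # Compare as [version], not as string, so 18.0.0.203 sorts above 17.0.0.169.
    $status = if (-not $installed)                        { 'NOT INSTALLED' }
              elseif ([version]$installed -lt $MinimumVersion) { 'NEEDS PATCH' }
              else                                        { 'OK' }
    [pscustomobject]@{ Computer = $c; Installed = $installed; Status = $status }
}
```

Pipe the output to Where-Object { $_.Status -eq 'NEEDS PATCH' } to get the list Ed suggested working through first; the 17.0.0.169 host from the top message shows up there.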
