I actually have a test GPO to implement this, thanks. The concern we're having is just what needs to be whitelisted and the process in finding that out. It won't be fun, some not very smart software sticks executables into the %appdata% folder and runs from there, such as Java updates, for example. Ryan
-----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Susan Bradley Sent: Thursday, February 27, 2014 12:52 PM To: [email protected] Subject: Re: [NTSysADM] RE: Cryptolocker Software restriction policies. Ignore the url the concepts are valid http://www.foolishit.com/vb6-projects/cryptoprevent/ And yes it can also be done with group policy. I've never seen antivirus actually protect anyone. I've seen a/v vendors say they have protection but they are always one step behind because it's really not a virus, it's a program that launches encryption on your system. Encryption is not a virus. On 2/27/2014 11:36 AM, Ziots, Edward wrote: > > AV isn’t going to detect advanced malware like CryptoLocker. > > As a start I would do a egress filter trust to untrust for these IP’s. > > https://discussions.nessus.org/thread/6799 > > The most > > recent alert I saw yesterday came from the Center for Internet > Security <http://www.cisecurity.org/>. In their advisory, > > they listed the following IPs as being associated with the network > activity: > > 144.76.192.130 > > 192.155.83.72 > > 212.2.227.70 > > 95.59.26.43 > > 162.243.66.243 > > 162.243.70.51 > > 166.78.144.80 > > 192.210.230.39 > > 194.28.174.119 > > 195.22.26.231 > > 195.22.26.252 > > 195.22.26.253 > > 195.22.26.254 > > 212.71.250.4 > > 50.116.8.191 > > 69.61.18.148 > > 74.91.124.113 > > 86.124.164.25 > > 87.255.51.229 > > 93.189.44.187 > > 95.211.172.143 > > 96.43.141.186 > > Are your 3^rd party software on the endpoints up to date? > > Z > > Edward E. Ziots, CISSP, CISA, Security +, Network + > > Security Engineer > > Lifespan Organization > > [email protected] <mailto:[email protected]> > > Work:401-255-2497 > > This electronic message and any attachments may be privileged and > confidential and protected from disclosure. If you are reading this > message, but are not the intended recipient, nor an employee or agent > responsible for delivering this message to the intended recipient, you > are hereby notified that you are strictly prohibited from copying, > printing, forwarding or otherwise disseminating this communication. If > you have received this communication in error, please immediately > notify the sender by replying to the message. Then, delete the message > from your computer. Thank you. > > // > > *From:*[email protected] > [mailto:[email protected]] *On Behalf Of *Ryan Shugart > *Sent:* Thursday, February 27, 2014 2:27 PM > *To:* [email protected] > *Subject:* [NTSysADM] Cryptolocker > > Hi: > > We’ve been plagued with Cryptolocker for the past several months, just > two infections yesterday. We’re running McAfee 8.8 with the latest > DATs and its just not finding this virus in time. If anyone is using > an antivirus solution that does detect this, can you let us know? > We’re interested in a possible switch. > > Thanks. > > Ryan > > Ryan Shugart > > LAN Administrator > > MiTek USA, MiTek Denver > > 314-851-7414 > > > © COPYRIGHT, MITEK HOLDINGS, INC., 2011-2013, ALL RIGHTS RESERVED > > _ ________________________________ _ > > This communication (including any attachments) contains information > which is confidential and may also be privileged. It is for the > exclusive use of the intended recipient(s). If you are not the > intended recipient(s), please note that any distribution, copying, or > use of this communication or the information in it is strictly > prohibited. If you have received this communication in error, please > notify the sender immediately and then destroy any copies of it. > -- Got your CryptoLocker prevention in place? http://www.thirdtier.net/2013/10/cryptolocker-prevention-kit-updates/ Only two more patching days of XP.... are you ready? © COPYRIGHT, MITEK HOLDINGS, INC., 2011-2013, ALL RIGHTS RESERVED ________________________________ This communication (including any attachments) contains information which is confidential and may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s), please note that any distribution, copying, or use of this communication or the information in it is strictly prohibited. If you have received this communication in error, please notify the sender immediately and then destroy any copies of it.
