Thanks for the information! I've been waiting on this for a while, so this is very good information (since Win8 didn’t have an Enterprise edition available to end users and hence AppLocker was never an option then).
Thanks!
-Aakash Shah

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Susan Bradley
Sent: Thursday, February 27, 2014 1:21 PM
To: [email protected]
Subject: Re: [NTSysADM] RE: Cryptolocker

Microsoft to add a standalone Windows Enterprise version to its business line-up | ZDNet
http://www.zdnet.com/microsoft-to-add-a-standalone-windows-enterprise-version-to-its-business-line-up-7000026860/#ftag=RSS14dc6a9

On 2/27/2014 1:13 PM, Aakash Shah wrote:
> If you have access to the Enterprise editions of Windows, AppLocker is
> another feature built into Windows to consider. This is like Software
> Restriction Policies, but allows you to add publisher rules more easily. So,
> for instance, you can whitelist GoToMeeting by whitelisting the publisher's
> certificate (Citrix). This way, the exes can potentially run from anywhere
> as long as they are signed by the publisher. This is very helpful when some
> software writes into many different folders for each version (GoToMeeting is
> one notorious example).
>
> -Aakash Shah
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Ziots, Edward
> Sent: Thursday, February 27, 2014 12:37 PM
> To: [email protected]
> Subject: RE: [NTSysADM] RE: Cryptolocker
>
> Like I think we all said, AV is not going to save you against today's
> current malware attacks; even if your users aren't admins, the malware can
> write to user-writeable areas of the OS. And from the current samples I
> have looked at in a sandbox, they are pretty malicious and leave a lot of IOCs
> (indicators of compromise) on systems (process injection, mutexes, memory
> resident, encrypted payloads, anti-tampering, you name it, and oh yes, signed
> malware with valid certificates and encrypted outbound communications are the
> new craze).
>
> I have mentioned it before: if you control code execution on your systems you
> are winning; if you don't, you are losing.
>
> Z
>
> Edward E. Ziots, CISSP, CISA, Security +, Network +
> Security Engineer
> Lifespan Organization
> [email protected]
> Work: 401-255-2497
>
> This electronic message and any attachments may be privileged and
> confidential and protected from disclosure. If you are reading this message,
> but are not the intended recipient, nor an employee or agent responsible for
> delivering this message to the intended recipient, you are hereby notified
> that you are strictly prohibited from copying, printing, forwarding or
> otherwise disseminating this communication. If you have received this
> communication in error, please immediately notify the sender by replying to
> the message. Then, delete the message from your computer. Thank you.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Susan Bradley
> Sent: Thursday, February 27, 2014 3:07 PM
> To: [email protected]
> Subject: Re: [NTSysADM] RE: Cryptolocker
>
> http://www.thirdtier.net/2013/10/cryptolocker-prevention-kit-updates/
>
> Yup, you find out which vendors have really bad updating strategies.
>
> On 2/27/2014 12:03 PM, Ryan Shugart wrote:
>> I actually have a test GPO to implement this, thanks. The concern we're
>> having is just what needs to be whitelisted and the process of finding that
>> out. It won't be fun; some not very smart software sticks executables into
>> the %appdata% folder and runs from there, such as Java updates, for example.
>> Ryan
>>
>> -----Original Message-----
>> From: [email protected]
>> [mailto:[email protected]] On Behalf Of Susan Bradley
>> Sent: Thursday, February 27, 2014 12:52 PM
>> To: [email protected]
>> Subject: Re: [NTSysADM] RE: Cryptolocker
>>
>> Software restriction policies.
>>
>> Ignore the URL; the concepts are valid.
>>
>> http://www.foolishit.com/vb6-projects/cryptoprevent/
>>
>> And yes, it can also be done with group policy.
>>
>> I've never seen antivirus actually protect anyone. I've seen A/V
>> vendors say they have protection, but they are always one step behind
>> because it's really not a virus, it's a program that launches
>> encryption on your system.
>>
>> Encryption is not a virus.
>>
>> On 2/27/2014 11:36 AM, Ziots, Edward wrote:
>>> AV isn't going to detect advanced malware like CryptoLocker.
>>>
>>> As a start I would do an egress filter, trust to untrust, for these IPs.
>>>
>>> https://discussions.nessus.org/thread/6799
>>>
>>> The most recent alert I saw yesterday came from the Center for Internet
>>> Security <http://www.cisecurity.org/>. In their advisory, they listed the
>>> following IPs as being associated with the network activity:
>>>
>>> 144.76.192.130
>>> 192.155.83.72
>>> 212.2.227.70
>>> 95.59.26.43
>>> 162.243.66.243
>>> 162.243.70.51
>>> 166.78.144.80
>>> 192.210.230.39
>>> 194.28.174.119
>>> 195.22.26.231
>>> 195.22.26.252
>>> 195.22.26.253
>>> 195.22.26.254
>>> 212.71.250.4
>>> 50.116.8.191
>>> 69.61.18.148
>>> 74.91.124.113
>>> 86.124.164.25
>>> 87.255.51.229
>>> 93.189.44.187
>>> 95.211.172.143
>>> 96.43.141.186
>>>
>>> Is your 3rd-party software on the endpoints up to date?
>>>
>>> Z
>>>
>>> Edward E. Ziots, CISSP, CISA, Security +, Network +
>>> Security Engineer
>>> Lifespan Organization
>>> [email protected] <mailto:[email protected]>
>>> Work: 401-255-2497
>>>
>>> From: [email protected]
>>> [mailto:[email protected]] On Behalf Of Ryan Shugart
>>> Sent: Thursday, February 27, 2014 2:27 PM
>>> To: [email protected]
>>> Subject: [NTSysADM] Cryptolocker
>>>
>>> Hi:
>>>
>>> We've been plagued with Cryptolocker for the past several months,
>>> just two infections yesterday. We're running McAfee 8.8 with the
>>> latest DATs and it's just not finding this virus in time. If anyone
>>> is using an antivirus solution that does detect this, can you let us know?
>>> We're interested in a possible switch.
>>>
>>> Thanks.
>>>
>>> Ryan
>>>
>>> Ryan Shugart
>>> LAN Administrator
>>> MiTek USA, MiTek Denver
>>> 314-851-7414
>>>
>>> © COPYRIGHT, MITEK HOLDINGS, INC., 2011-2013, ALL RIGHTS RESERVED
>>>
>>> This communication (including any attachments) contains information
>>> which is confidential and may also be privileged. It is for the
>>> exclusive use of the intended recipient(s). If you are not the
>>> intended recipient(s), please note that any distribution, copying, or
>>> use of this communication or the information in it is strictly
>>> prohibited. If you have received this communication in error, please
>>> notify the sender immediately and then destroy any copies of it.
>>>
>> --
>> Got your CryptoLocker prevention in place?
>> http://www.thirdtier.net/2013/10/cryptolocker-prevention-kit-updates/
>> Only two more patching days of XP.... are you ready?
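The thread's advice boils down to "control code execution": block anything that starts from user-writeable folders such as %APPDATA%, and use AppLocker publisher rules so that badly behaved but legitimately signed vendors (the GoToMeeting case Aakash mentions) keep working. The script below is an added example written for this page, not something posted by any participant. It uses the standard AppLocker cmdlets (Get-AppLockerFileInformation, New-AppLockerPolicy, Set-AppLockerPolicy, Test-AppLockerPolicy, Get-AppLockerPolicy). The sample path `$SignedSample`, the policy directory `$PolicyDir` and the rule GUIDs are assumptions; the default-rule XML mirrors what the AppLocker MMC generates when you click "Create Default Rules" and must be run elevated on an edition that ships AppLocker.

```powershell
# Added example (not code from the thread): AppLocker policy that keeps the
# default rules (Program Files and Windows for Everyone, everything for admins)
# and adds a publisher rule for one trusted signer, then checks the outcome
# for a standard user before enforcement. Start in AuditOnly and read the log.
# $SignedSample / $PolicyDir are assumptions; point them at your own files.

$SignedSample = "$env:LOCALAPPDATA\GoToMeeting\g2mstart.exe"   # any Authenticode-signed exe you trust
$PolicyDir    = "C:\AppLockerPolicy"
New-Item -ItemType Directory -Path $PolicyDir -Force | Out-Null

# 1. Base policy as XML so the build is reproducible. SIDs: S-1-1-0 = Everyone,
#    S-1-5-32-544 = BUILTIN\Administrators. GUIDs are arbitrary rule IDs.
$base = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="Allow Program Files"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="Allow Windows folder"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="Allow everything for admins"
        Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$basePath = Join-Path $PolicyDir "base.xml"
Set-Content -Path $basePath -Value $base -Encoding UTF8

# 2. Publisher rule: read the signer from the sample and emit a rule at
#    publisher granularity (-Optimize), so every product and version signed
#    with that certificate is allowed no matter which folder it runs from.
$info = Get-AppLockerFileInformation -Path $SignedSample
if (-not $info.Publisher) { throw "$SignedSample is not Authenticode-signed; a publisher rule is impossible." }
$pubPath = Join-Path $PolicyDir "publisher.xml"
New-AppLockerPolicy -FileInformation $info -RuleType Publisher -User Everyone -Optimize -Xml |
    Set-Content -Path $pubPath -Encoding UTF8

# 3. Apply to the local policy: base replaces, publisher merges. For a domain,
#    use Set-AppLockerPolicy -Ldap "LDAP://..." against the GPO instead.
Set-AppLockerPolicy -XmlPolicy $basePath
Set-AppLockerPolicy -XmlPolicy $pubPath -Merge
Set-Service -Name AppIDSvc -StartupType Automatic   # AppLocker does nothing without this service
Start-Service -Name AppIDSvc

# 4. Dry run as a standard user: the signed sample should be Allowed (by the
#    publisher rule); a copy of any exe dropped in %APPDATA% should be
#    DeniedByDefault, which is exactly the CryptoLocker launch path.
$effective = Join-Path $PolicyDir "effective.xml"
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $effective -Encoding UTF8
$probe = Join-Path $env:APPDATA "probe.exe"
Copy-Item "$env:WINDIR\System32\notepad.exe" $probe -Force   # stand-in for a dropper
Test-AppLockerPolicy -XmlPolicy $effective -Path $SignedSample, $probe -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $probe -Force

# 5. Audit events: 8003 = would have been blocked (AuditOnly), 8004 = blocked
#    (Enabled). Run in audit for a while, add rules for the vendors that show
#    up here (Java updaters and the like), then switch AuditOnly to Enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Two caveats worth carrying with this. A publisher rule trusts the certificate, not the vendor's judgement, so Ziots's point about signed malware with valid certificates still applies: scope the rule with -Optimize off (product or binary level) for signers you do not fully trust. And the admin "allow everything" rule only helps if users are not local administrators; with admin rights the malware inherits the same exemption.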
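Ziots suggests an egress filter from the trust zone to the untrust zone for the indicator addresses from the CIS advisory. That is a perimeter-firewall job, but the same list is also useful on the endpoint, both to spot hosts that are already beaconing and to block the path while the perimeter rule is being pushed. The following is an added example, not code from the thread; it uses the NetSecurity and NetTCPIP cmdlets (Get-NetTCPConnection, New-NetFirewallRule, Set-NetFirewallRule, Set-NetFirewallProfile) available on Windows 8 / Server 2012 and later, needs an elevated prompt, and takes its addresses verbatim from the 2014 list quoted above, so treat them as an illustration of the mechanism rather than a current blocklist.

```powershell
# Added example (not from the thread): host-side egress block for the CIS
# CryptoLocker indicator list quoted in the thread (February 2014), with a
# sweep for existing sessions first. Requires Windows 8 / Server 2012+ and
# an elevated prompt. Addresses are from the thread and are historical.

$C2Addresses = @(
    '144.76.192.130','192.155.83.72','212.2.227.70','95.59.26.43','162.243.66.243',
    '162.243.70.51','166.78.144.80','192.210.230.39','194.28.174.119','195.22.26.231',
    '195.22.26.252','195.22.26.253','195.22.26.254','212.71.250.4','50.116.8.191',
    '69.61.18.148','74.91.124.113','86.124.164.25','87.255.51.229','93.189.44.187',
    '95.211.172.143','96.43.141.186'
)

# 1. Sweep before blocking: an established session to the list is an incident
#    on this host, and the owning process is the sample you want to pull.
function Find-SuspectConnections {
    param([string[]]$Addresses)
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $Addresses -contains $_.RemoteAddress } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                Pid     = $_.OwningProcess
                Process = $proc.ProcessName
                Path    = $proc.Path
            }
        }
}

# 2. Outbound block rule, written so re-running with a revised list updates
#    the existing rule instead of stacking duplicates. -RemoteAddress takes
#    an array, so one rule covers the whole set.
function Set-C2EgressBlock {
    param([string[]]$Addresses, [string]$Name = 'Block CryptoLocker C2 (CIS 2014-02)')
    $existing = Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    if ($existing) {
        Set-NetFirewallRule -DisplayName $Name -RemoteAddress $Addresses
    } else {
        New-NetFirewallRule -DisplayName $Name -Direction Outbound -Action Block `
            -RemoteAddress $Addresses -Profile Any -Enabled True | Out-Null
    }
    # Log dropped packets so blocked beacons are visible in
    # %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
    Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True
}

Find-SuspectConnections -Addresses $C2Addresses | Format-Table -AutoSize
Set-C2EgressBlock -Addresses $C2Addresses
```

A host that shows up in the sweep has already run the payload, so the block only stops the key exchange for that sample; the file-encryption routine may still have run, which is why the thread keeps coming back to controlling execution rather than blocking addresses.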

