We run Malwarebytes Enterprise in addition to SCEP; they've both caught CryptoLocker. They get along well, and MB updates pretty quickly.
On Thu, Feb 27, 2014 at 2:03 PM, Ryan Shugart <[email protected]> wrote:
> I actually have a test GPO to implement this, thanks. The concern we're
> having is just what needs to be whitelisted and the process in finding that
> out. It won't be fun; some not very smart software sticks executables into
> the %appdata% folder and runs from there, such as Java updates, for example.
> Ryan
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Susan Bradley
> Sent: Thursday, February 27, 2014 12:52 PM
> To: [email protected]
> Subject: Re: [NTSysADM] RE: Cryptolocker
>
> Software restriction policies.
>
> Ignore the URL, the concepts are valid:
>
> http://www.foolishit.com/vb6-projects/cryptoprevent/
>
> And yes, it can also be done with group policy.
>
> I've never seen antivirus actually protect anyone. I've seen a/v
> vendors say they have protection, but they are always one step behind
> because it's really not a virus, it's a program that launches encryption
> on your system.
>
> Encryption is not a virus.
>
> On 2/27/2014 11:36 AM, Ziots, Edward wrote:
> >
> > AV isn't going to detect advanced malware like CryptoLocker.
> >
> > As a start I would do an egress filter trust to untrust for these IPs.
> >
> > https://discussions.nessus.org/thread/6799
> >
> > The most recent alert I saw yesterday came from the Center for Internet
> > Security <http://www.cisecurity.org/>. In their advisory, they listed the
> > following IPs as being associated with the network activity:
> >
> > 144.76.192.130
> > 192.155.83.72
> > 212.2.227.70
> > 95.59.26.43
> > 162.243.66.243
> > 162.243.70.51
> > 166.78.144.80
> > 192.210.230.39
> > 194.28.174.119
> > 195.22.26.231
> > 195.22.26.252
> > 195.22.26.253
> > 195.22.26.254
> > 212.71.250.4
> > 50.116.8.191
> > 69.61.18.148
> > 74.91.124.113
> > 86.124.164.25
> > 87.255.51.229
> > 93.189.44.187
> > 95.211.172.143
> > 96.43.141.186
> >
> > Is your 3rd-party software on the endpoints up to date?
> >
> > Z
> >
> > Edward E. Ziots, CISSP, CISA, Security+, Network+
> > Security Engineer
> > Lifespan Organization
> > [email protected] <mailto:[email protected]>
> > Work: 401-255-2497
> >
> > This electronic message and any attachments may be privileged and
> > confidential and protected from disclosure. If you are reading this
> > message, but are not the intended recipient, nor an employee or agent
> > responsible for delivering this message to the intended recipient, you
> > are hereby notified that you are strictly prohibited from copying,
> > printing, forwarding or otherwise disseminating this communication. If
> > you have received this communication in error, please immediately
> > notify the sender by replying to the message. Then, delete the message
> > from your computer. Thank you.
> >
> > From: [email protected] [mailto:[email protected]] On Behalf Of Ryan Shugart
> > Sent: Thursday, February 27, 2014 2:27 PM
> > To: [email protected]
> > Subject: [NTSysADM] Cryptolocker
> >
> > Hi:
> >
> > We've been plagued with Cryptolocker for the past several months, just
> > two infections yesterday. We're running McAfee 8.8 with the latest
> > DATs and it's just not finding this virus in time. If anyone is using
> > an antivirus solution that does detect this, can you let us know?
> > We're interested in a possible switch.
> >
> > Thanks.
> >
> > Ryan
> >
> > Ryan Shugart
> > LAN Administrator
> > MiTek USA, MiTek Denver
> > 314-851-7414
> >
> > (c) COPYRIGHT, MITEK HOLDINGS, INC., 2011-2013, ALL RIGHTS RESERVED
> > ________________________________
> > This communication (including any attachments) contains information
> > which is confidential and may also be privileged. It is for the
> > exclusive use of the intended recipient(s). If you are not the
> > intended recipient(s), please note that any distribution, copying, or
> > use of this communication or the information in it is strictly
> > prohibited. If you have received this communication in error, please
> > notify the sender immediately and then destroy any copies of it.
>
> --
> Got your CryptoLocker prevention in place?
> http://www.thirdtier.net/2013/10/cryptolocker-prevention-kit-updates/
> Only two more patching days of XP.... are you ready?

--
Probable Contrarian
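The Software Restriction Policy approach discussed in the quoted replies (deny executables launched from %AppData% and archive-extraction temp folders, then allow-list the few legitimate updaters that run from there) as an added worked example. This is not code from the thread, from CryptoPrevent or from the Third Tier kit; it writes the same HKLM\...\Safer\CodeIdentifiers registry keys that the SRP node of a GPO populates, so it can be used as a reference for what the test GPO should contain. The deny list follows the commonly published CryptoLocker prevention rule set; the ExampleVendor allow-list entry, the sample file names and the Test-SrpPath function (a simplified simulation of SRP path-rule precedence, hash/certificate/zone rules not modelled) are assumptions for illustration. By default the script only simulates; pass -Apply, elevated, on a test VM to write the policy.

```powershell
# Added example: CryptoPrevent-style SRP path rules with an allow-list, plus a
# dry-run evaluator so you can find out what would be blocked before deploying.
param([switch]$Apply)

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SaferIdentificationLevel: Disallowed
$Unrestricted = 0x40000  # SaferIdentificationLevel: Unrestricted (262144)

# Deny rules: executables launched from user-writable profile locations.
$DenyPaths = @(
  '%AppData%\*.exe',
  '%AppData%\*\*.exe',
  '%LocalAppData%\*.exe',
  '%LocalAppData%\*\*.exe',
  '%LocalAppData%\Temp\Rar*\*.exe',   # WinRAR extraction folder
  '%LocalAppData%\Temp\7z*\*.exe',    # 7-Zip extraction folder
  '%LocalAppData%\Temp\wz*\*.exe',    # WinZip extraction folder
  '%LocalAppData%\Temp\*.zip\*.exe'   # Explorer compressed-folder launches
)

# Allow rules: assumed example entry; populate from your own software inventory.
$AllowPaths = @(
  '%AppData%\ExampleVendor\Updater\update.exe'   # hypothetical updater path
)

function Test-SrpPath {
    # Approximate SRP evaluation for one candidate file path: expand the
    # environment variables in each rule, collect the rules whose wildcard
    # pattern matches, and let the most specific (longest) pattern win.
    # Falls back to the default level when nothing matches.
    param([string]$FilePath, [string[]]$Deny, [string[]]$Allow, [int]$Default)
    $rules = @($Deny  | ForEach-Object { @{ P = $_; L = $Disallowed   } }) +
             @($Allow | ForEach-Object { @{ P = $_; L = $Unrestricted } })
    $best = $null; $bestLen = -1; $level = $Default
    foreach ($r in $rules) {
        $pattern = [Environment]::ExpandEnvironmentVariables($r.P)
        if ($FilePath -like $pattern -and $pattern.Length -gt $bestLen) {
            $bestLen = $pattern.Length; $best = $r.P; $level = $r.L
        }
    }
    [pscustomobject]@{
        Path   = $FilePath
        Rule   = $best
        Result = if ($level -eq $Disallowed) { 'Disallowed' } else { 'Unrestricted' }
    }
}

function New-SrpPathRule {
    # One path rule = one {GUID} subkey under <level>\Paths with these four values.
    param([string]$Path, [int]$Level, [string]$Description)
    $ruleKey = Join-Path $Safer "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData     -Value $Path -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -Value $Description -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
}

function Install-SrpRules {
    # Local-policy equivalent of the GPO SRP node. Run elevated; applies to all users.
    New-Item -Path $Safer -Force | Out-Null
    Set-ItemProperty -Path $Safer -Name DefaultLevel        -Value $Unrestricted -Type DWord  # allow by default, deny listed paths
    Set-ItemProperty -Path $Safer -Name TransparentEnabled  -Value 1 -Type DWord              # all software files except DLLs (2 = DLLs too)
    Set-ItemProperty -Path $Safer -Name PolicyScope         -Value 0 -Type DWord              # 0 = all users, 1 = all except local admins
    Set-ItemProperty -Path $Safer -Name AuthenticodeEnabled -Value 0 -Type DWord
    Set-ItemProperty -Path $Safer -Name ExecutableTypes -Type MultiString -Value @(
        'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP',
        'LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC')
    foreach ($p in $DenyPaths)  { New-SrpPathRule -Path $p -Level $Disallowed   -Description 'Block user-profile executables (CryptoLocker mitigation)' }
    foreach ($p in $AllowPaths) { New-SrpPathRule -Path $p -Level $Unrestricted -Description 'Allow-listed updater' }
    gpupdate /force | Out-Null   # new rules apply to processes started after the policy refresh
}

# Dry run over constructed sample paths (the file names are made up for the demo).
$Samples = @(
    "$env:APPDATA\invoice.pdf.exe",                     # classic CryptoLocker dropper location -> Disallowed
    "$env:APPDATA\Mozilla\Firefox\plugin.exe",          # subfolder, caught by %AppData%\*\*.exe  -> Disallowed
    "$env:APPDATA\ExampleVendor\Updater\update.exe",    # more specific allow rule wins            -> Unrestricted
    "$env:ProgramFiles\Java\bin\java.exe"               # no rule matches, default level           -> Unrestricted
)
$Samples | ForEach-Object { Test-SrpPath -FilePath $_ -Deny $DenyPaths -Allow $AllowPaths -Default $Unrestricted } |
    Format-Table -AutoSize

if ($Apply) { Install-SrpRules }
```

To build the whitelist Ryan asks about, run the dry run against real data rather than the constructed samples: feed Test-SrpPath the image paths from process-creation audit events (Event ID 4688) or Sysmon Event ID 1 collected over a couple of weeks, and every hit under %AppData% or %LocalAppData% is either a candidate allow-list entry or something you are glad to block. Note that this is a deny-list (DefaultLevel = Unrestricted); a default-deny SRP or AppLocker policy is stronger but needs a complete inventory first, and SRP is bypassed by anything that never goes through CreateProcess on a listed extension, so it complements rather than replaces egress filtering and patching.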

