How to tell if your AV detects certain viruses

Hi all,

http://www.independent.co.uk/news/u...ty-council-pay-1-million-ransom-a6843261.html

I'm sure many in the enterprise sector will have heard of the recent outage at Lincolnshire County Council. We are putting the team together this morning to discuss our safety measures; although we know they are good, it never hurts to go back over things.

My main question I'll be asking the team is: how do we know 100% that all our AV detection systems will identify "TeslaCrypt 3"?

AFAIK we are protected by EOP, Exchange365, Fortinet antiGuard and Endpoint on the client

Is there a website where you can type in the virus name and it tells you which AV and defs will detect it?

Thanks!
 
These particular attacks aren't generally picked up by anti-virus, unfortunately. Malwarebytes have just released a beta that claims to detect them.

What you've listed probably won't help much. What will is whitelisting applications using a GPO. If you can prevent the executable running then you're winning.
 
I had a feeling that may be the case. We have done this from time to time, especially on our RDS platform.

The latest Endpoint defs do have TeslaCrypt on them (aka crypt3), but I wondered if there was a general go-to website.

How do we find the hash of the virus to stop it running?

defs = 1.213.5162.0
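
On the "how do we find the hash" question above: the practical answer is that you take it from a captured sample yourself. The following is an added example, not code posted in this thread, showing that workflow with the AppLocker cmdlets: hash the sample, turn the hash into a Deny rule, test the rule locally, and merge it into a GPO. The sample path, the GPO's LDAP path and the rule name are assumptions. It also makes the point raised further down the thread, that a trivially altered variant no longer matches the hash.

```powershell
# Added example, not code from the thread. Assumes a captured sample at the
# hypothetical path C:\Quarantine\sample.exe, an AppLocker GPO at the
# hypothetical LDAP path $GpoLdap, and an elevated session on a machine that
# has the AppLocker module (Windows 7 / Server 2008 R2 or later).
Import-Module AppLocker

$Sample  = 'C:\Quarantine\sample.exe'                                                          # assumption
$GpoLdap = 'LDAP://DC=corp,DC=example/CN={GPO-GUID},CN=Policies,CN=System,DC=corp,DC=example'  # assumption
$Out     = 'C:\Quarantine\deny-sample.xml'

# 1. Flat-file SHA256. This is the value vendor write-ups and multi-engine
#    scanners publish, so it is what you search for, rather than a name such
#    as "TeslaCrypt 3", which every vendor spells differently.
$Sha256 = (Get-FileHash -Path $Sample -Algorithm SHA256).Hash
"Flat-file SHA256: $Sha256"

# 2. AppLocker computes its own hash for PE files (an Authenticode-style
#    hash, which need not equal the flat-file hash), so let it read the
#    sample itself instead of pasting the value from step 1 into a rule.
$Info = Get-AppLockerFileInformation -Path $Sample
"AppLocker hash:   $($Info.Hash)"

# 3. New-AppLockerPolicy only generates Allow rules; flip the one hash rule
#    it emits for this file to Deny.
$PolicyArgs = @{
    RuleType       = 'Hash'
    User           = 'Everyone'
    RuleNamePrefix = 'Deny-Ransomware-Sample'   # assumption
    Xml            = $true
}
[xml]$Policy = $Info | New-AppLockerPolicy @PolicyArgs
foreach ($Rule in $Policy.SelectNodes('//FileHashRule')) { $Rule.Action = 'Deny' }
$Policy.Save($Out)

# 4. Confirm the rule actually matches the sample before shipping it.
#    Expected PolicyDecision for the sample: Denied.
Test-AppLockerPolicy -XmlPolicy $Out -Path $Sample -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Why hash blacklisting is brittle: append a single byte (a repacked
#    variant is no different in principle) and the hash, and therefore the
#    Deny rule above, no longer matches.
$Variant = "$Sample.variant"
$Bytes   = [byte[]]([IO.File]::ReadAllBytes($Sample) + 0)
[IO.File]::WriteAllBytes($Variant, $Bytes)
$VariantHash = (Get-FileHash -Path $Variant -Algorithm SHA256).Hash
"Variant hash matches original: $($VariantHash -eq $Sha256)"   # False

# 6. Merge the Deny rule into the domain GPO; -Merge keeps the rules already
#    there instead of replacing the policy.
Set-AppLockerPolicy -XmlPolicy $Out -Ldap $GpoLdap -Merge
```

Deny rules win over Allow rules in AppLocker, so merging the hash rule into an existing whitelist is safe, but as step 5 shows it only covers that exact binary. Treat it as a stop-gap for a sample you have already seen, not as protection against the next build of the same family.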
 
Whitelist good applications or blacklist the known bad ones?
 
Yup, whitelisting is preferred, as above; you could only blacklist if you either know the path it'll be running from or have the hash of the executable to block.

What happens when it's a new variant with a different hash and running from a different path?
 
Whitelist good. Blacklisting is only of use if you know where it will install itself.

Will that not be quite a task with all the different exes from normal and background applications?

Is it a case of sitting down and seeing what is running on a clean PC?
 
I think if you work in a sector where you have a load of normal office type requirements and average employees then you need to seriously consider running a locked-down environment and AppLocker whitelisting. If you force everybody to run as a standard user and prevent applications running from any user profile folders then you will stop 99% of these sorts of attacks.

That just leaves zero-day bugs in applications and you can mitigate this somewhat with sane patching policies and by reducing your attack footprint severely - chances are you don't need Flash or Java any more, for example.
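
The post above, together with the earlier question about "sitting down and seeing what is running on a clean PC", describes one procedure: inventory a reference build, generate Allow rules for standard users, roll the policy out in audit mode, and only enforce once the audit log shows nothing legitimate being caught. The following is an added example of that procedure using the AppLocker cmdlets; it is not code from the thread. The GPO's LDAP path, the output path, the CORP\Domain Users group and the test script are assumptions, and it assumes the Application Identity service is running on the clients.

```powershell
# Added example, not code from the thread. Run on a cleanly built reference
# PC in an elevated session. Assumptions: the GPO LDAP path and output path
# below, a standard-user group named CORP\Domain Users, and the Application
# Identity service running on clients (AppLocker does nothing without it).
Import-Module AppLocker

$GpoLdap = 'LDAP://DC=corp,DC=example/CN={GPO-GUID},CN=Policies,CN=System,DC=corp,DC=example'  # assumption
$Out     = 'C:\Build\applocker-audit.xml'                                                      # assumption
$Users   = 'CORP\Domain Users'                                                                 # assumption

# 1. Inventory what the clean build runs from locations standard users cannot
#    write to. DLL rules are deliberately left out: they are off by default and
#    need a much larger inventory of their own.
$Files = foreach ($Dir in 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows') {
    Get-AppLockerFileInformation -Directory $Dir -Recurse -FileType Exe, Script, WindowsInstaller
}

# 2. Allow rules for standard users. Publisher rules are preferred (they
#    survive patching), then path, then hash for unsigned files; -Optimize
#    collapses per-file rules into per-publisher ones.
$PolicyArgs = @{
    RuleType                     = 'Publisher', 'Path', 'Hash'
    User                         = $Users
    RuleNamePrefix               = 'Std'
    Optimize                     = $true
    IgnoreMissingFileInformation = $true
    Xml                          = $true
}
[xml]$Policy = $Files | New-AppLockerPolicy @PolicyArgs

# Helper to add a path rule to a rule collection in the generated XML.
function Add-PathRule {
    param([System.Xml.XmlElement]$Collection, [string]$Name, [string]$Sid,
          [string]$Action, [string]$Path)
    $Doc  = $Collection.OwnerDocument
    $Rule = $Doc.CreateElement('FilePathRule')
    $Rule.SetAttribute('Id', [guid]::NewGuid().ToString())
    $Rule.SetAttribute('Name', $Name)
    $Rule.SetAttribute('Description', '')
    $Rule.SetAttribute('UserOrGroupSid', $Sid)
    $Rule.SetAttribute('Action', $Action)
    $Cond = $Doc.CreateElement('FilePathCondition')
    $Cond.SetAttribute('Path', $Path)
    $Conds = $Doc.CreateElement('Conditions')
    [void]$Conds.AppendChild($Cond)
    [void]$Rule.AppendChild($Conds)
    [void]$Collection.AppendChild($Rule)
}

# 3. Nothing under a user profile received an Allow rule, so once enforced it
#    is denied by default. Two additions per collection: a catch-all Allow for
#    local Administrators (S-1-5-32-544) so the build team is not locked out,
#    and an explicit Deny for the user-writable folder %WINDIR%\Temp, which a
#    path rule for C:\Windows would otherwise allow. Everyone is S-1-1-0.
#    Start every collection in audit-only mode.
foreach ($Collection in @($Policy.AppLockerPolicy.RuleCollection)) {
    Add-PathRule $Collection 'Admins: all files' 'S-1-5-32-544' 'Allow' '*'
    Add-PathRule $Collection 'Deny user-writable Windows\Temp' 'S-1-1-0' 'Deny' '%WINDIR%\Temp\*'
    $Collection.EnforcementMode = 'AuditOnly'
}
$Policy.Save($Out)

# 4. Check the policy locally before deploying it. notepad.exe should be
#    Allowed via its publisher rule; a constructed script dropped into the
#    user's temp folder should be DeniedByDefault for a standard user.
$Dropper = Join-Path $env:TEMP 'dropper-test.cmd'        # constructed test file
Set-Content -Path $Dropper -Value '@echo this would be the payload'
Test-AppLockerPolicy -XmlPolicy $Out -User $Users -Path "$env:WINDIR\System32\notepad.exe", $Dropper |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Deploy in audit mode. After a representative period, on a client, list
#    what would have been blocked; genuine gaps become rules, the rest is
#    exactly what the whitelist exists to stop.
Set-AppLockerPolicy -XmlPolicy $Out -Ldap $GpoLdap
$Audited = Get-AppLockerFileInformation -EventLog -EventType Audited `
               -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL'
$Audited | Group-Object Path | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20

# 6. When the audit log is clean, switch to enforcement and redeploy.
foreach ($Collection in @($Policy.AppLockerPolicy.RuleCollection)) {
    $Collection.EnforcementMode = 'Enabled'
}
$Policy.Save($Out)
Set-AppLockerPolicy -XmlPolicy $Out -Ldap $GpoLdap
```

Two caveats worth knowing before enforcing. Publisher rules are location-independent, so a signed binary from an allowed publisher runs from a user profile too; that is usually what you want for self-updating software, but it means the "no execution from profile folders" guarantee only holds for unsigned code. And C:\Windows contains several user-writable subfolders besides Temp, so if you rely on a path rule for it rather than publisher rules, add Deny rules for each of them as the example does for %WINDIR%\Temp.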
 