  • Locked thread
stevewm
May 10, 2005

Khablam posted:

Cryptolocker has taught me that the sheer number of corporate mail servers that can't/don't scan attachments is simply amazing. You're literally safer using free webmail than a managed solution you'd pay 5-figures a year for.

One of the many reasons I am glad we ditched our in house email servers and switched to Google Apps some years ago. They do a much better job than any appliance or software we have ever used.

We have been very lucky.. Have not had an infection of any kind that came in via email since switching. All spyware/viri in the past few years has been delivered via IE ActiveX or Flash plugin vectors. Java was removed from nearly all company computers over a year ago; out of 200ish computers, only 5 have it installed because they need it. No one even noticed Java was missing.

stevewm fucked around with this message at 16:28 on Oct 11, 2013


Zogo
Jul 29, 2003

Khablam posted:

You're literally safer using free webmail than a managed solution you'd pay 5-figures a year for.

That's one of those "open secrets" many don't know.

mindphlux
Jan 8, 2004


Khablam posted:

Cryptolocker has taught me that the sheer number of corporate mail servers that can't/don't scan attachments is simply amazing. You're literally safer using free webmail than a managed solution you'd pay 5-figures a year for.

yeah, if you're running a mail server without an endpoint security service, you're a dolt. I got called out on this very early on in my career. Thank you, incredulous NOC technician, for being a huge dick when I tried to do something stupid.

google postini was great, but I guess they're transitioning to a google apps only type service. they say nothing will change with how it interacts with exchange servers, I'm hoping this is actually true...

Dilbert As FUCK
Sep 8, 2007

Does anyone else think that places use Trend Micro for the sole purpose of "well it is good enough to call an A/V solution; but bad enough so we can get recurring revenue off its faults"

Seriously fuck TREND

Laserface
Dec 24, 2004

Dilbert As FUCK posted:

Does anyone else think that places use Trend Micro for the sole purpose of "well it is good enough to call an A/V solution; but bad enough so we can get recurring revenue off its faults"

Seriously fuck TREND

We sell a lot of trend to our clients and recently had a security rep come out and show us how to correctly configure a Worry Free Business Security install and apparently we were doing it horribly wrong. We rolled out some changes to problem clients who would always end up with some bullshit Fake AV ransomware on their terminal server and the results have been great.

We are also using other services for smaller clients, I think we are still deciding which to go with though.

Slow-Scan Shep
Jul 11, 2001

Cryptolocker honestly sounds pretty brazen. I would imagine it would eventually have top or near-top priority among law enforcement bodies that deal with cybercrime if it continues to get more widespread.

I know that variants of it have been around for a while, but if it's getting better and better at what it does it's only going to draw more attention and that's rarely ideal for most criminal organizations.

tadashi
Feb 20, 2006

My company is finally moving away from Symantec Corporate 10.xx antivirus since it is no longer supported. Is there any business level antivirus out there anymore that does not require a yearly licensing fee? Only a small part of our company is centrally located and the rest are small offices with 2-5 PCs which operate in small work groups. We're trying to find a solution for the remote offices that would allow for local installs and minimize costs going forward. I guess we could just install some sort of free AV like Avast but we are also not trying to be thieves.

thebigcow
Jan 3, 2001


tadashi posted:

Is there any business level antivirus out there anymore that does not require a yearly licensing fee?

No

dpkg chopra
Jun 9, 2007

I'm the ad-hoc IT guy for my small law office (5 users, including the receptionist). All of them are Windows machines (XP through 8, but I'll be replacing the one XP machine as soon as Windows 8.1 hits)

It's not absolutely indispensable, but some users (the lawyers) usually need access to each other's files (for drafting and revisioning purposes). Right now that's solved by having the lawyer's computers share their Documents folder (just that folder) through the network.

This is obviously Very Dumb™ and I will be correcting this ASAP tomorrow morning, especially after reading this whole CryptoLocker discussion.

Still, I'm wondering if there is any safe way and convenient way (ie: not having to send everything through e-mail) for users to share their files without actually exposing every machine to the network.

One option I thought of was that right now every user has their folders synced in real-time to a Google account, so I could simply have each Google user share the folders to each other, which will be automatically downloaded to the other user's machine via Google's Windows app. The bonus of this is that everything will also go through Google's file scanning process.

Any thoughts?

Edit: I understand the legal contingencies of having confidential legal documents leave the local environment and get hosted on a third-party's website. I am OK with this.

AARP LARPer
Feb 19, 2005


Ur Getting Fatter posted:

Any thoughts?

Edit: I understand the legal contingencies of having confidential legal documents leave the local environment and get hosted on a third-party's website. I am OK with this.

Do you? I can't believe the attorneys in your office are okay with opening themselves up to attorney/client privilege issues this way. I work for a large law firm and our partners' hearts would explode from their chests if someone was storing attorney work product on Google Docs.

Factory Factory
Mar 19, 2010

This may be a bit too out-of-the-box, but what about Wiki-style security? As in, run a Linux server with shadow-copy/versioning to host the files for very low downtime if you get Cryptolockered - reimage the PCs and revert the shared file store. It also keeps stuff local.

--

Client called me in today and I discovered an Install IQ Updater install that had littered a few dozen PDF readers and other pay-to-install shovelware onto the system. There was also some DNS redirecting (away from anti-malware software), a suspicious search page set as the default, and the system's existing security software was screwed - MSE was flat-out missing, and MalwareBytes seemed to have been hijacked into scareware - it threw up detections, but then demanded payment for clearing them.

Windows Defender Offline was utterly useless, didn't find a thing. TDSSkiller said no rootkit was running. I manually nuked all temp files, then killed a bunch of shenanigans with rkill, then I spent a lot of time with Revo Uninstaller killing services and processes to kill all the stubborn shovelware. I also wiped out Chrome (which had gotten screwed somewhere along the line) and MalwareBytes and reinstalled them fresh.

Right now, HijackThis and MSE say the system is clean. I'm letting MalwareBytes do a full scan overnight. But while the stubborn Install IQ Updater was definitely a problem - it was extremely resistant to being uninstalled - I'm not sure it was THE problem. Anyone seen an infection like this and know what I should be looking for (or if the root cause was nuked during the process of ending unknown services and nuking the temp files)? There's a lot of pain-in-the-ass legacy software on this computer, and the backups are pre-cleansing.

sfwarlock
Aug 11, 2007

Factory Factory posted:

This may be a bit too out-of-the-box, but what about Wiki-style security? As in, run a Linux server with shadow-copy/versioning to host the files for very low downtime if you get Cryptolockered - reimage the PCs and revert the shared file store. It also keeps stuff local.

(...)
Anyone seen an infection like this and know what I should be looking for (or if the root cause was nuked during the process of ending unknown services and nuking the temp files)? There's a lot of pain-in-the-ass legacy software on this computer, and the backups are pre-cleansing.

You beat me to it on point #1. I would actually suggest a Windows server, but with volume shadow copies or whatever so you can restore previous versions.

On your infection... I hate to say it... you should be looking for reinstall media. Spyware/rootkits these days are too vicious to trust even a "cleaned" system.

sfwarlock fucked around with this message at 04:36 on Oct 15, 2013

dpkg chopra
Jun 9, 2007


Do Not Resuscitate posted:

Do you? I can't believe the attorneys in your office are okay with opening themselves up to attorney/client privilege issues this way. I work for a large law firm and our partners' hearts would explode from their chests if someone was storing attorney work product on Google Docs.

The complicated answer: this isn't in the US, and our legal framework for offsite storage is a lot simpler. Basically, as long as certain criteria are met re: protection from outside access to our files, we are legally in the clear.

The simple answer: there is literally no one that cares where our files are because we are a 5-man operation that doesn't handle big clients. Data protection (and cost-effectiveness) is a lot more important than some ethereal contingency that has zero real world application for our use-case.

This isn't really the place to discuss this, however. It's my bad for even bringing up the legal issue in the first place. As a small aside, you'd be very surprised how many large law firms and hotshot lawyers will actually communicate, and even send files, through free webmail addresses. Like someone posted before, enterprise security is sometimes so lax that it might as well not exist, and in the end you're a lot more worried that someone is reading your e-mails than some hypothetical malpractice suit over proper data protection.

semicolonsrock
Aug 26, 2009


Ur Getting Fatter posted:

I'm the ad-hoc IT guy for my small law office (5 users, including the receptionist). All of them are Windows machines (XP through 8, but I'll be replacing the one XP machine as soon as Windows 8.1 hits)

It's not absolutely indispensable, but some users (the lawyers) usually need access to each other's files (for drafting and revisioning purposes). Right now that's solved by having the lawyer's computers share their Documents folder (just that folder) through the network.

This is obviously Very Dumb™ and I will be correcting this ASAP tomorrow morning, especially after reading this whole CryptoLocker discussion.

Still, I'm wondering if there is any safe way and convenient way (ie: not having to send everything through e-mail) for users to share their files without actually exposing every machine to the network.

One option I thought of was that right now every user has their folders synced in real-time to a Google account, so I could simply have each Google user share the folders to each other, which will be automatically downloaded to the other user's machine via Google's Windows app. The bonus of this is that everything will also go through Google's file scanning process.

Any thoughts?

Edit: I understand the legal contingencies of having confidential legal documents leave the local environment and get hosted on a third-party's website. I am OK with this.

Use Dropbox for business. https://www.dropbox.com/business . Really inexpensive, and more secure + powerful than pretty much anything else. There are probably other similar services, but this is the one I'm familiar with.

WHERE MY HAT IS AT
Jan 7, 2011
What about SpiderOak? They seem to be the most concerned with privacy/security out of all the cloud storage providers.
https://spideroak.com/

TheRationalRedditor
Jul 17, 2000


Khablam posted:

It's usually between Avast and AVG, with both having their own fanbase.

- For raw detection rates, Avast/AVG swap for 1st position pretty often, Avast wins most frequently, but you'd honestly see it as a tie. Bitdefender free is worth mentioning here as it does very well at this, but is otherwise incredibly stripped-down and not as functional.

- For system impact, Avast is lighter on your system. In particular, AVG has awful performance for copying files.

- Avast has fewer false positives.

- If your target is to scan a very infected machine, AVG has slightly better removal capabilities.

- Avast will scan network traffic / web traffic before it hits the file system / browser process, meaning it is much harder for malware to take advantage of unpatched vulnerabilities. In fact, other than ESET/Bitdefender/Kaspersky, none of the paid solutions do this as well. Information on how each A/V works is a guarded secret, and despite AVG having a webshield it doesn't seem to offer the same level of protection.
If you want to test a general drive-by download there's a test site for it:
http://www.amtso.org/feature-settings-check-drive-by-download.html If you don't get warnings, it's not being blocked.

Misc:
AVG only lets you update daily for free, meaning Avast will a) respond quicker to threats and b) remove any problem definitions more quickly.

AVG loses points by (near daily) yapping at you to buy the paid version.

Avast is very intuitive and easy to use.

For a lot of uses they're pretty similar, and as an upgrade to MSE you can't go wrong in most areas, but if you pick it apart a little Avast is more comprehensive, especially so with 'prevention is better than the cure' in mind - I would rather flatten a very infected system than rely on anything to fully clean it, so my personal way of seeing it is to only view A/V based on prevention.

If you want to nerd out a bit and read some in-depth reviews - http://www.av-comparatives.org

Good writeup. For what it's worth, Windows 8 Defender blocked that test URL.

mindphlux
Jan 8, 2004

does anyone have any documentation on the inner workings of combofix?

I'm always really annoyed by their whole "ONLY FOR USE WITH AUTHORIZED HELPER, DONT USE THIS ON YOUR OWN, THERE BE DRAGONS HERE" shit. I mean I understand it as a public policy, but it'd be really useful if they shared like, command line options, how to write scripts for it, etc for those of us who use it on a regular basis.

Merica
Jan 28, 2009

Dilbert As FUCK posted:

Does anyone else think that places use Trend Micro for the sole purpose of "well it is good enough to call an A/V solution; but bad enough so we can get recurring revenue off its faults"

Seriously fuck TREND

We use Trend and the inability to scan inside attached compressed files other than .zip is a product limitation. That is a direct quote from them. I hate Trend so much; all it does is yell at me about spyware that it already deleted and give false positives on things. We are a development company so we make a couple pieces of software and it likes to flag our .exes as viruses when we upload them to FTPs.

Zogo
Jul 29, 2003

mindphlux posted:

does anyone have any documentation on the inner workings of combofix?

It's purposely obfuscated because they don't want the evildoers to understand how it works and counteract it.

Khablam
Mar 29, 2012

Real answer: it's obfuscated because the people actually telling you to run it don't have a clue what it does, and it sounds better to say "sorry, can't tell you" than "I'm a trumped up self-aggrandizing wannabe IT expert with a 2000 word MOSTLY RED CAPS LOCK copypasta for dealing with any and all IT issues"

Bleeping Computer has some good tools, but some utter shitlords infest whatever hellhole of a forum they claim to have. I've quite honestly found threads where someone has had what is clearly a dicky video driver and a coincidental minor piece of spyware, but the tool has run the user through tens of hours of SCAN THIS EXACTLY THIS WAY AND PASTE IT HERE WITHIN 1 DAY OR THE THREAD IS CLOSED AND YOU ARE BANNED, and you can literally see the point at which one of their catch-all tools has done a number on the user's registry and the guy is all SEE YOU DIDN'T LISTEN THE MALWARE HAS GOTTEN WORSE.* It's so very vicariously distressing to watch someone suffer terrible IT support at the hands of someone who has zero clue, and oh so much self importance.

Fuck that place. End rant, I guess.

The use-case for combofix ought to be "I am very, very sure my system is now clean (offline scans or such) but something it changed to work is broken" -- try it before flattening the system. Or, save yourself all the hassle and at the first sign of a rootkit, reinstall from backup.

I stopped doing IT support when I realised 99% of my job could be replaced by a voice recorder that says "Your malware removal is your backup. If you don't have a backup go fuck yourself"

* - but seriously, fuck that place. And have a look around for those threads, they're so painful

mindphlux
Jan 8, 2004


Khablam posted:

Real answer: it's obfuscated because the people actually telling you to run it don't have a clue what it does, and it sounds better to say "sorry, can't tell you" than "I'm a trumped up self-aggrandizing wannabe IT expert with a 2000 word MOSTLY RED CAPS LOCK copypasta for dealing with any and all IT issues"

Bleeping Computer has some good tools, but some utter shitlords infest whatever hellhole of a forum they claim to have.

The use-case for combofix ought to be "I am very, very sure my system is now clean (offline scans or such) but something it changed to work is broken" -- try it before flattening the system. Or, save yourself all the hassle and at the first sign of a rootkit, reinstall from backup.

I stopped doing IT support when I realised 99% of my job could be replaced by a voice recorder that says "Your malware removal is your backup. If you don't have a backup go fuck yourself"

* - but seriously, fuck that place. And have a look around for those threads, they're so painful

Yeah, I completely agree with all of that really. I don't think there's any legitimate reason to obfuscate basic parts of the program other than to be a shitlord. I'm sorry, but publishing some command line options on how to run an unattended scan are not going to let the terrorists win.


Annoyingly, it's very good at what it does. It's usually my first line option, just because it's so easy. I've never had it fuck up a machine either. So, disable AV, combofix it, and then delve in deeper to see if there are still traces of infection. I'll admit I'm a bit lazy, but I lost the virus-hunting boyscout attitude a longgggggggggggggggggg time ago, sometime after I joined the real world of technology support.

BOOTY-ADE
Aug 30, 2006


Laserface posted:

Yay, a day after reading about this Cryptolocker thing, a client gets it.

Payroll machine with the user in charge of manual backups (take a guess at how often this occurs), and machine has write access to a whole bunch of network shares :downs:

Fuck, this thing is spreading like crazy...we've had at least 3 clients hit with Cryptolocker, thankfully they're all set up with backups and we were able to clean the virus and restore their files. We've got a few processes in place that we're using to try to track and prevent it from accessing and spreading on our own network and client ones.

Only other one we saw recently was a client that got the sexy.exe virus - basically infected one machine, then spread to the server and network shares. It made all their files hidden, and made copies of said files that were actually executables that would end up spreading the virus when the files were opened. Small outbreak, took a relatively short time to fix, but still sucks since apparently this virus is YEARS old and the AV software they were using didn't pick it up. :psyduck:

Dice Dice Baby
Aug 30, 2004

Ozz81 posted:

the AV software they were using didn't pick it up. :psyduck:

Is it OK for you to tell us which AV software this is?

BogDew
Jun 14, 2006

Is there any general way to safeguard against Cryptolocker? Does it just target My Documents or does it seek out every file on its hitlist on the system?

Double Punctuation
Dec 30, 2009

The way to safeguard against it is to take regular backups and properly secure your network shares. It will blindly try to encrypt anything it can find, and that's about all there is to it. It's the simplicity that makes it so dangerous.

Alkanos
Jul 20, 2009


WebDog posted:

Is there any general way to safeguard against Cryptolocker? Does it just target My Documents or does it seek out every file on its hitlist on the system?

Basically it looks for every file it can access with certain extensions (there's a list floating around out there somewhere). The only thing you can do to safeguard is to make sure that you have backups, and that the backups can't be accessed by the infected PC. If the backup is something like a dropbox folder, it'll get encrypted along with the rest of the drive.
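Editor's added example, not code from any poster in this thread: a PowerShell exposure audit for the point Double Punctuation and Alkanos make above, that CryptoLocker encrypts whatever the logged-on user can write to, mapped drives and sync folders included. It probes every volume and mapped share by creating and deleting a zero-byte file, notes which local volumes have shadow copies (Previous Versions) to revert from, and flags cloud-sync folders whose contents would be replicated upward once encrypted. It assumes Windows PowerShell 3.0 or later on Vista or newer; Win32_ShadowCopy only enumerates from an elevated prompt, and the sync-folder names are assumptions.

```powershell
# Editor's example: "what could CryptoLocker reach from this account?"
# Probes write access by doing a real create+delete, because ACL inspection
# misses deny rules, share-level permissions and read-only media.

function Test-WriteAccess([string]$Root) {
    $probe = Join-Path $Root ('.cl-probe-' + [guid]::NewGuid().ToString('N') + '.tmp')
    try {
        [System.IO.File]::WriteAllBytes($probe, [byte[]]@())
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-RansomwareExposure {
    # Volume GUID paths that currently have at least one shadow copy.
    $shadowed = @(Get-CimInstance Win32_ShadowCopy -ErrorAction SilentlyContinue | ForEach-Object { $_.VolumeName })
    $volumes  = @(Get-CimInstance Win32_Volume -ErrorAction SilentlyContinue)
    $typeName = @{ 2 = 'removable'; 3 = 'local'; 4 = 'network' }

    foreach ($d in Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2, 3, 4 }) {
        # Map the drive letter to its \\?\Volume{...}\ id so it can be matched against shadow copies.
        $volGuid = ($volumes | Where-Object { $_.DriveLetter -eq $d.DeviceID } | Select-Object -First 1).DeviceID
        [pscustomobject]@{
            Drive      = $d.DeviceID
            Type       = $typeName[[int]$d.DriveType]
            Target     = $(if ($d.DriveType -eq 4) { $d.ProviderName } else { $d.VolumeName })
            Writable   = Test-WriteAccess ($d.DeviceID + '\')
            ShadowCopy = [bool](($d.DriveType -eq 3) -and $volGuid -and ($shadowed -contains $volGuid))
        }
    }
}

$report = Get-RansomwareExposure
$report | Format-Table -AutoSize

# Anything Writable=True is encryptable by malware running as this user. A writable
# network drive with no server-side versioning is the "backup that isn't a backup".
$report | Where-Object { $_.Writable -and $_.Type -eq 'network' } | ForEach-Object {
    Write-Warning "$($_.Drive) -> $($_.Target) is writable from $env:USERNAME; its files are reachable by anything this account runs."
}

# Sync folders are local folders too: whatever gets encrypted here is uploaded.
# Folder names are assumptions; adjust for the services actually in use.
foreach ($sync in 'Dropbox', 'Google Drive', 'SkyDrive', 'OneDrive') {
    $p = Join-Path $env:USERPROFILE $sync
    if (Test-Path -LiteralPath $p) {
        Write-Warning "Sync folder $p will replicate encrypted files; treat the service's version history, not this folder, as the backup."
    }
}
```

Run it as the ordinary user whose machine you are worried about, not as an administrator, because the question is what that user's session can write to. Unmapping drives (as skipdogg describes further down) shows up immediately as the network rows disappearing from the report.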

Khablam
Mar 29, 2012

FYI if your company uses some dumbass over-sold cloud security on their mailbox (like Total Defense - http://cloud.totaldefense.com/) most of them (including TD) aren't detecting Cryptolocker.

WebDog posted:

Is there any general way to safeguard against Cryptolocker? Does it just target My Documents or does it seek out every file on its hitlist on the system?
Same as any virus, really. You need an AV that doesn't suck, as few security holes as humanly possible and current backups.

Alkanos posted:

If the backup is something like a dropbox folder, it'll get encrypted along with the rest of the drive.
If you notice it in time, and you have a while to do so, you can log into the dropbox site and restore the originals. Don't plan it as your fallback, though.

Dice Dice Baby
Aug 30, 2004
The paid Dropbox service can revert files indefinitely, though that would suck having to do on a large amount of files, so maybe it has a big "revert" option like Wikipedia

sonicice
Oct 21, 2000


WebDog posted:

Is there any general way to safeguard against Cryptolocker? Does it just target My Documents or does it seek out every file on its hitlist on the system?

Besides making sure you have backups available, you can also set Group Policy to block executables from running from the Application Data folder. If your environment is like ours, you might also need to create an exception for Chrome if people use that, since it likes to install in that folder too, maybe if you don't have local admin rights.

BogDew
Jun 14, 2006

My "work environment" is pretty much aimed at stopping a dreaded call from a family member when it hits. Does XP's GP have settings to stop executables running out of App Data?

Bloody Pom
Jun 5, 2011



Well this whole CryptoLocker thing has finally scared me into not being a lazy idiot with regards to securing my personal PC. :downs: Time to install Avast and kill Java forever.

I think the worst part is that I would never have known about this fucker if it wasn't for Tumblr. :cripes:

Khablam
Mar 29, 2012

WebDog posted:

My "work environment" is pretty much aimed at stopping a dreaded call from a family member when it hits. Does XP's GP have settings to stop executables running out of App Data?
The SRP rule you want is %AppData%\*\*.exe

Limited accounts rather than local admin can help too.

Avast!, ESET, Trend and a couple of others had day-0 definitions for this thing, and scan and intercept web traffic. In my opinion any AV that doesn't intercept and scan network/web traffic before the browser sees it is 100% useless in the real world; its ability to detect viruses sitting on your file-system is irrelevant.

Check your AV does this.

e: Cryptolocker is "just" an EXE, usually spread by email attachment. If people are getting hit by this, there's a lot to say about it, and it's all negative, both on a system security standpoint, and a user-knowledge problem. This is 1999-era stuff with a different payload.

Khablam fucked around with this message at 11:02 on Oct 24, 2013
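Editor's added example, not from any poster or vendor: a PowerShell script that writes the Software Restriction Policy path rules sonicice and Khablam describe (block executables under AppData, with an allow rule for Chrome's per-user install) into the local policy registry keys that the Local Security Policy snap-in itself uses. It assumes an elevated prompt, Windows PowerShell 3.0 or later, and a machine that is not already receiving SRP from a domain GPO (in a domain, put the same rules in the GPO under Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies instead); the Chrome path and the block rules beyond Khablam's %AppData%\*\*.exe are assumptions to adjust per site.

```powershell
# Editor's example: local SRP rules blocking .exe launches from the user profile's
# AppData tree, plus an allow rule for Chrome's per-user install. Test on one
# machine first: anything else that installs per-user (ClickOnce apps, meeting
# clients) will need its own allow rule.

$Base         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0x0        # SAFER security level ids
$Unrestricted = 0x40000

function New-SrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][int]$Level,
        [string]$Description = ''
    )
    # Each rule is a {GUID} subkey under <level>\Paths; ItemData holds the pattern.
    $key = Join-Path $Base ('{0}\Paths\{1}' -f $Level, [guid]::NewGuid().ToString('B').ToUpper())
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'ItemData'     -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name 'SaferFlags'   -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Description'  -Value $Description -PropertyType String       -Force | Out-Null
    New-ItemProperty -Path $key -Name 'LastModified' -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
}

# Policy root. Default level stays Unrestricted; the rules below carve out AppData.
New-Item -Path $Base -Force | Out-Null
New-ItemProperty -Path $Base -Name 'DefaultLevel'        -Value $Unrestricted -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $Base -Name 'TransparentEnabled'  -Value 1 -PropertyType DWord -Force | Out-Null  # 1 = all software except DLLs
New-ItemProperty -Path $Base -Name 'PolicyScope'         -Value 0 -PropertyType DWord -Force | Out-Null  # 0 = all users, admins included
New-ItemProperty -Path $Base -Name 'AuthenticodeEnabled' -Value 0 -PropertyType DWord -Force | Out-Null
# Designated file types SRP treats as executable (the snap-in's default list).
New-ItemProperty -Path $Base -Name 'ExecutableTypes' -PropertyType MultiString -Force -Value @(
    'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP','LNK',
    'MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC') | Out-Null

# Block rules. SRP's * matches a single path segment, so the two forms together
# cover AppData itself and one level below; deeper nesting needs further rules.
# %LocalAppData% exists on Vista and later only. On XP (WebDog's question) the
# equivalent is '%UserProfile%\Local Settings\Application Data\*.exe' plus the \*\*.exe form.
$blockPaths = @(
    '%AppData%\*.exe',      '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe',
    '%Temp%\*.exe',
    '%Temp%\*.zip\*.exe'    # an .exe run straight out of a zip attachment opened in Explorer
)
foreach ($p in $blockPaths) {
    New-SrpPathRule -Path $p -Level $Disallowed -Description 'Block exe from user profile (CryptoLocker mitigation)'
}

# Allow rule for software that legitimately lives in the profile (sonicice's Chrome case).
# Path is an assumption: confirm it on your own build before relying on it.
New-SrpPathRule -Path '%LocalAppData%\Google\Chrome\Application\chrome.exe' -Level $Unrestricted -Description 'Chrome per-user install'

# Apply now rather than waiting for the next policy refresh.
gpupdate /target:computer /force | Out-Null
```

Limited user accounts, which Khablam mentions in the same post, matter here too: a user with local admin rights can edit these keys back out, so the rule is a fence for malware running as the user, not a control against the user.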

dpkg chopra
Jun 9, 2007


Khablam posted:

Avast!, ESET, Trend and a couple of others had day-0 definitions for this thing, and scan and intercept web traffic. In my opinion any AV that doesn't intercept and scan network/web traffic before the browser sees it is 100% useless in the real world; its ability to detect viruses sitting on your file-system is irrelevant.

Does the free version of Avast have this?

TheRationalRedditor
Jul 17, 2000

Yes, the downside is that it's very annoying until you pay for it.

Khablam
Mar 29, 2012

TheRationalRedditor posted:

Yes, the downside is that it's very annoying until you pay for it.
You're thinking of AVG, which jumps in your face constantly like IAP in a shitty Zynga game. Avast offers you a trial of the paid version when you install, and when the program updates (3 or 4 times a year). Both are dismissed with a single click. These are discrete from definition updates that happen silently. If you accidentally click on the trial version upgrade, it just goes pro for 20 days, then reverts to the free version after a reminder.

Bitdefender (free) whilst not as fully featured will also remain all-but silent on the issue.

You might also be thinking of Avira (similar name?) whose free version at some point made you manually update, and showed a near-full-screen splash screen every time.

e: vvv oh, shit. I've had it turned off so many years I've forgotten that. It once went off whilst I was, erm, entertaining a guest and my computer had been left hooked into the surround-sound system :cripes:.
I've really never lived it down.

Khablam fucked around with this message at 21:27 on Oct 24, 2013

TheRationalRedditor
Jul 17, 2000

No, I certainly am thinking of Avast, though being mostly facetious because of the notoriety of the very loud female voice who likes to ambush you in quiet moments (most people don't know you can turn it off lol). Avast is really good.

skipdogg
Nov 29, 2004

Bloody Pom posted:

Well this whole CryptoLocker thing has finally scared me into not being a lazy idiot with regards to securing my personal PC. :downs: Time to install Avast and kill Java forever.

I think the worst part is that I would never have known about this fucker if it wasn't for Tumblr. :cripes:

It definitely made me make some changes. I'm reasonably careful online, but I unmapped all my drives on all my computers (work and home), installed A/V on my HTPC, and I signed up for an online backup service and copied all my important documents and photos to a hard drive that's sitting in a safety deposit box. I dealt with a house fire when I was a kid, so I should have been more on the ball to begin with.

Morganus_Starr
Jan 28, 2001
I just blocked all .zip attachments in our appliance-based spam filter to try to stop the spread of CryptoLocker. Anything else I'm missing besides locking down AppData? I think Zbot dropper is possibly distributing CryptoLocker and variants. Any other drive by java exploits or routes to infection out there for CryptoLocker?
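Editor's added example, not from any poster or product: a PowerShell attachment check that does what Morganus_Starr's .zip block and Merica's Trend complaint above both point at. It identifies a file by its leading bytes rather than its name, refuses archive types it cannot open (RAR, 7z), opens ZIPs to list executables inside them (including an .exe renamed to look like a document), and returns a verdict per file. It assumes Windows PowerShell 5.1 or later; the sample files it writes under %TEMP% are constructed for the demo.

```powershell
# Editor's example: mail-gateway style attachment check. Looks at what a file IS
# (magic bytes), what a zip CONTAINS, and blocks archive types it cannot inspect.
Add-Type -AssemblyName System.IO.Compression.FileSystem

$BlockedExt = @('.exe','.scr','.pif','.com','.cpl','.bat','.cmd','.js','.jse','.vbs','.vbe','.wsf','.jar')

function Get-Magic([string]$Path) {
    # First six bytes as an uppercase hex string (empty string for an empty file).
    $fs = [System.IO.File]::OpenRead($Path)
    try { $b = New-Object byte[] 6; $n = $fs.Read($b, 0, 6) } finally { $fs.Dispose() }
    if ($n -le 0) { return '' }
    return ($b[0..($n - 1)] | ForEach-Object { $_.ToString('X2') }) -join ''
}

function Get-ContentKind([string]$Magic) {
    switch -Wildcard ($Magic) {
        '4D5A*'         { 'pe' }     # MZ header: Windows executable/DLL/screensaver, whatever the name says
        '504B0304*'     { 'zip' }
        '526172211A07*' { 'rar' }
        '377ABCAF271C*' { '7z' }
        default         { 'other' }
    }
}

function Test-Attachment([string]$Path) {
    $reasons = New-Object System.Collections.Generic.List[string]
    $ext  = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    $kind = Get-ContentKind (Get-Magic $Path)

    if ($BlockedExt -contains $ext) { $reasons.Add("blocked extension $ext") }
    if ($kind -eq 'pe' -and $ext -notin '.exe', '.dll', '.scr') { $reasons.Add("PE header but extension is '$ext'") }
    if ($kind -in 'rar', '7z') { $reasons.Add("$kind archive cannot be inspected by this filter") }

    if ($kind -eq 'zip') {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try {
            foreach ($e in $zip.Entries) {
                if ($e.Name -eq '') { continue }                      # directory entry
                $eext = [System.IO.Path]::GetExtension($e.Name).ToLowerInvariant()
                if ($BlockedExt -contains $eext) { $reasons.Add("zip contains $($e.FullName)") }
                if ($eext -in '.zip', '.rar', '.7z') { $reasons.Add("nested archive $($e.FullName)") }
                # A renamed .exe still starts with MZ, so peek at the entry's first two bytes.
                $s = $e.Open()
                try { $h = New-Object byte[] 2; $null = $s.Read($h, 0, 2) } finally { $s.Dispose() }
                if ($h[0] -eq 0x4D -and $h[1] -eq 0x5A -and $eext -ne '.exe') {
                    $reasons.Add("zip entry $($e.FullName) is a PE file in disguise")
                }
            }
        } finally { $zip.Dispose() }
    }

    [pscustomobject]@{
        Path    = $Path
        Kind    = $kind
        Verdict = $(if ($reasons.Count) { 'Block' } else { 'Allow' })
        Reasons = $reasons
    }
}

# Demo on constructed files: a double-extension PE, a harmless text file, and a
# zip holding a fake "MZ" payload named like a document.
$dir = Join-Path $env:TEMP ('attach-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $dir | Out-Null
[System.IO.File]::WriteAllBytes("$dir\invoice.pdf.exe", [byte[]](0x4D, 0x5A, 0x90, 0, 0, 0, 0, 0))
Set-Content -Path "$dir\notes.txt" -Value 'plain text'
$z  = [System.IO.Compression.ZipFile]::Open("$dir\docs.zip", 'Create')
$st = $z.CreateEntry('report.pdf.exe').Open()
$st.Write([byte[]](0x4D, 0x5A, 0, 0), 0, 4); $st.Dispose(); $z.Dispose()

Get-ChildItem -LiteralPath $dir | ForEach-Object { Test-Attachment $_.FullName } |
    Format-Table Path, Kind, Verdict, @{ n = 'Reasons'; e = { $_.Reasons -join '; ' } } -AutoSize
```

The RAR/7z rule is the honest version of the product limitation Merica quotes: if a filter cannot open a container, the safe verdict is to block it rather than pass it through unscanned. Expect invoice.pdf.exe and docs.zip to come back as Block and notes.txt as Allow.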

eames
May 9, 2009

So this article about "badBIOS" over at arstechnica... please tell me that is a hoax?

http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/


Tardcore
Jan 24, 2011


eames posted:

So this article about "badBIOS" over at arstechnica... please tell me that is a hoax?

http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/

" Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed. "

It's ghosts! :ghost:
