Archive for Malware – Page 3

CryptoLocker Protection Utility for Home Users

Read the detailed instructions for installing KW Support’s CryptoLocker Prevention Utility on home computers and on business computers that are not domain-joined.

[Screenshots #1 through #11 of the installation steps; images not reproduced]

CryptoLocker Group Policy Exceptions

In recent posts (here) I’ve addressed the process of creating Group Policy rules for securing your workstations from attacks like the CryptoLocker ransomware. These rules will prevent random executable files located in your local Application Data folder (AppData) from running.

The vast majority of programs that you may use should not put .exe files in the AppData folder, but every so often we come across an exception. In my case, I tried running Join.Me this morning and was greeted with this pop up window:


The process of adding an exception to the Software Restriction Rules we previously created is very straightforward:

  1. From the server, open the Group Policy Management console
  2. Drill down Your_domain.local –> MyBusiness –> Computers –> SBSComputers

    Modify the XP rule

  3. Right click on the Prevent CryptoLocker XP rule, and click Edit
  4. Drill down Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Software Restriction Policies
  5. Right click on Additional Rules, then click New Path rule… and create a new rule for the exception.
    In my case, my rule looks like this:
    [screenshot of the path rule]
  6. Click OK

    Modify the Vista and higher rule

  7. Right click on the Prevent CryptoLocker Vista and higher rule, and click Edit
  8. Drill down Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Software Restriction Policies
  9. Right click on Additional Rules, then click New Path rule… and create a new rule for the exception.
    In my case, my rule looks like this:
    [screenshot of the path rule]
  10. Click OK

You may now wait the appropriate time (somewhere around 90 minutes, I believe) for Group Policy changes to be broadcast to all workstations, or, if you are in a hurry:

  1. From the server, open up an elevated command prompt and run: gpupdate /force
  2. Then from your workstation, open up an elevated command prompt and run: gpupdate /force

You may now test your application.

Testing your CryptoLocker Group Policy

I posted previously on using Group Policy to establish rules to prevent executable files (.exe) stored in the Windows AppData directory from running, as a way to minimize or prevent the Cryptolocker-type ransomware from infecting your computers.

Someone asked me: “How do I know if the group policy rules are working?”

Good question … easy answer: drop a small executable file into your local AppData directory and try to run it. I like to use notepad.exe for this test.

Here are the steps if doing this from a Vista / Win7 / Win8 workstation:

  1. Open up an elevated command prompt window.
    By default, it should put you into the C:\Windows\System32 folder
  2. Enter the following commands, pressing Enter after each:
    copy notepad.exe %localappdata% 
    cd %localappdata%
    notepad.exe
  3. If you receive an error message: “This program is blocked by group policy.” – then your group policy rules are working.
    Congratulations!

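As an added example that is not part of the original posts, the following PowerShell script covers both the exception post above and this test: it lists the path rules the Software Restriction Policy has applied to the workstation, with their security level, and then repeats the notepad.exe-in-AppData check and reports whether the policy blocked it. It assumes the rules arrive through machine Group Policy (so they sit under the HKLM Safer policy key); the function names are mine.

```powershell
# Added example, not code from the original posts: list the Software Restriction
# Policy path rules Group Policy applied to this machine, then repeat the post's
# notepad.exe test. Run from an elevated PowerShell prompt on the workstation.
# Assumption: rules come from machine policy, so they sit under the HKLM Safer
# policy key; 0 / 4096 / 262144 are the documented SRP security-level codes.
$SaferRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$LevelNames = @{ 0 = 'Disallowed'; 4096 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpPathRules {
    # Each level has its own Paths subkey with one GUID-named key per path rule;
    # ItemData holds the path pattern (e.g. %AppData%\*.exe).
    foreach ($level in $LevelNames.Keys) {
        $paths = Join-Path $SaferRoot "$level\Paths"
        if (-not (Test-Path $paths)) { continue }
        Get-ChildItem $paths | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Level       = $LevelNames[$level]
                Path        = $p.ItemData
                Description = $p.Description
            }
        }
    }
}

function Test-AppDataBlock {
    # Copy notepad.exe into %LOCALAPPDATA% and try to start it. When the Disallowed
    # rule is in effect, Windows refuses with Win32 error 1260
    # (ERROR_ACCESS_DISABLED_BY_POLICY), shown as "blocked by group policy".
    $src = Join-Path $env:SystemRoot 'System32\notepad.exe'
    $dst = Join-Path $env:LOCALAPPDATA 'notepad.exe'
    Copy-Item $src $dst -Force
    try {
        $proc = Start-Process -FilePath $dst -PassThru -ErrorAction Stop
        Stop-Process -Id $proc.Id -Force   # it started, so the rule is not applied
        return $false
    } catch {
        $inner = $_.Exception.InnerException
        return ($_.Exception.Message -match 'blocked by group policy' -or
                ($inner -and $inner.NativeErrorCode -eq 1260))
    } finally {
        Remove-Item $dst -Force -ErrorAction SilentlyContinue   # clean up the copy
    }
}

Get-SrpPathRules | Sort-Object Level | Format-Table -AutoSize
if (Test-AppDataBlock) { 'AppData execution is blocked: the Group Policy rules are working.' }
else { 'notepad.exe ran from AppData: the rules are not in effect yet (try gpupdate /force).' }
```

The rule listing shows whether the Unrestricted exception you added (for example for Join.Me) actually reached the workstation alongside the Disallowed AppData rule.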

Beware Cryptolocker Malware Madness

The past few weeks have been filled with reports of workstations and servers being infected by the Cryptolocker ransomware. It is being called one of the worst malware attacks ever seen. And these attacks are occurring even when anti-virus and anti-spam filters are in place.


http://blog.emsisoft.com/2013/09/10/cryptolocker-a-new-ransomware-variant/

Please do not treat this lightly!

The result of this attack is that files on your computer will be encrypted with a high-level 128-bit encryption key. And it will quickly spread to any mapped drives or USB drives that are attached. And even worse — there is no known tool to decrypt these files.

This malware often comes in through rogue emails that appear to be from FedEx, UPS, Amazon or other similar purchasing sites. It may be a link in the email, or an attachment. But clicking on the link or the attachment is all that it takes.

SHUTDOWN YOUR COMPUTER IMMEDIATELY

You will know if you have been infected with the Cryptolocker malware, because you will see a large message on your screen telling you to pay a ransom to get your data files back.

Do not attempt to run any anti-virus or anti-malware utilities. If you see the ransom message, turn off your computer immediately. Power it off and disconnect your network cable.

BACKUP – BACKUP – BACKUP!!!!

The best advice anyone will give you is to make sure you have up-to-date backups of your servers, workstations and your data. Because if you get caught by this malware, you will need to restore your data from backup. It primarily seeks out office files (Word, Excel, etc.), but will also look for database files (Access, FoxPro, etc.).

Cryptolocker can be removed using well-known malware removal tools, such as MalwareBytes. But these tools CANNOT decrypt your infected files.

DO NOT PAY THE RANSOM!

The Cryptolocker malware will display a large warning message that your computer has been compromised, and that you can recover your files if you pay the required ransom (anywhere from $100 to $300). But they say that you only have a limited amount of time to pay this ransom, generally 72 hours.

Even though some people have reported paying the ransom and getting their files decrypted, I cannot condone such actions. Not only is there no assurance that the cleanup will take place if you pay the money, it still remains that your system has been compromised.

REFORMAT and RELOAD

I strongly advise reformatting infected systems and restoring Windows, either from backup or as a clean install.

Known issue with KB 2859537

Microsoft released several security updates for Windows last week, including KB 2859537. Well, it turns out that for some people, this specific update may cause programs to fail to start, or worse, a BSOD (blue screen of death).

So far this only affects a small handful of people – including some gaming programs that modify the Windows kernel, some computers with existing rootkits, and even users running Avast A/V. By the way, I understand Avast has already pushed out an update fix for their software.

Solution?

The problem is that we get suckered into complacency: updates come, updates are applied, we keep working. And suddenly we forget little things like creating a restore point, making a backup before proceeding, or checking for the existence of rootkits.

To check your computer for existing rootkits and remove them, download and run Kaspersky Lab’s free TDSSKiller.

Java Warning

On Saturday January 12, 2013 the U.S. Department of Homeland Security issued a recommendation to disable Java, based on vulnerabilities reported in this CERT (http://www.kb.cert.org/vuls/id/625617).

Update: on Monday January 14th, Oracle released a security patch (Java 7 Update 11) to address these vulnerabilities.

Calyptix Mail Bagging

I recommend and install Calyptix’s Access Enforcer all-in-one network security appliance at many of my customer sites. Compared to my experience working with some other security appliances, I find the Access Enforcer very easy to install and maintain.


If you work with Calyptix, you may not be aware that they do “mail bagging” automatically if you enable SMTP filtering. “Mail bagging” simply means that if (for whatever reason) incoming mail cannot be delivered to your on-premise mail server, the Access Enforcer will hold (bag) it. Once your mail server is back online, it will release the emails.

The Calyptix KB article on mail bagging was updated today to address the proper requirements for using this feature.

GFI MAX Mail issues

Most of my customers are using GFI’s MaxMail solution to provide virus and spam filtering, as well as email continuity and archiving.

Today, a customer called to report issues with sending and receiving emails. I was able to connect to the server remotely without trouble, but incoming and outgoing email seemed to be at a standstill, with no warnings or errors. I rebooted Exchange on this SBS 2008 server, with no improvement.

I then used MXToolBox to check out the status of the domain and test SMTP delivery. Voila! It reported an error in connecting to GFI’s intermediate IP addresses!


I then called GFI Support, and the pre-recorded message informed me that I was not the only one with this issue. I also learned that GFI has a status page for monitoring GFI MAX: http://status.gfimax.com


And here is what they are reporting:

Our engineers have been systematically assessing all of the centralized components of our service in North America, including our configuration databases, the greylisting service, our various spam and virus filtering engines, network responsiveness between datacenters, and other elements that could be causing the very slow response times of our filters.

The likely culprit from our testing is the centralized asset storage servers, which are responding more slowly than usual by nearly an order of magnitude. The engineers are investigating this in detail to determine what is causing multiple asset stores in multiple datacenters to be so affected.


Windows XP 0x80070424 Update Error

I’ve encountered this error on two different Windows XP systems in the past several days, so I thought I would create a quick post in case it helps others.

Issue: If your workstation has recently been hit by malware, you may find after cleaning it up that Windows Update or Microsoft Security Essentials fails with Error 0x80070424:

[screenshots of the error in Microsoft Security Essentials (MSE) and in Windows Update/Microsoft Update (WU/MU)]

The solution is very simple:

  • Click on Start –> Run
  • Copy/paste the following command line, and press OK:

    %SYSTEMROOT%\SYSTEM32\REGSVR32.EXE %SYSTEMROOT%\SYSTEM32\WUAUENG.DLL

  • You will get a response window indicating whether the DLL registration was successful. Click OK to finish.

You should now be able to run WU/MU or update MSE successfully. That’s all, folks!

List of Malware Tools I use

I’m sure everyone has their own personal “go to” list. I’d be interested in what others have found to be indispensable in their arsenal of malware-fighting utilities. I’m only focusing on SOHO and very small businesses or residential workstations.

For day-to-day protection at residential sites (family and friends), I will suggest they install, at a minimum, these three FREE utilities:

[logos of the three utilities]

For Small businesses (less than 10 workstations), I use the same three tools. MSE is now licensed for use in small businesses. MalwareBytes and CCleaner can be purchased for use in a business environment, and provide additional features over their free version counterpart.

For workstations that need further cleaning up, I will use one or more of the following tools:

[logos of the additional cleanup tools]