Are All AV's Vulnerable to Encryption Virus?

Discussion in 'other anti-virus software' started by jjc225, May 5, 2016.

  1. jjc225

    jjc225 Registered Member

    Joined:
    Nov 25, 2010
    Posts:
    282
    Just got hit with a nasty encryption virus (crypto or some variant) which has encrypted all my Office files, photos, etc. I had McAfee LiveSafe and Zemana Antimalware. Opened an attachment which I thought was safe. An alarm went off on Zemana and a scan started and something was found and deleted. Later I conducted a full scan with McAfee. Nothing.

    So are there any av's out there that guard against this bit of nastiness? Instructions are included to go to the dark web and pay ransom with Bitcoins to get your files back. Really bad stuff here.
     
  2. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,553
    Location:
    USA still the best. But barely.
    But your files are ok? If so only McCrappy failed you. No ime McCrappy is one of the worst AVs. BD, KAV, DrWeb (your avatar) are best that I know. Just McCrappy is one of the worst irl.
     
  3. XhenEd

    XhenEd Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    536
    Location:
    Philippines
    Know the crypto(ransom)-ware. There might be a decryptor available for that already.

    Edit: Your files are safe, are they not? :D
     
  4. jjc225

    jjc225 Registered Member

    Joined:
    Nov 25, 2010
    Posts:
    282
    No, all Office files are currently encrypted. Also, I made a huge mistake with my online backup. I had it set on continuous automatic backup. The illicit encryption changes that took place on my computer also took place on the online backup.
     
  5. hjlbx

    hjlbx Guest

The only way to prevent this is to not execute any unknown/untrusted files on your system = default-deny.

    Most AV are default-allow if the malicious file is undetected.

You can set AVs to block execution of any file that isn't specifically white-listed -- like Webroot or Kaspersky, but if the malicious file is digitally signed, it probably won't be blocked.

    Anti-executable or software restriction policy that blocks execution are best.
    • NoVirusThanks Exe Radar Pro
    • AppGuard
    • COMODO with Unrecognized set to Block
    • VooDooShield
    • etc
     
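The default-deny idea hjlbx describes above, worked through as an added Python example (not code from any of the products he lists, and not part of the original post). It models how Software Restriction Policy path rules resolve: everything is Disallowed unless a rule matches, and the most specific (longest) matching path rule wins. The rule set, the list of evaluated extensions and the sample paths are assumptions constructed for the example; Windows itself enforces the real policy at process creation, this script only lets you reason about a rule set before deploying it. Its main lesson is the pitfall of allowing `C:\Windows` wholesale: folders under it such as `C:\Windows\Temp` and `C:\Windows\Tasks` are writable by ordinary users, so they must be explicitly re-denied, and anything whose extension is not in the evaluated list runs regardless of the rules.

```python
"""Model of a default-deny execution policy built from SRP-style path rules.

Added example for this forum thread; not code from Exe Radar Pro, AppGuard,
COMODO or VooDooShield. Rules, extension list and sample paths are constructed.
"""
import ntpath
from typing import List, Optional, Tuple

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"

# Assumed rule set: allow the OS and installed programs, deny everywhere else,
# and explicitly re-deny the user-writable folders that live under C:\Windows.
# Without those last four rules, "C:\Windows" would allow a payload dropped
# into C:\Windows\Temp (a weak policy next to its corrected form).
RULES: List[Tuple[str, str]] = [
    (r"C:\Windows", UNRESTRICTED),
    (r"C:\Program Files", UNRESTRICTED),
    (r"C:\Program Files (x86)", UNRESTRICTED),
    (r"C:\Windows\Temp", DISALLOWED),
    (r"C:\Windows\Tasks", DISALLOWED),
    (r"C:\Windows\tracing", DISALLOWED),
    (r"C:\Windows\System32\spool\drivers\color", DISALLOWED),
]

# Extensions the policy is asked to evaluate at all (SRP calls these
# "designated file types"). Constructed list for this example: on a real
# deployment check the configured list, because a type missing from it
# (e.g. a .js attachment run by wscript.exe) is never evaluated.
DESIGNATED = {".exe", ".com", ".scr", ".bat", ".cmd", ".msi",
              ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}


def _norm(p: str) -> str:
    """Case-insensitive, separator-normalised Windows path (works off-Windows too)."""
    return ntpath.normcase(ntpath.normpath(p))


def _is_under(path: str, folder: str) -> bool:
    path, folder = _norm(path), _norm(folder)
    return path == folder or path.startswith(folder.rstrip("\\") + "\\")


def evaluate(path: str, rules: List[Tuple[str, str]] = RULES,
             default: str = DISALLOWED) -> Tuple[str, Optional[str]]:
    """Return (level, matching_rule_folder).

    Files whose extension is not designated are not evaluated at all; otherwise
    the longest matching path rule decides, and the default applies if none match.
    """
    ext = ntpath.splitext(path)[1].lower()
    if ext not in DESIGNATED:
        return ("NotEvaluated", None)
    best: Optional[Tuple[str, str]] = None
    for folder, level in rules:
        if _is_under(path, folder) and (
                best is None or len(_norm(folder)) > len(_norm(best[0]))):
            best = (folder, level)
    return (best[1], best[0]) if best else (default, None)


# Constructed sample paths, the way an e-mail attachment attack plays out.
SAMPLES = [
    r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    r"C:\Users\jjc\AppData\Local\Temp\invoice_scan.js",
    r"C:\Windows\Temp\svchost.exe",
    r"C:\Windows\System32\wscript.exe",
    r"C:\Users\jjc\Downloads\photo.jpg",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        level, rule = evaluate(sample)
        print(f"{level:13} {rule or '(default)':45} {sample}")
```

Note the fourth sample: `wscript.exe` is allowed because it lives in `C:\Windows`, so the script host itself is always runnable; the attachment is stopped only because `.js` is in the evaluated list and its folder falls back to the Disallowed default.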
  6. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    23,870
    Location:
    UK
  7. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,627
I recently recovered gigs of files from a customer's computer using ShadowExplorer to recover the original unencrypted files. I believe I was able to recover 100% or at least very close to that.
     
  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
Check if your online backup solution offers versioning. If it does, you could restore older (unencrypted) versions. There is also no AV that will 100% protect you from ransomware.
     
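jjc225's continuous backup mirrored the encrypted files over the good copies (post 4), and Minimalist's advice is to look for versioning (post 8). As an added example that is not from any post or backup product in this thread, here is a minimal versioned backup in Python: every run writes an immutable index and stores file bodies by content hash, so earlier versions are never overwritten, and a mass-change guard holds a run in which most files changed at once instead of pushing it to storage. The directories, thresholds and "encrypted" files are constructed for the demo.

```python
"""Versioned, content-addressed backup with a mass-change guard.

Added example for this forum thread; not code from any backup service named
in it. A plain mirror copies ransomware's output over the good copy; this
keeps every prior version and refuses to sync when "too much" changed at once.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class VersionedBackup:
    """Each run writes runs/<run_id>.json (relpath -> sha256); file bodies go
    to objects/<sha256>. Nothing under dest is ever overwritten or deleted."""

    def __init__(self, src: Path, dest: Path,
                 max_change_ratio: float = 0.5, min_files: int = 4):
        self.src, self.dest = Path(src), Path(dest)
        self.objects = self.dest / "objects"
        self.runs = self.dest / "runs"
        self.objects.mkdir(parents=True, exist_ok=True)
        self.runs.mkdir(parents=True, exist_ok=True)
        self.max_change_ratio = max_change_ratio  # assumed threshold
        self.min_files = min_files                # ignore guard on tiny sets

    def _scan(self) -> dict:
        return {str(p.relative_to(self.src)).replace("\\", "/"): sha256_file(p)
                for p in sorted(self.src.rglob("*")) if p.is_file()}

    def run_ids(self) -> list:
        return sorted(p.stem for p in self.runs.glob("*.json"))

    def load_run(self, run_id: str) -> dict:
        return json.loads((self.runs / f"{run_id}.json").read_text())

    def backup(self, run_id: str) -> dict:
        """Returns {'status': 'ok' | 'held', 'changed': n, 'total': n}."""
        current = self._scan()
        ids = self.run_ids()
        prev = self.load_run(ids[-1]) if ids else {}
        changed = sum(1 for rel, h in current.items() if prev.get(rel) != h)
        total = len(current)
        if prev and total >= self.min_files and changed / total > self.max_change_ratio:
            # Mass change (rename + rewrite of nearly everything): hold the
            # run for a human to look at rather than push it to storage.
            return {"status": "held", "changed": changed, "total": total}
        for rel, h in current.items():
            obj = self.objects / h
            if not obj.exists():          # unchanged content costs nothing
                shutil.copy2(self.src / rel, obj)
        (self.runs / f"{run_id}.json").write_text(json.dumps(current, indent=1))
        return {"status": "ok", "changed": changed, "total": total}

    def restore(self, run_id: str, target: Path) -> int:
        """Materialise any earlier run into target; returns files written."""
        index = self.load_run(run_id)
        for rel, h in index.items():
            out = Path(target) / rel
            out.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(self.objects / h, out)
        return len(index)


def demo() -> dict:
    """Constructed scenario: a good run, then 'ransomware' rewrites every file."""
    base = Path(tempfile.mkdtemp())
    src, dest, out = base / "docs", base / "backup", base / "restored"
    src.mkdir()
    for i in range(6):
        (src / f"report{i}.docx").write_bytes(b"quarterly numbers %d" % i)
    vb = VersionedBackup(src, dest)
    first = vb.backup("run-001")
    # Simulated encryption: content replaced with noise, ".locky" appended.
    for p in list(src.iterdir()):
        p.with_suffix(p.suffix + ".locky").write_bytes(
            hashlib.sha256(p.read_bytes()).digest())
        p.unlink()
    second = vb.backup("run-002")
    restored = vb.restore("run-001", out)
    return {"first": first, "second": second, "restored": restored,
            "intact": (out / "report0.docx").read_bytes() == b"quarterly numbers 0"}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Even without the guard, `run-001` and its objects survive the second run because nothing is ever overwritten; the guard only spares you from paying for storage of the encrypted copies. A held run does mean legitimate changes made since the last good run are not backed up until someone clears it, which is the trade-off a versioned service without such a guard avoids by simply keeping both versions.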
  9. rossnixon

    rossnixon Registered Member

    Joined:
    Aug 14, 2013
    Posts:
    38
    Location:
    New Zealand
  10. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
This; if you list what backup service you use, we may be able to help you further.
     
  11. jjc225

    jjc225 Registered Member

    Joined:
    Nov 25, 2010
    Posts:
    282
    The ransom program that hit my computer is Locky, and at this time according to Bleeping Computer there is no known decryptor. I guess it is a really new variant.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I wouldn't depend on ShadowExplorer since it relies on vssadmin, which can be used to delete the shadow copies.
     
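Peter2150's caveat above is that the shadow copies ShadowExplorer reads from can be deleted with vssadmin, which is exactly what ransomware does before encrypting. As an added detection example (not from any post in this thread, and not a product's rule set), here is Python that runs over constructed Sysmon Event ID 1 / Security 4688-style process-creation records and flags the known shadow-copy and recovery-disabling commands, raising severity when the parent is an Office application, a script host, or a binary running out of a user-writable folder. The field names follow Sysmon (`Image`, `CommandLine`, `ParentImage`); the events and the parent-process heuristic are constructed for the example.

```python
"""Detect shadow-copy deletion and recovery tampering in process-creation events.

Added example for this forum thread; not from any post or vendor. The event
records below are constructed to look like Sysmon EID 1 fields, not real logs.
"""
import re
from typing import Dict, List

SAMPLE_EVENTS: List[Dict] = [
    {"Id": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet",
     "ParentImage": r"C:\Users\jjc\AppData\Local\Temp\svchost.exe"},
    {"Id": 2, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic  shadowcopy delete /nointeractive",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Id": 3, "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Id": 4, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows",          # benign: admin looking
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Id": 5, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden Get-WmiObject Win32_Shadowcopy | "
                    "ForEach-Object {$_.Delete()}",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Id": 6, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Each rule is matched against the whitespace-collapsed, lower-cased command line.
RULES = [
    ("vssadmin_delete_shadows", r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("vssadmin_resize_shadowstorage", r"vssadmin(\.exe)?\s+resize\s+shadowstorage"),
    ("wmic_shadowcopy_delete", r"wmic(\.exe)?\s+shadowcopy\s+delete"),
    ("wbadmin_delete_backups", r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)"),
    ("bcdedit_disable_recovery",
     r"bcdedit(\.exe)?\s+/set\s+\{(default|current)\}\s+"
     r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("powershell_win32_shadowcopy_delete", r"win32_shadowcopy.*\.delete\(\)"),
]
COMPILED = [(name, re.compile(pat)) for name, pat in RULES]

# Parents that should never be tearing down backups: Office, script hosts,
# LOLBins, or anything running from Temp/Downloads/AppData. Constructed list.
SUSPICIOUS_PARENT = re.compile(
    r"\\(winword|excel|powerpnt|outlook|wscript|cscript|mshta|rundll32)\.exe$"
    r"|\\(temp|downloads|appdata)\\", re.I)


def normalize(cmdline: str) -> str:
    """Collapse padding/tab tricks so 'wmic  shadowcopy' still matches."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def detect(events: List[Dict]) -> List[Dict]:
    alerts = []
    for ev in events:
        cmd = normalize(ev.get("CommandLine", ""))
        for name, rx in COMPILED:
            if rx.search(cmd):
                high = bool(SUSPICIOUS_PARENT.search(ev.get("ParentImage", "")))
                alerts.append({"event_id": ev["Id"], "rule": name,
                               "severity": "high" if high else "medium",
                               "parent": ev.get("ParentImage", "")})
                break   # one alert per event is enough
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']:6}] event {a['event_id']}: {a['rule']} (parent {a['parent']})")
```

Two caveats a practitioner would add: this catches the deletion after the fact, so it protects you only if it pages someone fast enough to pull the cable; and because the rules key on command-line text, a copy of vssadmin.exe renamed to something else would slip past the `vssadmin` patterns, which is why Sysmon's `OriginalFileName` field is worth matching in a real deployment.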
  13. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,616
    Location:
    USA
    I don't trust any AV with these things. I have seen videos of all of them fail. The reason I am currently back to ESET is that it is one of the only products left that still works with Sandboxie, which is the only thing I would trust to keep a cryptor from destroying my machine. I have offline backups, and will not pay a ransom to anyone.
     
  14. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    23,870
    Location:
    UK
    In that case image your drive now and keep the image somewhere safe in the hope that a decrypter becomes available.
     
  15. Secure_Guy

    Secure_Guy Registered Member

    Joined:
    May 4, 2016
    Posts:
    49
    Well...either that or use VMware or VirtualBox to surf the net.
     
  16. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,616
    Location:
    USA
    That works as well, but my complaint with that is backing up your drive. I do differential backups and ANY change you make to your VM makes your backup a whole lot bigger as it has to backup the entire virtual disk. Unless you make snapshots, and delete them each time. Plus, licensing gets expensive on things that are not Linux, so that is what my VM would be if I went that way.
     
  17. Secure_Guy

    Secure_Guy Registered Member

    Joined:
    May 4, 2016
    Posts:
    49
    Have you guys tried Emsisoft Anti-Malware?
    They are pretty good.

    To the OP, have a look here: https://decrypter.emsisoft.com
    Hopefully it helps.

VIPRE Rescue is also good.
     
  18. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,870
    Wow... word to the wise - make offline backup copies of your files or you're hosed.

Do you have recovery software to revert Windows to an earlier point in time? You may lose more recent work, but it's the only way to retrieve your data.
     
  19. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,870
Never open an attachment without scanning it first. If it's from someone you don't know, delete it! And never blindly follow links that could be compromised by an exploit kit. Once is all it takes. Make safe computing a habit.
     
  20. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,870
There's software like Malwarebytes Anti-Ransomware that will prevent ransomware from executing. And Malwarebytes Anti-Exploit will block exploit kit vectors to keep you safe. An anti-executable like Secure Folders/Privacy Fence can be run to make critical data files read-only so malware can't encrypt them. It's obvious an AV is not enough to protect you from ransomware.
     
  21. Pat MacKnife

    Pat MacKnife Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    620
    Location:
    Belgium
At this moment I know that Kaspersky and Avira protect against Crypto & Locky.
     
  22. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,417
    Location:
    Slovakia
Yes, security experts always recommend backups, but they forgot to mention that automatic backup is convenient but completely unreliable. :isay:

Disabling WSH and deleting PowerShell (neither is really needed) protects against the majority of malware, Locky included. I cannot say against how many, but I always check the details, and I would say at least 90%, if not 100%. https://blog.avast.com/a-closer-look-at-the-locky-ransomware The picture says it all.
     
  23. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,627
I agree. I was actually very surprised I was able to recover all of the customer's data. It was the first time I've used ShadowExplorer. Some Google searching revealed that there was no tool to decrypt the files. One of the links I found suggested running ShadowExplorer, and I figured it was worth a try.

    Sadly, way too many people don't keep backups of their important data.
     
  24. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,870
Data should be kept offline in the form of permanent hard copies.

    If your computer gets compromised, you still haven't lost anything important.
     
  25. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,500
    Location:
    .
    Spot on! :thumb:
     