Do you have a plan to deal with CryptoLocker?

Discussion in 'other anti-malware software' started by justenough, Nov 4, 2013.

Thread Status:
Not open for further replies.
  1. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
I may go back to Sandboxie instead of DefenseWall as DW is 32-bit only :)
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
To prevent it from executing, virtually all security programs do that, just like for most other malware. In fact, not falling for social engineering may be all that's needed. As for damage control, virtualization, HIPS, and backups would be key. CryptoLocker being actively developed is bad news for blacklisting though.
     
  3. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
My plan is the same as with all the other malware... to not get it in the first place. It has worked well so far :D
     
  4. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    I second what SweX says, and that is my plan also.
     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
On the Linux machines... nothing to do. On Windows, basically what Johnny123 is doing except with AppLocker.
     
  6. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    I've been thinking about playing around with AppLocker, but from what I can see the only big advantage is if you need a lot of additional rules, since it has the publisher option which is obviously safer. I only have one additional rule in SRP and that is for Program Files (x86) so I'm guessing that switching wouldn't make much of a difference, or am I missing something?
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
You should be okay sticking with SRP, although with AppLocker you can create Allow rules with exceptions; I'm not sure if that option is available in SRP. Microsoft really harps on advising against the use of Deny rules, recommending Allow actions with exceptions instead. In my case I mostly use Allow only, so there is the implicit deny action.

The link below shows a table comparing AppLocker to SRP policies...

    -http://technet.microsoft.com/pt-pt/library/ee424367(v=ws.10).aspx
     
  8. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
Anti-exe + offsite backups (just the same as for any other malware)
     
  9. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
I just looked; if there is, I can't find it.
    Yeah, it's a good idea to avoid deny rules since they take precedence over any allow rules. I haven't managed to do it yet, but apparently if you screw up with the right deny rules you can end up locking yourself out.

    At the moment the only files that can execute are in Program Files, Program Files (x86) and Windows. All of the software I have works so I guess it's better not to wake a sleeping dog. ;)
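Worked example of the Allow-with-exceptions approach wat0114 recommends and the Program Files / Program Files (x86) / Windows allow-list Johnny123 describes (added here; this is not any poster's own policy): an AppLocker executable-rule policy in which everything not matched by an Allow rule is denied implicitly, so no Deny rule is needed. The rule Ids are constructed GUIDs, and the exception paths are assumptions about folders a standard user can write to on a typical install.

```xml
<!-- Added example, not from the thread. %PROGRAMFILES% expands to both
     Program Files and Program Files (x86), so one rule covers both.
     Rule Ids are constructed GUIDs; exception paths are assumptions. -->
<AppLockerPolicy Version="1">
  <!-- Start in AuditOnly (logs what would be blocked); switch to Enabled to enforce. -->
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- Allow everything under both Program Files folders for Everyone (S-1-1-0). -->
    <FilePathRule Id="11111111-1111-1111-1111-111111111111"
                  Name="Allow Program Files"
                  Description="Covers Program Files and Program Files (x86)"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <!-- Allow the Windows folder, but carve out subfolders a standard user can
         write to (assumed: Temp and Tasks), so a file dropped there is still
         blocked without any Deny rule that could take precedence later. -->
    <FilePathRule Id="22222222-2222-2222-2222-222222222222"
                  Name="Allow Windows except user-writable subfolders"
                  Description="Exceptions keep the implicit deny for writable paths"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <!-- BUILTIN\Administrators (S-1-5-32-544) may run anything, so an admin
         account cannot lock itself out while the policy is being tuned. -->
    <FilePathRule Id="33333333-3333-3333-3333-333333333333"
                  Name="Allow Administrators everything"
                  Description="Safety net against locking yourself out"
                  UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
```

Before enforcing, check a path the policy should reject with `Test-AppLockerPolicy -XmlPolicy .\allowlist.xml -Path 'C:\Users\alice\Downloads\invoice.exe' -User Everyone` (constructed path), then import with `Set-AppLockerPolicy -XmlPolicy .\allowlist.xml`, which requires the Application Identity service to be running.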
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    CryptoLocker has reminded me that before plugging in my external backup drive, I should always restart the computer and then log in to a user account which is least likely to have malware. I also periodically burn backups to DVD media, which any later-acquired malware would probably not tamper with when inserted.
     
    Last edited: Nov 12, 2013
  11. slatari

    slatari Registered Member

    Joined:
    Mar 13, 2013
    Posts:
    2
    Location:
    United States
    I believe the following practices I normally use protect me from CryptoLocker:

    1. Use Chrome browser, with plugins set to Click-to-Play (helps avoid a Java vector)
    2. Use BufferZone Pro for automatic sandboxing (However, I exclude CHROME.EXE for convenience)
    3. Added paths to BufferZone: JAVAW.EXE and C:\Users\*\Downloads.
    4. I keep all work files in Dropbox. Versioning feature allows me to recover old versions of files.
    5. System snapshot backups with todo-backup.
    6. Avast Anti-Virus. Virus defs always up-to-date.
7+. Other practices not listed here protect me from threats other than just CryptoLocker.

    All apps above have freeware versions available.

For convenience, I prefer set-it-and-forget-it, which is why I use BZ instead of Sandboxie and why I don't have CHROME.EXE sandboxed. Excluding CHROME.EXE is slightly less secure, but Chrome has its own sandboxing and click-to-play helps prevent some drive-by attacks against sandbox weaknesses.
     
    Last edited: Nov 24, 2013
  12. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
    Programs in my signature and remote backup.
     
  13. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
HitmanPro.Alert 2.0 :thumb: :thumb:
     
  14. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    1,188
    Location:
    The Netherlands
    I hope you mean the 2.5 beta with CryptoGuard ;)
     
  15. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
  16. harshisthere

    harshisthere Registered Member

    Joined:
    Aug 8, 2011
    Posts:
    84
I do not know if you people are aware, but the Bitdefender Anti-CryptoLocker tool is updating the hosts file in Windows to block domains which are spreading CryptoLocker.
     
  17. JohnBurns

    JohnBurns Registered Member

    Joined:
    Jul 4, 2004
    Posts:
    778
    Location:
    Oklahoma City
    At the risk of showing my ignorance, I would ask a question about Windows 8.1 Automatic Maintenance - File History. Would this be subject to CryptoLocker? I thought maybe since System Restore is not affected by CL, this backup of files wouldn't be also. Just trying to get a feel for handling this. Thanks for any insight provided.
     
  18. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
Newer variants of CryptoLocker are destroying System Restore, so I would assume that Windows 8.1 File History will start getting destroyed too. Do not rely on the above-mentioned fail-safes to save you if you get infected by CryptoLocker.
     
  19. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Do you know if the anti-cryptolocker functionality is included in Bitdefender Internet Security?
     
  20. JohnBurns

    JohnBurns Registered Member

    Joined:
    Jul 4, 2004
    Posts:
    778
    Location:
    Oklahoma City
Just curious - is there a way to block or lock the USB port that my external hard drive is attached to, which would prevent CryptoLocker from having access to that drive? I found a possible program, but it is not password protected, which might make it ineffective.

    http://www.thewindowsclub.com/windows-usb-blocker
     
  21. harshisthere

    harshisthere Registered Member

    Joined:
    Aug 8, 2011
    Posts:
    84
No idea, I use the Avast free version. I do not use BD Anti-CryptoLocker either. I tried it on a friend's PC. I am using HitmanPro.Alert.
     
  22. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,892
    Location:
    US
Yes I do. I use Linux. On my Windows laptop I only watch Netflix and use VSee.
     
  23. FOXP2

    FOXP2 Guest

    At SpywareHammer BillP posted up this interesting insight about his WinPatrol...
    -http://spywarehammer.com/simplemachinesforum/index.php/topic,14904.msg139501.html#msg139501-
    Pull quotes:
    I wouldn't feel comfortable saying WinPatrol will protect you against this kind of threat.
    I'm currently spending a lot of time researching this threat so I do have a bit of experience. Using WinPatrol PLUS I have been able to detect the infiltration in time before any damage was done. Using the free version some files were compromised. However, this was under lab conditions and not by a typical user who would have allowed CryptoLocker to run in the first place. My experience is that typical users could fall prey to the download but instinct would kick in the moment they clicked.
    I'm pleased to note I have not received any reports of attacks by WinPatrol users. That either means WinPatrol users are very careful or Scotty has alerted them in time.
I can also confirm while these kinds of threats have always been around, the visibility of CryptoLocker is not good for the bad guys. I have been recruited to join with others to prevent this kind of behavior in the future.

    Here from the Bits from Bill Blogspot is a link to a how-to for using WinPatrol's Registry Monitoring to "protect your System Restore function":
    =http://www.thewindowsclub.com/monitor-windows-registry-winpatrol-plus=

    The FWIW disclaimer: this posting is FWIW.

EDIT: Well, whuddya know? A day after I post this... WinPatrol 29.1 is now available. Updated December 2nd, 2013. ...learn more about v29.1 and how it still helps us develop a permanent way to stop programs like CryptoLocker.

    Cheers.
     
    Last edited by a moderator: Dec 2, 2013
  24. smage

    smage Registered Member

    Joined:
    Sep 13, 2008
    Posts:
    378
    Hi

Does anyone know whether CIS can block CryptoLocker with default settings?

    Thanks
     
  25. guest

    guest Guest

    I'm not really sure how powerful the default settings are but...
    - The HIPS popups should tell you if there is any critical system change made by unknown programs.
    - The "protected file/folder" feature should deny access to the files/folders you have put under its protection.
    - The auto-sandbox should (depends on the settings) contain/restrict/block the malware from accessing your system.

Be careful though: CIS itself can do the same or even worse than CryptoLocker when you misconfigure it. The same applies to any strong classical HIPS software in this world.
     