• In view of serious malicious programs

    #492111

    In view of serious malicious programs such as CryptoLocker, Ransomwares and who knows how many others, I like to consider the following ideas for the folks I help plus apply to myself, but I’d appreciate comments on them especially if something doesn’t make sense. Please know that I help volunteers at a non-profit organization I volunteer at and I am just a cmptrgy and those folks are just ordinary computer users.

    If their system gets seriously infected especially by CryptoLocker, Ransomwares, and who knows how many others – instead of paying someone to allow you to regain access to your computer and your data, spend the money on either one of these two ways
    — Wipe the hard drive clean and reinstall the complete system from an external USB hard drive
    — If the hard drive cannot be wiped clean, purchase a replacement hard drive and reinstall the complete system from the external USB hard drive. Why pay crooks that take advantage of doing what they are doing?
    —— What I still don’t know yet is whether or not the make/model & size of the replacement makes a difference
    — Myself I have an external USB hard drive on which I have my Windows 7 complete system backed up

    Record the COA sticker information and keep that info on file
    — If/when those numbers get worn out it will be a problem if those numbers need to be known when a problem occurs
    — Make sure the 25-character product id number for the OS is known
    Create a disc to return the system back to original factory conditions
    — This should usually be done from the built in factory restore drive in the computer
    — The reason is that if other recovery methods are not implemented or fail for some reason the factory restore disc will come in handy
    — Although bloatware is included in this option, at least the computer will be recoverable
    — Download and burn drivers for the computer onto CD-R’s, DVD-R’s etc; whatever CD’s the system allows for
    Get the system/utility discs from the manufacturer for their make/model
    — I don’t know many people who get these when they buy their computer and I haven’t met anyone who’s willing to do so because of the cost
    — However such discs are easily identifiable since they are branded according to the manufacturer’s design
    — But if the factory restore discs are created to return the system back to original factory conditions, this part isn’t necessary
    ===
    Create a system repair disk
    — I’m under the impression that a system repair disk does not include the capability to restore the computer back to original factory conditions
    ===
    Store application discs if they have them and know their 25-character product id number
    — If there aren’t any application discs at least know the application’s 25-character product id number
    ===
    Copy/paste their data onto external media preferably a USB hard drive
    — The purpose behind the copy/paste idea is that it’s easy if a file needs to be found and brought back into use for whatever reason
    — Unfortunately this could be more than a challenge for the average computer user
    — Myself I use a batch file to copy and paste my data from my Windows 7 laptop onto a USB flash drive and also onto a standalone Windows XP computer so I have my data in 3 different places but the average computer user is not going to take the time and/or have the patience to do so

    HP EliteBook 8540w laptop Windows 10 Pro (x64)

    • #1424556

      Implement an imaging based restoration regimen for all those infections that cannot be easily identified and fixed with 100% certainty of zero compromise.

      • #1425830

        Over the years, I’ve found the best solution for me is a monthly full disk image (sector by sector) backup (to an external eSATA 1TB HDD) followed by nightly incremental image backups until the next full backup. At the end of the month, I’ll archive the prior month’s backups to another external HDD and keep them for three months.

        This way I always have between 90 and 120 daily backups which is more than enough to bring my PC back to any recent state I’d like.

        The full backup cycle can be done on a weekly basis. But I found having many historical image backups, more to my preference… I guess I’m a control freak when it comes to my PC.

    • #1424557

      Cmptgy,

      Why all of that?

      Just use drive imaging and do images on a regular basis.
      Make sure you create the boot media for the imaging program you use.

      With those two steps you have pretty much a 100% recovery from any virus in a matter of under 2 hours and your machine will be back exactly the way you left it the last time you took an image.

      Of course an even more regular file backup of your Documents folder will ensure you don’t lose any important data files.

      You don’t even have to invest a lot of money as there are great free programs like Macrium Reflect and EaseUS ToDo Backup. You just need to buy a USB attached HD which can be had for < $100 that will hold several generations of images.

      Imaging isn't hard it just takes a little learning and practice.

      Check out the posts in the Maintenance thread. HTH :cheers:

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!
      Computer Specs

      • #1425527

        Just another ‘Stupid’ question…..

        Was there NO AV protection on these PC’s that got infected by “Crypto Locker” ???

        Doc Holiday!

    • #1424580

      X3 on drive Imaging. Just look at Clint and my signatures. It takes roughly 10 to 15 minutes to restore an Image. During the restoration the HD is formatted prior to the Image being restored.

    • #1424581

      To me, there are multiple things you need to do:

      1. Backup system and data on-site and off-site
      This includes imaging as the base strategy. Use more than 1 disk, rotate them.
      Keep one disk off-site OR use cloud based backup, at the very least, for documents and important files.

      2. Get a decent, multi-layer anti-malware protection
      This involves getting more than 1 live app protecting your system, to minimize the chances of anything passing through. At least one of these apps should provide non blacklist based protection, that performs decently on antimalware comparatives. I strongly recommend one of these apps, at least, be a HIPS.

    • #1424608

      I would only add that you can combine all your ideas into one singular master plan. Even if you don’t intend to image regularly or know that someone you are helping won’t maintain such a strategy, make one master image that would include all drivers and programs, preferably after cleaning up the bloatware. That covers all your recovery scenarios except for data.

      In the event of something like Cryptovirus, data affected is not recoverable even if the virus is removed or can only be recovered if the ransom is paid and the black hat follows through with providing the decryption key. Only regular data imaging or one to one backups to destinations that are only attached to the backup source during the backup will be able to thwart the pitfalls of an encryption virus.

    • #1424893

      Thanks for all the excellent feedback
      As for me I simply maintain a system image onto an external hard drive on a monthly basis following Patch Tuesdays and use a batch file to copy/paste my daily working files onto a USB flash drive and then copy/paste them onto my standalone XP computer with its own batch file

      On my long list I presented I think I’ll use it as a checklist when I help the people.
      — Naturally I do not cover everything with them but just me keep in tune on what I’m checking out
      — Most of the people I help don’t want to spend the few dollars on an external hard drive or don’t want to bother even if the cost isn’t an issue
      — So what I’ve been doing is at least create a factory system restore disc for them as it’s simple to do
      — Last year one of my friends’ computers crashed, he had no idea where the disc was that I told him to save and he paid the price for it; but at least he finally realized that he should have listened to me

      I have cleaned out computers with too many infections due to just sloppy or no maintenance/protections
      So it just came to mind that if I run into someone with Cryptolocker or some very serious infection, why pay the bad guys; instead get a new hard drive and move on from there following up with much better recovery options than just a system restore disc
      — Well another idea just came to my mind: if someone does run into a CryptoLocker or ransomware infection; is it worthwhile reporting it?
      — I believe I would consider it

      HP EliteBook 8540w laptop Windows 10 Pro (x64)

      • #1424917

        — So what I’ve been doing is at least create a factory system restore disc for them as it’s simple to do
        — Last year one of my friends’ computers crashed, he had no idea where the disc was that I told him to save and he paid the price for it; but at least he finally realized that he should have listened to me

        I have cleaned out computers with too many infections due to just sloppy or no maintenance/protections
        So it just came to mind that if I run into someone with Cryptolocker or some very serious infection, why pay the bad guys; instead get a new hard drive and move on from there following up with much better recovery options than just a system restore disc
        — Well another idea just came to my mind: if someone does run into a CryptoLocker or ransomware infection; is it worthwhile reporting it?
        — I believe I would consider it

        Probably only worth reporting if you encounter what you think is a little-reported or new variant.

        CryptoLocker is a special variant of the ransomware type viruses; if you get a system already infected, OS/system recovery to the same drive or a new drive is inconsequential because the data is encrypted and will be lost regardless of any action taken, other than having an unaffected data backup which cannot be attached to the system at the time of infection or that data will also be encrypted.

        For any other type of infection recovery disc is fine, just wipe out the virus, though I would personally make a recovery image (which can also be burned to discs) for anyone if their current system is clean and fast operationally and tell them to guard that instead of a factory restore disc (keep that too though if made).

        Also, I have to believe, due to the effectiveness of the ransom in the case of a CryptoLocker type infection, all and new ransomware is being actively altered to take the same actions as CryptoLocker. In other words, I don’t see this pressure to be prepared for such a category of virus to get anything but much more paramount, and that means restore images and new drives just aren’t going to cut it in those cases unless the user is prepared to start over without affected data.

        That’s why the only thing, and I mean the only thing, that will let a user recover from an encryption virus infection without paying the ransom is to have unaffected backups of the data.

    • #1424932

      F.U.N.

      Couldn’t have said it any better! :clapping: :cheers:

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!
      Computer Specs

    • #1424933

      I see backups as the last line of defense. You need them, but you also need to check your active defenses. There are decent AV and antimalware programs that protect against this and any ransomware, out of the box. Just get one of those. Rely on classic, blacklist based AVs and you will always be vulnerable to this and zero day threats.

    • #1425394

      All the above are great but how about preventing CryptoLocker from installing itself. I obtained the following:-

      Wowzer – I just did some research on CryptoLocker, and that is one nasty little virus. I haven’t seen Ransomware being distributed so profusely and professionally before like that

      Run a nifty little tool to set it up for you automatically on your computer.

      More Info: http://krebsonsecurity.com/2013/11/how-to-avoid-cryptolocker-ransomware/
      http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

      OR http://partners.lazybear.com.au/cryptoprevent/ which I went for

      Please Note: This is the free version of the tool – they also have a paid version for $15 (links down the bottom of the page) that includes an auto update function as well. For the measly $15 asked I went for the PRO version

      There’s also an IT Service Provider version that allows us to distribute unlimited versions (branded under your name) of the auto updating edition

      • #1425403

        All the above are great but how about preventing CryptoLocker from installing itself. I obtained the following:-

        Wowzer – I just did some research on CryptoLocker, and that is one nasty little virus. I haven’t seen Ransomware being distributed so profusely and professionally before like that

        Run a nifty little tool to set it up for you automatically on your computer.

        More Info: http://krebsonsecurity.com/2013/11/how-to-avoid-cryptolocker-ransomware/
        http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

        OR http://partners.lazybear.com.au/cryptoprevent/ which I went for

        Please Note: This is the free version of the tool – they also have a paid version for $15 (links down the bottom of the page) that includes an auto update function as well. For the measly $15 asked I went for the PRO version

        There’s also an IT Service Provider version that allows us to distribute unlimited versions (branded under your name) of the auto updating edition

        Why run a tool that will prevent a specific version of malware, when you can run an AV or a firewall that will prevent all such threats? Sorry, I can’t understand it.

        • #1425405

          Why run a tool that will prevent a specific version of malware, when you can run an AV or a firewall that will prevent all such threats? Sorry, I can’t understand it.

          As I repair computers for inexperienced users, this tool is useful as it prevents fake AV software as well. This type of infection usually occurs because of “device at end of keyboard error” (user). User says yes so AV allows it to run. Experienced users will not have this problem so tool is not necessary.

          • #1425429

            As I repair computers for inexperienced users, this tool is useful as it prevents fake AV software as well. This type of infection usually occurs because of “device at end of keyboard error” (user). User says yes so AV allows it to run. Experienced users will not have this problem so tool is not necessary.

            I think the “device at the end of the keyboard” needs to be educated and accountable, as well. If it is not this type of malware, there will be other types of malware that will be allowed to run if users simply do not learn not to authorize stuff they did not start.

        • #1425618

          Why run a tool that will prevent a specific version of malware, when you can run an AV or a firewall that will prevent all such threats? Sorry, I can’t understand it.

          I don’t understand either, ruirib.

          I don’t understand your remark at all.

          You are such an experienced, helpful and here often seen knowledgeable person that I would have assumed you knew that most of the PuPs that install from AppData can and will not be caught by any AV program. That assumption seems to have been off base, I apologize.

          In CL’s case it is always the user who clicked on an attachment or a link and thus initiates the mishap.

          ANY new virus has a zero day infection window before any AV program can detect and (hopefully) remove it.

          And no average firewall will prohibit an action that the user initiated.

          Considering the above and the staggering number of PuPs out there that mostly install via AppData folders this special tool may well be a reasonable line of defense against a special, acute and quite common threat.

          Since CL is new and since it got “invited” by the user something like CryptoPrevent may well be advised.

          Disclaimer: I am in no way at all associated with FoolishIT; I happen to use some of their products.

          • #1425622

            I don’t understand either, ruirib.

            I don’t understand your remark at all.

            You are such an experienced, helpful and here often seen knowledgeable person that I would have assumed you knew that most of the PuPs that install from AppData can and will not be caught by any AV program. That assumption seems to have been off base, I apologize.

            In CL’s case it is always the user who clicked on an attachment or a link and thus initiates the mishap.

            ANY new virus has a zero day infection window before any AV program can detect and (hopefully) remove it.

            And no average firewall will prohibit an action that the user initiated.

            Considering the above and the staggering number of PuPs out there that mostly install via AppData folders this special tool may well be a reasonable line of defense against a special, acute and quite common threat.

            Since CL is new and since it got “invited” by the user something like CryptoPrevent may well be advised.

            Disclaimer: I am in no way at all associated with FoolishIT; I happen to use some of their products.

            I am sorry, your information is not up to date and maybe you need to re-think your AV protection. As a dedicated AV app, I use Emsisoft Antimalware. It’s been probably four months since it included optional PUP detection, which I have activated (even if my habits do not make me incur very frequently in PUP installation risks) – regarding this, EAM can even block PUPs silently, with no user input. Emsisoft Antimalware also protects against CryptoLocker and it did right from day one, through its behavior detection module.

            Also, I am not sure I understand what you said about firewalls. A HIPS, like Online Armor, will ask for permission for every new program you run or any new dll used by a program, even after the user initiated such program. Either I misinterpreted you, or you need to review how HIPS work (3rd party firewalls are usually HIPS, even if they are called firewalls, but the distinction between both is important and relevant).
            HIPS will ask you to confirm if you allow a previous unknown executable or component to run, even if you started it yourself. It can also provide advice on the specific executable or component, allowing a better informed decision. HIPS are usually whitelisting apps – they only allow execution to what you have previously allowed (they can also allow known system components without your input – and yes, they can determine what is a valid, known system component).

            So, couple best of breed AV and a HIPS and it covers pretty much anything you can throw at your computer, even zero day threats.

            You mention user actions. Yes, the user is a problem, but if a user has two apps warning about something and it still allows it… well, maybe that user shouldn’t be on the internet. It’s a blunt statement, I concede it is, but we are well past the early 2000s. Being online is risky and users need to be defensive and although tools can help, our role is to educate users.

            I have been a strong advocate here of multilayer defenses that include a HIPS. If anything, this whole CryptoLocker situation just reinforces my view about it. In my view, a HIPS coupled with a behavioral detection AV is part of an indispensable safety net that I advise to everyone. It’s not a miracle solution, it doesn’t replace careful thinking about the prompting that you will get, but it’s an overall defense strategy that just works without the need for any additional tools to counter new strategies. Chasing a specific strategy applied by a new threat is always being behind the threats. It’s the same philosophy of blacklisting AVs, which is their most glaring failure point – you are always chasing the bad guys. Whitelisting offers a better option, in my view – I have been using apps that offer whitelisting since I went online with my personal computers. Never ran one without a whitelisting app.

            To conclude I cannot avoid stating that PUPs, annoying as they are, are not malware. So while inconvenient, there are really no risks coming from them, at least for now, but best of breed AVs can still get them. The one I use does, and that’s also why I advocate best of breed AV apps, which are never free – good technology costs money and I am happy to invest just a few dollars in them, since I’d rather be safe than sorry.

            P.S.: Please note that I am not against adding CryptoPrevent, or any other defense measure. What I really mean is that it is much better to add protection that works against multiple threats and ensure the best protection one can get. From what I read about it, it won’t do any harm, but the point is, you will only be protected until this CryptoLocker changes its strategy or any other CryptoLocker comes with a new one.
            If you want to add it as an extra protection layer, fine. People should not view it as the substitute for a defensive security strategy that can prevent this and other threats, though.

    • #1425408

      If you are close to paranoid about this stuff you may want to look at CryptoPrevent.

      Additionally it will thwart many of the currently (in my area at least) prevalent PuP malware infections that have crippled many a computer.

      Disclosure: I am in absolutely no way affiliated with FoolishIT except that I use two of their tools on my own machine.

    • #1425414

      It is, unfortunately, a fact that the readers of this Lounge are for the most part the more experienced users that wish to advance their PC knowledge beyond the simple user. These tools, although perhaps very good for those that read the lounge, or those that repair the PCs of those “average users”, will never be known by those very same “average users” who blithely click along exposing more and more PCs to all the nasties that may be hiding in their PCs. Heck most of these “average users” do not even realize their PC did or did not come from the manufacturer with any type of security apps such as AV/AM apps. Fortunately, many of the larger PC manufacturers do include an AV/AM app by default. If the manufacturer does not, then MS does in the form of Windows Defender in Win 8 and Win 8.1. Even though many here believe this app is less than effective to the 3rd party apps, for these “average users” it very well might be all they have available.

      I commend all you PC professionals that do teach your customers about security, or install security apps on your customer’s PCs and show them how to update the sigs. and run scans. Now if we can educate the “device at end of keyboard error” (user) to these ideas, we may be able to make headway in the fight against those whose only goal in life is to make PC user’s lives difficult.

      • #1426660

        Fortunately, many of the larger PC manufacturers do include an AV/AM app by default. If the manufacturer does not, then MS does in the form of Windows Defender in Win 8 and Win 8.1. Even though many here believe this app is less than effective to the 3rd party apps, for these “average users” it very well might be all they have available.

        Speaking of free anti-virus and anti-malware applications, just yesterday I had a drive-by infection of the PC Antivirus 2009 type, and both my up-to-date Windows Defender and my up-to-date, running-in-the-background anti-virus program allowed it to do its dirty work.

        The thing that saved me was — as soon as I saw the nasty screen pop up with its spurious demands — to turn off my PC using the Power button (i.e., holding it in for 5 seconds) and reboot into Safe Mode (Win7 64-bit) with networking. From there I downloaded and immediately updated Malwarebytes AntiMalware (free) and SuperAntiSpyware (free) and went to the website of the free Trend online anti-virus scanner. I ran all three simultaneously (in Quick Scan mode), and after about 15 minutes ONLY ONE of them picked up 10 assorted Trojans/PUPs, etc. That was Malwarebytes. The other two ran longer but found nothing but tracking cookies. Malwarebytes then quarantined and deleted all of them. When I rebooted my PC all was well again! So much for relying on the anti-virus capabilities of the “usual suspects.”

        • #1426671

          Speaking of free anti-virus and anti-malware applications, just yesterday I had a drive-by infection of the PC Antivirus 2009 type, and both my up-to-date Windows Defender and my up-to-date, running-in-the-background anti-virus program allowed it to do its dirty work.

          The thing that saved me was — as soon as I saw the nasty screen pop up with its spurious demands — to turn off my PC using the Power button (i.e., holding it in for 5 seconds) and reboot into Safe Mode (Win7 64-bit) with networking. From there I downloaded and immediately updated Malwarebytes AntiMalware (free) and SuperAntiSpyware (free) and went to the website of the free Trend online anti-virus scanner. I ran all three simultaneously (in Quick Scan mode), and after about 15 minutes ONLY ONE of them picked up 10 assorted Trojans/PUPs, etc. That was Malwarebytes. The other two ran longer but found nothing but tracking cookies. Malwarebytes then quarantined and deleted all of them. When I rebooted my PC all was well again! So much for relying on the anti-virus capabilities of the “usual suspects.”

          Not all AVs are alike. No AV will protect against everything, but there are those that are better than others… and I think having two live apps to detect malware get you a better chance of remaining free of malware.

      • #1429626

        I will just add my own ditto to the image chorus. Most all of us here live by the simple rule; image after any Change or patch, security with regularly updated AV/AM apps, and regular data backups. Those of us with the paranoia gene unplug the USB drive when not creating the image and do regular file backups too. Granted you probably can’t expect said “average user” to follow this plan, BUT, everyone should have at least one “clean” image of the OS in good working order. I always create one after bailing out a friend, co-worker, or family member from some dire “my computer won’t work! Can you help?”
        It’s been said enough here and for a LONG time, but new members or whatever, it bears repeating so:

        BACKUP, BACKUP, BACKUP, CREATE AN IMAGE!

        Joel

    • #1425435

      Thanks every one for your excellent feedback. In reviewing how I posted my concerns I got carried away making up that long list because my intent was supposed to be how can I get the volunteers I’m trying to help have the proper software/information available if their computer has a serious attack from what I’ve seen advertised so much: Cryptolocker & Ransomwares

      Anyway my focus was supposed to be
      If a computer becomes infected with one of those very serious infections, why pay the bad guys, instead spend the money to replace the hard drive and restore your backup
      — As mentioned “an unaffected backup”

      This really doesn’t need to be elaborated on anymore as I should have done a better job of focusing on what my intent was but your inputs helped me add to how I will deal with such a situation if/when it comes up
      — Since too many folks don’t have a clue on what proper maintenance & protection means I just have to accept it for what it is

      Have a great Thanksgiving Day

      HP EliteBook 8540w laptop Windows 10 Pro (x64)

      • #1425442

        In reviewing how I posted my concerns I got carried away making up that long list

        Exactly, and a lot of posts in response were about simplifying that list so that one procedure would fit most, but simultaneously we’re doing some rethinking about attached or network backup drives because of the CryptoLocker virus specifically. The Mike Tech Show #481 podcast is dedicated to Mike’s detailed encounter with CryptoLocker at a business he supports.

      • #1425520

        Here is my experience with Crypto Locker…last week…

        Client brought laptop in….infected with CL…I opened some Word and Excel files and a few PDF’s just to see what happens…
        The files that would open were pure garbage…Word could not open any .doc’s…

        Since I had not seen CL before, I went out to several forums looking for help…

        Talked over the issues with client and since he had no backups at all…he decided to pay the ransom and “hope” he would get at least some of his
        data back…

        Had to get the MoneyPak card which I found out is available at Walmart, in the “Money Center”…

        I connected the infected lapper to my network after turning off all my computers…powered up and got the CL warnings…
        I scratched off the silver cover over the numbers on the MoneyPak card…and entered them in the laptop…
        I started this about 11pm with the hopes that by the morning, it would have done what it was going to do…

        Next morning, no joy….error message said I was not connected to Inet…I opened IE and sure enough I WAS connected to Inet…
        I let it run…checked on it in a few hours and found that Vipre had run a scan and cleaned a virus….it was the CL virus…
        Now nothing was working…

        Following thru the various error messages, I found a place where CL conveniently provided a link so that you can download CL and run it again as
        that is the only way you can “reconnect” the virus to the control servers to get the decryption key…

        I left the laptop connected to my network most of the day…since CL conveniently provided a message that said…while MoneyPak was being “processed”…

        I got several error messages that the MoneyPak number did not exist…but finally, after about almost 2 days I saw it scanning files and it indicated it was
        saving those files…

        After it was done, I opened a number of files and it looked like about 5% of the files were NOT decrypted…so those files are lost…

        About 2 days later I got an email from my ISP, ATT saying that they had detected bot activity on my IP address and that I needed to explain to
        ATT what was going on and how I was fixing it or face the possibility that my IP will be blacklisted…I responded pretty quickly…

        After my experience and posting on several forums….here are a few thoughts…

        1. It appears that CL will infect any attached USB hard drives…
        2. It appears that CL will infect any mapped hard drives…
        3. It appears that CL will, during the “de-cryption” process place a bot on the computer
        for future infections…and perhaps DNS director…
        4. I am using the Crypto Prevent from http://www.foolishit.com/vb6-projects/cryptoprevent/
          I don’t know how effective it is…but as they say…”any port in a storm”…this is going on all my clients computers…
        5. AND I’m advising all my clients about the email that CL seems to use to get the virus out…

        For my PC’s I got a 3 TB USB HD and am using Macrium Reflect to create regular full image backups…as it seems
        quite likely that CL CANNOT infect a compressed, encrypted backup…I plug the USB HD in and run Macrium about
        once a week and UNPLUG the HD after the image has been created…

        • #1425541

          I just bought two cheap 2TB drives

          Back up my data on each, alternating them, every week
          then disconnect them from the PC

          The reasoning is to make sure that one of them is still good should CryptoLocker hit
          and also infect the backup disks. At worst it might have gotten one of them.

          I can always scrub the HD and reinstall programs
          but I cannot recreate the data

          In addition, a separate disk for backup imaging purposes used weekly.

          Worst case is that I lose a week’s worth of work/data that may need to be redone

          But prevention is better than cure

          Unless some expert here can say otherwise (and I am listening!)
          use a good antivirus program
          also one that guards the registry against changes unless you approve
          anti-rootkit software

          I use MBAM, Norton, WinPatrol, SpywareBlaster, RUBotted, plus a number of batch programs including a couple from Microsoft that need to be reloaded every time before using them.

          Turn off Java, JavaScript, Flash, ActiveX, Active Desktop, and never open an email if you don’t know for sure it was actually sent by someone you know and not faked.

          Stay off the internet if you are not actively using it intentionally.

          Do not open any file without checking it first.

          Stay away from Facebook, Hotmail, LinkedIn and all the sites that admit they are putting software on your PC and/or tracking your every move or worse.

        • #1425546

          using Macrium Reflect to create regular full image backups…as it seems
          quite likely that CL CANNOT infect a compressed, encrypted backup…I plug the USB HD in and run Macrium about
          once a week and UNPLUG the HD after the image has been created…

          A file is a file.

          A compressed file can be processed by another compression utility (but probably not result in a smaller output file)

          If CL has the ability to encrypt a file I see absolutely no reason why it would be unable to additionally encrypt an already compressed and encrypted backup file.

          • #1425554

            Back to an earlier post here: Where do you find the “25” character ID? I have my computer’s product number and serial number and system info, but the Windows Product ID only contains 23 characters including the hyphens.

            BTW, I do have redundant full weekly backups and daily data backups, and cloud data backups, plus the manufacturer’s restore DVDs purchased separately in addition to the restore partition on the computer.

        • #1425564

          For my PC’s I got a 3 TB USB HD and am using Macrium Reflect to create regular full image backups…as it seems
          quite likely that CL CANNOT infect a compressed, encrypted backup…I plug the USB HD in and run Macrium about
          once a week and UNPLUG the HD after the image has been created…

          I also use Macrium in the way described. It produces backup files with a .mrimg extension, which in any case is not among the file types which CL is said to act upon. However, I guess this is no guarantee?

          My backups go to a partition on an external USB drive. I don’t want to disconnect the drive, because there are other partitions on it which are always in use. Is it possible to disable just one partition, while leaving the drive connected?

          • #1425568

            Does anyone here know if CryptoLocker acts immediately upon infecting your computer?
            You can do all the backups you want, but if CL is on your backup, you’re out of luck.

            Dave S.

            • #1425589

              So you keep multiple backups – probably at least three – so you can revert to a backup which was taken before the infection occurred.

    • #1425438

      First off, I do appreciate Windows Secrets – Thank you!

      Now, I am one of those close-to-average/moderately-advanced “devices at the end of keyboard”. I follow several newsletters and try to take care of things as best I can. But I do also find much of this information somewhat overwhelming – although interesting and important. I have been trying to organize a backup plan for the computers we use in our non-profit association – and continue to be stalled at the barrier of being a fairly advanced user, but lacking technical knowledge.

      One little bit of information that I have not been able to track down (perhaps due to not finding the right keywords) is related to backups and imaging – I feel like this must be such a basic type of question that I almost feel embarrassed to post it, but here goes:

      1. How can I prepare a large HD to be used to back up or image several computers? Sometime in the past, when trying to use backup/imaging resources on the Windows systems, messages would come up saying “all content on the drive will be erased”, at which point I always backed off – and stayed scared to try much of anything… .
      2. Would the use of one large HD be advisable, or would it be wiser/necessary to have a separate backup drive for each computer (besides considering the “eggs in one basket” factor)?
      3. We have 3 computers that, if I am understanding things correctly, should have periodic images for emergency recovery, besides something like incremental backups for documents. One has a 500 GB main drive, another one has a drive that lists as 666 GB on properties (whatever that would be if I were trying to buy a new one) and the other one lists on properties at 297 GB – What would be the minimum size of external HD that could be used? Would 2 TB be enough?
      4. How does one calculate the size needed for backup?
      5. I have been trying (with little success so far) to put a 2 TB HD on my router to keep backups of documents. Is that a good way to go (should I keep slugging away at it, or just use the HD for something else)?

      When you high tech guys write your beginners’ guides to developing a backup plan, can’t you include information about what kinds of drives/USB devices can be used and how to prepare them for what kinds of uses?

      Thanks!

      • #1425516


        Hi,
        Welcome to the Lounge.

        With the most used imaging apps here, you can pretty much use any external hard drive without any preparation. The drive will come formatted and you can add any folders that allow you to keep things organized the way you want them. I just keep a main Backup folder, with subfolders named for each computer and I just add the imaging files inside each folder. There’s not much more into it.
        Using the native Windows imaging app may require an extra small effort, since you should rename the backup folder created for each image, to avoid a new image deleting the previous one.

        When imaging, images take around 60%-70% of the used capacity of the imaged disk. I am thinking that probably most of your disk space is not used, so probably a 1TB disk would be enough, but probably a 2TB disk gives you more room and it’s probably the best option.

        Now, at the moment, while backing up my 3 active computers, I rotate two hard drives (one 750 MB disk, another 1000MB). Each of the disks takes multiple images of the 3 computers, so I am able to keep at least 2 images of each, in each of the backup disks. So, if you feel a bit more paranoia-inclined, like me, you probably could go with 2 x 1TB disks and rotate them. That would save you from an issue with the backup disk itself :). Whether 1 TB would be enough for you, that would depend on the amount of disk used in each of your computers.
        Another option is to use some cloud backup – this could allow you to use just one disk and feel safe, nonetheless.

        Bottom line is, backup at least to one external disk, this is the very minimum. For added safety, add another disk and / or the cloud.

        HTH.

    • #1425463

      May I ask a simple question about this kind of virus: I have my OS and programs in one partition and my data in another. Will the D partition be infected and blocked also, as my programs get infected? I make images of the C more or less regularly, but backing up the data partition is more troublesome.

      • #1425517


        It may be infected. The latest infamous threat, CryptoLocker, would infect data files only, so your D drive would surely get contaminated.

        Personally I think backing up the data partition is even more important than backing the OS partition. Programs can be replaced with more or less effort, your data may probably be irreplaceable, if you lose it for any reason.

    • #1425464

      And a Happy Thanksgiving Day, and Happy Holidays to follow, to you and yours.

      As an IT Professional of 30+ years, this topic always gets my attention, whether on this or other forums.
      Medico and I share many of the same thoughts on data preservation. Just read our Signature Lines!
      I have extensive experience setting up Backup systems for end users, small companies, Corporations and even one Bank.

      It only takes a few minutes with a friend or customer for me to know if I’m just spinning my wheels trying to impart to them the need for proper AV/AS protection and regular scheduled PC Maintenance, or not. Some folks just don’t seem to care, and won’t take the time to do anything for their computer. That’s why I try to automate as much AV protection and HD maintenance as possible.

      When I get a “Live One” I do take the extra time, to show them how to do backups of at least their important data files. I’ve even gone so far, with a customer, to where I drive to a retail store and pick them up a 32 GB or bigger Flash Drive to hold all their Data Files. Then I set them up with a shortcut on their desktop, to a Batch File using XCOPY that will back up all their data files to the Flash Drive. With the XCOPY switches properly set, only new files or files that have been updated, will be copied. This keeps the daily backup down to just a few seconds, after the initial backup.
      My own Backup batch file, using XCOPY, is now almost 20 lines long, so I get a lot more than just what’s in the MyDocuments folder.

      I’m not ignorant of the fact that even an external backup drive can fail, so I use two of them, connected permanently to my computer via a USB3 add-on card.

      Going back way too many years, my own favorite saying has always been “the only bad backup is the one you decided NOT to make“.

      My computer is way too busy to just get a backup once a month or more. With a month-old backup image, I’d lose too much if I had a HD crash.
      So I do my whole-drive backups at least once a week, and my data backups daily.

      With the package of AV/AS and AM software that I use, (six programs in total) getting infected by even the most cunning virus is a one in a million chance, but a hard drive crash can happen at any moment of any day. I’ve been there, done that, and it wasn’t pretty!!! In one summer, I lost four hard drives. [but all my data was backed up, so I never lost even ONE file]

      They were all WD drives and I’ve never used another one of those since then. But, even the most expensive drive, from the worlds best drive manufacturer will die eventually. So read my sig line!

      Again, I’d like to wish y’all, a very Happy Holiday Season!

      The Doctor (growing old in Florida) 😎
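The daily XCOPY data backup described above, as an added example rather than DrWho’s own batch file (which the post does not show), written in PowerShell so it can refuse to run when the drive is absent and keep a log of each run. The drive letter E: and the folder list are assumptions; adjust both.

```powershell
# Added example, not DrWho's batch file: incremental copy of a user's data folders
# to a removable drive with xcopy.exe, driven from PowerShell.
# Assumptions (not from the thread): the backup drive mounts as E:, and the folder
# list below is the set of data folders you care about.
param(
    [string]$Destination = 'E:\Backup',
    [string[]]$Sources = @(
        "$env:USERPROFILE\Documents",
        "$env:USERPROFILE\Pictures",
        "$env:USERPROFILE\Music",
        "$env:USERPROFILE\Videos",
        "$env:USERPROFILE\Desktop",
        "$env:USERPROFILE\Favorites"
    )
)

# Never "back up" onto the system disk: if the removable drive is not mounted,
# stop rather than silently creating the backup folder somewhere else.
$root = [System.IO.Path]::GetPathRoot($Destination)
if (-not (Test-Path -LiteralPath $root)) {
    Write-Error "Backup drive $root is not present; plug it in and run again."
    exit 1
}
New-Item -ItemType Directory -Path $Destination -Force | Out-Null
$log = Join-Path $Destination ('backup-{0:yyyyMMdd-HHmm}.log' -f (Get-Date))

# The xcopy switches that make this incremental and unattended:
#   /D  (no date given) copy only source files newer than the destination copy
#   /E  subdirectories, including empty ones
#   /C  continue after errors such as a locked file
#   /H  include hidden and system files
#   /I  assume the destination is a folder, so xcopy never asks "file or directory?"
#   /Y  overwrite without prompting
#   /R  overwrite read-only destination files
#   /K  keep file attributes
$failures = 0
foreach ($src in $Sources) {
    if (-not (Test-Path -LiteralPath $src)) { continue }
    $dst = Join-Path $Destination (Split-Path -Leaf $src)
    "== $(Get-Date -Format s)  $src -> $dst" | Add-Content -Path $log
    & xcopy.exe $src $dst /D /E /C /H /I /Y /R /K 2>&1 | ForEach-Object { "$_" } | Add-Content -Path $log
    # xcopy exit codes: 0 files copied, 1 nothing newer to copy, 2 interrupted,
    # 4 initialisation error (bad path, no space), 5 disk write error
    if ($LASTEXITCODE -gt 1) {
        $failures++
        "   xcopy exit code $LASTEXITCODE for $src" | Add-Content -Path $log
    }
}
"Finished with $failures failing source folder(s). Log: $log"
```

Save it as, say, C:\Tools\backup-data.ps1 and point the desktop shortcut at `powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Tools\backup-data.ps1`, then eject the drive when it finishes. Two caveats: /D only copies files whose source timestamp is newer, so a copy like this will happily overwrite a good backup with a freshly encrypted version the next time it runs after an infection, which is why the thread pairs this kind of daily copy with dated images or rotated, unplugged drives; and a drive left attached is reachable by CryptoLocker, as the first post in this thread found out.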

      • #1425719

        I’m not ignorant of the fact that even an external backup drive can fail, so I use two of them, connected permanently to my computer via a USB3 add-on card.:

        Hi, Dr. Who,

        I’m with you big-time on the need for regular backups, but I’d like to add one further precaution. I’m no techie, but after owning and playing with computers for almost 30 years, I’ve made enough mistakes myself – and have seen others make even more – to actually have some of it penetrate my skull, and the one thing that was hammered into my brain early on was the concept of always having an “off-premises” backup.

        Having one, two, or a dozen external backup drives connected to a computer in one location won’t protect data against fire, theft, a lightning strike, or even a CryptoLocker strike that might reach out and affect networked drives. If someone’s house or business burns down or is burglarized, the likelihood of that happening at both locations simultaneously is near zero, so folks are a lot safer keeping their most recent backup of their home computers at work, and vice versa. For those who work at home, keeping the most recent backup in a waterproof container in a locked garden shed or at a friend’s/relative’s house is a way to achieve off-premises backup safety.

        Is maintaining a current off-premises backup a bit more of a hassle than just having a backup drive or drives always hooked up? Sure, but it’s not that hard to do, and it’s a heck of a lot less hassle than having to start your digital life all over again from scratch if your backup drives have been incinerated or stolen. Ever hear of a home or business burning to the ground and the owners losing absolutely everything? It’s easy to convince ourselves that it’s not a likely scenario, that such things only happen to other people, and that it’s not worth the trouble, but that’s the way I used to think until I had two HDDs die on me within about 18 months, the second one being the new replacement for the first.

        Thanks for all the excellent insights you post, and most especially for encouraging people to BACKUP, BACKUP, BACKUP. If I may be so bold as to adopt and amend a phrase from your signature file, “Off-premises backups rock!”

        Cheers,
        Al

        • #1425781

          As I read about the need for an off-site copy, it occurred to me that I could put a copy into bubble wrap and keep it in my glove compartment or spare tire compartment. I don’t keep serious secret data on my system so that wasn’t an issue, but I think it may be a good move for me – what do you gurus think? By the way, many people don’t read the shock specs for hard drives, but the last time I read one at Western Digital, it was impressive – survives a 5′ drop onto the floor, etc. People are all aware that a plugged-in HDD mustn’t be shocked. I think I will re-visit WD for the latest shock specs on my WD1001FAES. I might be unpleasantly surprised!
          Paul

          • #1425783


            The problem with keeping the disc there is having it stolen by someone. Probably could make more sense to keep it at a relative’s place. I have seen someone saying that they use a bank safe for that. In either case, you probably should password protect your images.

            • #1445422

              thanks again, ruirib

              I agree the danger is having it stolen. However, as I said, I don’t keep serious secret data on my system. It’s just lots of photos of family, my mango tree or black Lab dog or a fish I caught, and MP3 files of old CDs, so I don’t have much fear.

              Since my nearest relative (or good friend even) is over 100 miles, I would have to buy 3 or 4 drives and UPS them back and forth. I know I am just being silly, but, for me, some of the heavy user solutions are not really feasible. My safe deposit box is only $50 a year and it’s close by.

            • #1445430

              My safe deposit box is only $50 a year and it’s close by.

              That’s a great solution, as well :).

      • #1426085

        And a Happy Thanksgiving Day, and Happy Holidays to follow, to you and yours.

        When I get a “Live One” I do take the extra time, to show them how to do backups of at least their important data files. I’ve even gone so far, with a customer, to where I drive to a retail store and pick them up a 32 GB or bigger Flash Drive to hold all their Data Files. Then I set them up with a shortcut on their desktop, to a Batch File using XCOPY that will back up all their data files to the Flash Drive. With the XCOPY switches properly set, only new files or files that have been updated, will be copied. This keeps the daily backup down to just a few seconds, after the initial backup.
        My own Backup batch file, using XCOPY, is now almost 20 lines long, so I get a lot more than just what’s in the MyDocuments folder.

        The Doctor (growing old in Florida) 😎

        I have found the Karenware Replicator to be a great little free tool for doing those frequent flash drive backups. You can get it here:
        http://www.karenware.com/powertools/ptreplicator.asp

      • #1429239

        “Going back way too many years, my own favorite saying has always been “the only bad backup is the one you decided NOT to make”.

        Well said! The second bad backup is the one done carelessly and there is no restore possible, discovered too late.

        Roland

      "Take care of thy backups and thy restores shall take care of thee." Ben Franklin, revisited

    • #1425525

      I’m especially paranoid and make a complete clone copy of my master hard drive at the end of every month. Since all of my data files are backed up in real time on an external drive, those aren’t usually affected. So if I wind up with an infected hard drive and system, I can overwrite the original hard drive from the clone and, worst case, only have to gather up whatever has changed in the prior 30 days. This has already saved me a lot of money and trouble having to wipe and reinstall the system. Fortunately it doesn’t happen often so it hasn’t been a problem, but it’s a great solution for those rare occasions.

    • #1425533

      I’m retired now, but part of my job was to make sure that all the computer controllers taking important data were safe from data loss. I always kept what I call a “pristine hard drive” containing all the settings and drivers that were required to keep complex measurement systems functioning. A “working hard drive” was used to take measurements – it was a clone of the pristine hard drive. Images were made routinely of the working hard drives, especially after taking a set of critical data. More than once I was called on to restore a computer controller using the recent image of that machine.

      Yes, I had some HD crashes and was able to use the pristine hard drive to reclone and then the most recent image to restore critical data. Users were advised that I should be allowed access to these machines so that the data would be secure.

      The same thing can be done in one exercise: have a pristine hard drive that could be recloned to a fresh HD should there be a crash, or use a recent image to restore data including a functional OS in minutes.

      Al

      PS: I use Acronis

    • #1425613

      Regarding Crypto Prevent and the suggestions in several recent Windows Secrets Newsletters:

      Why does Windows by default allow executions from these locations in the first place? I am referring to the locations blocked (with Whitelist exceptions) by all the mitigations and Group Policy changes and EMET restrictions I have read about so far. Why not just issue a Critical Security Update for each Windows version, and enforce these policies across the boards — adding a GUI Whitelist configurator for those exceptions which may arise on a particular Windows installation?

      By contrast, my Ubuntu Linux already uses Whitelists and No Exec types of restrictions, has an included firewall, and warns of any “substandard” installation package before allowing it to execute. Most of the security policies are stricter than Windows, and nobody gets to run anything as Root (super-Administrator) without a login popup window.

      If Linux can do this, why can’t Windows? Are Windows programs so badly written that they provoke excessive blocks or popup dialogs when proper security restrictions are enforced across the boards? Do too many Windows programs run as Administrator for no good reason? Is the Operating System itself inherently insecure?

      This is not to say that an unwary Linux user can’t get hit by crypto-viri. We can, and it has happened occasionally. But almost always it was a case of an inexperienced or unwary user actually overriding warnings and login dialogs, or a locally injected rootkit. At least as far as I have read to date.

      If you really want to stay up late at night, think of the next-gen viri which can overwrite parts of the BIOS and other firmware if they can get past hardware DEP. No one would be safe from these monsters.

      In reference to DrWho’s backup regimen — he says he leaves his backup drives (all three of them?) always attached to the main computer (even when it is online?). So can’t CryptoLocker encrypt ALL local drives? Including those precious Backup Drives?

      I always leave my backup drives unplugged until the system is offline and thoroughly scanned by two or three full-system AV/AS scanners. Yeah, this can take a whole overnight, but it’s worth it for the peace of mind. And in no case are all my backup drives attached at the same time. I don’t think I’m being excessively cautious, given what we’ve seen and been reading lately.

      Still, I’d trust my Linux online before I’d trust even hardened Windows online. Which may explain why I’m using Ubuntu right now as I post this. I may not be bomb-proof, but I think I am pretty bullet-proof here.

      -- rc primak

      • #1425616


        I will focus on one thing you said: whitelisting – you can get whitelisting functionality in Windows simply by using a HIPS. Nothing will run unless you explicitly allow it – which I believe can be a problem for some users, but people need to know what they are doing!

        About backup drives being online and CryptoLocker – yeah, keeping the drives online would ensure CryptoLocker would have a field day with them.
        Anyway, the main issue is still preventing malware from running, which an HIPS would do and good, behavior blocking AVs would do as well.

    • #1425671

      I think it’s a balancing act Rui.

      As you may recall, some time ago, I ran Online Armor in conjunction with Emsisoft Antimalware and was very impressed with them. Unfortunately, I then started to suffer from BSOD’s triggered by the incompatibility of Online Armor and Virtual Box, which I needed to run for other purposes. It resulted in me having to remove Online Armor.

      If I had Online Armor still installed on systems at home, I would be quite happy that the HIPS would give me measures needed to prevent CL, but for the reasons above I can’t run them, so I need extra layers. My children would not know how to react, so they also get additional layers of protection too.

      At work, it’s a different story. The effort to configure an interactive HIPS in a commercial environment coupled with the inability of non technical staff, who are under pressure to get their work done, would result in simply clicking the accept button when whichever HIPS tool used requests permission. Yes, I agree people shouldn’t click, but it’s really hard to get the message across and people are human after all. I would like to lock down opportunities for people to make mistakes, but to a certain extent, I’m prevented from doing so.

      So, at work, we do have HIPS in our Endpoint Security, but it’s silent. I’ve also deployed additional software restriction policies, by group policy, over and above those required to meet company operating policies and receive automated emails through task scheduler if somebody tries to do something they shouldn’t.

      I do get occasional problems with restrictions being triggered and can sympathise when bobprimak asks why does Windows allow execution of apps from %appdata% with very little security requirements by default. It’s one of the biggest and most obvious differences between Windows and other families of Operating Systems. In fairness to Microsoft, it stems from historical configurations of their OS that wanted to be easy to use, but in so doing left gaping holes that have now for the most part been plugged. But the legacy continues: why does some software want to run from places that it shouldn’t? It would be nice to say “ban everything from running from there”, but the world turns to a different tune.

      In my view HIPS is the go-to solution for the home user if they are competent to use it proactively. Failing that, something like the Crypto Prevent tool is a useful addition…..but at work, it’s not quite so straightforward and, yes, I worry a little. :huh:
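An added example of the two things this post mentions, software restriction policies that stop executables launching from %appdata% and an automated alert when a rule fires; it is not the poster’s actual configuration, which the thread does not show. It writes the same registry keys the Local Group Policy editor (and tools such as Crypto Prevent) use, so it also works on Windows editions without gpedit. The blocked patterns, the example whitelist entry, the script path and the mail server and addresses are all assumptions.

```powershell
# Added example, not the poster's policy. Local Software Restriction Policy (SRP)
# path rules that stop executables starting from user-writable folders, plus a
# scheduled task that e-mails when a rule fires. Run from an elevated PowerShell;
# log off and on (or reboot) for new rules to apply to fresh processes.
# Assumptions: the blocked patterns, the whitelist entry, and the mail settings.
#Requires -RunAsAdministrator

$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security levels; the subkey names are the decimal values
$Unrestricted = 262144   # 0x40000

# Policy-wide values (the same ones the Local Group Policy editor writes):
#   DefaultLevel 0x40000 = Unrestricted; we only add Disallowed exceptions
#   TransparentEnabled 1 = check executables but not DLLs (2 checks DLLs too, much noisier)
#   PolicyScope 0 = apply to all users, administrators included
New-Item -Path $safer -Force | Out-Null
New-ItemProperty -Path $safer -Name DefaultLevel       -Value $Unrestricted -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $safer -Name TransparentEnabled -Value 1             -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $safer -Name PolicyScope        -Value 0             -PropertyType DWord -Force | Out-Null

function Add-SaferPathRule {
    param([int]$Level, [string]$Path, [string]$Description)
    # One subkey per rule under <level>\Paths\{GUID}; the GUID only has to be unique.
    $rule = Join-Path $safer ('{0}\Paths\{{{1}}}' -f $Level, [guid]::NewGuid())
    New-Item -Path $rule -Force | Out-Null
    New-ItemProperty -Path $rule -Name ItemData    -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $rule -Name SaferFlags  -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $rule -Name Description -Value $Description -PropertyType String       -Force | Out-Null
}

# %AppData%\*.exe is the CryptoLocker drop location the newsletters describe; the
# one-level-deeper patterns and the archiver temp folders (WinRAR "Rar*", 7-Zip "7z*",
# WinZip "wz*") cover attachments users run straight out of a zipped e-mail.
$blockPatterns = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%UserProfile%\AppData\Local\Temp\Rar*\*.exe',
    '%UserProfile%\AppData\Local\Temp\7z*\*.exe',
    '%UserProfile%\AppData\Local\Temp\wz*\*.exe',
    '%UserProfile%\AppData\Local\Temp\*.zip\*.exe'
)
foreach ($p in $blockPatterns) {
    Add-SaferPathRule -Level $Disallowed -Path $p -Description 'Block exe in user-writable folder'
}

# Whitelist exception: a more specific Unrestricted path rule wins over the broader
# Disallowed wildcard. The vendor path here is invented, for an updater that insists
# on living under %AppData%.
Add-SaferPathRule -Level $Unrestricted -Path '%AppData%\ExampleVendor\Update\updater.exe' -Description 'Allowed updater'

# A blocked path rule logs Event ID 866 (source SoftwareRestrictionPolicies) in the
# Application log. Register a task that runs on that event and mails the details.
$alertScript = 'C:\Tools\srp-alert.ps1'
New-Item -ItemType Directory -Path (Split-Path $alertScript) -Force | Out-Null
@'
$ev = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SoftwareRestrictionPolicies'; Id = 866 } -MaxEvents 1
Send-MailMessage -SmtpServer 'mail.example.org' -From 'alerts@example.org' -To 'admin@example.org' `
    -Subject "SRP blocked an executable on $env:COMPUTERNAME" `
    -Body ("{0}`n{1}" -f $ev.TimeCreated, $ev.Message)
'@ | Set-Content -Path $alertScript -Encoding ASCII

$query = "*[System[Provider[@Name='SoftwareRestrictionPolicies'] and EventID=866]]"
schtasks.exe /Create /F /TN 'Alert-SRP-Block' /RU SYSTEM /SC ONEVENT /EC Application /MO $query `
    /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File $alertScript"
```

Test it before rolling it out by copying notepad.exe into %AppData% and double-clicking it: the launch should fail with the SRP message and an Event 866 (and an e-mail) should follow. Two caveats: on a domain-joined machine put the same rules in a GPO instead, since domain policy overrides these local keys; and SRP only checks at process start, so it stops a dropped executable from running but does nothing for a payload that is already running or that arrives as a script handled by an interpreter the rules do not cover, which is the reason the thread keeps coming back to backups as the last line.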

      • #1425674

        I think it’s a balancing act Rui.

        As you may recall, some time ago, I ran Online Armor in conjunction with Emsisoft Antimalware and was very impressed with them. Unfortunately, I then started to suffer from BSOD’s triggered by the incompatibility of Online Armor and Virtual Box, which I needed to run for other purposes. It resulted in me having to remove Online Armor.

        If I had Online Armor still installed on systems at home, I would be quite happy that the HIPS would give me measures needed to prevent CL, but for the reasons above I can’t run them, so I need extra layers. My children would not know how to react, so they also get additional layers of protection too.

        At work, it’s a different story. The effort to configure an interactive HIPS in a commercial environment coupled with the inability of non technical staff, who are under pressure to get their work done, would result in simply clicking the accept button when whichever HIPS tool used requests permission. Yes, I agree people shouldn’t click, but it’s really hard to get the message across and people are human after all. I would like to lock down opportunities for people to make mistakes, but to a certain extent, I’m prevented from doing so.

        So, at work, we do have HIPS in our Endpoint Security, but it’s silent. I’ve also deployed additional software restriction policies, by group policy, over and above those required to meet company operating policies and receive automated emails through task scheduler if somebody tries to do something they shouldn’t.

        I do get occasional problems with restrictions being triggered and can sympathise when bobprimak asks why does Windows allow execution of apps from %appdata% with very little security requirements by default. It’s one of the biggest and most obvious differences between Windows and other families of Operating Systems. In fairness to Microsoft, it stems from historical configurations of their OS that wanted to be easy to use, but in so doing left gaping holes that have now for the most part been plugged. But the legacy continues: why does some software want to run from places that it shouldn’t? It would be nice to say “ban everything from running from there”, but the world turns to a different tune.

        In my view HIPS is the go-to solution for the home user if they are competent to use it proactively. Failing that, something like the Crypto Prevent tool is a useful addition… but at work it’s not quite so straightforward and, yes, I worry a little. :huh:

        I totally understand your position. No app is perfect and we do need to make choices when we have conflicting options. In your case, the decision not to use a specific HIPS was a considered one, made knowing the pros and cons of using it.

        My comment on CryptoLocker was basically meant to say that people should at least consider better overall protection strategies if they are so worried about malware like CryptoLocker (which they should be). Addressing this specific threat alone will work just for this threat. A different threat, or a different modus operandi, will not be prevented through this. I think it’s just better to find an overall strategy than to cover specific holes, although I agree that adding CryptoPrevent as an additional layer will not hurt. Hopefully, that won’t give anyone a false sense of security :).

        If for some reason, I couldn’t run OA, I would look for an alternative HIPS. I have never experienced a malware infection on my systems, but I still would rather have a HIPS in place. Call me nuts, I don’t mind :). This doesn’t mean that I am trying to preach that you should do the same, it’s just that I feel comfortable with the HIPS in place and find there is nothing better, security wise, than running a good HIPS.

        Do you still run EAM? EAM provides protection against CryptoLocker through its behavior detection feature, so you’d be safe just from using it anyhow :).

        • #1425677

          Actually Rui, you have got me thinking now. Due to the change of circumstances that I referred to in another place a few weeks ago, I no longer need to run VirtualBox at home. If I must have access to the platforms that my VMs supported, I have plenty of other resources available to me elsewhere.

          So… maybe it’s time for me to revisit Online Armor + EAM while at home. 😎

          • #1425689

            Cool :).

    • #1425681

      CLiNT’s 2 cents…

      This CryptoLocker thing is hyped out of proportion imo.

      Only a novice would ever consider installing an application like CryptoPrevent purely out of fear of getting infected with CryptoLocker.
      Only a novice would disregard the true and time-honored advice that’s always been out there, because it’s too hard or takes too much time and effort to implement.

      The best forms of prevention are the BASICS that we have always advocated doing, without one single iota of change;
      And they’re relatively simple things…

      Stop MINDLESSLY opening attachments in email.
      Stop MINDLESSLY clicking every link in your browser.
      Be careful of where you and your browser go on the internet.
      Keep your internet browser as up to date as possible and be familiar with its advanced settings.
      Pay close attention to WHAT you are downloading, and from WHERE.
      Ensure that all downloads are ALWAYS scanned prior to running them, and NOT run from directly off the internet.
      Keep your AV and AM software up to date, every single day.
      Keep your OS up to date with all latest security patches.
      Avoid auto-playing any form of media given to you from friends or acquaintances, and always scan them.
      Run as much lower level automated OS maintenance as you can tolerate based on your specific system’s performance specifications.

      BACKUPS

      Drive imaging is OK but it’s not everything, not by a long shot.
      This is what you need to have in place in some form or another;

      *Need to have all of your OS recovery disks, be they genuine, OEM types, or other bootable media, readily available and tested well beforehand, …not lost or damaged.
      *Need to have all of your usable programs and drivers with updated versions safely tucked away and backed up independently and on multiple forms of media. (CD/DVD, pen drives, external hard disk drives, NAS, Cloud, etc.)
      *Need to have any “out of the ordinary” personal OS settings written down in a notepad or word docu and easily accessible so that they may be re-implemented quickly.
      *Need to test any image that you have made until you are comfortable and confident of the outcome, this includes all boot disks.
      *Need to have every scrap of personally generated data safely backed up independently of anything else.
      This includes email and all of its settings, photos, documents, or anything else you would consider a loss if you actually did lose them.
      *At least one external HDD dedicated specifically to data backup that is NOT always connected to your system.
      *Stop thinking of backup as a last line of defense. The best recovery is the quickest one.

      ORGANIZATION
      Take a page from a good CPA, and get organized with your data’s how and where you store it.
      Good organization is one half of everything.

      Drive imaging is alright for the obvious reasons, but it’s also the very best uninstaller tool around. Nothing does a better job at removing all traces of complex higher-level software, like Office and large antivirus suites, browsers and Windows updates.

      ATTITUDE
      If you are the kind of person who attempts to independently search for resolutions to problems, rather than whine and blame others, then you are leaps and bounds ahead of the crowd.

      If I seem preachy, forgive me.
      Most of what I got here is gained from reading the wisdom of others, seeking out the same, and the many hard learned lessons.

      • #1425684

        Addressing this specific threat alone will work just for this threat. A different threat, or a different modus operandi will not be prevented through this.

        Will this protect against other malware?

        YES! A LOT of trojan based malware out there utilizes the same infection tactics and launch point locations as Cryptolocker, therefore CryptoPrevent will protect against all malware that fits the same or similar profile and behavior.

        CryptoPrevent Q&A

        Only a novice would ever consider installing a application like CryptoPrevent purely out of fear of getting infected with CryptoLocker.

        What’s the disadvantage of installing CryptoPrevent?

        we can block CryptoLocker from launching its payload in your computer.

        Bruce

        • #1425690

          Well, sorry for stating the obvious, I would rather have apps to prevent anything I don’t want to run, from running.

    • #1425686

      What’s the disadvantage of installing CryptoPrevent?

      None.
      Never said there were.

    • #1425694

      In my case, regular full system imaging is the answer. Currently, I use Acronis 2013 and it has saved me on several occasions. I do full images about twice a month.

      • #1425696

        Welcome to the Lounge,

        Acronis is, indeed, a life saver. It has saved me a few times, too :).

    • #1425765

      cmptrgy: Thanks for this article –

      Several questions: 1) How big of an ext HD do you think I should get (or how do I tell) for the Win 7 backup? I assume you back up and then disconnect. How often do you (personally) re-backup onto this external HD?

      2) To clean any hard drive, internal or external: is it sufficient to call it up on the COMPUTERS screen and select Format or do you have to use Ccleaner one pass security clean? – that takes soooo long (on my computer). It took 5 hrs for a 160GB external to clean. Or any other suggestions for cleaning?

      What is COA sticker?

      As you mentioned, the average computer user may have trouble with some of these concepts – I am so grateful for folks like you, cmptrgy, and all the others who both know and are willing to share with us. (I hope my couple of questions add to your Q&A bag for your other ordinary computer friends.)

      Paul

      • #1425775

        Several questions: 1) How big of an ext HD do you think I should get (or how do I tell) for the Win 7 backup? I assume you backup and then disconnect. How often do you (personally} re-backup onto this external HD?
        An image takes about 60% to 70% of your used disk space. Use this as a reference. You probably want to keep several images, so take that into account, too.
        You may want to backup your documents and other data more regularly than you image. If you want to do that, factor it into the space count.

        An image should be done with some regularity. This varies from person to person. I image once a week.
        Your backup regimen should include the documents and data separately. I sync every document automatically once it changes. Your choice should be based on what you are prepared to lose in case something goes bad, either due to a hardware problem or a software glitch, and the rate at which your documents change. Only you can decide that, so make a choice. If you want more specific help with this, maybe tell us how you use your computer and how frequently documents change.

        2) To clean any hard drive, internal or external: is it sufficient to call it up on the COMPUTERS screen and select Format or do you have to use Ccleaner one pass security clean? – that takes soooo long (on my computer). It took 5 hrs for a 160GB external to clean. Or any other suggestions for cleaning?

        Unless you are giving the drive away, I don’t see why you would need to do anything other than formatting. If you want to give it away, then every bit stored needs to be safely cleaned up and that takes time.

        What is COA sticker?

        It’s the Windows Certificate of Authenticity and it’s a sticker found in computers purchased with a Windows version that certifies the authenticity of the Windows version and includes the Windows key.

    • #1425780

      Thank you ruirib,

      Further on COA,
      I recently, unfortunately, bought a Toshiba laptop with Win 8.0 installed. I didn’t think to search for the COA, but when I saw I needed it to upgrade to 8.1, I couldn’t find it. Is this a Microsoft evil scheme or a Toshiba one? Is there a good way to fix it (other than buying a Win 8.1 installation upgrade disk)?

    • #1425782

      It seems that COA stickers are gone with Windows 8: http://answers.microsoft.com/en-us/windows/forum/windows_8-windows_install/how-to-retrive-the-windows-8-product-key-when-it/ef416984-fd4d-4259-974b-158f9ad4482e.
      I have the same exact situation with a Toshiba u920t bought last summer. The idea is to use the recovery partition, if you have a problem. I imaged mine and keep an image of the original disk setup.

      You can try and use a key finder, such as Belarc Advisor or Nirsoft’s ProduKey. I can’t say whether they are effective with Windows 8, never had to try the key shown by either.

    • #1426038

      Paul thanks for posting your concerns in post 47. It appears to me your concerns have been answered
      I would like to add that having the COA information is missed too many times by the average computer user, but when something goes wrong the typical reaction is “How am I supposed to know what my product ID is?”
      What I do now is run Belarc, sometimes Speccy, even if the COA is still readable and applicable, and create a factory restore disc at a minimum. I keep a copy of the pertinent ID numbers and I leave the factory restore disc with the user. In a couple of cases something went wrong, the factory restore disc was needed, and it couldn’t be found; but at least the user could recall that they should have paid attention when I created it and asked them to save that disc in case of an emergency.

      On my external hard drive, it’s a portable one and I do a full weekly backup of my Windows 7 computer. It only takes 7 minutes.
      — And yes the external hard drive is disconnected once the backup is completed
      — I keep 2 backups on it; the current backup and last weeks backup
      — I use the same external hard drive to back up 2 other computers: one for my son’s Vista computer and another one for my brother’s XP computer. There isn’t any set schedule for them as it depends on when I visit them

      On my data backup, I have a batch file that automatically saves my data on a daily basis onto a USB flash drive
      — I have batch files to do the same for my son & my brother

      HP EliteBook 8540w laptop Windows 10 Pro (x64)

      • #1426218

        Just my $.2 here. Flash drives are notoriously unreliable, in my experience. I wouldn’t rely on them to be anything other than (very) transient locations for your important data.

    • #1426054

      The best backup method will always be the one you’re satisfied with & works for you.
      It’s the point just prior to that which is the most frustrating.

      Most people who purchase computers don’t pay a whole lot of attention to their recovery disks.
      It’s only in time of extreme need do they concern themselves with product ID keys and the rest of it.

    • #1426056

      I agree with FUN. We must assume all accessible images are encrypted for ransom.
      I also agree with MEDICO that it is only a matter of time before I [or a family member] get caught.

      So assuming a CryptoLocker attack is inevitable, here are my thoughts on how best to be prepared.

      1. Cloud based protection.
      One suggestion in these columns is a cloud based backup which allows roll back.

      I have not tried cloud backup and feel it will require a large amount of data transfer time and cost for a recovery process that is not simple or guaranteed.

      Views from users of this approach are welcome.

      Does anyone know how far back in time the roll back needs to reach? ie. The time taken for CryptoLocker to do its encryption work and demand the ransom?

      2. Local protection by manual intervention.
      Several members of the lounge argue for a regular backup/image onto separate media which is then disconnected.
      This is true, but I do not trust myself to keep the discipline of connecting and disconnecting a separate hard drive and waiting for what could be a long update time.

      3. Local protection by WORM storage.
      This needs a large network attached store [NAS] which provides ‘write once & read many’ [WORM] facilities so the backups are available after writing but cannot be changed or encrypted later. This is a local equivalent of the Cloud store with roll back. WORM devices are available now for corporate archive use but well beyond a domestic budget. Hopefully Seagate and others will see this as a significant market which only needs some internal code and a manual switch on the NAS to prevent written files from remote change after writing. When the NAS is full, we flip the switch and delete old files, or do a reformat.

      4. Local protection by second PC. [My current proposed approach]
      Using any old PC or laptop as a backup client, connect it to my local network, and give it access to the store which holds backups/images of the working PC. Maybe, give it access to all the drives on the main PC.
      => The essential issue is to disallow all sharing or access FROM the working PC into my backup machine.

      Then write a batch file to periodically create a new folder named ‘Today-date-time’ and copy the latest image file or incremental changes from the main PC.
      Repeating this process generates a series of dated folders holding copies of the main PC files and allows roll back recovery as needed.

      A possible weakness in this approach is the use of Windows share settings to block access from the main PC.
      I agree that any windows program in the main PC will not ‘see’ the backup PC or get access but a blackhat encryption program may be able to ignore the share settings and access files in the backup?

      Even better could be to use linux for the copying tasks in the backup PC, but this is way out of my skill range.

      All views to improve or help are welcome.

      I am also sending this to Tracy Capen as a possible topic for his experts.
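      An added example, not code from the post above: a pull-style copy script along the lines of approach 4, run on the backup PC rather than on the working PC. The share name \\MAIN-PC\Images, the local folder D:\Backups and the retention count are placeholders for illustration. Because the backup PC does the reading, the working PC holds no credentials for, and has no share on, the backup machine, so there is nothing on the main PC for an encryption program to use against the copies; the share on the main PC can be read-only for the account the backup PC logs in with. Each run lands in its own Today-date-time folder, which is what gives the roll-back the post asks for.

```powershell
# Added example (not from the original post). Run this ON the backup PC, e.g. from
# Task Scheduler. Assumptions: \\MAIN-PC\Images is a read-only share on the working
# PC (hypothetical name), D:\Backups is a local disk on the backup PC, and robocopy
# is present (it ships with Vista and later).
param(
    [string]$Source     = '\\MAIN-PC\Images',
    [string]$BackupRoot = 'D:\Backups',
    [int]   $KeepCopies = 8
)

function New-DatedBackup {
    param([string]$Source, [string]$BackupRoot)
    # One folder per run, named as the post suggests: Today-<date>-<time>
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
    $dest  = Join-Path $BackupRoot "Today-$stamp"
    $log   = Join-Path $BackupRoot "Today-$stamp.log"
    New-Item -ItemType Directory -Path $dest -Force | Out-Null

    # /E      copy subfolders, including empty ones
    # /COPY:DAT data, attributes and timestamps (no ACLs; keeps the copy simple)
    # /R:2 /W:5 limited retries so a powered-off main PC fails fast instead of hanging
    # /XJ     do not follow junctions/symlinks
    # /NP     no per-file percentage lines in the log
    & robocopy.exe $Source $dest /E /COPY:DAT /R:2 /W:5 /XJ /NP /LOG:$log | Out-Null

    # robocopy's exit code is a bitmask: 0-7 are success variants, 8 and above mean
    # some files failed to copy.
    if ($LASTEXITCODE -ge 8) {
        throw "robocopy reported failures (exit code $LASTEXITCODE); see $log"
    }
    return $dest
}

function Test-BackupLooksComplete {
    param([string]$Dest)
    # A truncated or half-written image shows up as a zero-length file; an empty
    # folder means the share was reachable but held nothing.
    $files = Get-ChildItem -Path $Dest -Recurse -File
    if (-not $files) { return $false }
    return -not ($files | Where-Object { $_.Length -eq 0 })
}

function Remove-OldBackup {
    param([string]$BackupRoot, [int]$KeepCopies)
    # Keep the newest $KeepCopies dated folders, delete the rest and their logs.
    Get-ChildItem -Path $BackupRoot -Directory -Filter 'Today-*' |
        Sort-Object Name -Descending |
        Select-Object -Skip $KeepCopies |
        ForEach-Object {
            Remove-Item -Path $_.FullName -Recurse -Force
            Remove-Item -Path "$($_.FullName).log" -ErrorAction SilentlyContinue
            $_.FullName
        }
}

$dest = New-DatedBackup -Source $Source -BackupRoot $BackupRoot
if (-not (Test-BackupLooksComplete -Dest $dest)) {
    Write-Warning "Backup at $dest looks incomplete; keep the previous copy until checked"
}
Remove-OldBackup -BackupRoot $BackupRoot -KeepCopies $KeepCopies
```

      Two caveats worth keeping in mind with this layout: the pull copies whatever is on the share, so a run made after an infection copies already-encrypted files, which is exactly why several dated copies are kept rather than one; and the backup PC is now the thing that must stay patched and must never be used for browsing or mail, since it is the only machine with a path to both sides.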

    • #1426108

      Unfortunately since Karen’s untimely passing, her tools are no longer being updated. I wonder if they might work with the newer OSes.

      • #1426181

        FWIW, I am using several of her utilities with W7 without a problem. I think most, if not all, of her utilities are written in VB.

    • #1426217

      In case anyone besides me was interested in what the acronym “HIPS” expands to (although its meaning seemed fairly clear from context in this thread), it’s “Host-based Intrusion Prevention System.“

      Dave

      • #1426231

        Yes, that’s precisely what it means :).

    • #1426376

      Rui your $.2 is appreciated.
      One of my best friends daughter just lost data on her flash drive that she was using as the medium on which she was doing her files and a local computer shop told my friend it would cost about $400 to retrieve that data. So the consequences are: lost data.

      I should have included in my storage strategy that I have another computer I use to maintain a 3rd copy of my data so that I have 3 locations of saved data: my XP desktop computer, the flash drive & my Windows 7 laptop computer

      HP EliteBook 8540w laptop Windows 10 Pro (x64)

    • #1426378

      Yes, I have seen that happening all too frequently :(.

    • #1426388

      Lest my point be lost, I am still wondering why the protections which the Windows Secrets article suggests, or which Crypto Prevent supplies, could not be rolled into a patch and applied as a critical Security Patch by Microsoft? Would too much software crash if this were done? Are there any other side effects which would make people wish Microsoft hadn’t issued such a patch?

      -- rc primak

      • #1426390

        Bob, Microsoft probably wouldn’t care about breaking Spotify, or Foxit Reader Updater, but they probably would care about breaking Microsoft Office Installation. All three have been tripped by the recommended software restriction policies that I pushed to my users by GPO.

        Spotify shouldn’t run in my environment, so that was left blocked. Foxit was fixed by whitelisting.

        However, the Office Installation was a nightmare at first. I tried several variations of whitelisting, but eventually cheated. I dropped the machine off the domain to run it as a local machine with default group policy, installed office, and then rejoined it to the domain. In a home environment with Crypto Prevent installed the quick way would be to back out the restrictions, install office, then re-install the restrictions.

        I’m sure MS could figure out a full fix for that, but I didn’t have the time to work the problem for something that I’ll probably do infrequently on a machine already domain joined.

        • #1426418

          You mean CryptoPrevent prevents Office from installing?

          • #1426439

            Yes, if my understanding and implementation of the Crypto Prevent mechanism is correct.

            I use the same generic rules that Crypto Prevent uses, but pushed through GPO to our machines on a domain based network. Installation of Office 2010 and Office 2013 were both blocked on two new machines I recently setup. I don’t have the details of the blocked application to hand right now, but I’ll see if I can dig it out later and update.

            The event log was quite explicit recording the software restriction policy being triggered.

            After dropping the machines off the domain, thereby implementing default group policies, Office installed without a hitch. After installation, both versions of Office run just fine on the domain with the restriction policies implemented.

            I’m torn between blaming MS for deploying the Office installer to execute from within %appdata%/temp and Crypto Locker for giving me a headache I didn’t have before.

            However, every cloud has a silver lining and Crypto Locker has given me reason to review security at work and at home with a fresh pair of eyes.

            • #1426440

              That’s a pretty big downside to CryptoPrevent, if confirmed. I am curious to see if this will bring any changes to how Microsoft deals with similar situations (using of %appdata%/temp).

    • #1426442

      Agreed.

      I’ll try to make time to install Office on a fresh VM with Crypto Prevent installed and feed back the results. Or maybe somebody else could verify and add their experience?

      • #1426444

        Afraid I can’t help with that now, but it would be interesting to know if anyone hit this barrier.

    • #1426454

      Something very odd….

      On an XP Virtual Machine, with Crypto Prevent v4.3 installed, Office 2010 installs without error.

      However, if I run RSOP on the machine there are no software restriction policies set. Crypto Prevent appears to be passing its own self test because I can see an event 866 in the event logs when I use its self test:

      [attached screenshot: Crypto Prevent self test]

      but RSOP shows no restrictions:

      [attached screenshots: RSOP Computer Config; RSOP User Config]

      My manually set software restriction policies pushed by GPO do indeed cause Office Installation to fail by blocking ose0000.exe :

      [attached screenshot: event 866]

      This is not what I had expected from Crypto Prevent. I had expected it to apply the restriction policies in the same way as the bleepingcomputer article previously referred to. So now I’m not sure where Crypto Prevent is applying these policies and whether it has a white list entry for ose0000.exe.

      Sorry, I think the waters just got even murkier:huh:

    • #1426463

      Hmm… interesting and puzzling.

    • #1426474

      I did some more digging around. It seems the Crypto Prevent tool injects software restrictions directly into the registry and does not use local policies at all. I guess that makes sense, since it is designed for pro and home versions of the OS so can’t rely on group policy editor being present.

      I then searched the registry, for various entries and did find a couple of keys related to Foolish IT (the developer), but didn’t have time to locate any kind of table that might indicate which applications are being blocked and which are whitelisted. If I had time I could take a clean install of Crypto Prevent and one with a single app added to the whitelist and run a file compare on the saved registries to find out where and how.

      But I didn’t have time and, for the purposes of this discussion, I think it is a moot point for the following reasons:

      In a limited deployment of similar blocking techniques, some genuine software was tripped up. Thus, to address the question from Bobprimak earlier, in my opinion that means MS would have a pretty hard time developing and updating a blocking algorithm that is anywhere near responsive enough for all the apps that at some point in time might want to execute from there.

      Foolish IT can do it because they are a small shop offering a standalone patch with caveats and are open about the hazards. MS couldn’t do it because countless hundreds of millions of users would pick up the patch and goodness knows how many apps would break.

      I think this goes back to closing the door after the horse has bolted. The problem does not appear in hardened OSes, but does in Windows because of historical design choices that were made well over a decade ago.

      In some cases (for example my work environment) it makes sense to deploy software restriction policies, but that is not necessarily proven to be the best solution for home situations where a behavioural firewall (i.e. a HIPS) could provide a better option.

      HIPS costs money, Crypto Prevent is free. Perhaps that’s the differentiation?
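      An added example, not the thread’s code and not Foolish IT’s: a PowerShell audit of the Software Restriction Policy rules as they sit in the registry, which is where the post above found Crypto Prevent writing them and where a GPO-applied SRP also lands (RSOP only reports what Group Policy delivered, which is why it showed nothing for registry-written rules while the self test still produced an event 866). The script lists the top-level policy switches, every path rule with its level, and the recent SRP block events in the Application log (865 to 868; 866 is the path-rule block seen for ose0000.exe). Add-SrpPathRule shows the whitelisting route taken for Foxit: an Unrestricted path rule for one executable. The paths in the usage comments are placeholders. Run from an elevated shell; the write helper changes machine policy.

```powershell
# Added example, not from the thread or from Crypto Prevent. Audits SRP rules in
# the registry and the block events they generate; Add-SrpPathRule creates a rule.
$saferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security level subkeys under CodeIdentifiers. 0 = Disallowed, 262144 = Unrestricted
# (the two levels the Crypto Prevent / bleepingcomputer style rules use).
$levelNames = @{ '0' = 'Disallowed'; '262144' = 'Unrestricted' }

function Get-SrpPolicyState {
    # DefaultLevel 262144 means "allow unless a rule says otherwise";
    # TransparentEnabled 0 = off, 1 = enforce for executables, 2 = also DLLs;
    # PolicyScope 0 = applies to everyone, 1 = local administrators are exempt.
    if (-not (Test-Path $saferRoot)) { return $null }
    Get-ItemProperty -Path $saferRoot |
        Select-Object DefaultLevel, TransparentEnabled, PolicyScope, ExecutableTypes
}

function Get-SrpPathRule {
    # One object per path rule: level, raw path, expanded path, description, GUID.
    if (-not (Test-Path $saferRoot)) {
        Write-Warning "No SRP policy at $saferRoot; nothing is being restricted by SRP"
        return
    }
    foreach ($levelKey in Get-ChildItem -Path $saferRoot) {
        $level = $levelNames[$levelKey.PSChildName]
        if (-not $level) { $level = $levelKey.PSChildName }
        $pathsKey = Join-Path $levelKey.PSPath 'Paths'
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $p = Get-ItemProperty -Path $rule.PSPath
            [pscustomobject]@{
                Level       = $level
                Path        = $p.ItemData
                Expanded    = [Environment]::ExpandEnvironmentVariables([string]$p.ItemData)
                Description = $p.Description
                RuleGuid    = $rule.PSChildName
            }
        }
    }
}

function Get-SrpBlockEvent {
    param([int]$Days = 7)
    # SRP logs to the Application log, provider SoftwareRestrictionPolicies:
    # 865 blocked by default level, 866 by path rule, 867 by certificate rule,
    # 868 by hash or zone rule. The message names the file and the matching rule.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'SoftwareRestrictionPolicies'
        Id           = 865, 866, 867, 868
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Message = ($_.Message -replace '\s+', ' ')
        }
    }
}

function Add-SrpPathRule {
    # Creates a path rule under the chosen level. Unrestricted = whitelist (the fix
    # used for Foxit above); Disallowed = block. A policy must already exist under
    # $saferRoot; new rules apply to processes started after the next policy refresh.
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('Disallowed', 'Unrestricted')][string]$Level = 'Unrestricted',
        [string]$Description = 'Added by Add-SrpPathRule'
    )
    if (-not (Test-Path $saferRoot)) { throw "No SRP policy present at $saferRoot" }
    $levelId = if ($Level -eq 'Disallowed') { '0' } else { '262144' }
    $ruleKey = Join-Path $saferRoot "$levelId\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData    -Value $Path -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags  -Value 0     -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description -Value $Description -PropertyType String -Force | Out-Null
    return $ruleKey
}

Get-SrpPolicyState | Format-List
Get-SrpPathRule | Sort-Object Level, Expanded | Format-Table -AutoSize
Get-SrpBlockEvent -Days 30 | Format-Table -AutoSize -Wrap

# Placeholder usage (paths are illustrative, not from the thread):
# Add-SrpPathRule -Path '%AppData%\*.exe' -Level Disallowed -Description 'No exe in AppData root'
# Add-SrpPathRule -Path '%LocalAppData%\Foxit Reader Updater\*.exe' -Description 'Allow Foxit updater'
```

      Reading the output alongside a blocked installer is the quickest way to see whether a given block came from the policy you pushed or from a tool that wrote rules directly: a GPO rule appears under the same key but is also reported by RSOP, while a registry-written one is not. Whitelisting by path, as the helper does, is the weakest kind of exception, since anything dropped at that path is then allowed; a hash or certificate rule for the specific binary is the tighter option when the policy editor is available.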

      • #1426475

        I did some more digging around. It seems the Crypto Prevent tool injects software restrictions directly into the registry and does not use local policies at all. I guess that makes sense, since it is designed for pro and home versions of the OS so can’t rely on group policy editor being present.

        I then searched the registry, for various entries and did find a couple of keys related to Foolish IT (the developer), but didn’t have time to locate any kind of table that might indicate which applications are being blocked and which are whitelisted. If I had time I could take a clean install of Crypto Prevent and one with a single app added to the whitelist and run a file compare on the saved registries to find out where and how.

        But I din’t have time and for the purposes of this discussion I think it is a mute point because of the following reasons:

        In a limited deployment of similar blocking techniques, some genuine software was tripped up. Thus, to address the question from Bobprimak earlier, in my opinion that means MS would have a pretty hard time developing and updating a blocking algorithm that is anywhere near responsive enough for all the apps that at some point in time might want to execute from there.

        Foolish IT can do it because they are a small shop offering a standalone patch with caveats and are open about the hazards. MS couldn’t do it because countless hundreds of millions of users would pick up the patch and goodness knows how many apps would break.

        I think this goes back to closing the door after the horse has bolted. The problem does not appear in hardened OS’s, but does in Windows because of historical design choices that were made well over a decade ago.

        In some cases (for example my work environment) it makes sense to deploy software restriction policies, but that is not necessarily proven to be the best solution for home situations where a behavioural firewall (i.e. a HIPS) could provide a better option.

        HIPS costs money, Crypto Prevent is free. Perhaps that’s the differentiation?

        Thanks for all the work checking this :). Nice job.

        As to the money, well, a decent HIPS can cost $25-$30 and protects against a lot more than just against Crypto. I suppose that can be expensive… until you get one single infection. That alone will make up for the cost, IMVHO.
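
        The registry question raised in the post above (which rules are in place and which applications are whitelisted), as an added example that is not part of the thread and not the CryptoPrevent developer's code. The PowerShell below walks the standard Software Restriction Policy (SRP) location in the registry (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, plus the HKCU mirror), lists every path rule with its security level, and predicts the effective level for a given file using SRP's precedence order. It assumes the tool writes ordinary SRP path rules under those keys; the thread does not establish which keys CryptoPrevent itself uses. The file path in the usage lines is illustrative.

```powershell
# Added example: not from the thread and not the CryptoPrevent developer's code.
# Walks the documented Software Restriction Policy (SRP) registry location and
# predicts the effective level SRP would give a file. Assumption: a tool that
# "injects software restrictions directly into the registry" writes ordinary
# SRP path rules under these keys; the thread does not confirm which keys
# CryptoPrevent itself uses.

$SaferRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
)

# Security-level subkeys SRP keeps under CodeIdentifiers, and their rank
# (lower rank = more restrictive)
$LevelNames = @{ '0' = 'Disallowed'; '4096' = 'Basic User'; '262144' = 'Unrestricted' }
$LevelRank  = @{ 'Disallowed' = 0; 'Basic User' = 1; 'Unrestricted' = 2 }

function Get-SaferPathRule {
    # Emits one object per path rule found in either hive, at any level.
    foreach ($root in $SaferRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($levelKey in Get-ChildItem -Path $root) {
            $level = $LevelNames[$levelKey.PSChildName]
            if (-not $level) { continue }
            $pathsKey = Join-Path -Path $levelKey.PSPath -ChildPath 'Paths'
            if (-not (Test-Path -Path $pathsKey)) { continue }
            foreach ($ruleKey in Get-ChildItem -Path $pathsKey) {
                $props = Get-ItemProperty -Path $ruleKey.PSPath
                [pscustomobject]@{
                    Hive        = $root.Substring(0, 4)
                    Level       = $level
                    Path        = [string]$props.ItemData   # may contain %vars% and * ? wildcards
                    Description = [string]$props.Description
                    RuleId      = $ruleKey.PSChildName      # the GUID SRP names the rule with
                }
            }
        }
    }
}

function ConvertTo-SaferRegex {
    param([Parameter(Mandatory)][string]$RulePath)
    # Expand %AppData%-style variables, then turn SRP wildcards into a regex.
    # In SRP path rules '*' and '?' do not cross a backslash, and a rule that
    # names a folder also covers everything beneath it.
    $expanded = [Environment]::ExpandEnvironmentVariables($RulePath).TrimEnd('\')
    $escaped  = [regex]::Escape($expanded) -replace '\\\*', '[^\\]*' -replace '\\\?', '[^\\]'
    return '^' + $escaped + '(\\.*)?$'
}

function Test-SaferPath {
    param([Parameter(Mandatory)][string]$FilePath)
    $target = [Environment]::ExpandEnvironmentVariables($FilePath)

    # Collect every rule whose pattern matches the file
    $hits = foreach ($rule in Get-SaferPathRule) {
        if ($target -match (ConvertTo-SaferRegex -RulePath $rule.Path)) {
            [pscustomobject]@{
                Rule        = $rule
                Specificity = [Environment]::ExpandEnvironmentVariables($rule.Path).Length
            }
        }
    }

    if (-not $hits) {
        # No rule matched: SRP falls back to DefaultLevel (Unrestricted if unset)
        $default = (Get-ItemProperty -Path $SaferRoots[0] -ErrorAction SilentlyContinue).DefaultLevel
        $level   = if ($null -ne $default) { $LevelNames[[string]$default] } else { 'Unrestricted' }
        return [pscustomobject]@{ File = $target; EffectiveLevel = $level; MatchedRule = $null }
    }

    # SRP precedence: the most specific (longest) matching path wins; on a tie
    # the more restrictive level wins. This is what makes a whitelist entry
    # work: an Unrestricted rule naming one exact file is longer than a general
    # Disallowed rule such as %AppData%\*.exe, so it wins for that file only.
    $best = $hits |
        Sort-Object -Property @{ Expression = 'Specificity'; Descending = $true },
                              @{ Expression = { $LevelRank[$_.Rule.Level] }; Descending = $false } |
        Select-Object -First 1
    [pscustomobject]@{ File = $target; EffectiveLevel = $best.Rule.Level; MatchedRule = $best.Rule }
}

# Usage. The file path is illustrative, not a real product mentioned in the thread.
Get-SaferPathRule | Sort-Object -Property Level, Path | Format-Table -Property Hive, Level, Path, Description -AutoSize
Test-SaferPath -FilePath "$env:APPDATA\SomeVendor\updater.exe" | Format-List
```

        Run it on the machine being checked. If a legitimate updater that lives under %AppData% comes back as Disallowed, that is the "genuine software tripped up" case described above, and the precedence logic in Test-SaferPath shows the remedy: an Unrestricted rule naming that exact file is more specific than the blanket Disallowed rule and therefore wins for that file while leaving the block in place for everything else.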

    • #1426701
      Group "L" (Linux Mint)
      with Windows 10 running in a remote session on my file server
    • #1428230

      So I guess the answer to my query about Microsoft implementing something like CryptoPrevent in the form of a patch is:

      While this might be a good idea in principle, in practice there are indeed some products, including Microsoft’s own offerings, which would break badly. End users would not tolerate this amount of breakage.

      So unless MS rewrites installers and Apps, we are doomed to repeat the insecurities of the past and the present.

      *Sigh*

      -- rc primak

    • #1428442

      … I think we should ask our representatives in Congress to use the NSA to identify and block all the purveyors of viruses/malware/ID theft/ransomware/etc. And for our representatives to task the FBI and CIA with putting an end to their nefarious activities by whatever means necessary. I already have asked my representatives (Feinstein, Boxer and Eshoo) to do just that:
      “First, Congress should pass legislation making illegal and subject to prosecution, fines, punitive damages, and prison, practices such as identity theft, using the Internet and/or phone system to foist malware, viruses, adware, ransomware and other digital abuses on phone and computer users.
      You should add to the NSA’s mandate, to identify, locate and track these cybercriminals, whether domestic or foreign; and if possible, shut them down.
      Then mandate the FBI to vigorously investigate, and prosecute the perpetrators with stiff fines and lengthy prison sentences.
      Cybercrime is a growing source of revenue to criminals, and Congress must pass legislation to make it unprofitable and risky.
      Best regards,”
      I encourage everyone to copy/paste my message, or create your own, so Congress gets the message that cybercrime is out of control and needs to be harshly dealt with.

    • #1429219

      I didn’t see if the following has already been mentioned:
      The replacement hard drive can be larger. If you’re restoring Windows 7 or older, boot legacy in the BIOS.
      If you’re restoring Windows 8 — boot U[something] has to be in the BIOS.
      I think it’s best if the hard drive is in the same manufacturer-specs family.
      I’m not sure if you can safely mix IDE with SATA with SSD — ask around 🙂
      Roland

      "Take care of thy backups and thy restores shall take care of thee." Ben Franklin, revisited

    • #1435747

      The good news is that CryptoLocker can only arrive on your computer by email with an attachment, usually a bogus service message with a PDF attachment where the .exe hides, so education can stop this threat. The simplest thing to do is to copy and paste the data, full size, to an external drive. Keep it simple. The rest of what you said about reinstalling Windows applies. The data is what matters; teach this to your users and you will be OK. I know it’s not easy, as I also do what you do, in Montreal. Good luck and thanks for your article.

      • #1435750

        … CryptoLocker can only arrive on your computer by email with an attachment …

        That may have been true last week, who knows how it will be mutated?
