I love holidays. It's that time of the year when I dedicate my time to the family. We went to the seaside for a couple of days. We all love the sound and smell of the sea and a morning breeze. I receive calls from the office from time to time. Most calls are just requests for information. Sometimes there is an issue that requires my attention, but usually I can resolve it by connecting to the office via VPN. Only occasionally is there a critical issue. When that happens, I wish I was in the office.
It was 9:00 in the morning. The kids were still asleep. I was also lying in bed, looking at the kids and thinking how happy I was. All of a sudden the phone rang. I pushed the silence button and decided to let that call go. Two minutes later, the same number, the same ring. This must be something important, I said to myself, and picked up the call.
On the other end of the phone, I heard a soft, trembling voice. I hardly recognized my colleague, with whom I had spent the last 5 years in the office, side by side.
I said: "Hi mate, what's up?" He replied in the soft voice: "Our shares are being encrypted, the phone in the office rings like crazy."
In that moment, I felt the blood rushing through my veins. My legs became wobbly. Oh sh.., it happened to us as well, I thought. In the same moment, my mind drifted away, thinking about the loss, about the backups, restoration, about the virus removal… I knew this was a problem. A huge problem. Please read on to see how I fixed it.
When Anti-Virus is not enough
Until this moment, I believed that having an up-to-date anti-virus was sufficient against modern attacks, including CryptoLocker-type malware. As you can see, I was very wrong. CryptoLocker and its variants were undetectable to antivirus software until encryption was well under way or even completed. Even if the security software detected the virus, it was not able to remove it.
The first step was to identify the infected computers. I had a hunch that the antivirus would identify infected computers even though it was not able to clean them. I also feared that some of the computers had been left without antivirus. I logged into the AV console and found some errors related to "generic trojans". I executed the remove action, just in case I was lucky and the problem would go away. Unfortunately, the anti-virus software was not able to remove the generic trojans. I also executed a full scan on all computers. A full scan takes a long time. I left the console; I would get an email notification after the scan, so I had some time to think about how to remove the crypto virus.
Malwarebytes Antimalware business to the rescue
After the initial block, I remembered that I used to clean friends' computers with Malwarebytes Anti-Malware. The product was great and they also provide free / trial editions. While in a panic I asked my colleague to start installing the trial edition on computers, but then I figured that we have too many computers for manual Malwarebytes installation. Surely they have a business edition as well? Luckily I was right. I downloaded the business edition, installed it on a server and deployed clients to all computers in the company. That took me 30 minutes, and in that time all computers that were turned on had a second layer of protection installed. I initiated a scan and, while waiting for the results to come in, decided it was time for a coffee.
Malwarebytes business in use
Malwarebytes can be used as additional protection, alongside the anti-virus protection which is already installed on a computer.
The server console is easy to install; installation, including the initial policy configuration, takes less than 10 minutes. To begin your configuration, open the Malwarebytes Management Console. The console is simple and easy to understand. On the left side, you will find five tabs.
The Home tab shows a summary of your environment: how many computers have a client installed, the infection rate, and the type of the client. The Client tab shows information about the clients. On the Policy tab you configure the policy, on the Report tab you run reports, and on the Admin tab you configure administrative settings.
First, you need to deploy clients to the computers. You can do that easily on the Admin tab. There you will find the Client Push Install tab, which you can use to scan an IP range and install clients on the computers. On the Admin tab you can also set up email alerting, set up a syslog server, etc.
The Report tab has 4 reports; the most important ones are shown on the dashboard. You can also extend reporting and include custom elements.
When you install Malwarebytes on your server, there is just one tiny step to complete before you start with the scan: you will want to review the policy. By default, Malwarebytes scans for the really harmful infections. There are also unwanted programs, like adware, which you can include in your scan. They are called PUPs, potentially unwanted programs. You can create many policies and apply them to various computers differently.
You can start the scan manually on selected computers or as a part of the policy, for example, every day at 12:00. You can also change the client policy on the fly.
Why do you need more than one policy? For example, you could have one policy with a full daily scan for newer, faster computers. On the other hand, slower computers can benefit from a quick scan. You could have one general policy that scans for malware and PUPs but only removes malware. If you switch to a second policy, it would remove PUPs as well.
The Malwarebytes Business suite consists of three parts. The server console is used to configure, deploy clients, act on infections and review reports. The Anti-Malware client is the program we all know and is the one which detects and removes dangerous infections. But there is also a second client called Anti-Exploit. Unlike the Anti-Malware or anti-virus client, it doesn't require up-to-date malware definitions; it works by detecting the behavior of the malware.
What about the speed?
If you are wondering whether computer speed is affected by running an additional layer of protection, then let me confirm that yes, speed is affected, but not that much. Running Malwarebytes alongside anti-virus impacts speed by around 5 percent. That means users won't notice a difference in speed, provided you are using a modern configuration: at least 2 cores, 4GB RAM and a 7200 RPM drive. As soon as a computer has 2GB RAM or a slower 5400 RPM drive, users will notice.
Support
I contacted support various times during the trial. I was happy to find that they answer quickly, even for questions which are answered in the manual, for example what a PUP (potentially unwanted program) is, with examples. Support is very important when implementing security solutions or when you are breached.
Summary
As you may have imagined, our anti-virus solution could not clean the infections, but Malwarebytes found and removed the CryptoLocker virus. Once I had scanned all computers with Malwarebytes and confirmed we were not at risk anymore, I used Shadow Copy on the file server and restored the file share to the previous day. I was lucky. I doubt I would have been able to pinpoint and remove the infection without Malwarebytes.
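The shadow copy restore mentioned above, written out as an added PowerShell example (not the post's own procedure). It assumes the share lives under D:\Shares, that C:\ShadowMount is free to use as a link, and that a shadow copy taken before the encryption still exists; many ransomware families delete shadow copies first, which is why the listing step comes before anything else.

```powershell
# Added example, not from the original post. Assumes the file share lives on D:\
# and that a Volume Shadow Copy taken before the encryption started still exists.
# Run only after every client has been scanned clean, as the post describes.
$driveLetter = 'D:'
$shareFolder = 'Shares'          # assumed folder name under D:\
$mountPoint  = 'C:\ShadowMount'  # assumed path used to expose the snapshot

# Map the drive letter to its volume GUID path, which is what Win32_ShadowCopy records.
$volumeId = (Get-CimInstance Win32_Volume | Where-Object DriveLetter -eq $driveLetter).DeviceID

# List every snapshot of that volume, oldest first, so the restore point can be chosen.
$copies = Get-CimInstance Win32_ShadowCopy |
    Where-Object VolumeName -eq $volumeId |
    Sort-Object InstallDate
$copies | Format-Table InstallDate, ID, DeviceObject -AutoSize

# Pick the most recent snapshot taken before today (the "previous day" in the post).
$chosen = $copies | Where-Object { $_.InstallDate -lt (Get-Date).Date } | Select-Object -Last 1
if (-not $chosen) { throw "No shadow copy from before today exists for $driveLetter" }

# Expose the snapshot as a directory link; mklink needs the trailing backslash
# on the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path.
cmd /c mklink /d $mountPoint ($chosen.DeviceObject + '\')

# Dry run first (/L only lists what would be copied), then the real copy.
# /E keeps the directory tree, /COPY:DAT restores data, attributes and timestamps,
# and /XO is deliberately NOT used so that the encrypted (newer) files are
# overwritten by the clean, older versions from the snapshot.
robocopy "$mountPoint\$shareFolder" "$driveLetter\$shareFolder" /E /COPY:DAT /R:1 /W:1 /L
robocopy "$mountPoint\$shareFolder" "$driveLetter\$shareFolder" /E /COPY:DAT /R:1 /W:1

# Remove the link when done; the snapshot itself is untouched.
cmd /c rmdir $mountPoint
```

Files the malware renamed or created (ransom notes, new extensions) are not removed by this copy and still need to be cleaned up separately, ideally after the dry-run output has been reviewed.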
I absolutely love Malwarebytes' detection and removal power. Bad guys are inventing new techniques daily with one goal in mind: gaining power over individuals and companies to steal money and technology. The anti-virus solution as we know it has lost, and we need an additional layer of protection. Luckily, Malwarebytes can help.