Everon & Webroot Secure Anywhere

Everon’s partner, ITSupport247, is now using a new antivirus provider, Webroot Secure Anywhere. Webroot is based in Colorado; in fact, Webroot is so close to our call center that we can see their building from where we sit (maybe they will let us take a tour someday!). Before the switch, Everon had been reviewing various antivirus products. After extensive research, we chose Webroot Secure Anywhere as our official antivirus, and we couldn’t be happier.

Most business antivirus products are managed from a console installed on a server or workstation inside the network, and every protected machine must report to it. That console is also the only component that talks to the vendor’s servers for definition updates. If nobody is reviewing the console regularly to confirm it is up to date and pulling definitions daily, protection quietly decays. Most consoles do let agents fetch definitions directly from the Internet when the console is unreachable, but plenty of other things can still go wrong. Did you configure the notifications correctly? Are you backing up the local database that holds the console’s state?

After rebuilding a few consoles from scratch because their databases failed, I realized that an antivirus vendor hosting the console in the cloud would make my life much easier, and that is exactly what Webroot does. Webroot runs the management console in its own colocation facilities, removing a potentially huge single point of failure from the customer’s network.

Setup takes minutes. First you decide how many seats you need, one per machine you want protected. Next you create custom groups for your company (you don’t want the same policy applied to your servers as to your desktops), and then you are ready to push the product out. Webroot provides an installer link that runs without any login; it is built for your site and links each machine back to your site with your policies applied. Because the link needs no login, it is effectively a credential for enrolling machines into your console, so treat it like a password rather than posting it anywhere public. Notifications are easy as well: there is no SMTP server to configure. You choose the events you want to hear about, enter the email addresses in the appropriate fields, and you are done.

Webroot has made antivirus management easy, and Everon is proud to provide it to our client base. The product is also good at protecting its own processes and files from being disabled or tampered with (which, to be honest, is probably the first thing you should worry about when choosing an antivirus, since malware that can kill the agent has free rein). PCMag rated it one of the best antiviruses of 2015. Another important factor is the footprint the product leaves on the machine. Some antiviruses keep gigabytes of files to manage themselves and their definitions, or run scans that take hours. Webroot is a very small, light package with hardly any footprint; its scans are quick and efficient, and a machine usually reports back to the console within minutes.

Webroot Secure Anywhere is a great antivirus. Give our engineers a call at 1-888-244-1748 to see whether Webroot and Everon would be a good fit for your company.

Datto vs Cryptolocker

A few months ago, I wrote about my love for Datto (found here), but it was never more apparent than when I had to go up against the dreaded Cryptolocker virus – head to head.

Cryptolocker has become one of the most notorious pieces of malware of our generation. It gets onto a network by various means (malicious email attachments and browser or Java exploits among them) and immediately searches out network shares. It encrypts the files it finds and holds them for ransom until you pay a VERY hefty fee for the key. The encryption is strong, the private key needed to reverse it never leaves the attackers’ server, and the variants keep changing.

Most recently, I dealt with a case at a client who was exposed through a Java exploit. Although our antivirus (Webroot Secure Anywhere) picked up the malware and quarantined it, Cryptolocker had already found the shares and gone to work. The client’s main share was encrypted, with over 34,000 files affected. This could have become a nightmare, but because we had dealt with this before and had the comfort of a Datto, we sprang into action.

The first step was to assess the damage and find the culprit. We went to our Webroot Secure Anywhere console and found the machine that was reporting the detections. We immediately pulled that machine off the network and left it unplugged. We always wipe the host machine as a precaution. In most cases a scan with Webroot or Malwarebytes would remove the malware, but because Cryptolocker changes so frequently we don’t take chances. The malware itself is easy to remove, since it leaves nothing complicated behind on the machine it infects; the damage is done by the encryption of the files.

Once the host machine was found, we disabled the affected share and started full scans of ALL machines on the network to make sure nothing else was infected; disconnecting the share stops any further encryption. With the share offline, we went through it and collected every file carrying the Cryptolocker extension. The extension differs from variant to variant, so identify the one in use in your case; here it was .trslcla (they keep making the extensions weirder and weirder). Once all encrypted files in the share were identified, we mounted our Datto restore point, ready to move the right files back. Pick a restore point taken before the earliest encrypted file’s timestamp, or you will be restoring ciphertext.

Because the encrypted files were scattered all over the tree and numbered over 34,000, we used another product (one of my all-time favorites) called SyncBack, made by 2BrightSparks. We installed it on the server and pointed the source at the Datto restore and the destination at the share. SyncBack compares two directories, reports the differences, and does whatever is needed to reconcile them. We deleted all the encrypted files, then asked SyncBack what the Datto copy had that the share was now missing. It listed the files (only about 18 off our original estimate) and we restored them to the share.
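What SyncBack did in the steps above can also be scripted. The PowerShell below is an added example, not Everon’s script or a 2BrightSparks tool. It assumes the share is at D:\Shares\Main, the Datto restore point is mounted read-only at \\DATTO\restore\Main, this variant appends its extension to the original name (report.docx.trslcla), and users have already been disconnected from the share; all three paths are placeholders.

```powershell
# Added example (not Everon's own script). Assumed paths: $ShareRoot is the
# affected share, $BackupRoot a read-only mount of the Datto restore point.
# Run with -DryRun first: every destructive step honours it.
param(
    [string]$ShareRoot  = 'D:\Shares\Main',
    [string]$BackupRoot = '\\DATTO\restore\Main',
    [string]$Extension  = '.trslcla',
    [switch]$DryRun
)

function Get-RelativePaths([string]$Root) {
    # File paths relative to $Root, so share and backup can be compared 1:1.
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $_.FullName.Substring($Root.Length).TrimStart('\') }
}

# 1. Inventory the ciphertext. This variant appends its extension, so
#    "report.docx.trslcla" maps back to "report.docx".
$encrypted = @(Get-ChildItem -Path $ShareRoot -Recurse -File -Force |
    Where-Object { $_.Extension -eq $Extension })
Write-Host ("{0} encrypted files found" -f $encrypted.Count)

# 2. Keep a manifest of the originals we expect to get back, then delete the
#    useless ciphertext (nothing can be recovered from it without the key).
$manifest = @($encrypted | ForEach-Object {
    $rel = $_.FullName.Substring($ShareRoot.Length).TrimStart('\')
    $rel.Substring(0, $rel.Length - $Extension.Length)
})
$manifest | Set-Content -Path (Join-Path $env:TEMP 'encrypted-manifest.txt')
$encrypted | Remove-Item -Force -WhatIf:$DryRun

# 3. Compare the whole tree, not only the manifest: a full comparison also
#    catches files the malware deleted or renamed with some other extension.
$backupFiles = @(Get-RelativePaths $BackupRoot)
if ($backupFiles.Count -eq 0) { throw "Backup mount $BackupRoot is empty or unreachable; aborting." }
$onShare = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
foreach ($rel in Get-RelativePaths $ShareRoot) { $null = $onShare.Add($rel) }
$missing = @($backupFiles | Where-Object { -not $onShare.Contains($_) })

# 4. Copy back only what is missing, preserving the directory layout.
foreach ($rel in $missing) {
    $dst = Join-Path $ShareRoot $rel
    if (-not $DryRun) { New-Item -ItemType Directory -Path (Split-Path $dst) -Force | Out-Null }
    Copy-Item -Path (Join-Path $BackupRoot $rel) -Destination $dst -WhatIf:$DryRun
}
Write-Host ("{0} files restored from backup" -f $missing.Count)

# 5. Cross-check: every original named in the manifest should now exist, and
#    nothing we copied back should itself carry the ransomware extension
#    (if it does, the restore point was taken after the encryption started).
if (-not $DryRun) {
    $stillMissing = @($manifest | Where-Object { -not (Test-Path -LiteralPath (Join-Path $ShareRoot $_)) })
    $badRestores  = @($missing  | Where-Object { $_.EndsWith($Extension, 'OrdinalIgnoreCase') })
    if ($stillMissing.Count) { Write-Warning ("{0} originals not in the backup; review manually" -f $stillMissing.Count) }
    if ($badRestores.Count)  { Write-Warning ("{0} backup files are themselves encrypted: restore point is too recent" -f $badRestores.Count) }
}
```

Run it once with -DryRun and read the counts before letting it delete anything; the manifest it writes to %TEMP% is your record of what was encrypted, which the client and the insurer will ask for later. The final warnings are the checks that matter: originals the backup never had point to files created after the last restore point, and backup files with the ransomware extension mean you mounted the wrong restore point.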

Because a Datto restore point can simply be mounted and pointed at, the comparison was quick and easy. We had the client up and running about 3 hours after the infection was identified, and they hardly missed a day’s work. This is a shining example of why I will always support the Datto product: it let us turn what could have been an absolute disaster into a huge win.

There is no shortage of Cryptolocker posts on this blog. See here, here and here for more information on Cryptolocker. As always, if you find suspicious files on your computer, give Everon a call at 888-244-1748 or email us at help@everonit.com. We’re here for you.

True Story: Rescue From a Zero Day Virus

A zero day virus is a brand-new piece of malware that has just been released into the wild, for which no information and no antivirus signature yet exist. This is the story of how our team encountered and identified a new Cryptolocker variant, then raced the clock to prevent its spread and further data loss.

Last week a client called in to say that their server was filling up with files with the extension .ECC. We had never seen that extension before, which immediately flagged a potential threat.

According to our research, .ECC files are associated with DVDisaster, an application written by a developer named Carsten Gnörlich. That made no sense: we doubted our client was using that application, and even if they were, why would it create .ECC files on their file server? We couldn’t figure it out.

Unless…!

Suddenly we realized we were dealing with a virus. We began scanning their file server with our antivirus and anti-malware tools. They came up empty. What gives?

Still playing our virus hunch, we brought one of the .ECC files into our isolated test environment and carefully opened it up.

And there it was: a variant of Cryptolocker, in all of its terrible glory.

Our client’s network was infected.

We scoured the Internet but couldn’t find anyone, anywhere, who had seen this Cryptolocker variant. Not only were we dealing with a vicious form of ransomware, we realized, we were dealing with a zero day virus: there was no antivirus signature for it yet, because it was brand-new.

Our team has extensive experience with Cryptolocker, so we had a baseline for this variant’s likely behavior: it first encrypts the user’s own hard drive, then goes after mapped network drives. We immediately began looking for the host machine.

A host machine is the machine that introduced the virus into the network.

Once you locate the culprit, you can remove Cryptolocker from it with your AV or anti-malware tools. In this case, as a precaution, we packed up the machine and wiped the hard drive completely. Cryptolocker has a nasty habit of leaving encrypted files scattered and hidden on the hard drive, and because this was a zero day infection we could not be sure whether this variant had left anything malicious on the server, or anywhere else.
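Spotting an extension you have never seen, as happened here, and then finding the host can be done systematically rather than by eye: rank what has recently appeared on the share, then read the NTFS owner of those files. A file created through an SMB share is owned by the account that wrote it, which names the user and, via the AV console or logon records, the workstation. The PowerShell below is an added example, not Everon’s or the WOLF team’s tooling; the share path, the 24-hour window and the ransom-note name patterns are assumptions.

```powershell
# Added example (not Everon's script). Run on the file server. $ShareRoot and
# the look-back window are assumptions; adjust both.
param(
    [string]$ShareRoot   = 'D:\Shares\Main',
    [int]$Hours          = 24,
    [int]$OwnerSample    = 500   # Get-Acl is slow; a sample is enough to name the account
)

$since  = (Get-Date).AddHours(-$Hours)
$recent = @(Get-ChildItem -Path $ShareRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since })
if ($recent.Count -eq 0) { Write-Warning "Nothing written in the last $Hours h under $ShareRoot"; return }

# 1. Which extensions appeared in bulk? A ransomware run leaves thousands of
#    files sharing one extension (.ECC, .trslcla, ...) that nobody uses otherwise.
$byExt = @($recent | Group-Object -Property Extension | Sort-Object -Property Count -Descending)
$byExt | Select-Object -First 10 -Property Count, Name | Format-Table -AutoSize

# 2. Take the top extension and look at who owns those files. Through an SMB
#    share, the owner of a newly created file is the account that created it.
$suspect = $byExt[0].Name
$hits    = @($recent | Where-Object { $_.Extension -eq $suspect } | Sort-Object -Property LastWriteTime)
$owners  = $hits | Select-Object -First $OwnerSample |
    ForEach-Object { (Get-Acl -LiteralPath $_.FullName).Owner } |
    Group-Object | Sort-Object -Property Count -Descending
"Files with extension '$suspect' were written by:"
$owners | Format-Table -Property Count, Name -AutoSize

# 3. The first and last write bound the attack window for log review, and the
#    first file's folder is where the malware started walking the share.
$first = $hits[0]; $last = $hits[-1]
"{0} files; first written {1} in {2}; last written {3}" -f $hits.Count, $first.LastWriteTime, $first.DirectoryName, $last.LastWriteTime

# 4. Ransom notes, if any, confirm the attribution: they are written by the
#    same account. (The name patterns are assumptions, not this variant's.)
$notes = @($recent | Where-Object { $_.Name -match 'decrypt|restore|recover|help' -and $_.Extension -in '.txt', '.html', '.hta' })
if ($notes.Count) { "{0} probable ransom notes, e.g. {1}" -f $notes.Count, $notes[0].FullName }
```

Two caveats. If the variant encrypts in place and only renames the file, the owner stays whoever wrote the original and step 2 tells you nothing; fall back on the AV console, the server’s open SMB sessions (Get-SmbSession / Get-SmbOpenFile on Server 2012 and later) and object-access auditing (event 4663) on the share. And whatever the script says, verify against the console before wiping a machine: a backup job or a service account writing to the share in bulk will look exactly like step 1’s output.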

With past versions of Cryptolocker, once you found and killed the host machine you could simply delete the encrypted files (they are useless without the encryption key, and are not themselves malicious). Since we weren’t sure this time, we used our Microsoft partner account to reach out to the WOLF team.

WOLF is the team at Microsoft dedicated to security, vulnerabilities, and virus and malware removal. They are essentially the software world’s version of the Navy SEALs. They are fantastic. We called them up and, like a true black ops team, they jumped in with their custom-built tool and scanned the server and the network for any traces of the virus left behind.

The WOLF team determined that the .ECC files were merely encrypted and that no further infection existed. They were also able to determine how the virus came into the network and which vulnerabilities allowed it.

We patched the machines, and we also recommended that users do the following:

  1. Ensure your antivirus is up to date and actually scanning.
  2. Install a complementary anti-malware scanner alongside the antivirus. (We recommended Malwarebytes Pro.)
  3. Install AdBlock Plus in every browser. It blocks unwanted ads and can help stop malicious ads from getting through.

With good, current backups, patching of Windows and third-party applications, and the steps above, I believe any company can stay safe online without compromising employees’ freedom to go where they choose.

For more information about Cryptolocker, or any security issues, feel free to call our engineers at Everon at 1-888-244-1748.

It’s a Bird, It’s a Plane, It’s a…. Superfish? What this is and how you might already be protected

You may have heard of a trending topic called Superfish. No, it’s not a giant squid or an aquatic vigilante. It’s something with malicious potential that could be living on your very own hard drive.

What is Superfish? It’s a type of adware, the likes of which you have probably seen before: unwanted ads, extra pop-ups while browsing, or highlighted text that links you to online shopping results.

How is Superfish different? Superfish was recently discovered pre-loaded on some new computers. Most adware is installed inadvertently by the user, bundled with a free download or picked up from a dubious site, and is normally more annoying than harmful. Superfish was intended to enhance online shopping, but to inject ads into secure (HTTPS) pages it installed its own root certificate in the machine’s trust store and intercepted encrypted traffic, and every affected machine carried the same private key for that certificate. Once that key was extracted, anyone on the same network (public Wi-Fi, for example) could impersonate any HTTPS site to those machines and read credentials, passwords, or anything else typed into the browser. What was created as a partnership to enhance online shopping unwittingly turned into a much larger security issue.

Fortunately, Microsoft quickly updated the Windows Defender anti-malware program to detect and automatically remove the adware. Computer manufacturers have also provided their own removal tools and published source code so others can check for anything that might have been missed.

At Everon, we routinely strip every computer we set up for our clients and reload the hard drive with only the software and systems the client wants and needs, leaving out what they don’t. As a precaution, though, as soon as we became aware of the Superfish issue we assessed all of our Managed Customers’ computers. Because of our standard due diligence during setup, our customers could breathe easy: we uncovered only one instance of Superfish out of over a thousand Managed Customer computers. (We immediately removed the adware from that machine, without the client having to do anything.)

But what if you’re not an Everon Managed Customer? How do you fix this problem?

Well, here is a step-by-step guide to removing Superfish from your computer. However, if you would just feel more comfortable, feel free to contact one of our Everon techs at 888-244-1748. Or contact us at info@everonit.com. We’ll be happy to assist you.
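One way to check whether a machine is affected, and to clean it, is to look for the Superfish root certificate directly: the certificate, not only the program, is what makes the machine vulnerable, and uninstalling the program does not necessarily take the certificate with it. The PowerShell below is an added example, not Everon’s procedure or the manufacturer’s removal tool. It matches on the string "Superfish", which the Superfish CA carried in its subject, and only deletes anything when run with -Remove from an elevated prompt.

```powershell
# Added example (not Everon's or the manufacturer's tool). Run elevated.
# Without -Remove it only reports.
param([switch]$Remove)

$pattern = 'Superfish'
$stores  = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
           'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA'

# 1. Any certificate issued by or to Superfish in the Windows trust stores?
$found = @(foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        Select-Object -Property @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
})
if ($found.Count -eq 0) { 'No Superfish certificate in the Windows trust stores.'; return }
$found | Format-Table -AutoSize

# 2. Is the program still installed? If so, uninstall it first: a running
#    Superfish would simply put the certificate back.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$app = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $pattern })
if ($app.Count) {
    Write-Warning ("Uninstall before removing the certificate: {0}" -f ($app.DisplayName -join ', '))
    return
}

# 3. Remove the certificate(s). Cert: provider paths are Store\Thumbprint.
if ($Remove) {
    foreach ($c in $found) {
        Remove-Item -Path (Join-Path $c.Store $c.Thumbprint) -Verbose
    }
} else {
    'Re-run with -Remove (elevated) to delete the certificate(s) listed above.'
}
```

This covers the Windows certificate stores, which is what Internet Explorer and Chrome trust. Firefox keeps its own trust store, so on machines that run Firefox also open its Certificate Manager (Authorities tab) and delete any Superfish entry there. After removal, visiting any HTTPS site and inspecting the certificate chain in the browser should show the site’s real CA, not Superfish, as the issuer.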

Can my phone get a virus? Should I use an antivirus on my Android device?

Hello to everyone reading this, and welcome to another “brain dump” from Tony! :) Today we are going to talk about viruses, malware, and Android devices: how they play together, and my thoughts on antivirus and anti-malware software. This is something quite a few people are curious about: “Can I get a virus on my phone? How would I know if I had a virus or malware? How would I get rid of it? How do I protect myself going forward?”

I have wondered about all this myself, honestly, and only recently did I do the research. Once I did, it all made sense, so I am going to relay my findings in my own words and put them into perspective. Like anything else, technology is always advancing, and so are viruses and malware. When something new comes out, there is always someone picking apart its code and writing infections that make everyone’s lives that much harder. That will never change! Since I am a heavy Android user, that’s what I am going to talk about.

Is it possible to get viruses and malware on phones? Yes, very possible, and it is becoming more and more common. When you think of a virus, you think of what you’d experience on a computer. Phone malware has some things in common with that, but it behaves a little differently. Malware on your phone will most likely take the form of applications that look and act like legitimate apps, even ones you use every day. Those are the targets, because if people believe they are in their normal apps, they are comfortable entering personal information. That is the usual purpose of this malware: stealing information. As with browsers on a PC, phone malware also shows up as those pesky pop-ups, and as page redirects: one moment you are reading your favorite news site, and the next you are on a page trying to sell you something (or worse, an “adult” page).

How would I get this on my phone? Good question. In most cases the Google Play store is the biggest culprit, because it is the easiest way to reach most Android users. Google Play is not as tightly policed as one would think, and getting a self-made app into the store is not an extensive process. If you have ever browsed the store, you have seen the huge number of apps and the many copies of the same thing. When you download free apps or buy apps, make sure they come from a company you know, or from the company itself: if you are downloading the Facebook app, check that the publisher is Facebook and not some third-party vendor. Apps sideloaded from outside the store (which requires turning on “Unknown sources”) are riskier still. And beware the permissions you grant: an app with the SMS permission can send texts without your knowledge, including to premium-rate numbers that run up a huge bill.

Now that that is out of the way, let’s talk about prevention. The best prevention is always being cautious about what you download and open. That is ultimately best, but it can also be difficult (when an app looks and acts like the real thing, it is hard to tell the difference). Next, some people use antivirus or anti-malware software. If you go that route, my suggestion is to use a paid version rather than a free one; as with PC programs, the free versions are limited and tend to lack the features that matter most. Also be aware of the performance cost: such apps run frequently, which slows the phone down, eats the battery, and generates notifications that get annoying.

In all of this, there are many options to help protect yourself, but the biggest tool you have is knowledge. And a company, such as Everon, to help educate you. If you have any questions about security on your devices, or have a question about an app before you download it, please feel free to reach out to us (888-244-1748 or info@everonit.com). We are always more than happy to help!