2 July 2014

For those who don’t already know, there is one anti-virus system that can help when you are infected with CryptoLocker. You do need to install it before you are infected, and if you share drives, it needs to be on all the systems that host the shared drive. It is called Webroot SecureAnywhere (WSA) and has a really good feature that allows changes to be rolled back.

WSA has a vast database of known good applications, which allows it to give those executables a clean bill of health. It also has the usual vast database of known malware, along with a sophisticated set of heuristics to identify malware. As a result, it can single out the unknown executables that we all want to be wary of: they might be legitimate, but they may also be zero-day exploits. This is where it gets interesting, as WSA then journals any changes that the unknown app makes to the system it is on, whether to disk or to the registry. So if an app starts encrypting files, for instance, a copy of each file is taken before it is encrypted and stored in the journal. If the unknown app is subsequently identified as yet another variant of CryptoLocker or other encryption malware, the malware can be removed, the encrypted files deleted and the unencrypted originals restored. It is the only anti-malware we know of that can actively protect a user if they are unfortunate enough to become infected.

If you need more information on this, then contact us at: info@redscan.com. For more information, visit this article (pdf) and for some personal stories, go to: https://community.webroot.com/t5/Security-Industry-News/How-To-Avoid-CryptoLocker-Ransomware/td-p/65059
