A bit of a problem today as one of our users clicked on a zip file in an attachment and got CTB-Locker. It encrypted the files on his computer and also on the network through all the mapped network drives.
We have Avast Server Edition and Avast Pro on the workstations.
Shouldn't this virus have been stopped by Avast?
We got most of our data back, because we have backups. But one of our users put a lot of professional images in a folder without backups. Any way to get our data back except paying for the key? We have around 500 images to recover.
Regards,
PS: Also, it seems this malware got installed after the user clicked on the attachment only. From what I know, you have to execute something to get a virus, and here he only opened the zip if I understand right. Am I missing something? Can I prevent this type of file from arriving in our mailboxes? It must be something specific, as it is some kind of zip executable. If it is something specific, I should be able to exclude it.
I don't think one of our clients will need to send us something like that.
Hello,
Hmmm, that's a pity. I think that the file had a double extension (.zip.exe) and the option to hide known extensions was set. So the ".exe" part was hidden and the user only saw a .zip, and/or the executable file might have had the icon of a zip archive or folder, so the user thought it was a zip archive/folder and ran the .exe directly. But such attachments should be blocked by Avast because it's an executable from email, and I also guess the file should have low prevalence in our FileRep (cloud-based detections), so it should warn the user before running or run the file in DeepScreen. What version of Avast do you have? Do you have "Reputation services" and "DeepScreen" enabled?
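The reply above describes the trick (a name like invoice.pdf.exe that displays as invoice.pdf when known extensions are hidden) and the question before it asks whether such attachments can be stopped at the mailbox. Added example, not from either poster or from Avast: a small Python gateway-side check that flags executable or double-extension attachment names and looks inside zip attachments for the same pattern. The extension lists and the sample message are constructed assumptions; the "executable" inside the sample zip is inert text.

```python
import io
import zipfile
from email.message import EmailMessage
from pathlib import PurePosixPath
from typing import List, Optional

# Assumed lists: extensions Windows runs on double-click, and data extensions used as the visible decoy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs", ".wsf"}
DECOY_EXTS = {".zip", ".pdf", ".doc", ".docx", ".xls", ".jpg", ".png", ".txt"}

def classify_filename(name: str) -> Optional[str]:
    """Return a reason to quarantine if the name is executable or a decoy double extension, else None."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
        return None
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
        return f"double extension: looks like {suffixes[-2]} but runs as {suffixes[-1]}"
    return f"executable attachment ({suffixes[-1]})"

def inspect_zip(data: bytes) -> List[str]:
    """Apply the same name check to every member of a zip attachment; unreadable archives are flagged too."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [i.filename for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return ["unreadable zip archive"]
    return [f"{m}: {r}" for m in members if (r := classify_filename(m))]

def scan_message(msg: EmailMessage) -> List[str]:
    """Check all attachments of a parsed message and return the reasons it should be held back."""
    findings: List[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = classify_filename(name)
        if reason:
            findings.append(f"{name}: {reason}")
        elif name.lower().endswith(".zip"):
            findings.extend(inspect_zip(part.get_payload(decode=True)))
    return findings

def build_sample_message() -> EmailMessage:
    """Constructed sample: a mail whose zip attachment carries 'invoice.pdf.exe' (inert text, not a program)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", "inert placeholder, not a real program")
        zf.writestr("readme.txt", "plain text")
    msg = EmailMessage()
    msg["Subject"] = "Your invoice"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg
```

A mail gateway or transport rule that holds any message for which scan_message() returns a non-empty list would have stopped the attachment described in this thread before it reached the user.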
We are using Exchange and Outlook on the workstations.
I know that no security program detects things 100%, but I saw in an article on CTB-Locker that Avast recognizes the program as a virus. I guess they made a new one.
We have mxlabs, which filters our mail externally. Then we have Avast on the server and Avast on the workstations... I guess I thought this kind of file didn't get through 3 layers of protection. Anyway, I asked my users to be more careful.
DeepScreen and Reputation services are activated on every workstation. I know DeepScreen works because I've seen it analyze our in-house applications quite a few times. This application is never launched on the computer that had the problem, so I've never seen the DeepScreen popup on that particular workstation. But DeepScreen is activated in Avast.