Hello;
My network has been hit with both CryptoLocker and more recently CryptoDefense. When first hit with CryptoLocker, the only repair that could be done was network Restore. The same solution with the second. After the first attack, I enabled ShadowCopy on all networked drives in which available. The problem I ran into was finding the source of the infection.
CryptoLocker was quite straightforward that it had infected my network. The end user reported the all-too-familiar CryptoLocker Ransom request. At that time, we only had SEP 11.x running, antivirus only. If found the infection and removed it, but it was too late.
We instituted Group Policies to help alleviate the possibility of future infections . .. but to no avail.
CryptoDefense never made itself pronounced until several days later, when the user reported the Trojan.CryptoDefense poppe up on his SEP Client.
My Real Questions Pertaining to SEP are:
1-What are the least restrictive Settings the SEP Client that could prevent another initial infection?
-----that lightly affect users
-----that minimally impact overall administration of workstations
2-Is there a way to implement the initial SEP Client updates from the local SEPM server?
----bandwidth at my site is extremely limited and client install commonly take an hour to update when run individually, making remote deployment unusuable.
I know the real defense is to never get infected in the first place. . . I have gone over this several times with my users as these attacks gain access through email. Even with our third party smtp scanning, using Brightmail or its newer equivalent, they never catch the possibility of infection.
Each time this network gets infected, the minimal IT staff (Me) gets overwhelmed for several days. That's why I am putting this out there to ask for guidance.
Thanks