Over at the dude ranch there has been a growing string of ransomware infections. (Hence the ongoing GSD posting of ransomware/crypto-whatever threat analysis posts.)
Good news is that (in most cases) our end-user data backup routines are pretty good so we can usually restore their data; give or take a few days back in time.
Bad news is that the current organizational IR plan seems to be: detect (post-infection or via a customer help desk call), grab a canned report, wipe/reimage the system, then restore the user’s files after additional off-line scan checks.
I keep slapping my face with a prickly pear pad as (granted, based on my limited view from horseback afield and not being in the ranch-house proper) there doesn’t seem to be a clear effort to do real, structured, system/user-level incident response to determine the actual vector of infection(s); was it a Flash Player exploit? Malvertising? An email attachment? A breach in the fence? What is it about our application layers or security posture that keeps letting these things through to execute?
If such data is being collected and analyzed the information isn’t leaking down to us working the herd.
What spurred this post is this SANS ISC Diary post from Didier Stevens.
- Analyzing Quarantine Files - SANS Internet Storm Center
So I dug up these KBs from Symantec that provide additional info on their SymHelp tool, the Threat Analysis scan, sending a suspicious file, and reading SymHelp’s SDBZ file content on a different system than the infected one.
- Restoring a false positive file detection from the Symantec Endpoint Protection quarantine – Symantec
- Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team. - Symantec Connect
- Symantec - About Symantec Help (SymHelp) – Symantec
- Symantec - Download the Symantec Help (SymHelp) diagnostic tool to detect Symantec product issues – Symantec
- Symantec - How to run the Threat Analysis Scan in Symantec Help (SymHelp) – Symantec
- Symantec - About the Threat Analysis Scan – Symantec
- Symantec - Symantec Help (SymHelp) FAQ – Symantec
- How to send the suspicious file to Symantec Lab - Symantec Connect
- Show sdbz file content - Symantec Connect
OK. Back into the cacti.