
Virus detected under c:\users\%username%\appdata\roaming\evvc

AigarsK
Level 2

Hi There,

We have recently deployed a new AV (System Center Endpoint Protection) and we have started to receive notifications of infections detected in the following location, "c:\users\%username%\appdata\roaming\evvc\", for multiple users across the desktop estate.

Example:

=======================================================================================

Malware Name: Ransom:HTML/Tescrypt.A
Number of infections: 1
Last detection time(UTC time): 8/3/2015 7:27:30 PM

These are the infections of this malware:

1. Computer name: computername.your.domain
Domain: YOUR.DOMAIN
Detection time(UTC time): 8/3/2015 7:27:30 PM
Malware file path: file:_C:\Users\%username%\AppData\Roaming\evvc\EV_OV_514_1d0ce22_70674199_28bd0e2_1a29a8ab0345040200message.txt

=======================================================================================

The company has a history of a Cryptowall outbreak in the past, and the origin was an email attachment, so I believe that there might be some historical emails archived and placed in Enterprise Vault.

I am wondering if someone would be able to explain to me how I could find which is the offending email, so that I could remove it from the mailbox items.

I believe that there should be a way to search for the GUID (ID?) which is in the detection report: EV_OV_514_1d0ce22_70674199_28bd0e2_1a29a8ab0345040200message.txt

So would you so kindly help me with this one?

Many thanks.


System setup:

OS: Windows 7 x64

Office: Office 2010 32bit

Add-in: Enterprise Vault v:9.0.9377


_r___
Level 6
Certified

With Cryptowall, the best thing to do is wipe the drive and restore from a known good backup. If you don't have a good backup, your files are lost.

Are you using SEP? It doesn't sound like it.

Have you run a full scan?

Have you looked at instituting a software restriction policy to prevent this stuff?

AigarsK
Level 2

Hi Brian,

Thanks for your reply. The thing is that the virus is removed, but some user had reported the issue by sending one of the files this Cryptowall creates (one HTML and one PNG file), which had the details of how to buy remedies.

This email gets archived by Enterprise Vault. As users are running Outlook in cached mode with Enterprise Vault installed, this archived message gets cached on the computer as well.

Now, once the AV is scanning the PC and finds this cached email, it flags it and removes it.

All I need is a way to locate this message in the vault using the information I have; in this case, all I have is: EV_OV_514_1d0ce22_70674199_28bd0e2_1a29a8ab0345040200message.txt

Where and to what does this string in the file name refer? It does not give me anything: no subject, no sender, no date on which I could base my search in the vault to get it removed from there.


Marcde
Moderator
Partner    VIP    Accredited

Have you been able to track this down?

I'm also trying to find a way.

All I currently have is http://www.veritas.com/docs/000023016

PMCS GmbH & Co. KG - A Serviceware Company
www.serviceware.de