08-04-2015 03:32 AM
Hi There,
We recently deployed a new AV (System Center Endpoint Protection) and have started to receive notifications of infections detected in the following location "c:\users\%username%\appdata\roaming\evvc\" for multiple users across the desktop estate.
Example:
=======================================================================================
Malware Name: Ransom:HTML/Tescrypt.A
Number of infections: 1
Last detection time(UTC time): 8/3/2015 7:27:30 PM
These are the infections of this malware:
1. Computer name: computername.your.domain
Domain: YOUR.DOMAIN
Detection time(UTC time): 8/3/2015 7:27:30 PM Malware file path: file:_C:\Users\%username%\AppData\Roaming\evvc\EV_OV_514_1d0ce22_70674199_28bd0e2_1a29a8ab0345040200message.txt
=======================================================================================
The company has a history of a Cryptowall outbreak in the past, and the origin was an email attachment, so I believe there might be some historical emails archived and placed in Enterprise Vault.
I am wondering if someone would be able to explain to me how I could search for the offending email so that I could remove it from the mailbox items.
I believe there should be a way to search for the GUID (ID?) which is in the detection report: EV_OV_514_1d0ce22_70674199_28bd0e2_1a29a8ab0345040200message.txt
So would you kindly help me with this one?
Many thanks.
System setup:
OS: Windows 7 x64
Office: Office 2010 32bit
Add-in: Enterprise Vault v:9.0.9377
08-04-2015 03:44 AM
With cryptowall, best thing to do is wipe the drive and restore from a known good backup. If you don't have a good backup, your files are lost.
Are you using SEP? It doesn't sound like it.
Have you run a full scan?
Have you looked at instituting a software restriction policy to prevent this stuff?
08-04-2015 08:17 AM
Hi Brian,
Thanks for your reply. The thing is that the virus is removed, but some user had reported the issue by sending one of the files this Cryptowall creates (one HTML and one PNG file), which had the details of how to buy remedies.
This email gets archived by Enterprise Vault. As users are running Outlook in Cached mode with Enterprise Vault installed, this archived message gets cached on the computer as well.
Now, once the AV scans the PC and finds this cached email, it flags it and removes it.
All I need is a way to locate this message in the vault by using the information I have; in this case all I have is: EV_OV_514_1d0ce22_70674199_28bd0e2_1a29a8ab0345040200message.txt
Where and to what does this string of a file name refer? It does not give me anything: no subject, no sender, no date on which I could base my search in the vault to get it removed from there.
11-03-2015 02:40 AM
Have you been able to track this down?
I'm also trying to find a way.
All I currently have is http://www.veritas.com/docs/000023016