If, I repeat if, a CryptoLocker virus were to sneak by WSA, how would the journaling feature deal with this? I use OneDrive for my online backups and there is a OneDrive folder on my PCs, as I have them set to sync. I have about 8GB of files stored, and if a virus were to encrypt the files on my PC and sync the encryption across all my PCs and my online account, would the journaling be able to do anything? I mean, as far as I can understand, journaling backs up the files that a suspicious file is messing with, but 8GB worth?
Hi brihy1
I think that it depends what you mean by 'sneak by'. If that is in the literal sense of the phrase then basically WSA journaling won't help, because that only kicks in as and when WSA determines that a file is unknown, i.e. a good/bad determination cannot be made at that time, and therefore initiates monitoring of the file's actions. So if 'it has snuck by' then by definition WSA has not detected the above / has flagged it as good.
If by 'sneak by' you mean that it does not declare it bad, then as long as it does not think it is good it will initiate the monitoring, which then allows potential rollback at a later date when a determination has been made and it is flagged as bad.
Hope that helps?
Also, do bear in mind that when WSA starts monitoring a file because it cannot determine whether it is good or bad, that file is only allowed to carry out a restricted set of actions, and I believe that trying to encrypt another file or files would constitute a prohibited action whilst in the monitoring state.
Perhaps one of the Professionals...the Threat Researchers...can confirm or debunk what I am advising?
Regards
Baldrick
I checked with the threat research team and they said that the journaling should work with OneDrive since the files have a copy stored locally. As long as you have sufficient room on your computer for copies of the files to be made, they will be journaled as usual.
That being said, there are new variants of CryptoLocker that come out regularly, as Baldrick mentioned, and they're always looking for ways to subvert our protection. To be fully secure I'd suggest having a backup of your data that isn't synced automatically from your machine; that way you won't get good backup files overwritten by bad encrypted files. With something as nasty as CryptoLocker you want layered protection, and don't rely on any one layer alone.
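The two points in Nic's reply (journaling works on the local OneDrive copy only as long as there is room for the pre-modification copies, and a backup that is not auto-synced is still needed) can be seen together in a toy model. This is an added example, not Webroot's code and not how WSA's journaling is actually implemented; the folder names, file contents, the XOR "encryption" standing in for a cryptolocker, and the journal byte budget are all constructed for the illustration.

```python
"""Toy model of first-touch file journaling with rollback, alongside a sync
client that faithfully mirrors encrypted files to another device.
Constructed example; not Webroot's implementation. Folder names, file contents,
the XOR "encryption" and the journal byte budget are all made up."""
import hashlib
import shutil
import tempfile
from pathlib import Path


class Journal:
    """Snapshots each file the first time an untrusted process writes it,
    within a byte budget (the 'sufficient room on your computer' condition)."""

    def __init__(self, journal_dir: Path, budget_bytes: int) -> None:
        self.dir = journal_dir
        self.dir.mkdir(parents=True, exist_ok=True)
        self.budget = budget_bytes
        self.used = 0
        self.snapshots: dict[Path, Path] = {}   # target -> snapshot copy
        self.unjournaled: list[Path] = []        # touched, but no room to snapshot

    def before_write(self, target: Path) -> bool:
        """Called before the monitored process modifies target. Returns True if
        a pre-image exists (new or earlier) for a later rollback."""
        if target in self.snapshots:
            return True
        if target in self.unjournaled:
            return False
        size = target.stat().st_size
        if self.used + size > self.budget:
            self.unjournaled.append(target)
            return False
        snap = self.dir / hashlib.sha256(str(target).encode()).hexdigest()
        shutil.copy2(target, snap)
        self.used += size
        self.snapshots[target] = snap
        return True

    def rollback(self) -> list[Path]:
        """Restore every snapshot; return the files that could not be restored."""
        for target, snap in self.snapshots.items():
            shutil.copy2(snap, target)
        return list(self.unjournaled)


def fake_ransomware(folder: Path, key: int, journal: Journal) -> None:
    """Stand-in for an unknown process: overwrites each file with an XOR of it.
    The journal hook runs first, as a monitor would on each write."""
    for f in sorted(folder.iterdir()):
        journal.before_write(f)
        f.write_bytes(bytes(b ^ key for b in f.read_bytes()))


def sync(src: Path, dst: Path) -> None:
    """Mirror src into dst the way a sync client does: it copies whatever is
    there, encrypted bytes included."""
    for f in src.iterdir():
        shutil.copy2(f, dst / f.name)


def run_scenario(budget_bytes: int) -> dict:
    root = Path(tempfile.mkdtemp())
    onedrive, other_pc, offline, jdir = (
        root / n for n in ("OneDrive", "OtherPC", "ExternalHDD", "journal"))
    for d in (onedrive, other_pc, offline):
        d.mkdir()
    # Constructed sample data: four 900-byte "documents" in the synced folder.
    originals = {f"doc{i}.txt": f"report {i}\n".encode() * 100 for i in range(4)}
    for name, data in originals.items():
        (onedrive / name).write_bytes(data)
    sync(onedrive, other_pc)
    sync(onedrive, offline)   # offline copy taken before infection, then unplugged

    journal = Journal(jdir, budget_bytes)
    fake_ransomware(onedrive, 0x5A, journal)
    sync(onedrive, other_pc)  # the sync client pushes the damage to the other PC

    def intact(folder: Path) -> bool:
        return all((folder / n).read_bytes() == d for n, d in originals.items())

    other_pc_hit = not intact(other_pc)
    lost = journal.rollback()
    sync(onedrive, other_pc)  # after rollback the next sync pushes whatever is local

    result = {
        "other_pc_hit_by_sync": other_pc_hit,
        "local_restored": intact(onedrive),
        "other_pc_restored_by_resync": intact(other_pc),
        "offline_copy_intact": intact(offline),
        "files_unrecoverable": len(lost),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print("enough room:", run_scenario(budget_bytes=10_000))
    print("not enough room:", run_scenario(budget_bytes=2_000))
```

With a budget that covers every touched file, rollback restores the local folder and the next sync repairs the other PC; with too small a budget, the files journaled first come back and the rest stay encrypted everywhere the sync reached. The only copy untouched in both runs is the one on the unplugged external drive, which is the layered-protection point.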
Baldrick, I mean by 'sneak by' that it doesn't know if the file is good or bad, so I believe it would be monitored by WSA. I guess what I'm trying to see is, if it was being monitored by WSA in active processes, would it be allowed to encrypt my files in the OneDrive folder? Because if it does, then it will encrypt my files online and on all my other PCs and therefore I will be screwed.
Thanks for clarifying brihy1...I was taking you too literally...:$
I think that Nic has saved the day with his post..and that you have your answer...from the horse's mouth...so to speak. ;)
Regards
Baldrick
Nic, I have plenty of room on the HD and I always back up my entire systems (Macrium) and back up files to an external HD. Just checking to see if I was OK with WSA on that subject, and it seems like I'm fine. Thanks Baldrick and Nic.
Good, sounds like you have a solid setup, and glad to help!
You have to be very careful with online backups. I use OneDrive myself, and if one PC gets encrypted and this gets uploaded to your online SkyDrive, other devices, when they boot up and detect the changes, will download the encrypted versions. With crypto malware it's advised to have local/online and offline backups (HDD/USB/DVD etc.).