Complete

Immediate email alert for new unknown process run (based on a CryptoWall infection)

  • 14 December 2015
  • 5 replies
  • 4569 views

Userlevel 6
Hi,

We just got a CryptoWall infection at one of our customers with 1500 PCs.

Even though the WSA client is capable of recognizing new unknown processes starting on an endpoint, and even though it also reports them to the console, the most important things are still missing:

- send an email alert to admins immediately when an endpoint reports a new unknown process running on the endpoint
- be able to create a report in the console for a specific day that includes the new unknowns started/found on THE SPECIFIED DAY only

If we had this information, we could possibly very quickly pinpoint the infection among the 1500 PCs.

Now we could not, because, just imagine, what is the best advice if you see files being encrypted on file server shares? Switch off the shares and disconnect the endpoints from LAN / INTERNET! Well, but then again, that would lead to several days off work, and you will need to find the infected machine with everything offline.

So in our example, Saturday morning some user suddenly found encrypted files on a network share. The share was switched off. We saw the timestamps of the HELP_DECRYPT.TXT files so we could see when the malware encrypted the files. It was Saturday morning. OK. Then, IF we had an alert about new unknowns of this Saturday then we could easily pinpoint out of 1500 clients which ones were running an unknown process at the time of encryption - and we could stop only these PCs and let others work.

So, I believe, as I told Webroot several times in 2012 already: sending alerts about caught viruses to admins (meaning existing "Threat Detected" and "" reports) is simply useless as they contain information after auto-remediation (auto-quarantining the malware). Some email collectors may like to get these alerts, but they will really not have any job with it.

Rather, admins need to focus on hidden things running in the environments, and those are the unknowns.
We need alerts for each and every unknown process immediately, just as soon as they first run! That is what admins must take care about! And then admins will have a chance to stay in control.

Kind regards,
Gyozo


WSA 6500+ endpoints installed and maintained daily, 11+ years with Webroot, 1 yr Webroot MSP
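The triage described in the post above, matching the HELP_DECRYPT.TXT timestamps against the first-run times of unknown processes, as an added example that is not part of the original post and is not Webroot code. The event tuples, host and process names, timestamps and the 24-hour lookback are constructed assumptions; the page does not show the WSA console's real export format.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data. The (endpoint, process, first_seen) layout is a
# hypothetical export format, not the WSA console's actual one.
UNKNOWN_EVENTS = [
    ("PC-0412", "invoice_view.exe", "2015-12-12 08:51:10"),
    ("PC-0977", "updater_tmp.exe",  "2015-12-11 16:20:00"),
    ("PC-1203", "setup_helper.exe", "2015-12-12 11:45:30"),
    ("PC-0033", "scan2pdf.exe",     "2015-12-10 09:00:00"),
]
# Constructed modification times of HELP_DECRYPT.TXT notes found on the share.
NOTE_MTIMES = ["2015-12-12 09:02:44", "2015-12-12 09:03:10", "2015-12-12 09:17:55"]


def encryption_window(note_mtimes):
    """Return (first, last) ransom-note timestamp: the observed encryption period."""
    times = sorted(datetime.strptime(t, FMT) for t in note_mtimes)
    if not times:
        raise ValueError("no ransom-note timestamps supplied")
    return times[0], times[-1]


def suspects(events, note_mtimes, lookback_hours=24):
    """Endpoints whose unknown process first ran inside the suspect period.

    The period runs from `lookback_hours` before the first ransom note up to
    the last note. A process first seen after encryption ended cannot have
    caused it; one first seen long before is a weaker candidate (assumption).
    """
    start, end = encryption_window(note_mtimes)
    earliest = start - timedelta(hours=lookback_hours)
    hits = []
    for host, proc, seen in events:
        ts = datetime.strptime(seen, FMT)
        if earliest <= ts <= end:
            hits.append((abs(start - ts), host, proc))
    hits.sort()  # first run closest to the start of encryption ranks first
    return [(host, proc) for _, host, proc in hits]


if __name__ == "__main__":
    for host, proc in suspects(UNKNOWN_EVENTS, NOTE_MTIMES):
        print(f"isolate first: {host} ({proc})")
```
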

5 replies

Userlevel 7
Personally I don't consider an email a fast enough way of alerting in case you are getting Crypto'd and therefore I'd consider another solution. Don't know if it is feasible for Webroot and if they deem this secure enough but here it goes.
 
Depending on your network setup you might be able to log into a router and execute a disable from the network port on which the affected machine is connected, so if somehow you were able to report the MAC address from the machine affected and pipe this to an external script you could run to disable that port on a router, then you immediately throw that PC off the network.
 
Either that or when the alert comes see if you can disable the internal network card or wireless adapter a few hundredths of a second after you direct an alert to the admins.
 
So to sum it up maybe there should be an option to run a custom-built script when an alert is triggered, as you can't ask Webroot to build in the code to manage your network resources.
 
Userlevel 6
Edwin, thank you for improving the idea! I am totally on your side! Now let's see on which side Webroot development is! If only they were as quick in development as this idea got to this many kudos...
Userlevel 2
As an add-on to the message of Edwin, there are solutions in the market that can do NAC or NAP.
With these solutions you are able to filter out problems on endpoints automatically. When an error occurs they can manage switches, VLANs, blocking or switching into a quarantine VLAN, disable network ports on switches etc.

The only problem is that the solutions are checking the Windows Action Center in many cases, and if there are problems it will block or disable the port, but what if a new process is being started? This is not a problem according to the Windows Action Center because it is not receiving any failures or issues from the AV vendor. When an option becomes available from the Webroot part saying that the device is having a "Potential problem with the AV solutions", we can use this to filter in the NAP/NAC solution and build automatic rules around that.

There is only one problem with this. Every time a new process is being started/monitored all the devices with that process will not be able to work because they are being quarantined in the network.

I hope this can be useful, I am willing to help out writing a concept for this if product development would like to see more of this.
Userlevel 6
Guys, from the recent months' Locky infections, I believe we had better ask for this feature much harder: https://community.webroot.com/t5/Ideas-Exchange/Change-firewall-action-to-default-block-UNKNOWN-processes/idi-p/245321
Userlevel 7
We appreciate your suggestion and have taken it into consideration. We are working on a complete transformation of the alerts and reporting functionality, which we are currently planning to release towards the end of 2018. Once that update has been rolled out, we will look forward to hearing your thoughts on the new functionality. Thank you!
