We just got a CryptoWall infection at one of our customers with 1500 PCs.
The WSA client is capable of recognizing new unknown processes starting on an endpoint, and even though it also reports them to the console, the most important things are still missing:
- send an email alert to admins immediately when an endpoint reports a new unknown process running on the endpoint
- be able to create a report in the console for a specific day that includes only the new unknowns found on THE SPECIFIED DAY
If we had this information, we could possibly pinpoint the infection among the 1500 PCs very quickly.
Now we could not, because, just imagine: what is the best advice if you see files being encrypted on file server shares? Switch off the shares and disconnect the endpoints from the LAN / Internet! Well, but then again, that would lead to several days off work, and you would need to find the infected machine with everything offline.
So in our example, on Saturday morning some user suddenly found encrypted files on a network share. The share was switched off. We saw the timestamps of the HELP_DECRYPT.TXT files, so we could see when the malware encrypted the files. It was Saturday morning. OK. Then, IF we had had an alert about the new unknowns of this Saturday, we could easily have pinpointed which ones out of 1500 clients were running an unknown process at the time of encryption - and we could have stopped only these PCs and let the others work.
So, I believe, as I already told Webroot several times in 2012: sending alerts about caught viruses to admins (meaning the existing "Threat Detected" and "" reports) is simply useless, as they contain information after auto-remediation (auto-quarantining the malware). Some email collectors may like to get these alerts, but they will really not have any job to do with them.
Rather, admins need to focus on the hidden things running in their environments, and those are the unknowns.
We need alerts for each and every unknown process immediately, as soon as they first run!
That is what admins must take care of! Then admins will have a chance to stay in control.
WSA 6500+ endpoints installed and maintained daily, 11+ years with Webroot, 1 yr Webroot MSP
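The triage described in the post (a per-day list of first-seen unknowns, and matching each endpoint's first-seen unknown process against the HELP_DECRYPT.TXT timestamps on the share), as an added example in Python; this is not WSA or Webroot code, and the console export layout, host names, process names and timestamps are constructed for illustration.

```python
"""Correlate 'new unknown process' console events with ransom-note
timestamps from a file share to shortlist endpoints for isolation.
Added example, not Webroot/WSA code; all data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed console export: (endpoint, process, first-seen timestamp)
UNKNOWN_EVENTS = [
    ("PC-0042", "svchost32.exe",  "2015-03-14 08:12:05"),
    ("PC-0917", "updater.exe",    "2015-03-13 17:40:11"),
    ("PC-1203", "xyz.tmp.exe",    "2015-03-14 08:25:47"),
    ("PC-0311", "setup_tool.exe", "2015-03-10 09:02:00"),
]

# Constructed modification times of HELP_DECRYPT.TXT notes on the share
RANSOM_NOTE_MTIMES = [
    "2015-03-14 08:31:10",
    "2015-03-14 08:44:52",
    "2015-03-14 09:03:19",
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def unknowns_by_day(events):
    """Per-day report: which endpoint first ran which unknown on each date."""
    report = defaultdict(list)
    for host, proc, seen in events:
        report[_ts(seen).date().isoformat()].append((host, proc))
    return dict(report)

def suspect_endpoints(events, note_mtimes, lead_hours=2):
    """Endpoints whose unknown process first ran inside the encryption
    window (earliest to latest ransom note), extended back by lead_hours
    because the malware starts before the first note is written."""
    notes = sorted(_ts(m) for m in note_mtimes)
    start = notes[0] - timedelta(hours=lead_hours)
    end = notes[-1]
    hits = {}
    for host, proc, seen in events:
        if start <= _ts(seen) <= end:
            hits[host] = (proc, seen)
    return hits

if __name__ == "__main__":
    print(unknowns_by_day(UNKNOWN_EVENTS))
    print(suspect_endpoints(UNKNOWN_EVENTS, RANSOM_NOTE_MTIMES))
```

With the constructed data only PC-0042 and PC-1203 fall inside the Saturday window, so those two are the ones to take offline while the rest keep working.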