02-19-2016 06:21 AM
Can anyone confirm whether the Sophos anti-virus (or even the anti-spam) definitions are protecting against Locky [1]? Our ESA's avstatus is:
SAV Engine Version 3.2.07.363.1_5.22
IDE Serial 2016021901
Last Engine Update 19 Feb 2016 13:57 (GMT +00:00)
Last IDE Update 19 Feb 2016 09:59 (GMT +00:00)
[1] https://nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/
02-19-2016 06:52 PM
Hello Tim,
While I cannot confirm whether it's capturable by Sophos or the spam engine, as I would need to see a sample to escalate it forward to them, if there have been prior escalations to the security teams they would likely have updated the rules; but at this point there is no confirmed answer.
Otherwise, a proactive method is to quarantine emails where there is an attachment in an Office format (doc, docx, etc.) with a macro embedded within the Office document.
Regards,
Matthew
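One way to implement the proactive check Matthew describes (quarantine Office attachments that carry an embedded macro), as an added example that is not from this thread, from Cisco or from Sophos: it inspects the attachment bytes rather than trusting the extension. OOXML files (docx/docm/xlsm/pptm) are zip archives whose VBA project is stored in a vbaProject.bin part; legacy OLE files (.doc/.xls) are checked with a simple heuristic for the _VBA_PROJECT stream name, which a real OLE parser should replace in production. The sample documents are constructed inline.

```python
import io
import zipfile
from typing import Tuple

OOXML_MAGIC = b"PK\x03\x04"                          # zip container (docx/docm/xlsm/...)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # OLE compound file (.doc/.xls)
OFFICE_EXTS = {"doc", "docx", "docm", "dot", "dotm", "xls", "xlsx", "xlsm", "ppt", "pptx", "pptm"}


def ooxml_has_macro(data: bytes) -> bool:
    """An OOXML document carries VBA only if a vbaProject.bin part is present."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def ole_has_macro_heuristic(data: bytes) -> bool:
    """Heuristic (assumption, not a full parser): a VBA project inside an OLE file
    always has a '_VBA_PROJECT' stream, whose UTF-16LE directory-entry name is
    visible in the raw bytes."""
    return "_VBA_PROJECT".encode("utf-16-le") in data


def should_quarantine(filename: str, data: bytes) -> Tuple[bool, str]:
    """Policy: Office attachment + embedded macro => quarantine.
    A mismatch between Office extension and container is flagged for review."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in OFFICE_EXTS:
        return False, "not an Office attachment"
    if data.startswith(OOXML_MAGIC):
        return (True, "OOXML with vbaProject.bin") if ooxml_has_macro(data) else (False, "OOXML without macro")
    if data.startswith(OLE_MAGIC):
        return (True, "OLE with _VBA_PROJECT stream") if ole_has_macro_heuristic(data) else (False, "OLE without macro")
    return True, "Office extension but unrecognised container; review"


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML package, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder VBA project bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("invoice.docm", build_ooxml(True)), ("report.docx", build_ooxml(False))):
        print(name, should_quarantine(name, blob))
```

Because the decision is content-based, a macro-bearing file renamed to .docx is still caught.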
02-21-2016 04:37 AM
Tim, I wouldn't conflate Locky as published by Sophos with the example vector Troj/DocDl-BCF they quote in their article. Locky is the encrypting malware and it's probably been distributed by a dozen different variations of the malware downloader Troj/DocDl already. The signatures published by Sophos and the rules published for CASE (in my observation) tackle specific versions of Troj/DocDl - there's no general signature or rule that will catch them all, and you need to face up to the prospect of a constant drizzle of new zero-day variations hitting your gateway. This is also why Matthew would need to see the specific downloader in order to tell you when Sophos or CASE became capable of stopping it (because by now I'll bet at least one of them can).
The rest is off-topic for this forum, but a little while ago I ensured that all of our Office installations were duly sceptical of Office macros and we've had enough scares for staff to be wary of unfamiliar senders. We're also sitting behind a web proxy with SSL interception that is not only looking for malware but also takes a robust view of anything executable. Even so, what the Sophos article says about backups is absolutely true; encrypting malware that gets into a big network drive can cause a massive amount of damage and only good backups can help you, though a sensible degree of subdivision can also mitigate.
My point is that defence in layers has now become fairly indispensable. I'm in the lucky position where we can set the technical architecture used by my recipients. IronPort admins just providing a service to their recipients can only make plain the fact that the zero-day Troj/DocDl threat can only be completely blocked by banning the attachment types in question. For many of us, that isn't a realistic proposition.
02-22-2016 08:19 AM
As long as Sophos is up-to-date, I have confirmed with Sophos that our IDE library operates to cover Locky based on the following IDEs:
ESA updated Sophos IDEs --->
'Rans-Cgw.Ide' Virus Sig. - 17 Feb 2016 02:35:03
Other IDEs associated with Troj/DocD* are --->
'Docd-Bcs.Ide' Virus Sig. - 17 Feb 2016 14:30:26
'Docd-Bcq.Ide' Virus Sig. - 17 Feb 2016 09:50:51
You can see this information from the CLI by running avstatus sophos detail.
Variants at this time are included in the Class/IDE name, and will increment when new variants are found and covered w/ IDE updates.
-Robert