PARTNERS

Best practices

Cleaning malware from an e-mail archive when using Bitdefender Endpoint Security Tools

This section provides steps on how to clean malware from an e-mail archive when using BEST.

Bitdefender can identify viruses in e-mail databases and e-mail archives stored on disk.

Sometimes it is necessary to identify the infected message using the information provided in the scan report, and delete it manually.

Here is how you can clean a virus stored in an e-mail archive:

  1. Scan the e-mail database with BEST.

  2. Turn OFF the Bitdefender On-access antivirus protection:

    • Open the BEST using Power User mode or modify the policy currently applied on the machine.

    • Under Antimalware > On-access, disable the On-access Scanning by deselecting the checkbox

    • Save.

  3. Open the scan report and use the identification information (Subject, From, To) of the infected messages to locate them in the e-mail client.

  4. Delete the infected messages. Most e-mail clients also move the deleted message to a recovery folder, from which it can be recovered. You should make sure the message is deleted also from this recovery folder.

  5. Compact the folder storing the infected message:

    • In Outlook Express: On the File menu, click Folder, then Compact All Folders.

    • In Microsoft Outlook 2007: On the File menu, click Data File Management. Select the personal folders (.pst) files you intend to compact, and click Settings. Click Compact Now.

    • In Microsoft Outlook 2010 / 2013: On the File menu, click Info and then Account settings (Add and remove accounts or change existing connection settings). Then click Data File, select the personal folders (.pst) files you intend to compact, and click Settings. Click Compact Now.

  6. Turn ON the Bitdefender On-access antivirus protection.

Creating a password protected archive using

This section contains information on how to use the in order to submit samples of infected files.

You can use the to create secured archives with malware samples. These can later be sent to our experts for further analysis.

To create an archive, simply follow the steps detailed below:

  1. Download from here to your desktop.

  2. Run the Bitdefender-Compress-Tool.exe file.

  3. Drag and drop the infected files in the window.

    11499_1.png

    You can view the paths of the files to be archived.

    11499_3.png
  4. Click OK when finished.

    A secure archive with the password infected is created on your desktop. Send it to us as an attachment to the support ticket.

    11499_4.png

Protecting from ransomware

This section shows you how to protect your computer from ransomware.

Ransomware is a malicious software designed to block access to computer until a sum of money is paid to the attacker. Some of the most notable examples of ransomware are CryptoLocker, CryptoWall, WannaCry and Petya.

Usually, in case of encrypting ransomware, local files are encrypted using a randomly generated key pair that’s associated with the infected computer. While the public key is copied on the infected computer, the private key can only be obtained by paying for it within an allocated amount of time. If the payment is not delivered, the private key is threatened to be deleted, leaving no possible unencrypting method for recovering the locked files.

One of the most common infection vectors relies on drive-by-attacks through infected ads on legitimate websites, but it has also been known to infect via infected downloaded apps.

Ransomware infection can be limited and sometimes prevented with a few best practices:

  • Use an antivirus solution that is constantly updated and able to perform active scanning

  • Schedule file backups (either locally on in the cloud), so data can be recovered in case of corruption

  • Follow safe internet practices by not visiting questionable websites, not clicking links or opening attachments in emails from uncertain sources, and not providing personally identifiable information on public chats rooms or forums

  • Implement / enable ad-blocking capacities and anti-spam filters

  • Virtualize or completely disable Flash, as it has been repeatedly used as an infection vector

  • Train employees in identifying social engineering attempts and spear-phishing emails

  • Enable software restriction policies. System administrators need to enforce group policy objects into the registry to block executables from specific locations. This can only be achieved when running a Windows Professional or Windows Server edition. The Software Restriction Policies option can be found in the Local Security Policy editor. After clicking the New Software Restriction Policies button under Additional Rules, the following Path Rules should be used with Disallowed Security Level:

          - "%username%\\Appdata\\Roaming\\*.exe"
          - "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\\.*exe"
          - C:\\\*.exe
          - "%temp%\\*.exe"
          - "%userprofile%\\Start Menu\\Programs\\Startup\\*.exe”
          - "%userprofile%\\*.exe”
          - "%username%\\Appdata\\*.exe”
          - "%username%\\Appdata\\Local\\*.exe”
          - "%username%\\Application Data\\*.exe”
          - "%username%\\Application Data\\Microsoft\\*.exe”
          - "%username%\\Local Settings\\Application Data\\*.exe”
    9025_1.png
  • Identify the network systems which are exposed externally, by running a port scan on WAN IP addresses. Identify which of the network systems are doing port forwarding on those exposed ports.

  • Secure the following network protocols:

    • SSH: Root access should not be granted, and authentication should be done through certificates, not with usernames. Only one or two admins should have access to SSH.

    • FTP: Avoid FTP servers with vulnerabilities. Avoid logging in with the username Anonymous and without entering a password.

    • RDP and SMB: Disable default user accounts, like Admin or Administrator. Allow connectivity only for a limited number of users.

    • VNC: Do not use VNC for remote desktop connections.

    • HTTP:

      • Do not use weak or default credentials.

      • Frequently scan the installed web services (Django, Python, Java, PHP, WordPress) for any vulnerabilities.

      • Make sure users do not have access to change any aspect of your site.

  • Check IoT devices, or any other network devices for vulnerabilities (CCTV cameras, NAS servers, routers) such as weak passwords, vulnerable or outdated software, vulnerable network protocols.

  • Enforce Two-Factor Authentication (2FA) across your company, including for operating systems.

  • Constantly monitor network logs for incoming external connections and block those IPs in your firewall.

  • Users should only have access to the resources they need. Be especially careful when granting them write permissions to resources.

  • Limit access to the network shared folders based on business need.

  • Disable administrative shares.

  • Network administrators should monitor systems in real time for any suspicious behavior, like high CPU usage.

  • Block access to wevutil.exe and vssadmin, to prevent users from deleting system logs or system back-ups.