Question
Since a virus-infected PC has to download, (encrypt) and reupload the entire file (to a file server), and repeat the process for every network drive, is it possible to detect this unusually high bandwidth event? Is there a way to respond to it (via QoS or something?)
I'm looking for a way to detect and/or limit Cryptolocker encryption by monitoring how much data is transferred (as it is encrypting files) and possibly set a quota on this transfer (QoS?).
Is such a mechanism available for a Windows machine? I haven't been able to locate this myself in default Windows settings but am open to alternative solutions.
Alternatively, such a bandwidth-monitoring approach could be used to prevent a data leak, or an employee stealing company secrets.
Explanation / Answer
Since a virus-infected PC has to download, (encrypt) and reupload the entire file, and repeat the process for every network drive, is it possible to detect this unusually high bandwidth event? Is there a way to respond to it (via QoS or something?)
You're mistaken: the malware doesn't need to transfer the file. It uses asymmetrical encryption: the file is first (symmetrically) encrypted with a long, unique and randomly generated key, and that key is then encrypted using only the public half of the decryption key.
Once that symmetrical encryption key is deleted, there is nothing left on your machine to decrypt the files, and you never touched the key that will unlock it.
I'm looking for a way to detect and/or limit Cryptolocker encryption by monitoring how much data is transferred (as it is encrypting files) and possibly set a quota on this transfer (QoS?).
Don't try to build your own: there are plenty of security systems that can assist you with detecting (and provide protection against) this and many other threats: antivirus scanners, IPS, IDS, NBAD, firewalls, etc. Any (smart) investment you make in these will be orders of magnitude more efficient than trying to jury-rig a protection on your own - especially if you do not understand the nature of the threat.
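The scheme the answer describes (a random per-file symmetric key, with only that key wrapped under a public key whose private half is not on the machine) is ordinary hybrid or "envelope" encryption, the same construction used for legitimate key wrapping. The Go example below is added here to show why bandwidth monitoring sees nothing: every step is local CPU and disk work and no byte of the data crosses the network. It is not code from the original post; the function names, the AES-256-GCM plus RSA-OAEP choices and the sample input are assumptions made for the illustration.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// newKeyPair returns a fresh 2048-bit RSA pair; only its public half is needed to encrypt.
func newKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
// aeadFor builds an AES-256-GCM cipher for a 32-byte key.
func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// envelopeEncrypt seals data under a fresh random symmetric key and wraps only that key
// with the RSA public key (OAEP). Everything happens locally; the data never leaves the host.
func envelopeEncrypt(pub *rsa.PublicKey, data []byte) (wrappedKey, nonce, ct []byte, err error) {
	buf := make([]byte, 32+12) // fresh 256-bit key plus 96-bit GCM nonce, used once
	if _, err = rand.Read(buf); err != nil {
		return
	}
	fileKey, nonce := buf[:32], buf[32:]
	aead, err := aeadFor(fileKey)
	if err != nil {
		return
	}
	ct = aead.Seal(nil, nonce, data, nil)
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	for i := range fileKey { fileKey[i] = 0 } // discard the plaintext key: now only the private key can unwrap it
	return
}

// envelopeDecrypt unwraps the symmetric key with the RSA private key; any other key fails at OAEP.
func envelopeDecrypt(priv *rsa.PrivateKey, wrappedKey, nonce, ct []byte) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(fileKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, nil)
}
```

The defender's takeaway is that the only observable side effects are local: file reads and writes and CPU time, which is why host-based controls (EDR, file-activity monitoring, honeypot files) catch this where network QoS cannot.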