Beware! The TrickBot Trojan is back

TrickBot Trojan was first identified in mid-2016 and considered similar to the Dyreza banking Trojan. Initially, the payload (the component of a computer virus that executes a malicious activity) was spreading through a malvertising campaign using the Rig Exploit Kit. From our current findings, we have found that TrickBot has changed its propagation technique and is now spreading using the Necurs Botnet (a distributor of many pieces of malware including ransomware). 1) Earlier we had discovered a malspam (malware that is delivered via email messages) campaign that was delivering the TrickBot Trojan. It contained blank emails with no subject line. It had scan_RandomNo.doc as a file attachment [e.g. – SCAN_4744.doc , SCAN_1254.doc] Fig 1. A blank email with SCAN_4744.doc as an attachment. The doc file contains embedded macro and its functionality was similar to that of the Dridex family. 2) Presently, this malspam campaign is now using zip attachments having keywords such as invoice as shown below. Fig 2. Email containing a .zip attachment contains another .zip which has script file with an .wsf extension Fig 3 This .wsf file is executed using Windows ‘wscript.exe’and downloads extension-less encoded file in %temp% folder which is then decoded in the same location as same_file_name.exe. It then copies itself into the‘%appdata%\winapp’ folder. In addition to this, it downloads two additional components such as ‘client_id’ & ‘group_tag’. ‘client_id’ has information such as the name of the victim’s machine, OS version, etc. ‘group_tag’contain value such as ‘mac1’. This Trojan also inject DLLs into the installed browsers of the infected machine to steal information such as usernames, passwords, etc. In addition to this, we have also observed that a few .wsf files received during our analysis of this malspam campaign are spreading a new variant of JAFF ransomware. 3) On 14.06.17, we have observed another malspam campaign delivering TrickBot. Fig 4. Email containing zip as an attachment Fig 5 Emails delivered through this new malspam campaign contain having .docm file. .docm has embedded macro which when enabled downloads and installs components of the TrickBot Trojan on the infected machine. Quick Heal Detection 1. Quick Heal has detection for .doc, .wsf and the downloaded payload files. Fig 6 Fig 7 2. Quick Heal Behavioral-based detection successfully detects the malicious activities of TrickBot. Fig 8 Precautionary Measures 1) Avoid opening email attachments received from unknown, unwanted or unexpected sources. 2) Open all Microsoft documents, PDF files, etc., received as email attachments only in ‘Protected View’.


Reference by

Data Privacy Day – 10 tips to keep your data secure

Recognized annually on January 28th, Data Privacy Day is defined as a centered approach towards respecting privacy, safeguarding data, and enabling trust. It is a global effort to raise and promote awareness around protecting one’s data and privacy. With this thought in mind, we have put together these 10 security tips on Data Privacy Day.

10 Security Tips on Data Privacy Day

1. Change the passwords of your online accounts. Here are some tips to build strong and unique ones:

  • Use a mix of uppercase and lower letters
  • Use special characters
  • Use numbers
  • Use at least 8 characters

Also, here’s a fun way to create a password that is strong and can be easily remembered. First, think of a phrase or the title of your favorite book or movie; say, “The Girl With The Dragon Tatoo”. Now, take the first letter of every word in the title – this will give you tgwtdt. Capitalize a letter, add some numbers, and special characters – and you will have the ultimate password Tgwtdt#$8945B. We tested the strength of this password, and it seems that a hacker will take about 273 years to crack it. Find it out yourself –

2. Take a back up of all your important data stored on your computer and mobile device. You can either take the backup over Cloud or an external hard drive. Taking regular data backups can save you from the aftermath of a virus attack or system crash – especially a ransomware infection. Ransomware is a malware that hijacks your data and demands money (ransom) to release it.

3. Data Privacy Day is not only about storing or saving data. It also advocates the importance of disposing of your information securely. Data that you delete from your computer or mobile device does not really get deleted permanently. It can still be recovered with advanced data recovery tools. So, while removing sensitive information, ensure it is gone forever. Know how to delete your data securely.

4. It is unsafe to store login ID and passwords, banking details, social security number, and other such sensitive information on your mobile device or computer. But, if you can’t help it, ensure that the data is encrypted. When you encrypt an information, it gets converted into an unreadable form, and can only be read by you. So, even if a situation arises wherein your data falls into the wrong hands, you can rest assured that it won’t get misused.

5. Just like you won’t hand over your wallet, ID card, or house key to a stranger, avoid sharing your personal information on the Internet; these could be unfamiliar websites, survey forms, online friends, unsolicited emails, and anything/anybody that asks for your information. When it comes to Data Privacy, it’s wise to be a miser in sharing your data.

6. Banking or shopping online using unsecured Wi-Fi networks can let attackers steal your personal and financial information. While using any such network, ensure it is accessible only with a login ID and password.

7. Before installing any mobile app, review its permissions carefully. Many a time, you may come across an app that asks for permissions that are not actually required for it to function on your device. For instance, if a simple Flash Light app is asking your permission to access your device’s Internet, contact details, photos, etc., then chances are it is a malicious or a potentially dangerous app. So, stay cautious against such threats.

8. One of the greatest threats to your data and privacy is phishing. Phishing is defined as an attempt to trick you into providing your personal or financial details so that the attacker can commit illegal acts using your name. Any unknown or unexpected communication (email, call, SMS, etc.) that carries a sense of urgency and requires you to provide your personal information should be treated as a phishing attack. Always ignore such communications and report them to the right authority.

9. With mobile devices becoming an integral part of our everyday lives, they store massive amounts of data about us, our friends and family members. More importantly, being smaller and compact, they are more vulnerable to theft. So, it is only logical to protect these devices with a PIN, fingerprint or a password. We do not recommend the Pattern Lock because they are easily noticeable and less secure. Also, it is wise to keep the Automatic Lock feature ON at all times.

10. While you follow all the steps mentioned above, also consider getting a trusted antivirus solution. The software that you choose must offer multiple layers of security that can block ransomware, fake, infected and phishing websites, emails designed for phishing attacks, malicious downloads, and unauthorized data storage devices.


Reference by Quick Heal

Ransoc – An unusual ransomware that threatens to expose your personal information

Mostly a ransomware encrypts your files and demands money in exchange for a key that can decrypt the data. And the payment is demanded in Bitcoins. Ransoc is different in the way it works and the medium it uses for the payment.

How does Ransoc work?
Once your computer is infected by Ransoc, it gathers your personal information from your Skype and social media profiles and scans your system for Torrent files and other sensitive information. It then displays a ransom note. Interestingly, the ransom note is customized for a particular user and has their social media details including their profile picture. The ransom note threatens the victim with a fake legal proceeding and also that the ‘sensitive’ information found on their computer will be made public if the ransom is not paid.

Now, two important points to note here:

  1. Ransoc, unlike other ransomware, does not encrypt any files on the infected computer.
  2. Reportedly, the ransom note is displayed only in a case where the ‘sensitive’ information found by the ransomware includes child pornography or illegally downloaded Torrent media files.

So basically, the creators of this ransomware are targeting the victim’s fear of facing legal complications and losing their reputation instead of their data.

Further, where all ransomware creators use Bitcoin to remain hidden from law enforcement, Ransoc asks its victims to pay via credit card; this kind of payment approach has been unheard of in ransomware attacks till now.

How Quick Heal helps?

Quick Heal’s Virus Protection proactively detects the ransomware as “Ransomware.TorLocker.PB5” and prevents it from performing any activity on your computer.

Quick heal Total Security Detected Ransomeware

How to stay safe from ransomware attacks

  • Never click on links or download attachments that arrive in emails from unwanted, unknown or unexpected sources.
  • Apply all recommended security updates (patches) to your Operating System, and programs like Adobe, Java, web browsers, etc.
  • Take regular backups of your files. Remember to disconnect the Internet when you are backing up on a hard drive. Unplug the drive before you go online again.
  • Avoid using outdated browser plugins or plugins that you do not use anymore.
  • Invest in an antivirus software that comes with several layers of security such as Web Security that blocks infected websites, Email Security that blocks infected emails, Phishing Protection that blocks fake websites, etc.
  • Always keep your antivirus software up-to-date to stay safe against new threats.

Reference by Quickheal



Symantec File Share Encryption

Encrypt files with policy-enforced file encryption for collaborating teams

File Share Encryption allows users to automatically and transparently encrypt individual files and folders on laptops, desktops, and file servers enabling secure sharing of protected documents, spreadsheets, graphics files and more. File Share Encryption provides client-based server encryption that can be managed via Symantec Encryption Management Server to enforce corporate data protection and key management policies.


Key Features

  • Allows users to transparently read, write, and share encrypted files across their organization internally and in the cloud.
  • By embedding encryption into the file or folder, it can be moved without losing its protection, ensuring authorized access only by those with appropriate permissions.
  • Role separation is supported by enforcing different permission levels for users, data owners, and administrators.
  • Enables Symantec Encryption Management Server administrators to enforce automatic file encryption based on application type without end-user disruption.

Key Benefits

  • Allows users to easily and transparently share encrypted files and folders, improving data security without impacting user productivity.
  • Enables administrators to provide owner-based content encryption for files and folders on file shares while maintaining control over encryption keys and encryption policies.
  • Leverages existing Encryption Management Server capabilities such as Active Directory support and key management services to reduce the complexity inherent in providing  user-based file server encryption services.


Reference by :

Symantec Gateway Email Encryption

Network-based email encryption with no client software

Gateway Email Encryption provides centrally managed email encryption to secure email communications with customers and partners. With Gateway Email Encryption, organizations can minimize the risk of a data breach and comply with partner and regulatory mandates for information security and privacy.

Key Features

  • Centralizes the creation, enforcement, management and reporting of data protection and encryption policies.
  • Enables automatic encryption and decryption of sensitive email without changing the user experience.
  • Provides multiple, flexible secure delivery options for email, including Encryption Web Email Protection, Encryption PDF Email Protection and standards-based OpenPGP and S/MIME message formats.
  • Delivers central management of encryption keys for email as well as for all Symantec encryption products.

Key Benefits

  • Secures email without burdening users, this improves compliance with policies and regulations without hindering productivity.
  • Ensures all sensitive email can be delivered encrypted regardless of the recipient’s use of encryption. This enhances customer, partner and vendor communication without increasing the cost.
  • Centralizes administration of encryption policies and management to reduce the time required to implement and maintain email protection.

Encryption PDF Email Protection

Encryption PDF Email Protection can automatically secure email messages as they leave the enterprise network according to highly configurable encryption rules. By leveraging the broad adoption of PDF reader software the need for client decryption software is eliminated while email messages are completely protected from the sender to the recipient.

Reference by :

Symantec Endpoint Encryption Removable Storage Edition

Laptop and notebook security software

Symantec Endpoint Encryption Removable Storage Edition provides policy-controlled encryption of data on removable media and provides organizations with a safe harbor from data breach notification if removable media is lost or stolen. This industry-leading laptop security software allows users to encrypt data according to policy on most any form of removable storage ensuring that users can safely transport and use sensitive data on portable media.

New Features

  • Expanded device controller support: USB 3.0 and eSATA-based removable storage device support provides greater control of removable device encryptions.
  • Integration with Symantec Endpoint DLP: Policy integration with Symantec Endpoint DLP for content-based encryption of removable storage (powered by FlexResponse)* increases the efficiency of data loss prevention by having content-aware DLP policies automatically enforce encryption when sensitive files are copied to removable media.
  • More Granular Control with Device Whitelisting: “Do not encrypt” device white lists allow administrators to exclude specific makes and models of removable storage devices from automatic encryption supporting hybrid environments that utilize both hardware-based self-encrypting removable storage devices and software-based encryption by avoid complexity and double-encryption. Lowers the overhead for administrators by whitelisting specific devices from automatic encryption enforcement (e.g. do not encrypt iPods)
  • User-choice encryption of files: Allows the end-user to modify the automatic encryption policy and choose which files to or not encrypt which lowers the overhead for administrators when specific power users require the ability to modify encryption policies for valid business purposes.
  • Improved end-user password management: The end-user can now set both a default password and session password. Administrators can also control how default passwords are used by end-users. This improves the end-user experience by providing end-users with better options for managing file encryption credentials.

Key Features

  • Share information with authorized users via group keys transparently
  • Manage Active Directory GPO and native policy deployment
  • Share encrypted media/devices with the Removable Storage Access Utility
  • Notebook security software allows you to deliver files with self-extracting archives for one-way distribution (email, ftp, etc.)

Key Benefits

  • Safeguard intellectual property
  • Share encrypted data easily and seamlessly
  • Transparently manage security policies through Active Directory integration
  • Allows recipients to decrypt files without having Symantec Endpoint Encryption client installed
  • Decrypts and encrypts data without an installed client
  • Laptop security software enables access to encrypted data on Windows and Mac computers


Reference by :

Symantec Drive Encryption

Full disk encryption software

Symantec Drive Encryption provides organizations with comprehensive, high performance full disk encryption for all data (user files, swap files, system files, hidden files, etc.) on desktops, laptops, and removable media. This full disk encryption software protects data from unauthorized access, providing strong security for intellectual property, customer, and partner data. Protected systems can be centrally managed by Symantec Encryption Management Server simplifying deployment, policy creation, distribution, and reporting.

Key Features

  • Easy Passphrase and Machine Recovery – Local self-recovery, one-time-use token and other recovery options.
  • Built PGP Strong – High performance, optimized, and strong encryption, built with PGP Hybrid Cryptographic Optimizer (HCO) technology. FIPS 140-2 validated, CAPS-approved, DIPCOG-approved, CC EAL 4+ certification.
  • User-Friendly – Background encryption with throttle capabilities. Fewer passwords to remember with support for Windows single sign-on.

Key Benefits

  • Comprehensive Multi-Platform Coverage – Symantec Drive Encryption provides constant protection across laptops, desktops, and removable media. Compatible with PC, Mac, and Linux environments, Drive Encryption encrypts and decrypts data instantaneously with no disruption to an end-user’s normal workflows.
  • Optional Silent Deployment – To ease rollouts, Drive Encryption can be pushed down by administration with no need for end-user involvement.
  • High Performance – Utilizes AES-NI hardware in Windows, Mac OS X, and Linux operating systems for greater performance.
  • Part of a Long-Term Enterprise Security Strategy – Drive Encryption is a key component and building block for many security implementations, providing organizations Safe Harbor should a device be lost or stolen and protection against unauthorized access.


Reference by :

SymantecTM Protection Engine for NAS, Sharepoint and any file upload application.

B) SharePoint
C) Uploading data or files on a site , server etc. ( Resume, data sheet, document , files )

We need to protect the NAS, Sharepoint, data which is uploaded and scan for virus or malware if any in the document.

SymantecTM Protection Engine for Cloud Services 7.5 is a flexible and feature-rich client/server application that allows customers to incorporate malware and threat detection technologies into almost any application. Powered by Symantec InsightTM, Protection Engine gives customers access to innovative security that will ensure their information and employees stay safe on the Web. Insight is a security technology that puts files in context, using their age, frequency, location, and more to expose threats otherwise missed. Protection Engine includes Symantec’s proprietary, patented URL categorization technology and industry-leading malware protection for fast, scalable, and reliable content scanning services helping organizations protect their data and storage systems against the ever growing malware threat landscape.

Alongside the native ICAP protocol support, Protection Engine provides a full client Software Development Kit (SDK) enabling customers to embed fully-fledged malware protection in business critical applications, services, and devices.

Platform support spanning Linux, Windows®, and Solaris® ensures that customers can take advantage of the market leading malware detection wherever they need it.

Key Features

  •  Provides fast, scalable, and reliable content scanning
  • Protects against viruses, spyware, and other unwanted content in a single scan
  • Easily integrates proprietary and patented URL filtering scanners and industry-leading antivirus technologies

Dedicated virus scanning for Web traffic is recommended for the following reasons:

  • Scanning Web traffic lets you catch and block threats at the gateway, rather than multiple times at each desktop. Users can potentially disable desktop protection, which can leave your network vulnerable to attack.
  •  Because many people now use Web-based email, email-born viruses that would otherwise be caught by antivirus scanning at the SMTP gateway can slip through to infect the network.
  • The industry trend has been to Web-enable many application environments to include the use of technologies like ActiveX, JavaScript, and Java applets to  enhance the user experience. Many new threats are associated with these Web technologies. Malicious mobile code viruses, such as Nimda and Code Red, have entered networks as executables (for example, ActiveX, JavaScript, or Visual Basic Scripts) that appear to be part of safe Web content.
  • Once a threat has been cached, malicious code can potentially be passed to other users on the network, which can compromise additional computers and data on the network.
  • Malicious code can result in lost, stolen, or corrupted files, which can result in costly downtime to the enterprise.

Reference by :

Change Admin Password in Mcafee ePo

Open browser and go to Mcafee ePo website.
Change end of URL to “Config”
Example – https://ServerName:8443/core/config
You can change password at bottom

How to perform a Mcafee command-line scan in Microsoft Windows


Usually, all On-Demand Scans are done through the VirusScan Console. However, sometimes it might be necessary to run a scan with strictly required programs only. Scenarios which require this include, but are not limited to:

  • Scanning a computer before installing VirusScan to ensure it is clean.
  • When a workstation has been infected and you are unable to load the VirusScan Console.
  • When VirusScan Enterprise (VSE) does not install successfully.



  • It some cases it may be necessary to run the Command Line Scan in Safe Mode.
  • McAfee recommends deleting all temporary files from your computer before running any scan. This includes files in the temp folder, temporary Internet files, Internet usage history and cookies.

Use the latest VirusScan Command Line Scanner (CLS). The CLS has the most up-to-date cutting edge generic drivers.

  1. Download the CLS scanner using your grant number.

To download McAfee products, updates, and documentation, visit the Downloads page at

For instructions on downloading, see: KB56057.

NOTE: If you do not have a license for VirusScan Command Line Scanner, please contact McAfee Technical Support.

For contact details:

    • Non-US customers – select your country from the list of Worldwide Offices



Log in to the ServicePortal at

    • If you are a registered user, type your User Id and Password and click OK.
    • If you are not a registered user, click New User and complete the required fields. Your password and login instructions will be emailed to you.


  1. Create a folder on the root of your primary partition. In this example: c:scan
  2. On the infected computer, extract the contents of or later to c:scan
  3. Download the latest beta.dats from one of the location below:
  4. Extract the contents of to c:scan and overwrite the existing files.
  5. Perform a complete system scan (best practice).
  6. Click Start, Run, type cmd and press ENTER.
  7. From the directory created above, type scan.exe /adl /all /analyze /clean /program /unzip /winmem /rptall /report=c:scan.log and press ENTER.


Courtesy :- Mcafee Corporation

Portfolio Items