DMA Locker virus outbreak

Many of our users have been hit by the DMA locker, all up to date with Sophos Endpoint. Should this have been detected and stopped?
  • I assume the malware got to the endpoints via email attachments and users would have had to execute the attachments?

    From this point on, you would hope that either:

    1. SophosLabs had previously seen a sample of the particular threat and had published detection, either in the form of an .ide, a monthly VDB database update or an update to the live lookup cloud service.

    2. The behaviour of the malware when executed exhibits behaviour that is commonly associated with malware so it is more generically detected through runtime detection.

    Clearly if an .ide/.vdb update is required, then as long as updating is working at a good interval you can't do much more there.

    If a Cloud lookup was required, hopefully these are working for your clients as these detections offer the fastest detection as they don't incur the delays through the more traditional "file" updating that relies on polling intervals through the system.

    I assume that realtime scanning is enabled and the default options are in place?

    The other line of defence would be gateway detection, which might include malware scanning and attachment filetype checking but also extends to spam detection, sender checking, reputation, etc.; the list goes on. Clearly the more layers and types of detection, the better the chance of capturing something malicious before it gets to the endpoints. The endpoint software is really the last line of defence in a corporate environment.

    Without knowing the exact setup and configuration it's hard to say if it should have detected it for that given snapshot in time. Clearly the aim is to detect everything but in reality it's hard to guarantee so all you can do is add more layers to minimise risk.
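As an added illustration of the "attachment filetype checking" layer mentioned in the reply above (example code written for this page, not Sophos code or anything from the original thread): a gateway-style check that classifies an attachment by its leading bytes rather than by the name the sender gave it, refuses a constructed list of executable extensions, flags a content/extension mismatch (an executable named `invoice.pdf`), and looks inside ZIP attachments with a nesting depth and member-size guard. The extension policy, magic-byte table and all sample attachments are constructed for the example.

```python
import io
import os
import zipfile
from typing import Dict, List

# Extensions the gateway policy refuses outright (constructed list for this
# example; a real gateway carries a longer, configurable list).
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".cpl", ".bat", ".cmd",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".jar", ".lnk",
}

# Content signatures: the first bytes decide the type, not the filename.
MAGIC = [
    (b"MZ", "pe"),                                   # Windows PE executable / DLL
    (b"PK\x03\x04", "zip"),                          # ZIP container (also .docx/.xlsx/.jar)
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy .doc/.xls container
]

# Content types that are acceptable for a declared extension.
EXPECTED = {
    ".pdf": {"pdf"}, ".zip": {"zip"}, ".doc": {"ole2"}, ".xls": {"ole2"},
    ".docx": {"zip"}, ".xlsx": {"zip"},
}

MAX_DEPTH = 2                   # archives nested deeper than this are rejected, not explored
MAX_MEMBER = 50 * 1024 * 1024   # refuse to inflate huge members (zip-bomb guard)


def sniff(data: bytes) -> str:
    """Classify content by magic bytes; 'unknown' if no signature matches."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def scan_attachment(name: str, data: bytes, depth: int = 0) -> List[str]:
    """Return policy findings for one attachment; an empty list means it passes."""
    findings: List[str] = []
    ext = os.path.splitext(name)[1].lower()   # "invoice.pdf.exe" -> ".exe"
    kind = sniff(data)

    if ext in BLOCKED_EXTENSIONS:
        findings.append(f"{name}: blocked extension {ext}")
    elif kind == "pe":
        # Executable content hiding behind a harmless-looking or missing extension.
        findings.append(f"{name}: PE executable disguised as {ext or 'no extension'}")

    expected = EXPECTED.get(ext)
    if expected and kind not in expected:
        findings.append(f"{name}: content is {kind}, expected {'/'.join(sorted(expected))} for {ext}")

    if kind == "zip":
        if depth >= MAX_DEPTH:
            findings.append(f"{name}: archive nested deeper than {MAX_DEPTH}, rejected")
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.file_size > MAX_MEMBER:
                        findings.append(f"{name}/{info.filename}: member too large to inspect, rejected")
                        continue
                    if info.flag_bits & 0x1:
                        # Password-protected member: content cannot be inspected, so fail closed.
                        findings.append(f"{name}/{info.filename}: encrypted member, cannot inspect")
                        continue
                    findings.extend(scan_attachment(f"{name}/{info.filename}", zf.read(info), depth + 1))
        except zipfile.BadZipFile:
            findings.append(f"{name}: claims ZIP but is malformed")
    return findings


def build_samples() -> Dict[str, bytes]:
    """Constructed sample attachments (the 'PE' is a stub header, not a real binary)."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 200
    clean_pdf = b"%PDF-1.4\n% constructed sample\n%%EOF\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", fake_pe)      # double extension inside an archive
        zf.writestr("readme.txt", b"constructed text member")
    return {
        "invoice.pdf": fake_pe,        # executable content, PDF name
        "report.pdf": clean_pdf,       # should pass
        "docs.zip": buf.getvalue(),    # archive carrying an executable
        "setup.scr": fake_pe,          # blocked extension
    }


def scan_all(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    return {name: scan_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_all(build_samples()).items():
        print(name, "->", findings or "pass")
```

The check fails closed on anything it cannot inspect (encrypted or oversized archive members, excessive nesting), which is the behaviour you want at a gateway: the endpoint, as the reply notes, is the last line of defence, so the gateway should not wave through content it could not classify.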