Not been a good week. A bug got onto one of the computers and quietly ran for seven hours in the background, running code similar to the following (pseudocode):
For all drives that can be accessed by this computer (local and network mapped)
    For all folders, find files with the extensions (PDF, DOC, DOCX, XLS, XLSX, PPT, PPTX, WPD)
        For each file found
            - record name, created date, file size
            - if OS permits it, open file for modification
            - rewrite contents of file with random data up to previously recorded file size
            - close file
            - reset file date to recorded created date
In our case the result was two workstations that I had to format and re-install, losing all locally stored "work files" (they shouldn't have been stored there anyways...), and roughly 40,000 files located on a network share that were trashed and had to be restored from backup tapes.
Now, the workstations and servers have AV software, a variety of them, but as the bug wasn't actually writing "viruses" to the network share, nothing was ever spotted. It's as if the AV software thought, "Hey, just some guy modifying tens of thousands of files recursively, no need to be concerned".
My question to the forum is as follows:
Does anyone know of an AV application which, running on a Windows workstation or a backend NAS server, would flag an alert that a user was making numerous changes to files, even if those changes were not writing "viral" data? Or maybe, would maintain at the root of all drives a folder containing a series of files (such as listed above) and any attempt to modify any of those files would flag an alert?
This is the second time in three months that I've had to restore several terabytes of data (how are you going to go through a backup selection list and specify 40,000 files to recover; just recover everything that was stored in the network share) and I'm just looking for a way to prevent it from happening again.
I look forward to your response.
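The two detection ideas the post asks about (a decoy folder whose files must never change, and an alert on one account touching an unusual number of files in a short window) are simple enough to prototype. The script below is an added example written for this thread; it is not code from the original post or from any AV/NAS product, and the folder name `_canary`, the decoy file names, the thresholds and the simulated wipe are all assumptions chosen for illustration. The canary check compares SHA-256 hashes rather than dates, because the malware described above puts the timestamps back after rewriting the bytes, so any date-based check would miss it.

```python
import hashlib
import os
import tempfile
from collections import defaultdict, deque

# Hypothetical names for this example only, not from any product.
CANARY_DIR = "_canary"
CANARY_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".wpd")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canaries(root):
    """Create one decoy file per targeted extension under root/_canary and
    return a baseline {path: sha256}. Content is constructed and fixed so the
    baseline is reproducible; a real deployment would use realistic-looking
    documents so a wiper that sniffs headers still takes the bait."""
    canary_dir = os.path.join(root, CANARY_DIR)
    os.makedirs(canary_dir, exist_ok=True)
    baseline = {}
    for ext in CANARY_EXTS:
        path = os.path.join(canary_dir, "budget_2014" + ext)
        with open(path, "wb") as f:
            f.write(b"CANARY DO NOT EDIT " + ext.encode() + b"\n" * 64)
        baseline[path] = sha256_file(path)
    return baseline


def check_canaries(baseline):
    """Return canary paths whose content hash differs from the baseline or
    which have gone missing. Hashes, not timestamps, are compared."""
    tampered = []
    for path, expected in baseline.items():
        if not os.path.exists(path) or sha256_file(path) != expected:
            tampered.append(path)
    return tampered


class BurstDetector:
    """Sliding-window count of distinct files modified per user. observe()
    returns True once a user has touched more than `threshold` distinct
    files within `window` seconds, the 'tens of thousands of files
    recursively' pattern from the post. Thresholds here are assumptions."""

    def __init__(self, window=60.0, threshold=200):
        self.window = window
        self.threshold = threshold
        self.events = defaultdict(deque)  # user -> deque of (ts, path)

    def observe(self, ts, user, path):
        q = self.events[user]
        q.append((ts, path))
        while q and ts - q[0][0] > self.window:
            q.popleft()
        return len({p for _, p in q}) > self.threshold


def simulate_wipe(path):
    """Constructed stand-in for the behaviour described in the post: overwrite
    the file in place with random bytes of the same size, then restore the
    original timestamps. Python cannot portably reset the Windows creation
    date, so atime/mtime stand in for it here."""
    st = os.stat(path)
    with open(path, "r+b") as f:
        f.write(os.urandom(st.st_size))
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo():
    root = tempfile.mkdtemp()
    baseline = plant_canaries(root)
    clean = check_canaries(baseline)  # nothing touched yet
    victim = sorted(baseline)[0]
    before_mtime = os.stat(victim).st_mtime_ns
    simulate_wipe(victim)
    tampered = check_canaries(baseline)  # hash check still catches it
    mtime_preserved = os.stat(victim).st_mtime_ns == before_mtime

    det = BurstDetector(window=60.0, threshold=200)
    # Constructed event streams: a normal user editing 20 files in 20 s,
    # and an infected account rewriting 1000 files in 10 s.
    quiet = any(det.observe(float(i), "bob", f"\\\\nas\\share\\doc{i}.docx") for i in range(20))
    noisy = any(det.observe(i * 0.01, "alice", f"\\\\nas\\share\\doc{i}.docx") for i in range(1000))
    return {"clean": clean, "tampered": tampered, "mtime_preserved": mtime_preserved,
            "quiet_alert": quiet, "noisy_alert": noisy}


if __name__ == "__main__":
    print(demo())
```

In production the BurstDetector would be fed from the file server's own change source rather than by polling (on Windows, object-access auditing produces event 4663 per write, or a minifilter driver sees the writes directly), and the canary check would run on a short schedule from the NAS side so an infected workstation cannot simply kill it. Neither catches a slow wiper that stays under the rate threshold and avoids the decoy folder, so they complement, rather than replace, restrictive share permissions and tested restores.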