Hello all,

Had an interesting past few weeks dealing with the Zepto version of the CryptoLocker virus strain. I'd like to beat my users on occasion, but that probably won't fix things ;) Doing a bit of research, I came across a couple of blogs from fellow sys-admins who had some unique ideas on how to prevent this thing, and thought I'd pop a quick question to the forums here to see if these ideas make any sense. One thing in particular that caught my eye was using a 'honey pot' share that the world has access to, this share having a name like _01 (etc.) so that it would be the first target attacked by the encryption portion of the virus. Then have a cron job (or something else) look at that folder, say every ten minutes, to see if the number of files in it increases; if so, you know you are infected (or are likely infected). At this point I'd like to have the script which is monitoring that share set the entire volume to read-only using ncpcon commands.

This will obviously anger users, however IT will immediately know something is wrong and hopefully prevent the spread of the virus as the volume will be read only for everyone.

Does anyone see any peril in this?

We have nightly backups, and those have saved my bacon so far; however, the restoration is tedious and I'd like to nip the downtime to the business during one of these outbreaks as much as I can. The ability to stop the virus from encrypting shares while we figure out which user has the infection and deal with that seems to me to be worth the read-only time. We can then quickly recover what data managed to get encrypted in the ten minutes (or whatever interval we choose) and place the volume back in full read/write mode. An additional benefit to placing the volume in read-only mode is obviously that the users can still access it and do *some* work while IT is investigating / resolving the CryptoLocker problem.

I guess the point of the thread is a 'honey pot' of my own to see what other ideas may be out there from the standpoint of a Micro Focus sys-admin, as most of the blogs I've read are all Windows-based.
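The cron-job idea from the post, as an added example that is not code from the original poster or from Micro Focus. It goes a little beyond the file-count check: it fingerprints the honeypot's file names, sizes and mtimes, so a strain that encrypts in place (same number of files, new names or sizes) still trips it. The honeypot path, the state file and the ncpcon lock-down command are assumptions; the last one is a placeholder you must replace with the syntax your OES release uses.

```bash
#!/bin/bash
# Honeypot-share monitor meant to run from cron every ten minutes.
# Added example, not code from the original post. Assumptions (hypothetical):
# HONEYPOT is the local path of the honeypot share on the OES server,
# STATE_FILE stores the last known-good fingerprint, and LOCKDOWN_CMD is the
# ncpcon invocation that sets the volume read-only on your OES release; it is
# a placeholder here, look it up with `ncpcon help` before deploying.
HONEYPOT="${HONEYPOT:-/media/nss/DATA/_01}"
STATE_FILE="${STATE_FILE:-/var/lib/honeypot-monitor/baseline}"
LOCKDOWN_CMD="${LOCKDOWN_CMD:-echo PLACEHOLDER-ncpcon-set-volume-read-only}"

# Number of regular files under the share (the metric from the post).
count_files() {
    find "$1" -type f 2>/dev/null | wc -l | tr -d ' '
}

# Fingerprint of every file's path, size and mtime: any new, renamed,
# resized or rewritten file changes it, which also catches strains that
# encrypt in place and leave the file count unchanged. Needs GNU find.
fingerprint() {
    find "$1" -type f -printf '%p %s %T@\n' 2>/dev/null \
        | LC_ALL=C sort | sha256sum | cut -d' ' -f1
}

# Prints "clean" or "alert" and returns 0 / 1. The first run records the
# baseline; an alert never advances it, so every later run keeps alerting
# until an admin deletes the state file after the clean-up.
check_honeypot() {
    local dir="$1" state="$2" now
    now=$(fingerprint "$dir")
    if [ ! -f "$state" ]; then
        printf '%s\n' "$now" > "$state"
        echo clean; return 0
    fi
    if [ "$now" != "$(cat "$state")" ]; then
        echo alert; return 1
    fi
    echo clean; return 0
}

# Cron entry point: on an alert, log to syslog and lock the volume.
main() {
    mkdir -p "$(dirname "$STATE_FILE")"
    if ! check_honeypot "$HONEYPOT" "$STATE_FILE" >/dev/null; then
        logger -t honeypot-monitor -p auth.crit \
            "honeypot $HONEYPOT changed ($(count_files "$HONEYPOT") files); setting volume read-only"
        $LOCKDOWN_CMD
    fi
}
if [ "${1:-}" = "--run" ]; then main; fi
```

A crontab line such as `*/10 * * * * /usr/local/sbin/honeypot-check.sh --run` drives it; after you have cleaned up, delete the state file so the next run records a fresh baseline.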